As I continue to engage prospective clients regarding their security needs, there seems to be clear confusion regarding the difference between Vulnerability Assessments and Penetration Testing and what clients want or need.
Surprisingly, whether you are required to conduct security assessments due to regulatory requirements or if you are simply taking steps to establish or verify your current security controls, in most cases a Vulnerability Assessment may a very good option.
By design, Vulnerability Assessments are a non-intrusive way to identify and quantify security vulnerabilities that exist in your environment. The assessment is an evaluation of your information security posture which should include indicating weaknesses as well as provide appropriate mitigation steps to either eliminate or reduce weaknesses to an acceptable level of risk. In most cases, a Vulnerability Assessment will follow these four steps:
- Catalog Assets and Resources
- Identify Critical Resources, Processes, and Policies
- Highlight Security Vulnerabilities as they relate to the identified resources, processes, and policies.
- Provide Actionable Steps to Mitigate and/or Eliminate the most serious vulnerabilities identified.
“Although Vulnerability Assessments and Penetration Testing are combined to provide clients with a broader picture of their security posture, they differ drastically.”
In contrast to a Vulnerability Assessment, a Penetration Test is meant to simulate a bad actor attempting to gain access to systems via research on platform and exploitations of vulnerabilities.
Engineers and Security experts essentially are paid to “hack” a client’s system. Using many different methods such as SQL injection, password cracking, and buffer overflow, engineers will try to prove that vulnerabilities can be exploited. In addition, depending on the type and scope of a Penetration Test, they vary from non-intrusive to very intrusive – very intrusive tests require execution during off-hours to mitigate performance issues and/or outages. Many vendors price and position this service differently – speaking for Weidenhammer, our Team first determines the environment in which the test is to occur; we carefully discuss and review the rationale for the test to ensure we execute the right test for each situation; and finally we ask the client how far they wish us to take the test. In most cases, demonstrating that we were able to gain access is enough, and in others, clients ask our Team to go as far as they can – penetrate the network, exploit servers and other hardware/software in an effort to gauge how far the “rabbit hole” goes.
So what is right for you?
Well, it depends on your current security posture and confidence in your security program. In addition, regulatory and compliance requirements should play a factor in the decision. However, in most cases, a Vulnerability Assessment is the ideal first step. It helps organizations identify potential threats and provides a roadmap to assist them in closing those gaps within their infrastructure.