What’s the difference between a vulnerability assessment and a penetration test?
We often get enquiries through to our Sales team asking for a penetration test, but really the enquirer wants a vulnerability assessment (also referred to as a vulnerability scan). And conversely, many people ask for a vulnerability assessment when what they really need is a penetration test.
They are different services, so why all the confusion?
Often, it’s a problem of miscommunication because many people use the two terms interchangeably, as the two look very similar from afar. However, up close it’s a very different story.
Essentially, a vulnerability assessment is an automated scan that identifies vulnerabilities, while a penetration test goes on to exploit those vulnerabilities to give a deeper understanding of the holes in your defences.
Let’s look at each option:
What is a vulnerability assessment?
A vulnerability assessment is a scan. It uses an automated tool to check your systems for known vulnerabilities. Imagine a burglar looking for and identifying a back entrance to your building, but not entering. The results of the scan will show how an application, website or other system is vulnerable, but it doesn’t provide details on what would happen if the vulnerability was exploited.
Many organisations undertake vulnerability assessments to tick a box, usually for compliance. However, there are limits to a vulnerability assessment: it can’t explain the impact of a finding, or whether an attacker could pivot from one vulnerability to another to compromise a system. There is also the possibility of false positives and false negatives, so it’s important to verify automated results with multiple tools or manual methods.
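One way to put that verification step into practice is to cross-reference the output of two scanners and record the outcome of any manual checks, so that single-source findings are queued for review, manually disproved findings are marked as false positives, and issues the scanners missed are captured as false negatives. The script below is an added illustration, not code from the original article or from PGI; the scanner output, host addresses and finding identifiers are constructed placeholders.

```python
"""Triage vulnerability-scan findings by cross-tool corroboration and manual checks.

Added example: scanner names, hosts and finding IDs below are constructed
placeholders, not real scanner output or real vulnerability identifiers.
"""
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# A finding is identified by (host, port, finding id).
Key = Tuple[str, int, str]

# Constructed output from a hypothetical "scanner A".
SCANNER_A: List[dict] = [
    {"host": "10.0.0.5", "port": 443, "id": "PLACEHOLDER-VULN-001", "severity": "high"},
    {"host": "10.0.0.5", "port": 22,  "id": "PLACEHOLDER-VULN-002", "severity": "low"},
    {"host": "10.0.0.9", "port": 80,  "id": "PLACEHOLDER-VULN-003", "severity": "medium"},
    {"host": "10.0.0.9", "port": 443, "id": "PLACEHOLDER-VULN-006", "severity": "medium"},
]

# Constructed output from a hypothetical "scanner B" run against the same hosts.
SCANNER_B: List[dict] = [
    {"host": "10.0.0.5", "port": 443, "id": "PLACEHOLDER-VULN-001", "severity": "high"},
    {"host": "10.0.0.9", "port": 80,  "id": "PLACEHOLDER-VULN-004", "severity": "medium"},
    {"host": "10.0.0.9", "port": 443, "id": "PLACEHOLDER-VULN-006", "severity": "low"},
]

# Constructed results of manual verification: True means the issue is real,
# False means the analyst could not reproduce it (a false positive).
MANUAL_CHECKS: Dict[Key, bool] = {
    ("10.0.0.5", 443, "PLACEHOLDER-VULN-001"): True,   # scanner finding confirmed
    ("10.0.0.5", 22,  "PLACEHOLDER-VULN-002"): False,  # scanner finding disproved
    ("10.0.0.9", 8080, "PLACEHOLDER-VULN-005"): True,  # found manually, missed by both tools
}


def key_of(finding: dict) -> Key:
    """Normalise a scanner finding to the (host, port, id) key used for matching."""
    return (finding["host"], int(finding["port"]), finding["id"])


def triage(scan_a: Iterable[dict], scan_b: Iterable[dict],
           manual_checks: Dict[Key, bool]) -> Dict[Key, str]:
    """Assign each finding one status:

    confirmed      - reported by a scanner and manually verified as real
    false_positive - reported by a scanner but manually disproved
    false_negative - manually verified as real but reported by neither scanner
    corroborated   - reported by both scanners, not yet manually checked
    single_source  - reported by one scanner only, needs manual review
    """
    seen_a = {key_of(f) for f in scan_a}
    seen_b = {key_of(f) for f in scan_b}
    statuses: Dict[Key, str] = {}
    for key in seen_a | seen_b | set(manual_checks):
        if key in manual_checks:
            if not manual_checks[key]:
                statuses[key] = "false_positive"
            elif key in seen_a or key in seen_b:
                statuses[key] = "confirmed"
            else:
                statuses[key] = "false_negative"
        elif key in seen_a and key in seen_b:
            statuses[key] = "corroborated"
        else:
            statuses[key] = "single_source"
    return statuses


def needs_manual_review(statuses: Dict[Key, str]) -> List[Key]:
    """Findings seen by only one tool: the ones most likely to be false positives."""
    return sorted(k for k, s in statuses.items() if s == "single_source")


def summarise(statuses: Dict[Key, str]) -> Dict[str, int]:
    """Count findings per status for a quick report-level view."""
    return dict(Counter(statuses.values()))


if __name__ == "__main__":
    result = triage(SCANNER_A, SCANNER_B, MANUAL_CHECKS)
    for key, status in sorted(result.items()):
        print(f"{key[0]}:{key[1]} {key[2]:<22} {status}")
    print("needs manual review:", needs_manual_review(result))
    print("summary:", summarise(result))
```

The point of the status split is that a finding reported by a single tool is neither trusted nor discarded until an analyst looks at it, and a manually discovered issue that no tool reported is recorded rather than lost, which is exactly the blind spot of a scan-only assessment.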
What is a penetration test?
Penetration testing is a method of identifying and testing vulnerabilities or gaps in IT security that could be exploited in external or internal infrastructure, leaving your business exposed. A penetration test usually begins with an automated vulnerability scan, but goes into far more depth. In our burglar scenario, this time they are checking for a back entrance and then actually entering the building (don’t worry, they have permission!).
This testing format—what many people might consider ‘hacking’—is a systematic examination of a network or system undertaken by qualified, experienced security experts who have been given permission to exploit the vulnerabilities and misconfigurations they find to determine their potential impact. The consultant will work to a defined test methodology to enter the network through the identified gaps (hence the term, ‘penetration’), using their knowledge, Open Source information, and a range of tools. Once gaps have been identified and tested in your systems and networks, they provide expert advice for strengthening your defences.
A side-by-side comparison: vulnerability assessment vs. penetration testing
To more easily illustrate what is included in each service, we’ve put together this handy comparison of a vulnerability assessment and a generic penetration test (each test will depend upon the system being examined).
As you can see, a penetration test is significantly more in-depth than a vulnerability assessment. While a penetration test generally includes an initial automated vulnerability scan, it’s the manual exploitation of those vulnerabilities that requires a wide range of skills and time.
Which is right for your organisation?
Think of a vulnerability assessment as a one-size-fits-all high-level automated scan that picks up the most common vulnerabilities. It’s cheaper and quicker because it isn’t resource intensive and could be considered as a health check (like running a virus scan on a laptop, but across a whole network).
While a vulnerability assessment is often conducted as a mandatory exercise as part of complying with regulatory requirements, such as PCI DSS or ISO 27001, it is strongly recommended that vulnerability assessments are conducted regularly: on all new devices before deployment, and again throughout the year (like a fire drill).
A penetration test is the difference between ‘ticking a box’ and being confident you have looked at your vulnerabilities from every angle. The testing is undertaken by humans who understand the nuances of how businesses work—unlike automated scanning software, they can ask questions when something doesn’t seem quite right (which is important for ongoing business operations).
Much like carrying out an annual service on your car, we recommend regular penetration testing for all businesses to ensure ongoing mitigation of risk; however, it is even more important if you’re introducing new technologies to the workplace, moving to the cloud, outsourcing IT, have experienced a breach in the past, or aren’t confident you know how mature your security is.
What are you testing?
Which you choose depends on the asset being tested. If the asset is low value (i.e. compromise wouldn’t have a devastating effect on operations or reputation), then a vulnerability assessment is probably adequate. However, if the asset is high value (i.e. a breach or failure could cause operational disruption and revenue loss or reputational damage), then it becomes a prime target for threat actors who invest time into finding more ingenious ways to compromise it and gain access.
Both options will provide you with a detailed report explaining the findings, the criticality of the vulnerabilities, and present remediation advice. However, the vulnerability assessment report will not cover impact or exploit information, as this can only be gleaned by exploiting the vulnerabilities manually.
It’s important to remember that new vulnerabilities are discovered regularly, so whether you’ve decided that a vulnerability assessment or a penetration test is the best choice for your organisation’s needs, it should be repeated regularly.
How can PGI help?
Penetration testing and vulnerability assessments are important parts of mitigating cyber risk. Our experienced Penetration Testers have worked across a range of industries, finding vulnerabilities that can easily be missed in web applications and IT infrastructure. Help your IT department secure your business and contact us to discuss how we can make the process easier: on +44 (0)845 600 4403 or email us at firstname.lastname@example.org