A subject that is coming up more and more often at my clients is the difference between vulnerability assessments and penetration testing. These two terms appear to be used interchangeably among executives; however, they are very different. Fundamentally, one is a defensive process and the other is offensive. Let’s dive into it a bit further.
Servers are vulnerable targets. This is why we have firewalls, regular patches and updates, and tools like anti-virus and malware detection. Vulnerability Assessments are often automated processes that look at the current state of your systems, identifying whether there are any vulnerabilities in the way your systems are currently configured. A system may be vulnerable due to a critical security flaw that needs to be patched with the latest update, or it could be that a firewall has been incorrectly configured and there is a port open that should not be – allowing for external access to the network. Vulnerability scanning also extends to “edge networks”, the ingress points into your network such as web servers and remote access. It can automatically scan for expired certificates, insecure settings or outdated/unnecessary protocols enabled.
Given the nature of these assessments – checking for software or port-related vulnerabilities – the tests can be easily automated for the defense of a network. Regular testing, either on a monthly basis or on each configuration change, is vital to the security of a network from a pro-active security stance. If you are hosting services, you should be testing for vulnerabilities. New vulnerabilities are identified regularly, so manual checks just aren’t the answer.
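To make the "easily automated" point concrete, the following is an added example (not code from the original post or from Ross G Saunders Consulting) of the kind of check a vulnerability scan runs on an edge host: it evaluates a snapshot of each system's exposed configuration against a policy and emits findings for unexpected open ports, deprecated protocols, expiring or expired certificates, and missing critical patches. The policy values, host names, dates and inventory are all constructed for the example; a real scanner would collect the snapshot from the live hosts and load the policy from configuration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set

# Constructed policy for this example; a real scanner would load it from configuration.
ALLOWED_EDGE_PORTS = {22, 443}                                  # what an ingress host may expose
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}  # should no longer be enabled
CERT_WARN_DAYS = 30                                             # warn this many days before expiry
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass
class Host:
    """Snapshot of one system's exposed configuration, as a scan would collect it."""
    name: str
    open_ports: Set[int]
    enabled_protocols: Set[str]
    cert_not_after: Optional[date]   # None when the host serves no TLS
    missing_critical_patches: int


@dataclass
class Finding:
    host: str
    severity: str
    message: str


def assess_host(host: Host, today: date) -> List[Finding]:
    """Run every policy check against one host and return its findings."""
    findings: List[Finding] = []
    # 1. Firewall exposure: any listening port outside the allow-list is a finding.
    for port in sorted(host.open_ports - ALLOWED_EDGE_PORTS):
        findings.append(Finding(host.name, "high", f"unexpected open port {port}"))
    # 2. Outdated protocols still enabled on the edge.
    for proto in sorted(host.enabled_protocols & DEPRECATED_PROTOCOLS):
        findings.append(Finding(host.name, "medium", f"deprecated protocol enabled: {proto}"))
    # 3. Certificate lifetime: already expired is critical, expiring soon is a warning.
    if host.cert_not_after is not None:
        days_left = (host.cert_not_after - today).days
        if days_left < 0:
            findings.append(Finding(host.name, "critical", f"certificate expired {-days_left} days ago"))
        elif days_left <= CERT_WARN_DAYS:
            findings.append(Finding(host.name, "medium", f"certificate expires in {days_left} days"))
    # 4. Patch state: any missing critical patch is itself critical.
    if host.missing_critical_patches > 0:
        findings.append(Finding(host.name, "critical",
                                f"{host.missing_critical_patches} critical patch(es) missing"))
    return findings


def assess(hosts: List[Host], today: date) -> List[Finding]:
    """Assess the whole inventory; most severe findings first, then by host and message."""
    findings = [f for h in hosts for f in assess_host(h, today)]
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.host, f.message))


# Constructed inventory: one clean host and two with typical edge-network problems.
SAMPLE_INVENTORY = [
    Host("web-01", {22, 443}, {"TLSv1.2", "TLSv1.3"}, date(2025, 9, 1), 0),
    Host("vpn-01", {443, 3389}, {"TLSv1.0", "TLSv1.2"}, date(2025, 3, 10), 2),
    Host("legacy-01", {80, 443}, {"SSLv3", "TLSv1.2"}, date(2024, 12, 31), 0),
]
SCAN_DATE = date(2025, 3, 1)   # fixed "today" so the run is reproducible

if __name__ == "__main__":
    for f in assess(SAMPLE_INVENTORY, SCAN_DATE):
        print(f"[{f.severity.upper():8}] {f.host}: {f.message}")
```

Passing the scan date in explicitly (rather than reading the clock) is what makes a check like this schedulable and testable: the same snapshot assessed on two dates gives two comparable reports, which is exactly what a monthly or per-change scan needs.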
Servers are vulnerable targets, as noted above; however, even more vulnerable than servers are the staff in an organisation and the processes and procedures they use. Penetration testing is a much broader term that takes an offensive stance. Penetration Testing (or Pen Testing for short) involves an experienced tester trying to force their way into your network by any means necessary. It’s an active attack from many angles (both technological and social) in order to identify weak spots in your organisation.
These tests take a long time and demand intense specialist skill from the tester, and hence are much more expensive than a Vulnerability Assessment. In general, Pen Testing is performed much less frequently than Vulnerability Assessment, around once or twice a year depending on the application and necessity. The goal of Pen Testing is to identify the unknown weaknesses in the organisation, and it can go to the extent of a physical break-in to the premises in order to exploit and extract data from a company.
Much like auditing, it’s recommended that Pen Testing be performed by a third party in order to maintain objectivity during the test. Tests run internally, while valuable, can be subjective, as employees are aware of loopholes in process, or they may gloss over something that a third party would not.
Which Should I Use?
You should not see these aspects as exclusive of one another. Both are vital to a strong security stance and to identifying weaknesses from multiple attack vectors. Ideally, you should be performing vulnerability testing regularly (every one to three months), supported by Pen Testing on longer-term engagements (once or twice a year). The weakest link in the security chain is often the human factor, so it is also of tremendous importance that staff are trained and aware of the methods out there that penetration testers (or hackers) would use to gain access.
Ross G Saunders Consulting offers both training and penetration testing through a network of specialists and advisors. Should you wish to implement any of the methods in this article, why not reach out for a coffee? We would love to help secure your network and avoid the pitfalls of unknown vulnerabilities in your defenses.