What’s the difference between a vulnerability assessment and a penetration test?

What’s the difference between a vulnerability assessment and a penetration test? The answer to that question depends on who you choose to ask. For some people they are effectively one and the same thing; for others there are clear distinctions. So what’s the true position? Are vulnerability assessments and penetration tests effectively two sides of the same coin, or are there clear differences between the two? The short answer is that whilst a penetration test may be a form of vulnerability assessment, a vulnerability assessment is definitely not a penetration test.

Vulnerability Assessments

A vulnerability assessment is the process of running automated tools against defined IP addresses or IP ranges to identify known vulnerabilities in the environment. Vulnerabilities typically include unpatched or misconfigured systems. The tools used to run vulnerability scans may be commercially available products or free open-source tools.

The commercial versions typically include a subscription to maintain up-to-date vulnerability signatures, similar to anti-virus software subscriptions. These tools provide a straightforward method of performing vulnerability scanning. Organisations may also choose to use open-source versions of vulnerability scanning tools. The principal advantage of open-source tools is that they allow you to use the same tools of the trade as hackers: after all, hackers are unlikely to pay for an expensive subscription when they can download tools for free. The advantage of using a commercially licensed vulnerability scanner is that there is a lower risk that malicious code is included in the tool.

The purpose of a vulnerability scan is to identify known vulnerabilities so they can be fixed, typically through the application of vendor-supplied patches. Vulnerability scans are critical to an organisation’s vulnerability management programme. The scans are typically run at least quarterly, though many experts would recommend monthly scans.

Penetration Tests

A penetration test takes the vulnerability assessment to a different level. One of the initial phases performed by a penetration tester is a vulnerability scan to learn the IP addresses, device types, operating systems and vulnerabilities present on the systems. Unlike a vulnerability scan, however, the penetration tester does not stop there. The next phase of a penetration test is exploitation, which takes advantage of the vulnerabilities identified in the system to escalate privileges, gain control of the network or steal sensitive data from the system. The exploitation phase also uses automated tools, which the penetration tester can configure to execute automated exploits against the systems. Experienced penetration testers will also perform manual exploitation of the system’s vulnerabilities.

Penetration tests are categorized as white box or black box tests. White box tests are performed with the full knowledge of the target company’s IT Department. Information such as network diagrams, IP addresses and system configurations is shared with the tester. The white box approach tests the security of the underlying technology. The black box test closely represents a hacker attempting to gain unauthorized access to a system. The IT Department is unaware a test is being performed and the tester is not provided detailed information about the target environment. The black box method of penetration testing evaluates both the underlying technology and the people and processes in place to identify and block real-world attacks.

Both the vulnerability assessment and the penetration test should be performed against internal and external servers and network devices. Testing the external interfaces simulates a hacker attempting to gain access from the Internet through publicly available interfaces. The internal test simulates a rogue employee or unauthorized user with access to the internal network attempting to escalate their privileges to gain access to internal systems or data.

Although vulnerability assessments and penetration testing have different goals, both should be performed by a skilled information security professional to improve the overall security of the information system. The vulnerability assessment should be performed regularly to identify and fix known vulnerabilities on an ongoing basis. The penetration test should be performed by a skilled and experienced penetration tester at least once a year, and definitely after significant changes in the information systems environment, to identify exploitable vulnerabilities in the environment that may give a hacker unauthorized access to the system.

If your business needs help with penetration testing, security audits or security solutions, please contact Krypsys on 01273 044072 or [email protected].