Vulnerability Assessment vs. Penetration Test

It is all about Vulnerabilities. 

So, what is the Vulnerability? It is a Weakness in an Information System or System Security Procedures or Internal Controls or System Design or System Implementation or Configuration/Setup that will raise risk and expose it to be exploited or triggered by a threat actor. 

As Window Snyder - Chief Security Officer at Square, Inc. said: "One single vulnerability is all an attacker needs.".  

To find this vulnerability we need to search for it and to search for it we need to test the system from a security perspective to find it. So, Security Testing is to identify the threats in or on the system and measure its potential vulnerabilities "Weaknesses" so these threats and vulnerabilities must be remediated to reduce the risk. In other words, Security Tests are to identify all possible loopholes and weaknesses of the system which might result in a loss of information, revenue, repute at the hands of the employees or outsiders of the Organization.

There is a considerable amount of confusion in the industry regarding the differences between Vulnerability Scanning/Assessment (VA) and Penetration Testing (Pentest), as the two phrases are commonly interchanged. However, their meaning and implications are different. 

The Vulnerability Assessment simply identifies and reports known vulnerabilities, whereas a Penetration Test (Pentest) identifies known/unknown vulnerabilities and attempts to exploit them to determine whether unauthorized access or other malicious activity is possible. Sure, I will not depend on these definitions. I will elaborate more about it later in this article. But, to start we need to know at least a simple definition of these two essential tests in Information Security.

Before start explaining about definitions of these tests. I would like to explain why I prefer to begin the article with the Vulnerability Assessment then moves to Penetration Test. 

Vuleraibiltiey Assessment is a standalone exercise and also it is one of the fundamental phases in Penetration Testing. So, starting with Vulnerability Assessment will save us some time by not repeating the same definition when we reach it in the Pentation Test.  

What is Vulnerability Assessment (VA)? 

Many organizations undertake vulnerability assessments to tick a box, usually for compliance. Which is a wrong understanding for a very very very important and cornerstone exercise in Information Security !!! Imagine a thief reconnaissance for and identifying a back entrance to your house, but not entering. And you don't know about that back entrance. Isn't that will be scary because he/she may use it to harm you somehow. So, you should be alerted and close this entrance.

Vulnerability Assessment is a scan which is following a process of identifying, quantifying, and prioritizing (or ranking) the severity of the vulnerabilities in a system based on known vulnerabilities. It uses an automated tool in this process to check the systems if it has vulnerabilities.

These tools depend on Known Vuleraibilties retrieved from the Vulnerability Database like OSVDB, NVD,...etc. Which is updated frequently with the latest vulnerabilities.

The results of the scan will show how an application, website, server, or other systems are vulnerable, but it doesn’t exploit it.

This exercise is not fully automated it needs the involvement of an Infosec expertise to analyze the resulted report then filter out the false positive based on research that he/she will perform and his/her experience. Moreover, filtering and sorting the results of the report has to be based on Business Criticality because not all vulnerabilities will be patched as soon as the report is released. In the last stage, a final report will be shared with the concerned team like System Administrator or Network Administrator. Accordingly, they can work on remediating the vulnerabilities. Just to mention that this is one of the main phases that is performed by adversaries "Hackers" while they are planning to attack you.

Performing a Vulnerability Assessment on your organization's Systems, Servers, and Applications more frequently is recommended. The schedule for this exercise must be performed at least every month or less on critical Business Systems. Also, it is recommended to be performed on newly implemented applications, Servers, and Systems before launching it.

The article "Vulnerability Management (VM) vs. System Admins. It is a challenge !!!" will explain more about the implementation of Vulnerability Assessment and Vulnerability Manamgnet in the organization.

What is the Penetration Test (Pentest)? 

Penetration testing is a monitoring control, which periodically checks the efficiency of the vulnerability management process. If vulnerability management is done right, penetration testing should turn out to be a “blank report”. Which is not easy!!!

Penetration testing is a method of identifying and testing vulnerabilities or gaps in IT security (systems or networks or applications) that could be exploited in external or internal organization infrastructure or applications, leaving your business at greater risk. A penetration test usually begins with an automated vulnerability scan but goes into far more depth. In our thief scenario, this time they are checking for a back entrance and then actually entering the building.

This testing many people might consider ‘hacking’ which is a systematic examination of organization applications or networks or systems undertaken by qualified, experienced security experts (consultants) who have been given permission to exploit the vulnerabilities and misconfigurations they find to determine their potential impact. The consultant will work to a defined test methodology to enter the network through the identified gaps (hence the term, ‘penetration’), using their knowledge, Open Source information, and a range of tools. 

Once vulnerabilities have been identified and tested in your systems and networks, they provide expert advice for strengthening your defenses and how to remediate them by issuing a comprehensive report about the full pentest exercise. 

Penetration testing is not enough by itself because it is an exercise that will consume time and effort so it will take a longer time than Vulnerability Assessment. So, Penetration testing frequency to be performed on the organization as highly regulated industries is once or twice a year it will be enough. Just to mention in this part that Penetration testing can be done on newly developed and implemented applications or systems before or after it went live. But that will not replace the application security review testing phase on the newly developed applications or systems that need to be performed as part of the application or system project test phase.

Going through all Security Tests will take longer and will make this article boring. The purpose of this article is to explain the difference between VA (VuleraibiltiyAsssessment) and PT (Pentest) only. 


By Abdulla Abusaif, CISSP, GMON, PMP, CEH, Security


Comments

  1. Ana CyberJuly 3, 2021 at 2:25 PM

    Assessing potential threats is essential to detect vulnerabilities. An effective cyber security strategy includes vulnerability assessment services and strategies to secure data and system in order to avoid potential risk. Thank you for sharing this. Information Security Auditing

    ReplyDelete
    Replies
    1. Abdulla AbusaifNovember 4, 2021 at 11:35 PM

      Agree. thank you for sharing your opinin and comments.

      Delete
  2. Trusted Business SolutionsSeptember 6, 2021 at 1:42 PM

    This blog is really helpful to deliver updated affairs over internet which is really appraisable. Fortinet managed services

    ReplyDelete
  3. Ana CyberNovember 12, 2021 at 2:51 AM

    Very insightful information you have shared here about vulnerability assessment and pen testing. I appreciate the author's efforts in writing such an amazing article. Thank you for sharing this. Great blog. Find cyber security companies in Mumbai.

    ReplyDelete
  4. James ZicrovApril 28, 2022 at 12:20 PM

    Nice post ... but but I feel it’s time to raise the qualities of your posts.:)

    Application Vulnerability Scan

    ReplyDelete
  5. rainiabeeNovember 7, 2022 at 7:53 AM

    Be positive to use your Thunder Rewards card to qualify, ought to a bonus jackpot strike your machine. In terms of payout rates and reliability, free slots and 먹튀사이트 먹튀프렌즈 classic slots are just about alike. Classic slots are identified for their long-term payout rates, whereas free slots are identified for their fast hit price.

    ReplyDelete
  6. cottondayzApril 3, 2023 at 9:19 AM

    Impressive and powerful suggestion by the author of this blog are really helpful to me.
    Cotton Women's Clothing Australia

    ReplyDelete

Post a Comment

Popular posts from this blog

Information Security in Organization Structure (CISO)

In this article, I will introduce the concept of Information Security (InfoSec) as an independent section or department in the organization. I will start from the beginning by explaining what is information and what is information in the organization until we reach to a point where we can differentiate between Information Technology (IT) and Information Security (InfoSec) which is somehow related terms and also a related department in the organization. But, it should to independent departments in the organization. Just to mention at the beginning that the purpose of this article is not to reduce the importance of IT in the organization but to clarify that IT is a department that is handling an important part of the organization strategy and goals and InfoSec also handling another impotent part of the organization strategy and goals. Better to start by explaining what is Information. It is something that people can learn, know about, or understand. For example, the book contain
Read more

Vulnerability Management (VM) vs. System Admins. It is a challenge !!!

I was facing problem in arranging my thoughts on how I can manage the vulnerability scan results of the servers and other equipment on my network.  I wrote this article to bring the results of the research that I performed in this field to help others in managing the vulnerabilities and resolve it as soon as possible. Because the main factor in vulnerability management is time as soon as you resolve it as soon as you will be secure.    Vulnerability assessment (VA)  is part of the vulnerability management (VM) tasks that the security professional perform on regular basis. The first step in any VM task is to discover your network and find all the assets you have to assess the vulnerabilities on it. So, you need a tool to map and discover your network and run it. Keep in mind to perform the discovery scan on a frequent basis to keep your asset list up to date.  The second step reviews the results and group  the assets based on an operating system that assets run on. The method I u
Read more