
Vulnerability Assessments vs. Penetration Testing. Is there really a difference?

Posted by Joshua Harp on May 22, 2017 12:26:30 PM

Puzzled on services? Fit the pieces together with vulnerability assessments and penetration testing.

As a business grows, so do the opportunities for a security breach, and it becomes necessary for your customers to understand the difference between a vulnerability assessment and a penetration test. Some will say that the two overlap and are much the same; in practice, they serve distinctly different purposes.

To put it simply, a vulnerability assessment looks for known vulnerabilities and misconfigurations across a company’s network and reports on the potential exposures, without attempting to exploit them. A penetration test takes the next step: it actively tries to exploit those weaknesses in order to penetrate critical systems within the network.

Assess or Test?

SANS, a leader in information security research, defines vulnerabilities as the “gateways by which threats are manifested.”1 In other words, a company’s network can be compromised through a single weakness in any one of its systems. The goal of a vulnerability assessment is to find those weaknesses and potential exposures so that the necessary patches can be applied or preventive measures put in place.

Most companies asking for a penetration test will already have security measures in place to address or mitigate their known vulnerabilities. The purpose of the penetration test is then to evaluate how well their intrusion detection and response capabilities perform against a real attack, or to raise management’s awareness of possible security issues.

A penetration test differs greatly from a vulnerability assessment because its goal is an attempted breach of the company’s network. It emulates an intruder approaching a house, surveying the ways in, evaluating those options and then trying to gain and retain access. A penetration test should never be sold as, or mistaken for, a full security audit; what it does provide is a realistic view of how well a company has implemented security within its network.

The question now becomes, which does a company need?

If a company does not know what assets reside on its network, and therefore which hidden gateways threats could use, it should have a vulnerability assessment conducted first. An assessment reviews all servers and network devices in depth and identifies more issues, faster, than a penetration test would. That is not to dismiss the value of a penetration test: a vulnerability assessment falls short precisely because it does not show how far an attacker can actually get.

This is where a penetration test comes into play. After a vulnerability assessment, a company knows the gateways by which threats can manifest. Because of cost, dependencies or an unwillingness to patch, some of those vulnerabilities will remain, and the company stays exposed to risk. It may therefore buy appliances and applications and establish security procedures to lower that risk. But how does it know that what it has put in place will actually protect the company? A penetration test shows exactly that. Penetration testers adopt the mindset of an attacker, exploring every avenue to gain and retain entry to the network, and in doing so verify that the safeguards really work. Why let a single unpatched vulnerability, without proper intrusion detection and response, be the gateway an attacker uses to get in?
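The two paragraphs above describe a workflow: the assessment produces a list of exposures, some get patched, some are left behind a claimed safeguard, and only a penetration test tells you whether that safeguard holds. The following Python script is an added example written for this post, not a Tech Data tool and not code from the original article. It triages a constructed set of assessment findings against the controls management claims cover them and the outcome of a pentest against each endpoint, then ranks what to deal with first. Every host, finding, control and pentest result in it is hypothetical sample data; no real vulnerability identifiers are used.

```python
"""Triage vulnerability-assessment findings against claimed safeguards and
penetration-test outcomes. All hosts, findings, controls and results below are
constructed for illustration (hypothetical data, no real identifiers)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

Endpoint = Tuple[str, int]  # (hostname, port)


@dataclass(frozen=True)
class Finding:
    """One line of a vulnerability assessment report."""
    host: str
    port: int
    title: str
    cvss: float      # scanner-supplied base score, 0.0 to 10.0
    patchable: bool  # a vendor fix or config change exists and could be applied

    @property
    def endpoint(self) -> Endpoint:
        return (self.host, self.port)


@dataclass(frozen=True)
class Control:
    """A compensating safeguard that management says protects some endpoints."""
    name: str
    covers: FrozenSet[Endpoint]


# Pentest outcome per endpoint attacked: "exploited" or "blocked".
# Endpoints absent from the map were never attempted by the testers.
PentestResults = Dict[Endpoint, str]

# Report ordering: what demands attention first.
RANK = {
    "control_bypassed": 0,    # the safeguard was tested and failed
    "patch_now": 1,           # a fix exists and nothing else protects the endpoint
    "unmitigated": 2,         # no fix, no claimed control
    "control_unverified": 3,  # a control is claimed but nobody has tested it
    "control_held": 4,        # the pentest tried and was stopped
}


def triage(findings: List[Finding], controls: List[Control],
           pentest: PentestResults) -> Dict[Finding, str]:
    """Assign each finding a status based on what is actually known about it."""
    status: Dict[Finding, str] = {}
    for f in findings:
        claimed = [c for c in controls if f.endpoint in c.covers]
        if not claimed:
            # The assessment alone is enough to decide these two cases.
            status[f] = "patch_now" if f.patchable else "unmitigated"
            continue
        # A control is claimed; only a pentest result can say whether it works.
        outcome = pentest.get(f.endpoint)
        if outcome is None:
            status[f] = "control_unverified"
        elif outcome == "blocked":
            status[f] = "control_held"
        else:
            status[f] = "control_bypassed"
    return status


def residual_risk_report(findings: List[Finding], controls: List[Control],
                         pentest: PentestResults) -> List[Tuple[str, str]]:
    """Return (title, status) pairs, worst first, ties broken by CVSS."""
    status = triage(findings, controls, pentest)
    ordered = sorted(findings, key=lambda f: (RANK[status[f]], -f.cvss))
    return [(f.title, status[f]) for f in ordered]


# Constructed sample data (hypothetical hosts and findings).
FINDINGS = [
    Finding("fileserver01", 445, "SMBv1 enabled on file server", 8.1, True),
    Finding("web01", 443, "End-of-life TLS library on public web server", 7.5, True),
    Finding("plc-gw01", 502, "Unauthenticated Modbus/TCP on plant gateway", 9.8, False),
    Finding("mgmt01", 22, "Default credentials on management interface", 9.0, True),
    Finding("hr-app01", 8080, "Outdated application server, vendor has no fix", 6.5, False),
    Finding("printer07", 9100, "Raw print port reachable from user VLAN", 5.3, False),
]
CONTROLS = [
    Control("IPS signature set for SMB exploitation", frozenset({("fileserver01", 445)})),
    Control("Internal segmentation firewall", frozenset({("plc-gw01", 502)})),
    Control("Web application firewall", frozenset({("hr-app01", 8080)})),
]
PENTEST: PentestResults = {
    ("fileserver01", 445): "exploited",  # the IPS did not stop the testers
    ("plc-gw01", 502): "blocked",        # segmentation held
}

if __name__ == "__main__":
    for title, st in residual_risk_report(FINDINGS, CONTROLS, PENTEST):
        print(f"{st:<20} {title}")
```

The point of the ranking is the one the post makes: the scanner can tell you what to patch, but the items it cannot settle (a claimed control that was bypassed, or one that has never been exercised) are exactly the ones a penetration test exists to answer.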

Would you like to learn more about which service is the best fit for your customers? Contact your Tech Data account representative or email us at securityservices@techdata.com.

Sources:

  1. “SANS Institute InfoSec Reading Room.” 2001
