Read about the differences between vulnerability assessments and penetration testing to learn which is best for your organization.

We all know you are only as strong as your weakest link, and that is especially true when it comes to identifying weaknesses and vulnerabilities in your corporate infrastructure. One of the biggest issues I see is that many people can't agree on, or don't understand, the difference between a vulnerability assessment and a penetration test. This can be VERY problematic if you are trying to protect your organization from a data breach.

Vulnerability management is a critical component of any sound security program, no matter the industry, because it enables proactive detection and remediation of critical security vulnerabilities. Security professionals who use vulnerability management tools are able to quickly identify and correct weaknesses before they are exploited, rather than relying solely on defensive security measures for protection.

Defining the difference

Vulnerability assessments or scans are often confused with penetration testing and the terms are used interchangeably, but they couldn't be more different. The objective of a vulnerability assessment is to identify and analyze possible vulnerabilities that may be exploited by malicious persons or activities, solely from a technological standpoint. There are numerous definitions of vulnerability assessments and scans. For this post, I chose the PCI DSS guidance in section 11.2 to provide clarity:

Malicious individuals are discovering vulnerabilities constantly. To combat this, you should test your systems, applications and custom software on a regular basis to ensure that security controls continue to reflect an ever-changing environment.

Organizations should run internal and external network vulnerability scans at least quarterly (preferably monthly or more often), and especially after any significant change has occurred in the network, such as the addition of new systems, services, applications or other technology installations, changes in network topology, firewall rule or ACL modifications, or product upgrades. Vulnerability scans using tools such as Nexpose, Qualys, SAINT or Nessus should be configured for each network segment and geographical location, and scheduled in accordance with the rules of engagement. Creating an option profile for each segment to be tested gives you the flexibility to tailor the vulnerability assessment to that segment.

A penetration test can be performed as a follow-up to a vulnerability assessment, because it actually attempts to exploit identified vulnerabilities that may lead to unauthorized access and to interruption, interception, modification or fabrication of corporate data.

The spirit of a penetration test is to simulate a real-world live attack, with the ultimate goal of identifying how far an attacker may be able to penetrate your business. The penetration test will provide the information needed to effectively lock down items such as customer records, financial data and/or intellectual property. A typical attacker takes several logical steps in order to identify and exploit a specific vulnerability. Your penetration tests should replicate this process to ensure identified vulnerabilities are verified and accurately reported to management.

In addition, defining the success criteria for the penetration test allows the assessment firm to set limits on the depth of the penetration test.

Possible success criteria may include:

  • Direct observation of access to restricted services or sensitive data in the absence of expected security controls
  • Evidence of a compromised asset used by privileged accounts/users to access the sensitive data
  • Compromise of the corporate domain used by privileged users or unauthorized people
  • No compromise of the targeted systems in scope

The success criteria will vary environment to environment and should be established during an initial pre-engagement meeting prior to testing.

To ensure technical and operational risk is being managed, organizations should perform penetration tests once or twice a year.

Which service is best for my organization?

That depends on your industry and on what standards, regulations and frameworks you need to adhere to. If your organization processes, stores or transmits sensitive data, needs to adhere to regulations, or wants to protect the confidentiality, integrity and availability of its corporate data, then you're an ideal candidate for these security services. But knowing where to start requires you to know your organization's risk appetite, its risk tolerance and what is required of it. So make sure you have a discussion with all the right people before enlisting a vendor.

When selecting a vendor, be sure to evaluate their competencies: years of experience, certifications, past performance, the last assessment conducted, report format, methodology and approach. Does the methodology align with frameworks like the National Institute of Standards and Technology (NIST) Special Publication 800-115? Is the report format easy to understand? Have they conducted a comparable assessment within the past year?

Another thing to keep in mind is rotating vendors for your security services. It's healthy and wise to keep a fresh set of eyes on your environment, and a little competition never hurt anyone.