Vulnerability assessments and penetration tests are vital to any organization’s vulnerability management program. The two methods provide similar services but offer very different types of value – value the risk management department often doesn’t fully understand.
Ultimately, the organization needs to determine which type of assessment, or combination of assessments, fits its overall IT security strategy best. That decision should be based on a risk assessment as well as the IT infrastructure and management’s input.
In a vulnerability assessment, an automated tool scans the IT infrastructure and reports the results. The tool’s job is to identify all systems and the associated applications and services they are running. Based on this information, the tool attempts to identify issues such as missing patches, default passwords, and known exploits.
All the problems the tool has identified are then presented in a vulnerability assessment report. Note that a typical vulnerability assessment doesn’t include confirmation or validation of the identified issues, so the tool’s accuracy is often not verified. Rather than being removed, false-positive findings are usually left for IT administrators to determine whether they are truly issues.
A vulnerability assessment does not explore a purported issue’s impact outside of rudimentary factors that are often based on tool output. For example, a vulnerability scanning tool would identify a weak password in a database and rank it as a high-risk vulnerability. However, the tool would fail to take into account the fact that the database might not contain sensitive information and that the default password allows no unauthorized user to access the underlying operating system or escalate the user’s privileges.
Overall, vulnerability assessments and the tools used to perform them do identify the first step an attacker might take to access systems and data.
Vulnerability assessments do not comprehensively quantify the potential impact of findings or identify the remediation issues that should be the organization’s real priorities.
Penetration testing, often referred to as “pentesting” or “ethical hacking,” mimics a real-world attacker attempting to access systems and data. The penetration test identifies vulnerabilities and combines or “chains” them together to obtain unauthorized access to sensitive data or administrative control of systems housing sensitive information. Penetration testing typically uses vulnerability scanning software as well as other service-specific tools to efficiently get a picture of a company’s fundamental security in the allotted test time and to identify attack vectors into the organization.
Unlike vulnerability assessments, penetration tests can take into account mitigating controls and the potential impact of a vulnerability. Using the human factor, penetration tests can also chain together identified vulnerabilities in order to understand the potential impact of those vulnerabilities and to dive deeper into the environment, well past layer one.
The Necessity of Both
Both vulnerability assessments and penetration tests are critical to managing risk, and vulnerability management programs usually incorporate both.
The value of a penetration test’s analysis exceeds that of a vulnerability assessment because a penetration test’s scope is greater. The overall cost of pentesting, however, usually prohibits it from being done more than once a year. The simpler vulnerability assessment can usually be executed in-house and is often done quarterly or even monthly, in conjunction with regular vulnerability assessments.
To sum up:
CIOs, audit personnel, and information security officers need to be aware of these two types of assessments and the value of each. The better CIOs and risk managers understand both types of assessments, the better an organization’s comprehensive security strategy will fit the business’s overall goals.
In accordance with applicable professional standards, some firm services may not be available to attest clients.
© 2017 Crowe Horwath LLP, an independent member of Crowe Horwath International.
As of June 1, 2016, the professionals of AbleBridge have joined Crowe Horwath LLP, a public accounting, consulting, and technology firm. We continue our focus on Microsoft Dynamics® CRM (now Dynamics 365) sales and implementation as well as innovative add-on products.