The terms “vulnerability assessment” and “penetration testing” are often confused. In many conversations, the terms are either used interchangeably or one is perceived as a subset of the other. Although these two activities can partially overlap, they are distinct activities, and each has its own specific set of goals.
Both vulnerability assessments and penetration tests attempt to identify vulnerabilities that could allow an attacker to compromise your systems. Organizations use the resulting reports to implement controls that help secure those systems. The primary difference between these two activities is one of focus. A vulnerability assessment attempts to identify as many of the vulnerabilities that exist in a system or environment as possible. A penetration test, on the other hand, is more focused on finding a way to access some protected resource. In other words, a penetration test doesn’t involve finding all the vulnerabilities, just the ones that allow a system to be compromised.
Here’s some guidance on how vulnerability assessments and penetration tests can be best used to provide the greatest value to organizations of any size.
Many organizations that become interested in being more secure start with some level of vulnerability assessment. This assessment considers a specific environment and attempts to identify its security vulnerabilities. The goal is to be as broad as possible and determine which, if any, of the many known vulnerabilities exist in the assessment’s scope.
It is common for organizations to have their internal personnel conduct the assessments. For smaller organizations, internal assessments may be all that is needed, but larger, more complex environments may need a more extensive assessment that requires external expertise.
Many vulnerability assessment steps can be automated. There are various software tools for this, including OpenVAS, Nessus Professional, Nexpose and Microsoft Baseline Security Analyzer. There are many more general and scope-specific assessment tools, but these are a few of the more common ones.
The typical approach for conducting a vulnerability assessment is to use a collection of tools that scan a group of systems to see if they can detect any known vulnerabilities. Any previously unknown vulnerabilities that security personnel discover are submitted to general repositories of vulnerabilities.
The most well-known vulnerability repository is the Common Vulnerabilities and Exposures (CVE) database, which has been maintained by the MITRE Corporation for nearly 20 years. Some researchers have proposed an alternative to the CVE database called the Distributed Weakness Filing (DWF) repository. These two repositories contain extensive collections of identified vulnerabilities.
The general vulnerability assessment process is to periodically scan a computing environment to identify as many vulnerabilities found in the CVE or DWF repositories as possible. There are other more detailed steps in the process to ensure each system in scope complies with industry best practices. The team conducting the assessment then creates a report that contains all identified vulnerabilities, ranked by severity, and remediation recommendations for each one. It is recommended to conduct such an assessment quarterly, as new vulnerabilities are discovered daily.
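The reporting step of that process, as an added example that is not code from the article or from any scanner vendor: a small Python script that takes the raw findings a scanner produces, removes duplicate reports of the same issue on the same host, ranks them by CVSS severity band, attaches the remediation for each, and compares the result with the previous quarter’s scan to show what is new, what persists, and what has been remediated. The finding records are constructed sample data, and the CVE identifiers in them are placeholders of the form CVE-0000-000N, not real entries.

```python
"""Rank and diff vulnerability-scan findings (illustrative, not scanner code)."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)  # frozen: hashable, so a set() deduplicates findings
class Finding:
    host: str
    cve_id: str
    cvss: float
    remediation: str


# CVSS v3.x qualitative severity bands (floor score, label), highest first.
SEVERITY_BANDS = (
    (9.0, "Critical"),
    (7.0, "High"),
    (4.0, "Medium"),
    (0.1, "Low"),
)


def severity(cvss: float) -> str:
    """Map a CVSS base score onto its qualitative band."""
    for floor, label in SEVERITY_BANDS:
        if cvss >= floor:
            return label
    return "None"


def rank_findings(findings):
    """Deduplicate identical findings and sort them most severe first."""
    return sorted(set(findings), key=lambda f: (-f.cvss, f.host, f.cve_id))


def summarize(findings):
    """Count findings per severity band."""
    return Counter(severity(f.cvss) for f in findings)


def diff_scans(previous, current):
    """Quarter-over-quarter delta keyed on (host, cve_id)."""
    prev_keys = {(f.host, f.cve_id) for f in previous}
    cur_keys = {(f.host, f.cve_id) for f in current}
    return {
        "new": sorted(cur_keys - prev_keys),
        "remediated": sorted(prev_keys - cur_keys),
        "persisting": sorted(cur_keys & prev_keys),
    }


def report(previous, current) -> str:
    """Render the ranked findings, remediation, and the delta as plain text."""
    ranked = rank_findings(current)
    counts = summarize(ranked)
    lines = ["Findings by severity: " + ", ".join(
        f"{band}={counts[band]}" for _, band in SEVERITY_BANDS if counts[band])]
    for f in ranked:
        lines.append(f"[{severity(f.cvss):8}] {f.host:8} {f.cve_id:14} "
                     f"CVSS {f.cvss:.1f}  fix: {f.remediation}")
    delta = diff_scans(previous, current)
    for label in ("new", "remediated", "persisting"):
        items = ", ".join(f"{h}:{c}" for h, c in delta[label]) or "-"
        lines.append(f"{label:10}: {items}")
    return "\n".join(lines)


# Constructed sample scans; CVE ids are placeholders, not real identifiers.
PREVIOUS_SCAN = [
    Finding("web-01", "CVE-0000-0001", 9.8, "upgrade web server"),
    Finding("web-01", "CVE-0000-0002", 5.3, "disable TLS 1.0"),
    Finding("db-01", "CVE-0000-0003", 7.5, "apply vendor patch"),
]
CURRENT_SCAN = [
    Finding("web-01", "CVE-0000-0002", 5.3, "disable TLS 1.0"),
    Finding("web-01", "CVE-0000-0002", 5.3, "disable TLS 1.0"),  # duplicate
    Finding("db-01", "CVE-0000-0003", 7.5, "apply vendor patch"),
    Finding("mail-01", "CVE-0000-0004", 4.3, "enforce STARTTLS"),
    Finding("mail-01", "CVE-0000-0005", 9.1, "apply vendor patch"),
]

if __name__ == "__main__":
    print(report(PREVIOUS_SCAN, CURRENT_SCAN))
```

In a real assessment the finding lists would be parsed from the scanner’s export rather than written inline, but the ranking and the quarter-over-quarter delta are what make the report actionable: the delta shows whether remediation is keeping pace with newly disclosed vulnerabilities.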
A penetration test, commonly called a pen test, is more focused than a vulnerability assessment. The purpose of a pen test is to attempt to compromise a protected resource. Pen testers aren’t interested in identifying and documenting all the vulnerabilities in an environment; they just want to find a way to break in. The focus of a pen test is on depth, or how far they can “reach into” an environment, as opposed to the broad focus of a vulnerability assessment.
Pen testers may initially use some of the same tools that vulnerability assessors use, but the goal is just to identify the easiest access path. While a vulnerability assessment may rely on automated tools, pen testing normally extends far beyond software tools. An effective pen test is quite labor-intensive and relies more on skill and experience than most vulnerability assessments. The main reason for this is that pen testers must effectively assess an environment and capitalize on any security weaknesses. These weaknesses don’t have to be technical gaps, either: People are often the weakest link in any strategy.
One of the biggest differences between vulnerability assessments and pen tests is the use of social engineering. Pen testers can essentially use any means, including technical and nontechnical tactics, to compromise existing security controls. Carrying out social engineering attacks can be fun and productive. Regardless of how sophisticated an organization’s technical security controls are, good pen testers know that it only takes one careless or distracted user to provide an opening that can be exploited. People are hard to assess for their ability to resist social engineering attacks, and they generally want to be helpful, so you’ll see many pen testers leverage people in their attacks.
While a vulnerability assessment report will contain details of many vulnerabilities, the pen test report simply details in what ways the attacks were successful. While the pen test report may contain a narrative of attack paths that were not successful, the bulk of the report focuses on what vulnerabilities allowed the compromise to succeed and how the attack could have been stopped. The content of the report helps the organization determine how to deter real attackers from using the same tactics to break in.
Pen tests can be carried out less frequently than vulnerability assessments: Annual pen testing should be sufficient.
Which Should You Choose?
Vulnerability assessments and pen tests each have value and can help make organizations more secure. The right choice for a specific organization and circumstance depends on several factors, but the most important is probably how mature the organization’s security policy is.
If your organization is just starting to focus on security, a solid vulnerability assessment is a great place to start. You’ll likely uncover more vulnerabilities than you thought were present. If this is your first time conducting a vulnerability assessment, try using a straightforward software tool like Nexpose or Microsoft Baseline Security Analyzer. These tools are fairly easy to learn and use and will provide a good list of discovered vulnerabilities. After you’ve carried out a few assessments, take a look at OpenVAS or Nessus Professional. These two are a little more complex but provide far greater coverage of environmental vulnerabilities.
On the other hand, if you have already conducted several vulnerability assessments and want to see how well you’ve secured your system, then a pen test may be in order. Pen tests may be conducted by internal personnel, but it is a little more common to engage external resources that excel at conducting pen tests. Carrying out effective pen testing requires a particular set of skills, and those skills take time and experience to acquire. A good pen tester can efficiently devise an attack plan that follows the most likely weak controls. Those are the ones you most need to mitigate.
As your security readiness matures, you’ll probably use both vulnerability assessments and pen tests. They work well together to make your environment difficult to compromise.
Article written by Michael Solomon PhD CISSP PMP CISM, Professor of Information Systems Security and Information Technology at University of the Cumberlands.