Penetration Test Versus Vulnerability Assessment

The Difference Between Technical Security Weaknesses Discovery Techniques

For years customers have been confused what is the difference between a Penetration Test and a Vulnerability Assessment, with CREST officially launching separate accreditation for the two techniques now.

Vulnerability Assessments are most often used by organisations when they want to identify the vulnerabilities present in their infrastructure and get a high-level overview of their security posture. It involves an external approach and includes automated processes.

“Vulnerability assessment (sometimes referred to as ‘scanning’) is the use of automated tools to identify known common vulnerabilities in a system’s configuration.”

-CREST

Through this exercise, the company can discover system and software vulnerabilities. Examples of well-known software issues, often patched through updates, include remote code execution, denial of service, information disclosure.

Vulnerability Assessments are useful for companies who do not have visibility or understanding of their security posture. For organisations with legacy infrastructure, it is a quick, cost-effective way to identify and focus on software versions and systems that can be fixed easily.

Bigger organisations tend to perform a Vulnerability Assessment at least every quarter, as both a Penetration Test and Vulnerability Assessment provide a correct analysis of your security posture at the time of examination.

There are different levels of a Vulnerability Assessment. The automated part does not require highly skilled engineers, which may be the service you get from certain vendors. However, our experience and team bring additional value through Open Source Intelligence (OSINT) gathering exercises as well as the aftercare we are able to provide customers.

A Penetration Test is different to a Vulnerability Assessment as it not only identifies cyber issues within the company’s infrastructure, systems and operations but also exploits these vulnerabilities and if necessarily combines them to achieve a specific objective.

For example, if the Pen Tester’s objective is to gain internal network access they would find a vulnerability that allows them to upload files, then another one that lets them find those files, and another one that marries these up to execute something malicious.

“A Penetration Test is typically an assessment of IT infrastructure, networks and business applications to identify attack vectors, vulnerabilities and control weaknesses.”

– CREST

We use a simple allegory to a network – a house. A vulnerability Assessment would identify problem areas such as a rusty lock, a half-opened window, a garbage bin that someone can step on, but stop at that. A Penetration Test would also involve someone trying to exploit these findings to break into the house – checking if the rusty lock is unlocked or if they can step on the garbage bin to access the opened window.

However, while a Pen Test brings more value to a company compared to a Vulnerability Assessment, both have their uses and applications. It allows for a staged approach, as without a prior vulnerability assessment a Pen Test report may include an overwhelmingly long list of issues.

A Vulnerability Assessment allows an engineer to have a more targeted Pen Test approach adding more value to the customers. However, a Pen Test requires more resources, manual checks and even physical attempts to achieve a malicious cyber objective. It takes much longer compared to a Vulnerability Assessment. The latter would typically take a maximum of a day, while a penetration test can require more than several days of onsite work. The CyberLab Penetration Testers will perform a vulnerability check as part of the exercise unless the assignment requires ‘undercover’ work since the software for this can be rather ‘noisy’.

 

It is important to note that both a Vulnerability Assessment and a Pen Test are only worthwhile if the organisation actions the remediation actions from the reports, proactively tries to change and improve their security posture.

CREST is an international not-for-profit accreditation and certification body that represents and supports the technical information security market (Source: CREST).

CREST officially launched a Vulnerability Assessment (VA) Accreditation discipline from the 1st of October, which CyberLab is certified under along with Cyber Essentials, Cyber Essentials Plus and Penetration Testing.

Among the benefits of using a CREST certified provider are the objectivity and the quality guarantee. All reports created by CyberLab’s Penetration Testing team are vendor agnostic, performed under strict NDAs, kept completely separate to the rest of the business, including other engineers and sales team. This means that while our Pen Testers can make solution recommendation based on an identified vulnerability, they will not be biased towards a vendor that may offer such solutions.

Check our blog for more Pen Testing content or our website to learn more about the penetration testing process.