Vulnerability Assessment versus Penetration Test
What’s the difference?
- What is a Vulnerability Assessment?
- What is the difference between a Vulnerability Assessment and a Penetration Test?
Vulnerability Assessments (VAs) are usually seen as a lesser service when compared to a Penetration Test (Pen Test). However, they are both an essential part of your information security program and should be part of your regular testing schedule.
What is a Vulnerability Assessment?
A Vulnerability Assessment is an automated activity that actively scans for possible security vulnerabilities within an internal or external infrastructure (including all systems, network devices and communication equipment connected to that network) that cybercriminals could exploit.
It is conducted against infrastructure IP addresses and produces a report to identify any issues found and allow you to resolve them.
Examples of issues could be:
- Unpatched software
- Misconfigured or open ports
- Default credentials being used, e.g. admin/admin
- Configuration that falls short of best practice, such as insecure communication protocols, e.g. older TLS versions
A Vulnerability Assessment is what you would start with if you have never undertaken any security testing. It’s the first step on your security testing journey and can be used to identify the immediate risks to your business, allowing you to take action to remediate quickly.
However, Vulnerability Assessments are also an essential part of ongoing testing. Therefore, they should be conducted regularly – once a month or quarter, depending on your rate of change and risk appetite.
Running regular Vulnerability Assessments ensures that any changes such as a new server installation, a piece of software identified as out of date or a misconfiguration like a port being left open are caught as quickly as possible.
According to research from Sophos, a device connected to the internet was attacked within 52 seconds of going live. These attacks essentially start with an automated malicious vulnerability scan; such scans are constantly run against internet IP addresses, looking for known weaknesses in any infrastructure detected. Therefore, you must be running your own scans to ensure no gaps are available to be exploited.
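The value of regular assessments described above comes from comparing each run with the previous one. The following is an added example, not code from the original article: it diffs two assessment snapshots and reports new hosts, newly opened ports and changed services. The snapshot format, function names and all sample data are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample snapshots (assumed format): {ip: {port: "service banner"}}
PREVIOUS = {
    "192.0.2.10": {22: "OpenSSH 9.6", 443: "nginx 1.24"},
    "192.0.2.11": {443: "Apache 2.4.58"},
}
CURRENT = {
    "192.0.2.10": {22: "OpenSSH 9.6", 443: "nginx 1.24", 3389: "ms-wbt-server"},
    "192.0.2.11": {443: "Apache 2.4.59"},
    "192.0.2.12": {23: "telnetd", 80: "lighttpd 1.4"},
}

def diff_snapshots(previous, current):
    """Return (host, port, change, detail) tuples for every difference."""
    changes = []
    hosts = sorted(set(previous) | set(current), key=ipaddress.ip_address)
    for host in hosts:
        old, new = previous.get(host, {}), current.get(host, {})
        if host not in current:
            # Host no longer answers: report once, skip per-port noise.
            changes.append((host, None, "host-gone", ""))
            continue
        if host not in previous:
            changes.append((host, None, "new-host", f"{len(new)} open port(s)"))
        for port in sorted(set(old) | set(new)):
            if port not in old:
                changes.append((host, port, "port-opened", new[port]))
            elif port not in new:
                changes.append((host, port, "port-closed", old[port]))
            elif old[port] != new[port]:
                detail = f"{old[port]} -> {new[port]}"
                changes.append((host, port, "service-changed", detail))
    return changes

def exposure_increases(changes):
    """Keep only changes that enlarge the attack surface and need review."""
    return [c for c in changes if c[2] in ("new-host", "port-opened")]

if __name__ == "__main__":
    for host, port, change, detail in diff_snapshots(PREVIOUS, CURRENT):
        where = host if port is None else f"{host}:{port}"
        print(f"{change:16} {where:18} {detail}")
```
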
So what is the difference between a Vulnerability Assessment and a Penetration Test?
A pen test goes further and deeper. Expert pen testers (sometimes known as ethical or white-hat hackers) will run the tests. The pen test will include a vulnerability assessment for an initial sweep of the infrastructure, but the key here is that the pen tester will use the output of the Vulnerability Assessment and combine it with their experience and skillset to penetrate further into your network.
They will perform research and reconnaissance, threat analysis and exploitation of the vulnerabilities identified to reveal the full extent of your information security and its weaknesses.
The report from a pen test will provide a detailed list of any threats or vulnerabilities found and the recommended remedial actions. Threats and vulnerabilities are ranked in order of criticality. The report will also contain an executive summary and an attack narrative which will explain the risks in business terms.
Given that pen tests are more in-depth and take more time, they are usually run less frequently than vulnerability assessments. Most organisations should do them annually unless there has been significant infrastructure change, such as a new VPN or remote access solution deployed, new apps deployed, or it’s required for compliance reasons.
The Vulnerability Assessment complements the Pen Test, and running them frequently ensures that nothing is missed and that any attack surface is reduced and secured as quickly as possible.