I spend a lot of time addressing clients’ security concerns, and more often than not I find they ask for services they don’t truly want or need. The most common instance is not knowing the difference between a vulnerability assessment and penetration testing. This article is to clarify the difference, so you can be sure you’re asking for what you really need when working with an expert.
A vulnerability assessment is designed to determine basic flaws in a system, network, or application. This is usually attained by testing a client’s IT infrastructure using a set of proprietary and publically available security scanning tools. These tools generate reports that give an idea of vulnerabilities or issues that need to be addressed. When my clients request a vulnerability assessment, they usually already know they have security issues. What they are interested in is an independent review to confirm those issues, as well as others, and are looking for help prioritizing a list of vulnerabilities so remediation can occur. At EarthLink we take vulnerability assessments one step further where we manually verify identified vulnerabilities, remove false positives, and only report on vulnerabilities that truly exist.
Sometimes this process is confused with a penetration test. Penetration testing is another way to uncover flaws in a system, network, or application, but it is much more manual and time-consuming. When performing penetration testing, a qualified security expert attempts to manually exploit vulnerabilities. The key word here is manually. No commercial tool can offset the work performed by and educated attacker exploiting vulnerable code/services to gain unauthorized access into a system.
So when is each appropriate? Let’s say while performing a vulnerability assessment, the security tools locate an open file share that anyone can read or write to. The easy fix provided by the vulnerability assessment is to lock down the file share and only allow authorized individuals access to read and write to it. Now let’s introduce Marvin, the penetration tester, to this equation. Marvin takes it further and is able read one of those files which so happens to contain a bunch of passwords. Now Marvin can use those passwords to gain additional unauthorized access on your network and is now able to find other items like trade secrets, social security numbers, and other personally identifiable information.
The underlying difference between a vulnerability assessment and a penetration test is with a vulnerability assessment you are testing to understand your risks, and with a penetration test you are testing deeper to verify you have no risks and can withstand an intrusion attempt from a very determined hacker. And EarthLink Professional Services offers both penetration testing and vulnerability assessment services, so contact your EarthLink representative today for additional info.