An often overlooked but very important process in the development of any Internet-facing service is testing it for vulnerabilities, determining whether those vulnerabilities are actually exploitable in your particular environment and, lastly, understanding what risk those vulnerabilities pose to your company.
It is also important to know the difference between vulnerability assessments and penetration testing. Knowing the difference is critical when hiring an outside firm to test the security of your infrastructure or a particular component of your network.
Penetration Testing vs Vulnerability Assessment
YOU NEED BOTH FOR A COMPREHENSIVE PENETRATION TEST
Penetration Testing: Penetration tests usually involve extensive manual effort. The primary objective of a penetration test is to evaluate the client's external infrastructure, internal network, virtualization network and wireless network, along with social engineering exercises such as vishing (voice phishing) and phishing (including ransomware delivery testing), and to give the client insight into the overall information security posture in place during that period. A good manual penetration test by skilled practitioners can reveal the less obvious holes in a control environment, the sort that result in major compromises in the real world, and produces a highly informative report with findings and recommended changes to improve your security posture.
Penetration testing replicates the actions of an external and/or internal attacker who intends to defeat the organization's information security controls, steal valuable data or disrupt its normal operations. Using advanced tools and techniques, a penetration tester (also known as an ethical hacker) attempts to take control of critical systems and gain access to sensitive data.
Vulnerability Assessment: Vulnerability assessments are most often confused with penetration tests, and the terms are frequently used interchangeably, but they are worlds apart. Vulnerability assessments are performed with an off-the-shelf software package, such as Nessus or OpenVAS, that scans an IP address or range of IP addresses for known vulnerabilities. The software then produces a report listing the vulnerabilities found and (depending on the software and options selected) an indication of each vulnerability's severity and basic remediation steps, which may or may not be accurate.
What a vulnerability scan cannot do is exploit those weaknesses to prove their severity, or determine how far the control environment could actually be compromised. A vulnerability scan also often cannot identify when other controls in the environment mitigate a vulnerability and render it unexploitable: the scanner reports the weakness it sees, not whether an attacker could reach and use it.
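To make the two preceding points concrete, here is an added example (not code from the original page or from Virtual IT Security) that parses a scanner export in the Nessus v2 XML layout, which both Nessus and OpenVAS-derived tooling can produce or consume, and then performs the one triage step the scan itself cannot: checking each finding against what the perimeter actually exposes. The XML, the plugin IDs and names, and the `EXPOSED_FROM_INTERNET` firewall knowledge are all constructed for this example and are not real plugins or real hosts.

```python
"""Parse a Nessus-style (.nessus v2 XML) export and triage its findings.

Added example, not the page's own code. The XML, plugin IDs, plugin names
and the exposure table are constructed placeholders, not real data.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Scanner severity is an integer 0-4 in the ReportItem's severity attribute.
SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

# Constructed sample export. Real exports use the same element layout:
# NessusClientData_v2 > Report > ReportHost > ReportItem.
SAMPLE_NESSUS = """<?xml version="1.0"?>
<NessusClientData_v2>
  <Report name="constructed-sample">
    <ReportHost name="10.0.0.5">
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4"
                  pluginID="900001" pluginName="Placeholder: unpatched SMB service">
        <risk_factor>Critical</risk_factor>
        <solution>Apply the vendor patch.</solution>
      </ReportItem>
      <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="2"
                  pluginID="900002" pluginName="Placeholder: weak SSH MAC algorithms">
        <risk_factor>Medium</risk_factor>
        <solution>Disable weak MACs in sshd_config.</solution>
      </ReportItem>
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
                  pluginID="900003" pluginName="Placeholder: OS fingerprint">
        <risk_factor>None</risk_factor>
      </ReportItem>
    </ReportHost>
    <ReportHost name="10.0.0.9">
      <ReportItem port="443" svc_name="www" protocol="tcp" severity="3"
                  pluginID="900004" pluginName="Placeholder: outdated TLS library">
        <risk_factor>High</risk_factor>
        <solution>Upgrade the TLS library.</solution>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""


@dataclass
class Finding:
    host: str
    port: int
    protocol: str
    severity: int
    plugin_id: str
    name: str
    solution: str


def parse_nessus(xml_text: str) -> list[Finding]:
    """Flatten every ReportItem in the export into a Finding."""
    root = ET.fromstring(xml_text)
    findings: list[Finding] = []
    for host in root.iter("ReportHost"):
        for item in host.findall("ReportItem"):
            findings.append(Finding(
                host=host.get("name", ""),
                port=int(item.get("port", "0")),
                protocol=item.get("protocol", ""),
                severity=int(item.get("severity", "0")),
                plugin_id=item.get("pluginID", ""),
                name=item.get("pluginName", ""),
                solution=(item.findtext("solution") or "").strip(),
            ))
    return findings


# Hypothetical compensating-control knowledge the scanner does not have:
# which (host, port) pairs the perimeter firewall actually exposes.
# Constructed for the example.
EXPOSED_FROM_INTERNET = {("10.0.0.9", 443)}


def triage(findings, exposed=EXPOSED_FROM_INTERNET, min_severity=1):
    """Keep findings at or above min_severity and tag each with whether an
    external attacker can reach the affected port. Reachable findings sort
    first, then by scanner severity. This is the judgement a raw scan
    cannot make: it says 'vulnerable', not 'exploitable from here'."""
    rows = [(f, (f.host, f.port) in exposed)
            for f in findings if f.severity >= min_severity]
    rows.sort(key=lambda row: (not row[1], -row[0].severity))
    return rows


if __name__ == "__main__":
    for finding, reachable in triage(parse_nessus(SAMPLE_NESSUS)):
        flag = "EXPOSED" if reachable else "filtered"
        print(f"{flag:8} {SEVERITY_NAMES[finding.severity]:8} "
              f"{finding.host}:{finding.port}/{finding.protocol}  {finding.name}")
```

Note how the ordering changes once exposure is considered: the Critical SMB finding on 10.0.0.5 drops below the High TLS finding on 10.0.0.9 because only the latter is reachable. That reordering is exactly the kind of environmental context a penetration tester supplies and a scan report alone does not.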
Do you know the difference?
Virtual IT Security