The world of IT Security can be daunting for those new to it. The field is inherently technical and seemingly filled with endless jargon. For non-technical executives and managers, the prospect of tackling IT Security can be very intimidating. Where do you start? Should you hire consultants? What services should you hire them to perform? A question we consistently find ourselves answering: “What’s the difference between a vulnerability assessment and a penetration test?” If you are concerned about the security of your infrastructure and shopping for a security resource, it’s critical to understand the distinction between these two services.

A vulnerability assessment is the process of examining your organization’s people, processes, and technology for the purpose of identifying weaknesses. We use a mixed approach: interviews with key staff as well as technical security tools that examine the network and connected devices. Typically, the engagement ends with a report listing the vulnerabilities found, with recommendations on how to fix them.

Penetration testing refers to the attempt to identify – and crucially exploit – vulnerabilities in systems for the purpose of breaching a company’s defenses. A penetration test can be an extension of a vulnerability assessment. A penetration test can take a few different forms: white box, black box, or gray box. Generally, the color indicates how much information the tester knows beforehand. A white box test may follow a vulnerability assessment; that is to say, the penetration tester will have detailed knowledge of the company, its network, and the system in question. A black box approach involves very little information being given to the tester beforehand, beyond a scope and terms of engagement. As you might have guessed, gray box is a hybrid approach.

The engagement typically ends with a report detailing how the particular systems were breached, and advice on how best to secure the network or applications against the exploited vulnerabilities.

In short, vulnerability assessments have a wide focus, in that they are designed to assess an organization end to end. Often they are considered a starting point for companies with a maturing security culture. Penetration testing is a narrow, targeted engagement, typically focusing on one system or one network segment, and is often undertaken by organizations with a mature security posture looking to harden key systems against advanced attacks.

Note: This post, authored by me, originally appeared in the blog of a former employer.