Let’s start by establishing a fixed point: Vulnerability Assessments (VA) are not Penetration Tests (PT). If we oversimplify, we could say that Penetration Tests can be considered partial Vulnerability Assessments, but on closer analysis even this assertion is inaccurate and approximate. Of course, at the end of a PT you will find that on that server, on that segment of the network, or in that small piece of code there was a vulnerability, but we are far from getting an exhaustive VA. In contrast, after a VA we have a nicely formatted and colorful list of all possible vulnerabilities in our infrastructure, but we do not have a definite perception of how strong and impregnable our IT fortress is.
The purpose of this post is to clarify things and explain when you need to perform a Vulnerability Assessment and when to perform a Penetration Test.
A Vulnerability Assessment is intended to identify weaknesses (infrastructure, systems engineering and application weaknesses) in our IT department. It is often carried out with automated tools (for example Nessus Vulnerability Scanner) that are able to find known vulnerabilities with unattended methods and without any operator intervention. At the end of a Vulnerability Assessment you will have a detailed list of vulnerable systems and networks with tips on countermeasures that can be taken to eliminate or at least mitigate the risk.
It is then up to the sensitivity of the security department, to the business needs, and also to the required economic effort to decide whether or not to take such countermeasures, use other ones or accept the risk.
Once you have taken all necessary countermeasures, or when you are sufficiently confident in the robustness of your own infrastructure, it is important to commission a Penetration Test. It is also very important to get it done by external third parties.
A Penetration Test is intended to succeed in penetrating the security defenses, exploit some vulnerability and try to do as much damage as possible (figuratively speaking). And this is the difference: a hacker (not to be confused with a “cracker”) will use all his knowledge and all possible exploits, and will create his own, in order to enter the system. After a PT it often happens that you discover unknown vulnerabilities, which will then be analyzed and shared with the whole community in order to improve the level of security of all IT sectors.
Let’s try another example: after engineers have tested all the most cutting-edge alarms and intrusion detection systems in a new and very modern bank, some professional thieves are called in and asked to get into the vault. The aim is clear: come in and take the money in the shortest time possible. The thieves will not waste time analyzing all the walls of the bank inch by inch: they will push through the first flaw they find, and if they manage to get access, the engineers have little to justify themselves with. Sometimes you just need a little note with four numbers or a distracted employee.
A Vulnerability Assessment certainly has an important role in the field of IT security: it surely provides an awareness of how big and how wide the gap is between your insecure and secure environment, and is an excellent starting point to begin to fix things. But it has two weaknesses. The first is that it relies almost exclusively on known vulnerabilities (which is why it should be performed at least every six months). The second is that it does not go deep enough to confirm that those vulnerabilities actually lead to potential damage. Only through a Penetration Test performed by a highly skilled team will you have the right perception of how impregnable your Fort Knox is.
Omnitech has for years been among the industry leaders in everything that concerns Supply Chain Vulnerability Assessment and Penetration Testing: Omnitech provides highly specialized personnel to help your company from risk analysis to application of countermeasures up to the final assessment through its ethical hackers.