We often get enquiries asking for a penetration test, but really the enquirer wants a vulnerability assessment (also referred to as a vulnerability scan). Conversely, many people ask for a vulnerability assessment when what they really need is a penetration test. If these are different services, why is there so much confusion?
Often, it’s a problem of miscommunication because many people use the two terms interchangeably, as they look similar from afar. However, up close it’s a very different story.
Essentially, the vulnerability assessment is an automated scan used to identify vulnerabilities while a penetration test aims to exploit those vulnerabilities to get a deeper understanding of the holes in your defences.
Let’s look at each option in more detail:
What is a vulnerability assessment?
A vulnerability assessment is a scan. It uses an automated tool to check your systems for known vulnerabilities. Imagine a burglar looking for and identifying a back entrance to your building, but not entering. The results of the scan will show how an application, website or other system is vulnerable, but it doesn’t provide details on what would happen if the vulnerability was exploited.
Many organisations undertake vulnerability assessments to tick a box, usually for compliance. However, a vulnerability assessment has limits: it can’t explain the impact of a finding, nor show how an attacker could pivot from one vulnerability to another to compromise a system. Automated scans also produce false positives and false negatives, so it’s important to verify their results with multiple tools or manual methods.
What is a penetration test?
Penetration testing is a method of identifying and testing vulnerabilities or gaps in IT security that could be exploited in external or internal infrastructure, leaving your business at greater risk. A penetration test usually begins with an automated vulnerability scan, but it goes into far more depth. In our burglar scenario, this time they are checking for a back entrance and then actually entering the building (don’t worry, they have permission!).
This testing format—what many people might consider ‘hacking’—is a systematic examination of a network or system undertaken by qualified, experienced security experts who have been given permission to exploit the vulnerabilities and misconfigurations they find to determine their potential impact. The consultant will work to a defined test methodology to enter the network through the identified gaps (hence the term, ‘penetration’), using their knowledge, Open Source information, and a range of tools. Once gaps have been identified and tested in your systems and networks, they provide expert advice for strengthening your defences.
A side-by-side comparison: vulnerability assessment vs. penetration testing
To more easily illustrate what is included in each service, we’ve put together this handy comparison of a vulnerability assessment and a generic penetration test (each test will depend upon the system being examined).
As you can see, a penetration test is significantly more in-depth than a vulnerability assessment. While a penetration test generally includes an initial automated vulnerability scan, it’s the manual exploitation of those vulnerabilities that requires a wide range of skills and time.
Which is right for your organisation?
Vulnerability assessment
Think of a vulnerability assessment as a one-size-fits-all high-level automated scan that picks up the most common vulnerabilities. It’s cheaper and quicker because it isn’t resource intensive and could be considered as a health check (like running a virus scan on a laptop, but across a whole network).
While a vulnerability assessment is often conducted as a mandatory exercise as part of complying with regulatory requirements, such as PCI DSS or ISO 27001, it is strongly recommended that vulnerability assessments are conducted regularly: on all new devices before deployment, and again throughout the year (like a fire drill).
Penetration test
A penetration test is the difference between ‘ticking a box’ and being confident you have looked at your vulnerabilities from every angle. The testing is undertaken by humans who understand the nuances of how businesses work—unlike automated scanning software, they can ask questions when something doesn’t seem quite right (which is important for ongoing business operations).
Much like carrying out an annual service on your car, we recommend regular penetration testing for all businesses to ensure ongoing mitigation of risk; however, it is even more important if you’re introducing new technologies to the workplace, moving to the cloud, outsourcing IT, have experienced a breach in the past, or aren’t confident you know how mature your security is.
What are you testing?
Whichever you choose truly does depend on the asset being tested; if the asset is low value (i.e. compromise wouldn’t have a devastating effect on operations or reputation), then a vulnerability assessment is probably adequate. However, if the asset is high value (i.e. a breach or failure could cause operational disruption and revenue loss or reputational damage), then it becomes a prime target for threat actors who invest time into finding more ingenious ways to compromise and gain access.
The results
Both options will provide you with a detailed report explaining the findings, the criticality of the vulnerabilities, and present remediation advice. However, the vulnerability assessment report will not cover impact or exploit information, as this can only be gleaned by exploiting the vulnerabilities manually.
It’s important to remember that new vulnerabilities are discovered regularly, so whether you’ve decided that a vulnerability assessment or a penetration test is the best choice for your organisation’s needs, it should be repeated regularly.
How can we help?
Penetration testing and vulnerability assessments are important parts of mitigating cyber risk. Our experienced Penetration Testers have worked across a range of industries, finding vulnerabilities that can easily be missed in web applications and IT infrastructure. Our team can also help you to ensure that your systems are configured securely.
Help your IT department secure your business and contact us to discuss how we can make the process easier.