The Difference Between a Penetration Test and Vulnerability Assessment (1 of 2)

The staff here at SecureOps is consistently asked the purpose and the differences between vulnerability scans, vulnerability assessments and penetration tests – including all the variations of both such as red teaming, capture the flag exercises, bug bounty programs and more. Our goal in this blog post is to work from a high level and explain the general differences between identifying vulnerabilities to a more detailed level and ultimately walk through what the services are from an execution perspective and what benefits they offer an organization in terms of improving security.

Let’s start with answering the broad question first and dig deeper from the explanation that we use here at SecureOps. Vulnerability scans search systems for known vulnerabilities using a scanner like those manufactured by Nessus, GFI LANGuard, Rapid7, Retina, Qualys. A vulnerability assessment is the process of identifying, quantifying, and prioritizing the vulnerabilities in each system, then in the entire environment. The assessment should provide a prioritized list of patches and systems that need attention as well as when they need attention. Penetration testing is quite different; a quality pen test attempts to identify weaknesses that a threat actor could exploit including poor vulnerability management processes, unpatched software vulnerabilities, ineffective security settings on systems, gaps in the layer security solution and certainly much more.

Vulnerability Assessment vs Penetration Testing Snapshot Table

Vulnerability Assessment	Penetration Testing
This is the process of finding and measuring the vulnerability of a system Finds vulnerabilities and exploits them to break security controls and breach systems	Creates a list of vulnerabilities prioritized by its severity Helps in charting the path which will be taken by the attacker to take over the system(s)
Assessments start the process of identifying systems with security issues and their impact to the organization’s risk posture	Pen tests should be conducted after assessments and when the organization has an acceptable level of security practices and wants to identify additional vulnerabilities
Assessments uncover, define, identify and prioritize the vulnerabilities or security gaps in a system and organization in order to prioritize security issues.	Pen tests discover vulnerabilities with specific goals in mind. They want to know how a cybercriminal can exploit a vulnerability to breach a system or organization.

What is Vulnerability Management?

We discussed vulnerability scans and vulnerability assessments but before we move on, we figured we should explain vulnerability management briefly because it is the overriding program that contains vulnerability scans and assessment and we don’t want the term to add further confusion. The reality for many organizations is that running a vulnerability scanner that scans the majority of critical systems and produces a thousand-page report is considered fairly typical. The vulnerability scan report has allowed IT security teams to identify missing patches and insecure configurations, however these professionals were drowning and data and had no prioritized way to apply every patch in a timely manner.

For example, two years ago WannaCry and NotPetya created turmoil in even the largest corporations around the globe. Both attacks were fueled by the leaked exploit EternalBlue —a known vulnerability for which patches had been available for several months. Just after EternalBlue, Equifax suffered one of the most infamous breaches when attackers compromised a Struts vulnerability on a critical, public-facing web server—a vulnerability that had been identified several years earlier.

The real goal of any vulnerability management program should be to minimize risks to the organization introduced by vulnerabilities. Thus, vulnerability management is the process of addressing vulnerabilities, systems, data, and business goals by priority and handling the most critical patches or other issues by priority.

The first phase of the vulnerability management process is asset discovery. Organizations should know what machines or systems are deployed on their network, which has become increasingly difficult with IoT, BYOD, the digital transformation and the continuous collection of sensitive information. The next phase is the IT security teams response based on a risk-based approach to patching. The team should consider several factors including:

The type of data it contains – PII and other sensitive data – these systems should be prioritized
Where the system is on the network – is it exposed more than other systems to hackers?
What the system’s function is – is it a mail server, database, public-facing system, etc.
Whether or not the patch in question poses a threat

By considering the four variables above you can create a risk management program that will be cost-effective and aligned with the business goals. There’s an old adage in risk management: “When everything’s is a priority, nothing is a priority.” There were over 14,000 vulnerabilities or CVE’s distributed last year so obviously it is impossible to keep up in real-time with patching requirements for every system.