There is a certain amount of confusion about the difference between Penetration Testing and Vulnerability Assessment. The basic difference can be explained by the definitions of the two terms.
A vulnerability is a property of a system's security requirements, design, implementation, or operation that could be accidentally triggered or intentionally exploited and result in a security failure. The source of any failure is a latent vulnerability: if there is a failure, there must have been a vulnerability. A vulnerability is the result of one or more weaknesses in requirements, design, implementation, or operation.
A vulnerability assessment is the process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system.
A penetration test is a method of evaluating the security of a computer system or network by simulating an attack from a malicious source, using attack tools and exploits against the vulnerabilities that were found or are already known.
An exploit is a technique that takes advantage of a vulnerability to cause a failure. An attack is a specific application of an exploit; in other words, an attack is an action (or sequence of actions) that takes advantage of a vulnerability. The exploits we use are either contained in commercial tools or custom-built by our penetration testers.
The vulnerability assessment is the first step of a penetration test, and the information obtained from the assessment is used in the testing. Whereas the assessment checks for holes and potential vulnerabilities, the penetration test actually attempts to exploit the findings. Performing a vulnerability assessment on its own gives an overview, which can include false positives and false negatives.
Vulnerability assessments focus on finding as many potential security weaknesses as possible for a typically broadly defined target environment. Bitshield and our customers agree to a target list, set a timeframe, and work out escalation procedures in case of an issue.
Our vulnerability assessments use scans to look for flaws in network services as well as in network-attached hardware, software, and operating systems. They can also target web applications, databases, wireless networks, or other specialized areas. A routine vulnerability assessment should be a standard element of every organization's security policy.
The purpose of a vulnerability assessment is to help answer the question: "How secure is your organization's information?"
The reason you need to finish the process with a penetration test is that the VA will produce what are called "false positives": things that look like a concern but might not really be vulnerabilities. A PT will exploit the suspected vulnerability and determine whether it is a real threat. For example, a vulnerability scanner may report Linux vulnerabilities on a Windows system; that finding would be a false positive. False negatives are also a risk: those are vulnerabilities that don't show up because no test case or signature matches them. With additional information about our customer's systems and a little help from the customer, we can sort out many of the false positives and negatives. Vulnerability scans are essentially "look but don't touch," though, so assessors can't weed out 100% of the false signals. The PT will eliminate all false positives. So, basically, the difference between a Vulnerability Assessment and a Penetration Test is that a Penetration Test verifies that the vulnerabilities are in fact exploitable by actually exploiting them.
Warning!
Many companies and service providers will perform a VA, never run any exploits, and try to pass it off as a PT. If someone is doing that to you, they are trying to overcharge you.
The price difference between a VA and a PT can be significant. Why is that? It is the level of responsibility that the penetration testers must take on.
It is very important that your service provider knows the difference and is able to explain it. If they can't do that, you should not use their services. If they charge a high price for a VA, you need them to justify the "value adds".
It is also very important that your service provider uses "Certified Ethical Hackers" (C|EH), certified by an international organization like the EC Council. A C|EH is highly trained and follows a code of ethics. All of Bitshield's penetration testers are certified ethical hackers. We do not hire black hats.
A Vulnerability Assessment can vary in scale and complexity according to our clients' needs but will generally include the following:
1. External scan with various open source and commercial tools to obtain the general security posture of the systems.
2. Internal scan with open source and commercial tools to assess the configuration of the systems, their patch levels, etc. There is some overlap between these first two steps.
3. Review system architecture and associated documentation.
4. Interview System Administrators and Engineers on system operation.
5. Review existing policy, procedures, SOPs, etc.
6. Perform and document the risk analysis.
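The false-positive discussion above (a scanner reporting Linux vulnerabilities on a Windows host) and step 6, prioritizing the findings for the risk analysis, can both be illustrated with a small triage pass over raw scan output. The script below is an added example and is not Bitshield's tooling; the findings are constructed, and the field names (host, detected_os, plugin, affected_os, cvss) are assumptions about what a scanner export might contain. It flags findings whose signature targets a platform other than the one the scanner fingerprinted as likely false positives, and ranks the remainder by severity so that the penetration test can verify the most serious candidates first.

```python
"""Triage of raw vulnerability-scan findings before a penetration test.

Added example, not Bitshield's own tooling. FINDINGS is constructed data and
the Finding fields are assumptions about a typical scanner export.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    host: str
    detected_os: str   # OS the scanner fingerprinted on the host
    plugin: str        # name of the check that fired
    affected_os: str   # platform the check's signature applies to ("any" = platform-independent)
    cvss: float        # scanner-reported severity, 0.0 to 10.0


# Constructed scanner output modelled on the page's example: a Linux check
# firing against a Windows host, and a Windows check firing against Linux.
FINDINGS = [
    Finding("10.0.0.5", "Windows Server 2019", "Linux kernel local privilege escalation", "Linux", 7.8),
    Finding("10.0.0.5", "Windows Server 2019", "SMB signing not required", "Windows", 5.3),
    Finding("10.0.0.7", "Ubuntu 22.04", "Apache httpd version disclosure", "any", 7.5),
    Finding("10.0.0.7", "Ubuntu 22.04", "Windows RDP NLA disabled", "Windows", 6.5),
]


def platform_mismatch(f: Finding) -> bool:
    """True when the signature targets a platform other than the fingerprinted OS.

    Platform-independent checks ("any") are never treated as a mismatch.
    """
    if f.affected_os.lower() == "any":
        return False
    return f.affected_os.lower() not in f.detected_os.lower()


def triage(findings):
    """Split findings into likely false positives and verification candidates.

    Returns (likely_fp, candidates); candidates are sorted by CVSS, highest
    first, so the penetration test verifies the most serious items first.
    A mismatch only marks a finding as *likely* false: the fingerprint itself
    can be wrong, so nothing is discarded without manual or PT confirmation.
    """
    likely_fp = [f for f in findings if platform_mismatch(f)]
    candidates = sorted(
        (f for f in findings if not platform_mismatch(f)),
        key=lambda f: f.cvss,
        reverse=True,
    )
    return likely_fp, candidates


def hosts_needing_verification(findings):
    """Per-host count of findings that survive triage, for the risk write-up."""
    _, candidates = triage(findings)
    counts = {}
    for f in candidates:
        counts[f.host] = counts.get(f.host, 0) + 1
    return counts


if __name__ == "__main__":
    fp, cand = triage(FINDINGS)
    print("Likely false positives (platform mismatch):")
    for f in fp:
        print(f"  {f.host:<10} {f.plugin} (signature: {f.affected_os}, host: {f.detected_os})")
    print("Candidates for PT verification, by severity:")
    for f in cand:
        print(f"  {f.host:<10} CVSS {f.cvss:<4} {f.plugin}")
    print("Per-host verification load:", hosts_needing_verification(FINDINGS))
```

The platform check is deliberately conservative: it only reorders work, it does not close findings, because the scanner's OS fingerprint is itself a "look but don't touch" guess and can be wrong in the other direction.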
A Penetration Test, on the other hand, can include any number of the VA items but uses a much wider array of testing tools.
A Penetration Test usually takes a few hours to a few days, as opposed to a VA, which can take longer to perform.
A Penetration Test usually has a pre-set goal. The scope of the testing and its goal are determined by the results of the VA and can be limited or unlimited.
A Penetration Test really illustrates the relationship of vulnerabilities and how they can string together to open a hole in what appeared to be a solid wall.
The VA will tell you that there are vulnerabilities, but the PT will show you how an attacker can use those vulnerabilities to compromise your network, which can often be done by exploiting one vulnerability to get to another.