
Comparison: Vulnerability Assessment vs Penetration Testing

Cyber Security, Pentest | January 1, 2017

With organisations’ increased reliance on infocomm technology in their pursuit of competitive advantage, keeping the IT infrastructure safe should be one of the top priorities of any organisation. Leaving security vulnerabilities unresolved and open for hackers to exploit can lead to severe monetary and reputational loss.

Depending on the organisation’s intent, whether it is to find out which security vulnerabilities are present in its IT systems or to determine the security resilience of an application, there are two approaches that organisations may adopt.

Vulnerability Assessment is a non-intrusive approach that serves to produce a prioritised list of security vulnerabilities. A combination of automated and manual scans may be performed on the organisation’s IT systems or network to identify flaws that may be exploited during an attack. The systematic approach of identifying, quantifying, and ranking security vulnerabilities enables organisations to select the critical vulnerabilities to resolve based on their available resources. Without such assessments, there is a risk that the IT infrastructure is not sufficiently secured. It is recommended that organisations perform a vulnerability assessment on their IT infrastructure on a quarterly basis, and assess their applications on a yearly basis.

Penetration Testing, on the other hand, uses an intrusive approach to discover security weaknesses in the organisation’s IT infrastructure and applications. Penetration testers attempt to exploit identified security weaknesses to gain privileged access to the IT infrastructure and applications. Such an approach emulates a real attack and determines the robustness of the organisation’s IT infrastructure in protecting sensitive information.

The difference between vulnerability assessment and penetration testing is that the former helps to discover the security loopholes present in an organisation’s systems but does not exploit the vulnerabilities. The latter is employed to demonstrate how damaging security vulnerabilities could be in a real cyber-attack. As these two approaches serve different purposes, they are often used in tandem to provide a comprehensive picture of the security deficiencies that exist within the IT infrastructure and applications, and of their potential impact.

Vulnerability Assessment versus Penetration Testing

Attributes
    Vulnerability Assessment: List-oriented
    Penetration Testing: Goal-oriented

Types of Reports
    Vulnerability Assessment: Prioritised list of vulnerabilities, categorised by criticality, for remediation
    Penetration Testing: Specific information on what data was compromised and which vulnerabilities were exploited

Purpose
    Vulnerability Assessment: Identify security vulnerabilities in a system that may be exploited
    Penetration Testing: Determine whether an application can withstand an intrusion attempt

How to Perform a Vulnerability Assessment
The table below highlights the key concepts of performing a vulnerability assessment. It is a cyclical three-phase process: conducting the assessment, identifying exposures, and addressing exposures, followed by a re-assessment to ensure that the vulnerabilities identified have been rectified.

1. Assessment
The two main objectives of this phase are the planning and execution of the vulnerability assessment. Planning includes information gathering; defining the activity scope, roles and responsibilities; and informing the relevant personnel of the process. Execution includes interviewing system administrators, reviewing IT security policies, and scanning for security vulnerabilities.

2. Identify Exposures
This phase includes a variety of tasks that are performed according to the specifications and needs of your organisation. Generally, it includes the review of results from the previous phase and the identification of remedial actions for the vulnerabilities.

3. Address Exposures
An investigation needs to be carried out to determine whether the vulnerable services are required. If the affected services are not essential, they should be disabled. Required services with security weaknesses must be patched or rectified, and management needs to be informed of unpatched vulnerabilities and the residual risks.
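The three phases above, carried through on constructed scan data as an added example (not code from the original article): the findings are ranked by criticality into the prioritised list a vulnerability assessment produces, each exposed service gets a remediation decision based on whether it is required, and a re-assessment is compared against the previous cycle so that anything still open can be reported to management as residual risk. Host addresses, service names and severities are all made up.

```python
"""Vulnerability assessment triage and re-assessment check (added example)."""
from dataclasses import dataclass

# Criticality ranking used for prioritisation; higher values sort first.
CRITICALITY = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Finding:
    host: str
    service: str
    issue: str
    severity: str


def prioritise(findings):
    """Phase 1/2: order findings by criticality, then by host and service."""
    return sorted(findings, key=lambda f: (-CRITICALITY[f.severity], f.host, f.service))


def decide_action(finding, required_services):
    """Phase 3: disable services that are not essential, patch the ones that are."""
    return "patch" if finding.service in required_services else "disable"


def unresolved(previous, current):
    """Re-assessment: findings from the previous cycle that are still present.

    These are the unpatched vulnerabilities and residual risks to report to management.
    """
    still_open = set(previous) & set(current)
    return sorted(still_open, key=lambda f: (-CRITICALITY[f.severity], f.host))


# Constructed sample data: hypothetical hosts, not real scan output.
PREVIOUS = [
    Finding("10.0.0.5", "telnet", "cleartext administrative login", "high"),
    Finding("10.0.0.5", "https", "TLS certificate expired", "medium"),
    Finding("10.0.0.9", "smb", "unsupported SMBv1 enabled", "critical"),
    Finding("10.0.0.9", "http", "server version disclosed in banner", "low"),
]
CURRENT = [  # re-assessment one cycle later: telnet disabled, SMBv1 patched
    Finding("10.0.0.5", "https", "TLS certificate expired", "medium"),
    Finding("10.0.0.9", "http", "server version disclosed in banner", "low"),
]
REQUIRED_SERVICES = {"https", "smb", "http"}  # telnet is not essential

if __name__ == "__main__":
    for f in prioritise(PREVIOUS):
        print(f"{f.severity:8} {f.host} {f.service:6} {f.issue} -> {decide_action(f, REQUIRED_SERVICES)}")
    for f in unresolved(PREVIOUS, CURRENT):
        print("residual risk:", f.severity, f.host, f.service, f.issue)
```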


How to Perform a Penetration Test
The following table describes, in brief, the process and methodology of carrying out a penetration test. It is important to notify and seek approval from the organisation’s management before performing a penetration test on the IT infrastructure.

1. Planning & Preparation
Before commencing the penetration test, clear objectives and scope need to be set. A penetration test plan with details on timing, duration and potential impact to business operations needs to be defined and communicated to all stakeholders and affected staff. A formal and approved test plan also serves to absolve the penetration testers of legal liability, as most of the test activities would otherwise be against the law.

2. Information Gathering and Analysis
The next step is to determine the reachable systems in the IT infrastructure, which form the list of investigation targets for the vulnerability assessment. This can be done through a network survey to determine domain names, server names, Internet service provider information, IP addresses of hosts and a network map. A useful tool for conducting a network survey is Nmap (http://www.nmap.org), which provides a comprehensive network analysis of the IT infrastructure.

3. Vulnerability Detection
To begin the penetration attempts, penetration testers need a collection of exploits and vulnerabilities. Automated tools such as Nessus may be used to detect the presence of vulnerabilities.

4. Penetration Attempt
After determining the collection of vulnerabilities that exist within the system, penetration testers identify suitable targets and begin an intrusive attack to test the system’s defences. The time and effort needed to conduct the penetration tests on the system should be estimated. Comprehensive penetration testing involves tests such as password cracking, network exploitation, social engineering and even physical security testing.

5. Reporting and Clean Up
Finally, a report summarising the penetration testing process, with analysis of and commentary on the vulnerabilities identified, is submitted. Critical vulnerabilities identified should be reported immediately to the overseeing management. The last step is to clean up the systems to remove traces of the test, such as user accounts that were created during the penetration testing. This should be verified by the organisation’s staff to ensure that it has been done successfully. The cleaning up of compromised hosts must also be done securely, so that the organisation’s normal operations are not affected.
