With organisations’ increased reliance on infocomm technology in their pursuit of competitive advantage, keeping the IT infrastructure secure should be one of an organisation’s top priorities. Leaving security vulnerabilities unresolved and open for hackers to exploit can lead to severe monetary and reputational loss.
Depending on the organisation’s intent, whether it is to find out which security vulnerabilities are present in its IT systems or to determine the security resiliency of an application, there are two approaches that organisations may adopt.
Vulnerability Assessment is a non-intrusive approach that serves to produce a prioritised list of security vulnerabilities. A combination of automated and manual scans may be performed on the organisation’s IT systems or network to identify flaws that could be exploited during an attack. This systematic approach of identifying, quantifying and ranking security vulnerabilities enables organisations to select the critical vulnerabilities to resolve first, based on their available resources. Without such assessments, there is a risk that the IT infrastructure is not sufficiently secured. It is recommended that organisations perform a vulnerability assessment on their IT infrastructure on a quarterly basis, and assess their applications on a yearly basis.
Penetration Testing, on the other hand, uses an intrusive approach to discover security weaknesses in the organisation’s IT infrastructure and applications. Penetration testers attempt to exploit identified security weaknesses to gain privileged access to the IT infrastructure and applications. Such an approach emulates a real attack and determines how robust the organisation’s IT infrastructure is in protecting sensitive information.
The difference between vulnerability assessment and penetration testing is that the former discovers the security loopholes present in an organisation’s systems but does not exploit them, whereas the latter is employed to demonstrate how damaging those vulnerabilities could be in a real cyber-attack. As the two approaches serve different purposes, they are often used in tandem to provide a comprehensive picture of the security deficiencies that exist within the IT infrastructure and applications, and of their potential impact.
Vulnerability Assessment versus Penetration Testing

| Attributes | Vulnerability Assessment | Penetration Testing |
| --- | --- | --- |
| Orientation | List-oriented | Goal-oriented |
| Types of Reports | Prioritised list of vulnerabilities categorised by criticality for remediation | Specific information on what data was compromised and which vulnerabilities were exploited |
| Purpose | Identify security vulnerabilities in a system that may be exploited | Determine whether an application can withstand an intrusion attempt |
How to Perform a Vulnerability Assessment
The table below highlights the key phases of performing a vulnerability assessment. It is a cyclical three-phase process: conducting the assessment, identifying exposures, and addressing those exposures, followed by re-assessment to confirm that the vulnerabilities identified have been rectified.
| Phase | Activity |
| --- | --- |
| 1 | Assessment |
| 2 | Identify Exposures |
| 3 | Address Exposures |
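The "identify, quantify and rank" step described above, and the re-assessment that closes the cycle, can be made concrete with a small script. The following is an added example written for this page, not code from the original article or from any scanner vendor: it takes constructed finding records (hostnames, check identifiers and CVSS base scores are all made up), ranks them into a prioritised list using the CVSS v3 qualitative severity bands, and compares a baseline round against a re-assessment round to report which findings were rectified, which remain outstanding, and which are new.

```python
"""Prioritise vulnerability assessment findings and verify remediation on re-assessment.

Added example for illustration; all finding records below are constructed sample data.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str        # asset the finding was observed on (constructed)
    check_id: str    # scanner check identifier (constructed, hypothetical format)
    title: str
    cvss: float      # CVSS base score, 0.0 to 10.0


def severity(cvss: float) -> str:
    """Map a CVSS base score onto the CVSS v3 qualitative severity rating bands."""
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    if cvss > 0.0:
        return "Low"
    return "Informational"


def prioritise(findings):
    """Return findings ordered for remediation: highest score first, then host and check id
    so the report is stable between runs."""
    return sorted(findings, key=lambda f: (-f.cvss, f.host, f.check_id))


def counts_by_severity(findings):
    """Summarise how many findings fall into each severity band."""
    return dict(Counter(severity(f.cvss) for f in findings))


def remediation_status(baseline, reassessment):
    """Compare two assessment rounds. A finding is keyed by (host, check_id):
    present before and absent now  -> rectified
    present in both rounds         -> outstanding
    absent before and present now  -> new (e.g. introduced by a change or a newer check)
    """
    before = {(f.host, f.check_id): f for f in baseline}
    after = {(f.host, f.check_id): f for f in reassessment}
    rectified = [before[k] for k in before if k not in after]
    outstanding = [after[k] for k in before if k in after]
    new = [after[k] for k in after if k not in before]
    return rectified, outstanding, new


# Constructed sample data: a first assessment round and a re-assessment after fixes.
ROUND_1 = [
    Finding("web-01", "C-1001", "Outdated TLS configuration", 5.3),
    Finding("web-01", "C-1002", "Administrative interface exposed without authentication", 9.8),
    Finding("db-01", "C-1003", "Default database credentials in use", 9.8),
    Finding("app-02", "C-1004", "Verbose error messages disclose stack traces", 3.1),
]
ROUND_2 = [
    Finding("web-01", "C-1001", "Outdated TLS configuration", 5.3),
    Finding("app-02", "C-1004", "Verbose error messages disclose stack traces", 3.1),
    Finding("app-02", "C-1005", "Missing HTTP security headers", 4.3),
]


def report(baseline, reassessment):
    """Build the text a reader of the re-assessment report would expect to see."""
    lines = ["Prioritised findings (baseline):"]
    for f in prioritise(baseline):
        lines.append(f"  [{severity(f.cvss):>13}] {f.cvss:>4} {f.host:<7} {f.check_id} {f.title}")
    rectified, outstanding, new = remediation_status(baseline, reassessment)
    lines.append(f"Rectified: {[f.check_id for f in rectified]}")
    lines.append(f"Outstanding: {[f.check_id for f in outstanding]}")
    lines.append(f"New since baseline: {[f.check_id for f in new]}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(ROUND_1, ROUND_2))
```

In practice the `Finding` records would be parsed from the scanner's export rather than typed in, but the two decisions the script makes are the ones that matter for the process above: the ranking decides which exposures are addressed first within the available resources, and the round-over-round comparison is what turns the third phase into a verified close-out instead of an assumption.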
How to Perform a Penetration Test
The following table outlines the process and methodology of carrying out a penetration test. It is important to notify the organisation’s management and obtain their approval before performing a penetration test on the IT infrastructure.
| Phase | Activity |
| --- | --- |
| 1 | Planning & Preparation |
| 2 | Information Gathering and Analysis |
| 3 | Vulnerability Detection |
| 4 | Penetration Attempt |
| 5 | Reporting and Clean Up |
Interesting Reads
- Daniel Miessler’s VA vs. PT: http://www.danielmiessler.com/writing/vulnerability_assessment_penetration_test/
- OWASP Top 10 Security Risks: https://www.owasp.org/index.php/Top_10_2013-Top_10
- Vulnerability Assessment White Paper (SANS): https://www.sans.org/reading-room/whitepapers/threats/vulnerability-assessments-pro-active-steps-secure-organization-453
- Penetration Testing White Paper (SANS): https://www.sans.org/reading-room/whitepapers/auditing/conducting-penetration-test-organization-67