Despite the common mistake of assuming these two exercises accomplish the same task, the answer to this question is no. A penetration test is very different from a vulnerability assessment. Yet, many executives attempting to build a formal information security strategy struggle to identify the differences between the two practices.

It is true that most information security frameworks, standards and regulations will encourage or even require that organizations conduct periodic penetration testing and vulnerability assessments but the two engagements have different objectives and provide their own unique benefit in the context of reducing overall risk.

The goal of completing a vulnerability assessment is to identify all Common Vulnerabilities and Exposures (CVE) that exist within an organization’s information technology environment. Common Vulnerabilities and Exposures (CVE) is a publicly available database of information security flaws that may be present in any given computer system, network or application. Examples include:

·        Unsecure system configurations, such as open ports or unnecessary services running.

·        Unpatched operating systems or applications.

·        Legacy systems that may be riddled with security flaws.

Vulnerability assessments are typically conducted by a qualified information security professional using a specialized scanning tool. The tool will scan all information technology assets in a given organization and detect the presence of any CVEs. Then a formal report can be generated that contains a detailed summary of the discovered CVEs and provide the organization with an opportunity to remediate or fix the issues at hand. So, simply put, a vulnerability assessment discovers CVEs and allows for them to be fixed prior to an adversarial threat actor exploiting the CVEs and resulting in a successful cyber security attack.

The goal of completing a penetration test is to simulate a real cybersecurity attack launched by an adversarial threat actor so that the effectiveness of information security controls can be tested. Most organizations build an information security control framework designed to protect the confidentiality, integrity and availability of critical systems and information. Examples of common information security controls include a firewall, anti-virus software, multi-factor authentication (MFA), and data encryption. These controls, and others, should be tested to ensure that they are performing as intended or advertised.

Penetration tests are typically conducted by a certified Ethical Hacker using a variety of tools, and human logic and reasoning. An ethical hacker will conduct reconnaissance and research to identify potential vulnerabilities or flaws. Then they will launch a series of cybersecurity attacks attempting to gain unauthorized access to systems and information. The results of their testing efforts will be presented in a formal findings document and the organization can learn how their controls failed and make requisite improvements. Unlike a vulnerability assessment, penetration testing does not result in the discovery of all CVEs. A penetration test may discover some CVEs and then attempt to exploit or take advantage of those particular CVEs.

In summary, a Vulnerability Assessment will discover all CVEs but will not attempt to exploit any of them. Its objective is to provide the organization with an opportunity to fix or remediate known security flaws.

A Penetration Test will discover some CVEs and attempt to exploit them all. Its objective is to simulate a real information security attack and test the overall effectiveness of the controls and safeguards currently implemented.  Looking for a Vulnerability Scan or Pen Testing in NYC?  Give us a call today.