Security Experts:

The Truth About Penetration Testing Vs. Vulnerability Assessments

Organizations Must Put Security Vulnerabilities Into the Context of Their Exploitability

Vulnerability assessments are often confused with penetration tests. In fact, the two terms are often used interchangeably, but they are worlds apart. To strengthen an organization’s cyber risk posture, it is essential to not only test for vulnerabilities, but also assess whether vulnerabilities are actually exploitable and what risks they represent. To increase an organization’s resilience against cyber-attacks, it is essential to understand the inter-relationships between vulnerability assessment, penetration test, and a cyber risk analysis.

Vulnerability assessments have become one of the dominant security practices in today’s dynamic threat landscape. Leveraging vulnerability scanners, be it for network, applications, or databases, has become standard for many large end user organizations. Even smaller enterprises are leveraging managed security services to scan their environments. The objective of vulnerability assessments is to identify and quantify security vulnerabilities in an environment. Off-the-shelf software scanners are designed to evaluate an organizations’ security posture, identify known security gaps, and recommend appropriate mitigation actions to either eliminate or at least reduce weaknesses to an acceptable level of risk.

The vulnerability assessment process typically indexes all of an organization’s assets, classifies them based on business value and potential impact, and then identifies known vulnerabilities associated with each of them. The final step involves mitigating the most critical vulnerabilities that affect assets with the highest potential business impact. The more issues identified the better.

However, focusing on existing vulnerabilities, provided by vulnerability scanners, is only the first step in a “true” vulnerability management process. Without putting vulnerabilities into the context of their exploitability, organizations often misalign their remediation resources. To better prioritize remediation actions, it’s best to determine whether the specific vulnerability is actually exploitable or not. Skipping this step is not only a waste of money, but more importantly creates a longer window of opportunity for hackers to exploit high risk vulnerabilities. Ultimately, the goal is to shorten the window attackers have to exploit a software flaw.

It’s important to remember that vulnerability scanners base their findings on a list of known vulnerabilities, meaning they’re already known to security professionals, cyber-attackers, and the vendor community. Unfortunately, there are many vulnerabilities that are unknown and therefore are not detected by scanners.

In addition to contextualizing the organization’s internal security intelligence with external threat data, more and more organizations are conducting penetration tests to determine the exploitability of vulnerabilities. A penetration test is conducted by ethical hackers in an attempt to simulate the actions of a malicious external and / or internal cyber-attacker. The objective is to expose security gaps and subsequently investigate the risks they pose and determine what type of information could be extracted if the weakness were exploited. Penetration test results are typically reported on severity, exploitability, and associated remediation actions. Ethical hackers often use automated tools such as Metasploit, and some even write their own exploits.

In order to put the pieces of this puzzle together, organizations need to conduct a comprehensive risk analysis that takes into account all the contributing factors including asset criticality, vulnerabilities, external threats, reachability, exploitability, and business impact.

Ultimately, vulnerability assessment, penetration testing, and cyber risk analysis must work hand-in-hand to reduce cyber security risk.

view counter
Torsten George is strategic advisory board member at vulnerability risk management software vendor, NopSec. Torsten has more than 20 years of global information security experience. He is a frequent speaker on cyber security and risk management strategies worldwide and regularly provides commentary and byline articles for media outlets, covering topics such as data breaches, incident response best practices, and cyber security strategies. Torsten has held executive level positions with RiskSense, RiskVision (formerly Agiliance), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell). He holds a Doctorate in Economics and a Diplom-Kaufmann degree.