Vulnerability Management

Vulnerability Assessments vs. Penetration Tests (& the Goldilocks Option)

By January 15, 2018 No Comments

Today’s hackers are becoming more sophisticated, constantly coming up with new ways to infiltrate networks and gain access to sensitive data. With a vast number of attack methods at their disposal, these malicious actors can pick and choose among denial of service attacks, malware, phishing scams, ransomware and more. And attacks are becoming more targeted – going after specific individuals using email addresses similar to people the targets know, like a friend or boss. As the sophistication of cyber attacks grows, it is more challenging for malware and anti-virus detection systems to catch everything. This makes it more important than ever to conduct security assessments and to identify – and fix – any vulnerabilities before they’re discovered by a malicious actor.

But where do you start?

Determining which security assessment tool is right for your organization depends on your current security posture. We’ve outlined three assessment strategies – vulnerability assessments, penetration tests (pen tests) and security posture assessments – and explained how and when they should be used.

For example, if you’re confident in the maturity and strength of your organization’s cybersecurity and have remediated vulnerabilities found in a previous security posture assessment, then you’re likely ready for a penetration test. If not, it’s typically best to start with a vulnerability or security posture assessment to determine your organization’s weaknesses and how you can fix them. After addressing the greatest risks to your company, a penetration test can confirm whether or not you resolved them successfully.

Read on to see which test makes the most sense for your business today.

Vulnerability Assessment

A vulnerability assessment looks at a company’s networks and systems to identify any weaknesses in security. This assessment is a technical exercise designed to detect and measure the severity of vulnerabilities in a system. It typically involves the use of automated testing tools such as web and network security scanners.

This test is a good first step for companies that may not have strong security systems in place or aren’t aware of their current state of cybersecurity. It is better than starting with a pen test, which, for companies that don’t have strong security measures in place, would likely be compromised very quickly. Instead, this basic assessment identifies potential areas of concern and ranks them in order of priority, so you know what to address first.

Vulnerability assessments are most valuable when performed on a recurring basis so you can see trends and progress over time. That enables your organization to more quickly recognize and resolve problems.

Penetration Test

Many companies refer to vulnerability assessments and pen tests interchangeably, so it’s important to know which test is actually being performed. The pen test is a good assessment for companies looking to put their systems to the test and ensure they have adequate defenses in place.

Unlike a vulnerability assessment, a pen test doesn’t stop at simply uncovering holes in security – it actually exploits the vulnerabilities, mimicking what a cyber attacker might do when trying to gain access to critical systems within a company’s network.

Pen tests can go beyond a company’s network and systems to include social engineering attacks and physical security tests as well. When performing a pen test, we look at an organization’s technical environment from the outside – from a hacker’s perspective – as well as the inside, where malicious insiders may reside.

Security Posture Assessment

While both of the above options are useful tools for measuring network security in different ways, the team at Asylas decided a third option was needed. Our proprietary security posture assessment takes a more holistic approach to security governance, and it is what we recommend a company perform first.

Our security posture assessment (SPA) bridges the gap between the vulnerability and penetration tests while covering a wide range of security considerations. It’s much less time- and resource-intensive than a pen test and gives a quick, high-level,  comprehensive view of your state of cybersecurity.

This assessment aligns with the Center for Information Security’s (CIS) 20 Critical Security Controls, which are a set of specific and actionable ways to protect your organization and data from known cyber attack vectors. Additionally, the security posture assessment includes other factors beyond CIS’ recommendations, such as network environment, physical security, existing policies and procedures and the access controls a company has in place.

Our final SPA report includes a maturity rating in each area and outlines steps a company can take to align with industry best practices and improve its security controls. Once these steps have been taken and the organization is more mature in its security posture, it can undergo a pen test for further evaluation.

While vulnerability assessments and pen tests are valuable measurements of your security, the best place to start is with a security posture assessment. Call it the ‘Goldilocks option’ – not too little, not too much, but just right. It will help you know where your security measures are strong and what needs to change – without getting overwhelmed or requiring too much effort.

If you’re interested in learning more about these security risk assessment tools or want us to come test your network, send us an email at info@asylas.com.

Leave a Reply