A square is a rectangle, but a rectangle is not a square. That saying always confused me in school, and it reminds me of the confusion in the marketplace between vulnerability assessments and penetration tests: a penetration test includes a vulnerability assessment, but a vulnerability assessment is not a penetration test. When I speak to organizations that want to test the security of their technology infrastructure, I ask, "Do you want a vulnerability assessment or a penetration test?" and I receive responses ranging from "Aren't they the same?" to "I don't know, you tell me." There are key differences between the two, and the right choice depends on the purpose of the project. This article outlines the purpose of each and when you would select one over the other.
A vulnerability assessment is the process of running automated scanning tools against defined IP addresses or IP ranges to identify known vulnerabilities in the environment, typically unpatched or misconfigured systems. The tools may be commercial products such as Nessus or SAINT, or open source tools such as OpenVAS. Commercial versions include a subscription that keeps the vulnerability signatures (plugins) current, much like an anti-virus subscription, and provide a straightforward way to perform scanning. Open source scanners are also widely used, including by attackers, most of whom are not going to pay $2,000 for a Nessus subscription when free tools are available; scanning with the same tools shows you what they will see. Whichever scanner you choose, obtain it only from the vendor's or project's official distribution channel and verify its integrity before running it with privileged credentials against your own network, so that the scanning tool does not itself introduce unwanted code into the environment. The purpose of a vulnerability scan is to identify known vulnerabilities so they can be remediated, typically by applying vendor-supplied patches or correcting the configuration. Two practical points: a credentialed (authenticated) scan finds far more missing patches than an unauthenticated one, and scanner output contains false positives, so findings should be validated before remediation effort is spent on them. Vulnerability scans are the foundation of an organization's vulnerability management program. They are typically run at least quarterly; the IT department remediates the findings, and the next scan both confirms the fixes and produces the new list of vulnerabilities that needs to be addressed.
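The scan-remediate-rescan cycle described above is easier to manage if each scan's findings are compared with the previous scan's rather than read as a fresh list each quarter. The following Python script is an added example, not part of the original article and not any scanner's own tooling: it diffs two scan cycles into fixed, new and persistent findings, records when each open finding was first reported, and flags those that have exceeded a remediation window. The findings, the record layout (host, port, plugin ID, severity, name) and the per-severity SLA windows are all constructed assumptions for illustration, not any vendor's export format or an industry standard.

```python
"""Track vulnerability-scan findings across scan cycles (added example).

The scan records, the Finding layout and the SLA windows below are constructed
for illustration; they are not a vendor export format or a standard.
"""
from dataclasses import dataclass
from datetime import date

# Severity scale as most scanners report it (4 = critical ... 0 = informational).
SEVERITY_NAMES = {4: "Critical", 3: "High", 2: "Medium", 1: "Low", 0: "Info"}

# Assumed remediation windows in days per severity: a policy choice for this
# example, not a standard. Informational findings have no deadline.
SLA_DAYS = {4: 15, 3: 30, 2: 90, 1: 180}


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    plugin_id: int
    severity: int
    name: str

    def key(self):
        # Two scans report "the same" finding when the same plugin fires
        # against the same host and port.
        return (self.host, self.port, self.plugin_id)


def diff_scans(previous, current):
    """Split the current scan into fixed, new and persistent findings."""
    prev = {f.key(): f for f in previous}
    cur = {f.key(): f for f in current}
    return {
        "fixed": sorted((prev[k] for k in prev.keys() - cur.keys()), key=Finding.key),
        "new": sorted((cur[k] for k in cur.keys() - prev.keys()), key=Finding.key),
        "persistent": sorted((cur[k] for k in prev.keys() & cur.keys()), key=Finding.key),
    }


def update_first_seen(first_seen, current, scan_date):
    """Keep the first-reported date of every still-open finding; drop fixed ones."""
    cur_keys = {f.key() for f in current}
    updated = {k: d for k, d in first_seen.items() if k in cur_keys}
    for k in cur_keys:
        updated.setdefault(k, scan_date)
    return updated


def overdue(current, first_seen, today):
    """Return open findings whose age exceeds the window for their severity."""
    late = []
    for f in current:
        window = SLA_DAYS.get(f.severity)
        if window is not None and (today - first_seen[f.key()]).days > window:
            late.append(f)
    return late


def severity_counts(findings):
    counts = {name: 0 for name in SEVERITY_NAMES.values()}
    for f in findings:
        counts[SEVERITY_NAMES[f.severity]] += 1
    return counts


# Constructed sample scans: a Q1 baseline and the Q2 rescan 91 days later.
Q1_DATE = date(2024, 1, 15)
Q2_DATE = date(2024, 4, 15)
Q1 = [
    Finding("10.0.0.5", 445, 1001, 4, "Missing OS security update"),
    Finding("10.0.0.5", 443, 1002, 2, "TLS 1.0 enabled"),
    Finding("10.0.0.7", 80, 1003, 3, "Outdated web server version"),
    Finding("10.0.0.9", 22, 1004, 1, "SSH weak MAC algorithms"),
]
Q2 = [
    Finding("10.0.0.5", 443, 1002, 2, "TLS 1.0 enabled"),          # still open
    Finding("10.0.0.7", 80, 1003, 3, "Outdated web server version"),  # still open
    Finding("10.0.0.7", 443, 1002, 2, "TLS 1.0 enabled"),          # newly reported
]


def run_example():
    """Process the two sample scans; returns (diff, overdue findings)."""
    first_seen = update_first_seen({}, Q1, Q1_DATE)
    first_seen = update_first_seen(first_seen, Q2, Q2_DATE)
    return diff_scans(Q1, Q2), overdue(Q2, first_seen, Q2_DATE)


if __name__ == "__main__":
    delta, late = run_example()
    for label, items in delta.items():
        print(f"{label}: {len(items)}")
        for f in items:
            print(f"  {SEVERITY_NAMES[f.severity]:8} {f.host}:{f.port}  {f.name}")
    print("overdue against SLA:")
    for f in late:
        print(f"  {SEVERITY_NAMES[f.severity]:8} {f.host}:{f.port}  {f.name}")
    print("open by severity:", severity_counts(Q2))
```

In the sample data the critical and low findings were fixed between scans, the medium and high findings on 10.0.0.5 and 10.0.0.7 persisted past their 90- and 30-day windows and are reported as overdue, and the new TLS finding on 10.0.0.7:443 starts its clock at the Q2 scan date. Keying on host, port and plugin ID is deliberate: keying on the finding name alone would merge distinct exposures of the same weakness on different services.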
A penetration test takes the vulnerability assessment a step further. One of the initial phases of a penetration test is a vulnerability scan to learn the IP addresses, device types, operating systems and vulnerabilities present on the systems, but unlike a vulnerability assessment, the penetration tester does not stop there. The next phase is exploitation: taking advantage of the identified vulnerabilities to escalate privileges, gain control of the network, or reach sensitive data, within the scope and rules of engagement agreed with the client. The exploitation phase also uses automated tools that the tester configures to run exploits against the systems; however, one key differentiator between penetration testers is their ability to perform manual exploitation as well. During a recent penetration test, A-LIGN's tester recognized characteristics in a web site's source code that indicated it was vulnerable to a particular exploit. Although the vulnerability scanner did not identify the vulnerability, we attempted the manual exploit, which succeeded and allowed our client to remediate the issue in their system.
Penetration tests are categorized as white box or black box tests. (They are sometimes called "white hat" and "black hat" tests, but those terms properly describe the intentions of the person doing the hacking, not the test method.) A white box test is performed with the full knowledge and cooperation of the target company's IT department, which shares information with the tester such as network diagrams, IP addresses and system configurations; it tests the security of the underlying technology. A black box test more closely represents an attacker attempting to gain unauthorized access to a system: the tester is not provided detailed information about the target environment, and often the IT department is not told that a test is being performed. The black box method therefore evaluates both the underlying technology and the people and processes in place to detect and block a real-world attack.
Penetration tests should be performed by a skilled penetration tester who has experience not only with commercial and free tools but also with manual exploitation of systems. The penetration test is only as good as the knowledge of the tester. When selecting a firm to perform penetration testing services, we recommend that you understand the tester's approach, ask for the list of tools used during the test, and ask about the manual techniques the tester employs.
Both the vulnerability assessment and the penetration test should be performed against internal and external servers and network devices. Testing the external interfaces simulates an attacker attempting to gain access from the Internet through publicly exposed interfaces. The internal test simulates a rogue employee, or an unauthorized user who has gained a foothold on the internal network, attempting to escalate privileges to reach internal systems or data.
Although each project has different goals, both should be performed by a skilled information security professional to improve the overall security of the information system. The vulnerability assessment should be performed regularly to identify and remediate known vulnerabilities on an ongoing basis. The penetration test should be performed at least annually, and after significant changes to the information systems environment, to identify exploitable vulnerabilities that could give an attacker unauthorized access to the system.