The Weidenhammer Blog

Vulnerability Assessment vs. Penetration Testing – “Yea, that’s what I want!”

Posted on: June 28th, 2016 | Category: Business Consulting, Network Security, Technology

As I continue to engage prospective clients regarding their security needs, there seems to be clear confusion in the industry regarding the difference between Vulnerability Assessments and Penetration Testing.


Vulnerability Assessment

Surprisingly, whether you are required to conduct security assessments due to regulatory requirements or if you are simply taking steps to establish or verify your current security controls, a Vulnerability Assessment is the answer.

By design, Vulnerability Assessments are a non-intrusive way to identify and quantify the security vulnerabilities that exist in your environment. The assessment is an evaluation of your information security posture which should identify weaknesses and provide appropriate mitigation steps to either eliminate them or reduce them to an acceptable level of risk. In most cases, a Vulnerability Assessment will follow these four steps:

  • Catalog Assets and Resources
  • Identify Critical Resources, Processes, and Policies
  • Highlight Security Vulnerabilities as they relate to the identified resources, processes, and policies.
  • Provide Actionable Steps to Mitigate and/or Eliminate the most serious vulnerabilities identified.
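The third and fourth steps above only work if scanner findings are tied back to the asset catalog from steps one and two: the same finding on a customer database and on a print server does not carry the same risk. The script below is an added illustration of that relationship and is not Weidenhammer's tooling or methodology; the asset names, criticality scale (1 to 5), CVSS-style scores and remediation text are all constructed sample data, and the simple score-times-criticality weighting is an assumed scheme chosen only to make the point visible.

```python
"""Added example: relate vulnerability findings to catalogued assets and
rank them for remediation. All data below is constructed; the weighting
(CVSS base score * asset criticality) is an assumption, not a standard."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int  # 1 (low) .. 5 (critical), set in the "identify critical resources" step
    role: str


@dataclass(frozen=True)
class Finding:
    asset: str
    title: str
    cvss: float  # 0.0 .. 10.0 base score as reported by a scanner
    remediation: str


# Step 1/2: the asset catalog with business criticality (constructed sample).
ASSETS = {
    "db-prod-01": Asset("db-prod-01", 5, "customer database"),
    "web-prod-01": Asset("web-prod-01", 4, "public web front end"),
    "print-srv-02": Asset("print-srv-02", 1, "office print server"),
}

# Step 3 input: scanner findings (constructed sample, hypothetical hosts).
FINDINGS = [
    Finding("db-prod-01", "Unsupported database version", 9.8,
            "Upgrade to a supported release; restrict DB port to the app tier"),
    Finding("web-prod-01", "Legacy TLS protocol versions enabled", 5.3,
            "Disable TLS 1.0/1.1 in the web server configuration"),
    Finding("print-srv-02", "Vendor default admin credentials", 8.8,
            "Change the credentials; move the device to a management VLAN"),
    Finding("kiosk-07", "Missing operating system patches", 7.5,
            "Add host to inventory, then patch"),  # not in the catalog
]


def uncatalogued(findings, assets):
    """Hosts the scanner saw that the asset catalog does not know about.
    These are a finding in their own right: step 1 was incomplete."""
    seen = []
    for f in findings:
        if f.asset not in assets and f.asset not in seen:
            seen.append(f.asset)
    return seen


def risk_score(finding, assets):
    """Assumed weighting: scanner severity scaled by how much the asset matters."""
    return round(finding.cvss * assets[finding.asset].criticality, 1)


def prioritize(findings, assets):
    """Step 3: rank findings that map to known assets, highest risk first.
    Ties are broken by raw CVSS so equal-risk items still order deterministically."""
    known = [f for f in findings if f.asset in assets]
    return sorted(known, key=lambda f: (risk_score(f, assets), f.cvss), reverse=True)


def remediation_plan(findings, assets, top=3):
    """Step 4: the actionable list handed to the client, as (asset, title, score, fix)."""
    return [(f.asset, f.title, risk_score(f, assets), f.remediation)
            for f in prioritize(findings, assets)[:top]]


if __name__ == "__main__":
    for host in uncatalogued(FINDINGS, ASSETS):
        print(f"UNCATALOGUED HOST: {host} (add to inventory before scoring)")
    for asset, title, score, fix in remediation_plan(FINDINGS, ASSETS):
        print(f"{score:5.1f}  {asset:<13} {title}\n       -> {fix}")
```

Run as a script it lists the uncatalogued kiosk first, then the ranked plan. Note the outcome: the print server's default credentials score higher on CVSS than the web server's legacy TLS, yet rank below it once criticality is applied, which is exactly why step 3 says "as they relate to the identified resources".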


“Although Vulnerability Assessments and Penetration Testing are combined to provide clients with a broader picture of their security posture, they differ drastically.”


Penetration Test

In contrast to a Vulnerability Assessment, a Penetration Test is meant to exploit known and unknown vulnerabilities on a client’s network. Depending on type and scope, Penetration Tests range from non-intrusive to very intrusive – very intrusive tests must be run during off-hours to limit performance issues and/or outages. Engineers and security experts are essentially paid to “hack” a client’s systems. Many vendors price and position this service differently – speaking for Weidenhammer, our Team first determines the environment in which the test is to occur; we carefully discuss and review the rationale for the test to ensure we execute the right test for each situation; and finally we ask the client how far they wish us to take the test. In most cases, demonstrating that we were able to gain access is enough; in others, clients ask our Team to go as far as they can – penetrate the network and exploit servers and other hardware/software in an effort to gauge how far the “rabbit hole” goes.

So what is right for you?

Well, it depends on your current security posture and your confidence in your security program. Regulatory and compliance requirements should also factor into the decision. In most cases, however, a Vulnerability Assessment is the ideal first step. It helps organizations identify potential threats and provides a roadmap for closing those gaps within their infrastructure.

Always consult Certified Information Security Professionals when planning an assessment or penetration test. These providers can help you make the right choice for your individual needs.

Weidenhammer offers both Vulnerability Assessments and Penetration Testing – for more information on our Security Practice, please contact: Anthony Cartolaro, Senior Consultant, Weidenhammer Consulting Group.

Thought Leader – Knowledge Leader – Trusted Advisor – Weidenhammer is the Difference

Anthony Cartolaro

Anthony Cartolaro is a Senior Consultant with the Weidenhammer Consulting Group, a division of Weidenhammer Systems Corporation. He has over 20 years of Information Technology experience as a Project Manager and IT Consultant, not only in the business segment but also specializing in the education market. He possesses extensive knowledge of project management, software testing, and systems integration and implementation. His expertise includes educational technology for the classroom, including software and hardware, project planning and control, federal and state grant and technology budgeting, educational IT directorship duties, technology planning, mobile device management, 1:1 and BYOD programs, and professional development. Anthony is a member of the International Society for Technology Education, the Greater Philadelphia Senior Executives Group, and other national and international organizations that promote technology in education and effective IT Governance. He also serves as a member of the Craft Advisory Board for the Bucks County Technical High School and as a trusted advisor to many other Philadelphia region schools and non-profits. Anthony also has extensive knowledge of the E-rate program. His experience with the E-rate program began at the program’s inception and has included strategic technology planning and program assistance to schools and libraries, as well as delivering E-rate-eligible equipment and services to E-rate recipients.