Let’s first separate the differences between a pen test/penetration test and a vulnerability assessment.
A pen test is exactly that – testing to see if the systems can be penetrated by an attacker. Remaining within the agreed scope, a pen test is done with a hacker’s mind set. Different tools and methods may be used, different services may be attacked and combination attacks may be leveraged in order to penetrate the target systems.
A vulnerability assessment on the other hand involves testing a systems or services for known vulnerabilities alone. It is often achieved partially or wholly through an automated software scan using a tool such as Nessus. A vulnerability scan will typically check for enabled software features or specific running versions of software that are known to be vulnerable. Vulnerability assessments can also be used as part of a larger pen test.
So a pen test is better right? Not necessarily – it depends on the aims of the test and the business requirements. Vulnerability assessments are often used as a pre-cursor to a pen test, but also where specific risks need to be assessed. They won’t however provide an accurate picture of security posture vs an external hacker. Hackers often won’t just run vulnerability assessment tools against a target but will attempt to leverage coding, policy and all manner of trust weaknesses in order to gain access to a target.
Here are two examples:
1. An office contains a heavily firewalled accounting machine running outdated and vulnerable Windows XP. As the machine is mostly isolated from the outside world and allows no inbound traffic, an external pen test would not necessarily bring up issue with this machine, in the same way that an external hacker would find it hard to gain access to said machine. An internal vulnerability assessment however may detect critical vulnerabilities that can be compromised. What is the risk to the business however if real external hackers could never compromise such vulnerabilities, and what are the upgrade costs? The company may well validly choose not to upgrade this critically vulnerable machine.
2. An office runs a fully patched and public server running up to date software containing no publicly known vulnerabilities. A vulnerability assessment confirms this. The server however runs a public web control panel with a weak administrative password that could be easily brute forced allowing an attacker to gain access. A pen test may involve attempting to brute force the web application at which point the tester will locate the weak credentials and gain access. This would be a critical weakness as an attacker could easily gain access to the web application’s administrative account with minimal effort, however the vulnerability assessment may not have located this. The risk to the business in this case is very high and the cost to resolve should be very low.
The purpose of pen testing is to identify risks to the business. Once those risks are identified, decisions can be made under the “cost vs benefit” premise. Pen testing doesn’t “secure” a company and no test will “guarantee” that a company will be secure. Hackers have varying amounts of time, dedication, funds and resources. A small bank may hire two armed security guards to protect the entrance and make use of bullet proof glass however if ten heavily armed criminals with explosives arrive, their security measures will likely fail. It is for the business to assess how much of a target they feel they are, and then justify appropriate security processes and expenditure.
In summary, pen testing and vulnerability assessments are not the same, however a vulnerability assessment is often a subset of a pen test.