Vulnerability Assessments vs. Penetration Testing: What's the Difference?

by Brad Garland


If you don't know much about the world of cybersecurity, some of the terms professionals use may seem a bit opaque. Many people don't know what vulnerability assessments or penetration tests are, and they may conflate them. A vulnerability assessment is a scan of your network that detects security vulnerabilities, while a penetration test attempts to use these vulnerabilities to discover how they operate in the real world.

Vulnerability Assessments

A vulnerability assessment is a scan of your network's security that attempts to look for potential points of entry by hackers, malware, and other malicious elements. For businesses that work with sensitive data, such as financial institutions, most experts recommend performing a vulnerability assessment once a quarter, if not once a month.

While different companies take different tacks, most vulnerability assessments will contain both automated and manual components. For the automated part, experts will run some basic programs that attempt to find common security problems. The manual component of the test involves more creativity: a security expert will examine various aspects of a network's security for vulnerabilities, and may also examine existing code or security routines to try to dream up ways a hacker could get around them.

It's important to remember that during a vulnerability assessment, no one ever actually breaches your network or compromises its security in any way, and all sensitive data remains secure. A vulnerability assessment is more like a "what-if" exercise that attempts to determine what methods a hacker would most likely use if they were to attempt an attack.

You can use the information gleaned from a vulnerability assessment to figure out how to shore up your business' cyber security, including installing patches or new software to get rid of common exploits. But because no actual security breach takes place during a vulnerability assessment, it can be difficult for experts to determine the real danger posed to your business' confidential data. That task requires a real-world exercise called penetration testing.

Penetration Testing

Sometimes businesses, especially if they don't have resources to spare, may choose to do a vulnerability assessment without a penetration test. Or, if the vulnerabilities found are glaring and require urgent action, the business may act immediately, with the help of the security firm, to shore up the security of its network. From there, it may perform a second round of vulnerability assessment or penetration testing. However, under normal circumstances, it's advisable to move on to penetration testing soon after doing a vulnerability assessment.

During a penetration test, a cyber security expert attempts to exploit the vulnerabilities they discovered earlier. The result is a real-world simulation of a hacking attack, which allows experts to see if a system's apparent vulnerabilities really are as dangerous as they appear, or if there are exploits the vulnerability assessment did not detect for some reason.

There are two common types of penetration testing: "white box" and "black box" tests. During a white box test, the information gathered during the vulnerability assessment is shared with the cyber security expert, who then tries to use this information to breach the system. During a black box test, the expert receives little to no information about the system they're testing and goes in blind. If a vulnerability assessment isn't conducted before the penetration test, the test is by default a black box test. While black box tests may seem more realistic than white box ones, a clever hacker can use social engineering or other techniques to learn more about the networks they're trying to crack into.


Penetration testing is why some security consultancies remind their clients that "hacking" is a morally gray thing. Obviously, many hackers are exploiting vulnerabilities for sinister financial or personal gain. But so-called "white-hat hackers" are penetration testing experts who use their knowledge to discover and figure out how to patch the vulnerabilities that "black-hat hackers" exploit for malicious ends.

It's important to note that during penetration testing, the network is no more vulnerable than it is normally. All normal security precautions are in place, and none are removed (unless they're somehow disabled by the white-hat hacker during the simulated attack, in which case they'll put them back into place again immediately afterward).

You will get a full assessment of the results of the tester's attacks once they're complete, along with an explanation of how serious they found the security vulnerabilities to be in the real world. Armed with that information, you'll be able to make intelligent decisions about your network's security, what vulnerabilities to prioritize fixing and how to go about it.

Many companies' networks have serious security risks. Hackers know how to exploit common vulnerabilities in systems, allowing them access to sensitive financial or other information. The risk to your business and its customers is very real, but by working with a team of cyber security experts like Garland Heart, you can take important steps to protect your data from malicious hackers.

If you're getting started with cyber security and don't know where your organization stands, our free quiz can help. When you take it, we'll give you important feedback about your data's safety. From there, you can make decisions about vulnerability assessments, penetration testing and other vital steps you can take to protect your business, its clients and their data.