There is a common misconception that vulnerability assessments and penetration tests are the same thing, or at least achieve the same result. In fairness, it is an easy mistake to make, because both test how well your systems resist unwanted intrusion. The similarity ends there, though: both methods matter, but they answer different questions. Let’s start by defining the difference between them and then look at what that means in practice.
What is a vulnerability assessment?
Pretty much what the name suggests. A vulnerability assessment is a broad exercise that examines your systems and identifies where they are exposed to known weaknesses: missing patches, insecure configurations, outdated software and the like. It is typically driven by automated scanning, so the raw results need validating, because scanners report false positives and cannot judge how much a given weakness matters to your business. The output is usually a recommendation report that lists each vulnerability, ranks it by risk and states the remedial action needed to fix it. Vulnerability assessments are often the important first step towards a more secure system. In short, they seek out your weaknesses and tell you how to get rid of them.
A vulnerability assessment is usually the starting point for a business that is aware enough to realise it may be running a risk (or has already had an incident) and wants to secure its IT systems.
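The prioritised report described above is where an assessment earns its value, and the ranking is rarely just the scanner’s own severity rating. As an added example, not part of the original article and not the output of any real scanner, the Python below takes a handful of constructed findings and ranks them into remediation tiers using an assumed scoring policy that folds in internet exposure, public exploit availability and asset criticality. The field names, the multipliers, the tier thresholds and the SLA labels are all assumptions chosen for illustration; a real programme would take these from its own risk policy and asset inventory.

```python
"""Rank constructed vulnerability-scan findings into a prioritised remediation list.

Added example for illustration only: the field names, the scoring policy and
the sample findings are assumptions, not the output of any real scanner.
"""
from dataclasses import dataclass
from collections import Counter


@dataclass(frozen=True)
class Finding:
    host: str
    title: str
    cvss: float             # CVSS base score (0.0-10.0) as the scanner reports it
    internet_exposed: bool  # reachable from untrusted networks
    exploit_public: bool    # working exploit code is publicly available
    asset_criticality: int  # 1 (low) to 3 (business-critical), from the asset inventory


# Constructed sample findings (not real scan output).
SAMPLE_FINDINGS = [
    Finding("web-01", "Outdated TLS library", 7.5, True, True, 3),
    Finding("hr-db-01", "Default database credentials", 9.8, False, True, 3),
    Finding("printer-07", "SNMP 'public' community string", 5.3, False, False, 1),
    Finding("web-01", "Verbose server banner", 2.1, True, False, 3),
    Finding("build-02", "Unpatched CI agent remote code execution", 8.8, False, False, 2),
]

# Assumed remediation tiers: (minimum score, label). Checked top-down.
TIERS = [
    (9.0, "P1 (fix within 7 days)"),
    (7.0, "P2 (fix within 30 days)"),
    (4.0, "P3 (fix within 90 days)"),
    (0.0, "P4 (fix in normal maintenance)"),
]


def risk_score(f: Finding) -> float:
    """Combine the scanner's CVSS score with context the scanner cannot know.

    Assumed policy: internet exposure and a public exploit each raise the
    score, asset criticality scales it, and the result is capped at 10.0 so
    it stays comparable with the CVSS range.
    """
    score = f.cvss
    if f.internet_exposed:
        score *= 1.25
    if f.exploit_public:
        score *= 1.2
    score *= {1: 0.8, 2: 1.0, 3: 1.15}[f.asset_criticality]
    return round(min(score, 10.0), 1)


def tier_for(score: float) -> str:
    """Map a contextual risk score onto an assumed remediation tier."""
    for minimum, label in TIERS:
        if score >= minimum:
            return label
    return TIERS[-1][1]


def prioritise(findings):
    """Return findings as dicts, highest risk first.

    Ties on the contextual score fall back to raw CVSS, then hostname, so
    the order is stable and reproducible between runs.
    """
    rows = []
    for f in findings:
        score = risk_score(f)
        rows.append({
            "host": f.host, "title": f.title, "cvss": f.cvss,
            "score": score, "tier": tier_for(score),
        })
    rows.sort(key=lambda r: (-r["score"], -r["cvss"], r["host"]))
    return rows


def summarise(rows):
    """Count findings per tier, in tier order, for the report's summary table."""
    counts = Counter(r["tier"] for r in rows)
    return {label: counts.get(label, 0) for _, label in TIERS}


if __name__ == "__main__":
    ranked = prioritise(SAMPLE_FINDINGS)
    for r in ranked:
        print(f'{r["tier"]:<34} {r["score"]:>4}  {r["host"]:<11} {r["title"]}')
    print(summarise(ranked))
```

Note how the ranking differs from the raw scanner view: the internet-facing TLS finding on web-01 lands in the top tier alongside the 9.8-rated database credentials because exposure and a public exploit are weighed in, while the SNMP finding on a low-value printer drops down despite a medium CVSS score. That contextual judgement, applied consistently across every host, is what turns a scan dump into the remediation plan the report is meant to deliver.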
What is a penetration test?
A penetration test takes a far more specific approach than a vulnerability assessment. It is about attacking an agreed target and ethically hacking the system under test, within a defined scope and rules of engagement so that only the agreed systems are touched. To give a couple of examples, a penetration test might target the human resources records of a business to try to access and modify sensitive data, or look for ways into a customer database to extract data that would be valuable to a competitor. As with a vulnerability assessment, the purpose is to highlight weaknesses, but this time in a very specific area, and by demonstrating that they can actually be exploited rather than merely reporting that they exist.
A penetration test is more appropriate for a business that needs an ethical hacker to simulate the actions of criminals who want to reach specific, highly valuable data.
A nice analogy for the two approaches: imagine you threw a handful of gravel at a building to find out which windows could be smashed easily. That is a vulnerability assessment. If you then came back after those windows had been fitted with shutters and looked for a way to break one specific window, that is a penetration test.
The two exercises work the same way as the window example, but with your data and systems in place of the glass.
One common misapprehension is that the penetration test is the superior exercise and therefore somehow contains the vulnerability assessment. This is not the case. A penetration test is too focused: it will only expose vulnerabilities in the area it targets, so it is no substitute for the broad sweep of an assessment.
To summarise then…
A vulnerability assessment finds as many flaws as possible across your systems and IT infrastructure so that a plan can be made to remove them. A penetration test probes a specific area of a system that has already been ‘secured’ and tries to break in, confirming or disproving that security.
Hopefully, that has explained the difference between a vulnerability assessment and a penetration test. Whatever else you weigh up, for reasons of both compliance and security you do need to be sure that your systems are safe.
Wherever you are on the journey to a fully secure system, we can help. Call us if you have questions or are concerned about your security, and we will be happy to advise on the best option.