Vulnerability Assessment or Penetration Test, which do I need (and why)?

When I meet people and tell them what we do (I usually lead with ‘Offensive Security’, which seems to be a real conversation starter), the conversation almost always ends up going something like “What is a vulnerability assessment, what is a penetration test, do I need one and, if so, which one do I need?”, so it seemed like a good topic to cover here.  In the interest of time, I’ll try to stay at a pretty high level but, if you have any questions or would like additional information, don’t hesitate to contact us.

Vulnerability Assessment :

A simple way to think of a vulnerability assessment is that it’s a checkup to see where an organization may be vulnerable to attack.  That could be an external attack (a web server, mail server, vulnerable firewall, etc.), an internal attack (a disgruntled employee stealing sensitive information, or an employee letting his or her children use the company laptop for Minecraft or Elf Bowling) or a social engineering attack (phishing emails, vishing calls, etc.), and it can be against a vulnerability you knew you had (that web server running out-of-date software) or one you didn’t know you had (that Windows XP machine back in the lab that everyone forgot about, or the newly released 0-day in your Cisco gear).  The purpose of a vulnerability assessment is to identify potential vulnerabilities in the organization and document them for the client.  The client can then use that information to confirm and mitigate the vulnerabilities identified, ideally before an attacker is able to find and exploit them.  Note the word “potential”: an assessment (usually built on automated scanning plus manual review) reports what appears to be vulnerable, it does not prove that anything is exploitable, so expect some findings to be false positives that need confirming.  Wikipedia defines a vulnerability assessment as the process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system.

Penetration Test :

A simple way to think of a penetration test is that it’s a simulated attack to test the security posture of an organization.  It’s scoped (clearly defined rules of engagement covering what the tester can and cannot do, on which days and at what times each portion of the test can be conducted, which systems are in and out of bounds, etc.), so it’s not an apples-to-apples comparison to a real attack, but it’s intended to be close.  (Sometimes a client will intentionally exclude everything they know to be vulnerable from the scope in order to “pass” the test; the results are then heavily skewed and of very little value, because a real attacker honours no such exclusions.)  It’s important to note that a vulnerability assessment is part of a properly conducted penetration test.  The assessment identifies what vulnerabilities may be available to exploit and what paths may be available to gain or elevate access to the target; the penetration test then goes further (depending on scope) and attempts to exploit those vulnerabilities in order to gain access, exfiltrate (steal) data, disrupt access, etc.  To what end, and how far, are detailed in the scope.  Sometimes the goal is simply to verify and validate the findings from a vulnerability assessment, and sometimes it’s to test the blue team / defenders / current IT support: will they notice the attack and, if so, can they defend against it?  Wikipedia defines a penetration test as an attack on a computer system that looks for security weaknesses, potentially gaining access to the computer’s features and data.

Do I need one, which one and why ?

Do you need one?  Since this is how I pay the bills, I’m going to default to yes, but there are a couple of other reasons worth considering.  Is your company or organization in an industry vertical with regulatory requirements to test regularly (PCI DSS, for example)?  Does your company hold sensitive information that it’s responsible for safeguarding (trade secrets, etc.)?  Does your company have privileged access to someone else’s sensitive information (access that an attacker could leverage to get the same)?  If the answer to any of these is yes (you’re required by regulation, you hold sensitive information, or you have access to someone else’s sensitive information), regular testing would likely be a good idea.  Now, which do you need?  If you have never had an assessment (or penetration test) done, or if you had an assessment done that turned up findings you never addressed, a vulnerability assessment is likely your best plan, because it’s more likely than not that a penetration test would simply succeed, at greater cost, through vulnerabilities the assessment would have found anyway.  Take the results of the vulnerability assessment, understand what was found, why, and what the remediation should be, develop a plan to address the findings and act on that plan.  If you have already had a vulnerability assessment and addressed the vulnerabilities found, a penetration test is the next step.

Misc / Errata