When it comes to testing the strength of a company’s digital defenses against Cyberattacks, two different approaches are typically used: Vulnerability Assessment and Penetration Testing. How does each type of test work, and what are their benefits and drawbacks? This article will get to the heart of that question.
Vulnerability Assessments: An “EKG of Digital Health”
If a company’s IT and Network Infrastructures represented a human body, the Vulnerability Assessment would be like an EKG used to diagnose risk exposure. This test is passive in the sense that it detects only those weaknesses that are highly visible and could be easily exploited by a Cyberattacker. A Vulnerability Assessment may run for as little as a few minutes or as long as several hours. It runs automated scans across the major components that reside in both the IT and Network Infrastructures, including servers, workstations and wireless devices.
This kind of assessment primarily looks for known vulnerabilities, with no human intervention involved. It serves as an indicator of what other vulnerabilities might be lurking in the system. However, the vulnerabilities that have been discovered are not exploited to reveal the root cause, or to discover any other vulnerabilities that may lie underneath.
After the probe is completed, a report is usually generated for the client. The downside is that if the report includes any recommendations, they will not be specific to the client’s business; rather, they will be general in nature, based upon previous threat profiles. It is up to the client to decide how to remediate any issues revealed by the scan.
Penetration Testing: An “Angiogram of Digital Health”
As far as diagnosing the health of a company’s IT and Network Infrastructures, Penetration Testing is like an angiogram for detecting vulnerabilities, weaknesses and gaps. A huge deep dive is performed, with many kinds of tests being conducted. These tests don’t last for just a matter of hours; rather, they go on for extended periods of time. Penetration Testing can be used in both the internal and external environments of a business.
There is little automation involved when conducting a Penetration Test. It is primarily a manual process, which takes the work of many skilled, experienced professionals. These people are also known as “Ethical Hackers” because they approach the test with the mindset of a Cyberattacker and use every tactic in the book to break down your walls of defense. These individuals are not only looking for known vulnerabilities; they are also looking for unknown vulnerabilities, such as covert backdoors that may have been left behind during source code development. In other words, Penetration Testing involves heavy and active scanning.
Typically, at least two, and sometimes three, teams are involved in conducting Penetration Tests. They are:
- The Red Team: These are the Ethical Hackers who are trying to break into your systems as previously described.
- The Blue Team: These are the Ethical Hackers who work internally with your IT Security Team, to see how well they react to and fend off the attacks that are being launched at them by the Red Team.
- The Purple Team: This team provides unbiased feedback to both the Red and Blue Teams regarding their performance during the course of the exercise. This team may or may not be used, depending on the security requirements of the client.
While Penetration Testing is done on digital assets, it can also be used to unearth any gaps or weaknesses within the Physical Infrastructure of a business. For example, a team can be specifically assigned to see how easy it is to replicate an ID badge and use that to fool the security guard at the main point of entry.
Penetration Testing can also be used to ascertain the level of vulnerability the employees have to a Social Engineering Attack. For example, a specialized team might make Robocalls to the Finance and Accounting departments to see if those employees can be tricked into making payments on fake invoices. Or the calls might involve reaching out to the administrative assistants of the C-Suite and luring them into wiring large sums of money to a phony offshore account.
When Penetration Testing and analysis are complete, the client is given an exhaustive report of the findings as well as suggestions of actions that can be taken to remediate any problems found.
VAPT: The best of both worlds
It’s clear that both Vulnerability Assessment and Penetration Testing are useful tools for finding the chinks in a company’s digital armor. In a perfect world, an organization will employ both kinds of testing through Vulnerability Assessment and Penetration Testing (VAPT). By taking this combined approach, a company can start and maintain a proactive stance, which should help mitigate the risk that the company will be impacted by a Cyberattack.
Ravi Das is an Intermediate Technical Writer for a large IT Services Provider based in South Dakota. He also has his own freelance business through Technical Writing Consulting, Inc.
He holds the Certified in Cybersecurity certificate from ISC2.