by Dave Moorman
In the IT security world, service firms toss around terms such as Vulnerability Assessment and Penetration Testing as if everyone knows what they mean. This may leave you wondering, “What do these two processes do, and are they both important, or do they cover the same ground twice?”
Vulnerability Assessment (also called Vulnerability Analysis) is the process of identifying weak points on a network where a cyber-attacker could potentially gain access or otherwise do harm. Vulnerabilities can be anything from open ports (the “doors” that let data flow between devices on a network and the Internet) to rogue access points (unsecured, unauthorized connection points into the network). During a Vulnerability Assessment, specialized software scans and analyzes network traffic, connected devices and other elements of the network to identify flaws that leave it exposed to attack.
Penetration Testing, on the other hand, focuses on gaining unauthorized access to the system and its resources by simulating an actual attack on the network and/or its devices. Although Penetration Testing can reveal vulnerabilities, its goal is to determine what an attacker could do once they had found the system’s flaws. Furthermore, Penetration Testing is often used as a way of validating whether implemented security improvements are working or whether holes can still be exploited.
The two processes work together in much the same way that a home security expert might examine your house for windows that are easy to open (Vulnerability Assessment) and then determine how difficult it would be to bypass your alarm system, open the windows and get inside to steal your jewelry (Penetration Testing).
In other words, Vulnerability Assessments tell you what within the network needs securing; Penetration Tests confirm whether or not the network is actually secure. Both processes can play a role repeatedly throughout the lifecycle of an IT framework as new devices are added, network configurations change and other adjustments are made.
Most importantly, these two processes are part of an enduring IT security management effort designed to secure your system, its resources and its assets against intrusion, theft and exploitation. With companies from global conglomerate Sony to the smallest Mom and Pop shops falling victim to cyber-attacks, IT security is something no business owner should overlook. To learn more about security management and the role these two processes play, give us a call.