When you take the time to test your IT security, you want to know you're getting the results you've paid for. And there are a lot of things you'll pay for — but at least you won't be alone: 37 percent of enterprise security managers expect to increase budget in the next 90 days, and Gartner tells us the world will spend $101 billion on information security in 2018.
If you're interested in preserving your business's integrity and image, helping your bottom line and keeping your services running, then penetration tests and vulnerability assessments will no doubt be among your expenditures.
But if you've ever hired a team for a vulnerability assessment in the past, you know it can be difficult to get verified, actionable results. Is a penetration test the right solution, instead?
Penetration Tests vs. Vulnerability Assessments: Exploring the Distinction
As you work toward helping your business achieve and maintain compliance and efficiency, you necessarily work under the premise that you want security. To attain it, you'll first need to understand your compliance requirements, and then you'll want to perform a vulnerability assessment, according to Jennifer Allen, Twinstate's Red Team manager.
Why does that come first? According to Allen, a VA gives you insight. The right provider can give you validated results and a detailed, prioritized remediation plan. But if you want a stronger program, Allen recommends penetration testing, too; in fact, she notes the importance of working toward a popular goal: an annual PT plus quarterly VAs.
So, why isn't it either/or?
Although there is still confusion about which solution is best, Allen says comparing the two is an apples-to-oranges situation. You really need both.
A vulnerability assessment is a scan that looks at vulnerabilities of individual endpoints, yet remains ignorant of overarching architecture. It looks for critical threats, but not at the impact of one device on other devices, and, importantly, not at the person sitting behind the computer.
A pentest, on the other hand, views the network as an organic, living thing. It takes a more holistic approach, considering all elements that might affect your security, including those that have nothing to do with what's typically referred to as "your network" — like the locks on your front door. Penetration tests, unlike vulnerability assessments, assess threats that can't be scanned.
Allen says, "With a penetration test, you start to see what the attacker would see. How will I achieve my malicious goals of stealing intellectual property? Bringing down the network? Stopping that certain business process from happening for just a day? Or maybe the attacker just wants a secret recipe and they are attempting corporate espionage. Whatever the attacker's goals, a penetration test helps simulate them."
When it comes to getting real, actionable results, you can expect them from both vulnerability assessments and penetration tests. But they'll be different, of course, and therefore, the two types of assessments will have varying costs, with penetration tests costing significantly more due to their comprehensive nature.
Let's compare the results of these two services.
Running a vulnerability assessment can tell you that you need a patch on certain machines. If you follow your remediation plan, by running the patches and fixing the holes the scan identified, you can then move on to a penetration test. Remember that person sitting behind the computer? The vulnerability assessment doesn't. It may leave you feeling that Machine A's vulnerabilities represent a low-priority threat. A penetration test, though, will look at the suggestibility of the employee running Machine A, and could tell you something very different.
But again, you should expect results from both. While a vulnerability assessment gives you a checklist, a penetration test "results" list will be quite a bit more complicated. What shouldn't a PT return? A simple checklist. That's the job of the vulnerability assessment.
As Allen puts it, "A vulnerability assessment creates a roadmap. It's like telling you to exercise twice a week and eat vegetables." A penetration test happens after you've followed that roadmap, and still want to know more about the specifics of your business's health. "It's the blood work. It's understanding all the components of an interconnected system and adding the components you can't measure with a VA — because a VA is a different view," she says.
Penetration Tests vs. Vulnerability Assessments: Choose Wisely
If your goals include protecting the integrity of your data, your business's image and your bottom line, you truly need both types of assessments; neither solution is better than the other. If you've never done a vulnerability assessment (or have, but didn't get actionable results that helped you put fixes in place), you're not ready for a penetration test, warns Allen. Start with the specifics and then go big. But your choice of provider will give you varying degrees of quality for both.
A good provider will tell you when you're ready — and won't leave you with VA-level results when you really want PT-level results. Sure, you'd like to know if your own computer needs a patch, but if that's the extent of the info you get from your penetration test provider, then the test wasn't comprehensive enough.
You'd also like to know if your front desk agent can be manipulated into giving out personal information over the phone. A well-crafted penetration test could tell you that.
Originally published on 04/19/2016