An often overlooked but very important part of developing any Internet-facing service is testing it for vulnerabilities, knowing whether those vulnerabilities are actually exploitable in your particular environment, and knowing what risk they pose to your business. These three activities are known as a vulnerability assessment, a penetration test and a risk analysis. Knowing the difference is critical when hiring an outside firm to test the security of your infrastructure or of a particular component of your network.
Vulnerability scans, penetration tests and risk analyses are three different ways of understanding the weaknesses in your systems. Let's examine each in depth and see how they complement each other.
Vulnerability scans, also known as vulnerability assessments, are typically automated and give a first look at what could possibly be exploited. A scan is the process of running automated tools against defined IP addresses or IP ranges to identify known vulnerabilities in the environment, typically unpatched or misconfigured systems. The tools used may be commercial products or free open-source tools.
The purpose of a vulnerability scan is to identify known vulnerabilities so they can be fixed, typically by applying vendor-supplied patches. Vulnerability scans are critical to an organisation's vulnerability management program. They are typically run at least quarterly, though many practitioners recommend monthly scans.
It's important to keep in mind that these scanners work from a list of known vulnerabilities, meaning vulnerabilities already known to the security community, to attackers and to the software vendors. Vulnerabilities that are unknown to the public at large will not be found by a scanner. The reverse also holds: because many checks are based on the version a service reports rather than on a real exploit attempt, a scan can flag a system whose vendor has backported the fix without changing the version number, so findings need to be validated before they are treated as confirmed.
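To make the "list of known vulnerabilities" concrete, here is the matching step of a vulnerability scan reduced to its essentials. This is an added example and not code from the original post or from any scanner product; the advisory list, the product names and the host banners are all constructed fixtures and do not refer to real software or real advisories.

```python
"""Minimal version-matching step of a vulnerability scan.

Added example, not from the original post. KNOWN_VULNS and SAMPLE_HOSTS
are constructed fixtures (hypothetical products, no real advisories).
Real scanners work the same way in principle: fingerprint the service,
compare the reported version against a list of known-bad versions, and
emit a finding. Anything not on the list is invisible to the scan.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class KnownVuln:
    product: str
    fixed_in: tuple          # first version that contains the fix
    summary: str


# Constructed, hypothetical advisory list -- not real CVEs.
KNOWN_VULNS = [
    KnownVuln("ExampleHTTPd", (2, 4, 10), "remote code execution via request parser"),
    KnownVuln("ExampleFTP", (1, 3, 0), "anonymous write to arbitrary paths"),
]

# Constructed banners as a scanner might collect them: {ip: {port: banner}}.
SAMPLE_HOSTS = {
    "10.0.0.5": {80: "ExampleHTTPd/2.4.7", 21: "ExampleFTP 1.3.2"},
    "10.0.0.6": {80: "ExampleHTTPd/2.4.12", 22: "CustomDaemon-0.9"},
}

# "<product><sep><dotted version>" where sep is '/', ' ', '_' or '-'.
BANNER_RE = re.compile(r"^(?P<product>[A-Za-z]+)[/ _-](?P<version>\d+(?:\.\d+)*)")


def parse_version(text):
    """'2.4.7' -> (2, 4, 7); tuples compare element-wise, so 2.4.7 < 2.4.10."""
    return tuple(int(part) for part in text.split("."))


def parse_banner(banner):
    """Return (product, version_tuple) or None if the banner is not recognised."""
    match = BANNER_RE.match(banner.strip())
    if not match:
        return None
    return match.group("product"), parse_version(match.group("version"))


def match_known_vulns(banner):
    """All list entries whose product matches and whose fix is newer than the banner."""
    parsed = parse_banner(banner)
    if parsed is None:
        return []
    product, version = parsed
    return [v for v in KNOWN_VULNS if v.product == product and version < v.fixed_in]


def scan(hosts):
    """Run the match over every collected banner and return a list of findings."""
    findings = []
    for ip, services in hosts.items():
        for port, banner in services.items():
            for vuln in match_known_vulns(banner):
                findings.append({
                    "host": ip,
                    "port": port,
                    "banner": banner,
                    "summary": vuln.summary,
                })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_HOSTS):
        print(f"{finding['host']}:{finding['port']} {finding['banner']} - {finding['summary']}")
```

Note what the scan does and does not report: the ExampleHTTPd 2.4.7 instance is flagged because its version is older than the fix, the ExampleFTP 1.3.2 instance is not because it is already at or past the fixed version, and CustomDaemon is never examined at all because nothing in the list describes it. A version match is also only a presumption of exposure; whether the code path is actually reachable is exactly the question the penetration test answers.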
Penetration tests provide a deeper look into the security of an organisation's data and take the vulnerability assessment a step further. A good penetration tester uses the output of a vulnerability assessment as the first step, then probes the open ports and services it identified to see what can actually be exploited.
The main difference is depth: the tester establishes how far a weakness can be pushed and exactly what information could be exposed. The system is actually being penetrated, just as an attacker would do it. Penetration tests can be performed with automated tools, but senior testers will also write their own exploits from scratch when the situation calls for it.
Penetration tests are categorised as white box or black box tests. White box tests are performed with the full knowledge and cooperation of the target company's IT department; information such as network diagrams, IP addresses and system configurations is shared with the tester. The white box approach tests the security of the underlying technology. A black box test more closely resembles an attacker attempting to gain unauthorised access: the IT department is unaware a test is being performed and the tester is not given detailed information about the target environment. The black box method therefore evaluates both the underlying technology and the people and processes in place to identify and block a real-world attack.
Similar to a vulnerability scan, the results are usually ranked by severity and exploitability with remediation steps provided.
A risk analysis is often confused with the previous two terms, but it is a very different tool. A risk analysis doesn’t require any scanning tools or applications – it’s a discipline that analyses a specific vulnerability (such as a line item from a penetration test) and attempts to ascertain the risk – including financial, reputational, business continuity, regulatory and others – to the company if the vulnerability were to be exploited.
Many factors are considered when performing a risk analysis: asset, vulnerability, threat and impact to the company. An example of this would be an analyst trying to find the risk to the company of a server that is vulnerable to Heartbleed.
The analyst would first look at the vulnerable server, where it is on the network infrastructure and the type of data it stores. A vulnerability scan does not make these distinctions. Next, the analyst examines threats that are likely to exploit the vulnerability, such as organized crime or insiders, and builds a profile of capabilities, motivations and objectives. Last, the impact to the company is ascertained – specifically, what bad thing would happen to the firm if an organized crime ring exploited the vulnerability and acquired valuable data?
A risk analysis, when completed, will have a final risk rating with mitigating controls that can further reduce the risk. Business managers can then take the risk statement and mitigating controls and decide whether or not to implement them.
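The Heartbleed walk-through above (asset, threat, impact, then a rating with mitigating controls) can be carried through as a worked calculation. This is an added example and not part of the original post; the 1 to 5 likelihood and impact scales, the score thresholds, the threat profile numbers and the effect assigned to each control are all assumptions chosen for illustration, and an organisation's own risk matrix would differ.

```python
"""Worked risk rating for a single vulnerability line item (Heartbleed).

Added example, not from the original post. The scoring scheme
(likelihood x impact on 1..5 scales, controls subtracting from either
factor) and every number below are assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    classification: str      # "public" | "internal" | "confidential" | "regulated"
    internet_facing: bool


@dataclass(frozen=True)
class Threat:
    actor: str
    capability: int          # 1 (opportunistic) .. 5 (well resourced)
    motivation: int          # 1 (incidental) .. 5 (actively targeting this asset)


@dataclass(frozen=True)
class Control:
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


# Assumed mapping from the data an asset holds to impact if it leaks.
IMPACT_BY_CLASSIFICATION = {"public": 1, "internal": 2, "confidential": 4, "regulated": 5}


def clamp(n):
    return max(1, min(5, n))


def likelihood(asset, threat, exploitable):
    """Likelihood 1..5 from the threat profile, adjusted for exposure and exploitability."""
    base = (threat.capability + threat.motivation + 1) // 2   # integer midpoint, rounds up
    if asset.internet_facing:
        base += 1                                            # reachable by the actor directly
    if not exploitable:
        base -= 2      # e.g. a pentest showed the vulnerable code path is unreachable
    return clamp(base)


def impact(asset):
    return IMPACT_BY_CLASSIFICATION[asset.classification]


def rating(score):
    """Assumed thresholds over the 1..25 score range."""
    if score <= 4:
        return "Low"
    if score <= 9:
        return "Medium"
    if score <= 15:
        return "High"
    return "Critical"


def assess(vulnerability, asset, threat, exploitable, controls=()):
    """Inherent risk of the vulnerability on this asset, and residual risk after controls."""
    like, imp = likelihood(asset, threat, exploitable), impact(asset)
    inherent = like * imp
    residual_like = clamp(like - sum(c.likelihood_reduction for c in controls))
    residual_imp = clamp(imp - sum(c.impact_reduction for c in controls))
    residual = residual_like * residual_imp
    return {
        "vulnerability": vulnerability,
        "asset": asset.name,
        "threat": threat.actor,
        "inherent_score": inherent,
        "inherent_rating": rating(inherent),
        "residual_score": residual,
        "residual_rating": rating(residual),
        "controls": [c.name for c in controls],
    }


def heartbleed_examples():
    """The same scanner finding on two assets: identical vulnerability, different risk."""
    organised_crime = Threat("organised crime", capability=4, motivation=5)
    # Assumed controls: patching is modelled as a likelihood reduction (rollout takes
    # time); reissuing keys and secrets limits what an already-leaked memory dump is worth.
    controls = [
        Control("Patch OpenSSL and restart affected services", likelihood_reduction=3),
        Control("Reissue TLS certificates and rotate session secrets", impact_reduction=1),
    ]
    customer_api = Asset("customer API server", "regulated", internet_facing=True)
    build_server = Asset("internal build server", "public", internet_facing=False)
    return {
        "customer_api": assess("Heartbleed", customer_api, organised_crime, True, controls),
        "build_server": assess("Heartbleed", build_server,
                               Threat("organised crime", capability=4, motivation=2), True),
    }


if __name__ == "__main__":
    for name, result in heartbleed_examples().items():
        print(name, result["inherent_rating"], "->", result["residual_rating"], result["controls"])
```

The point the calculation makes is the one the text makes: a scanner reports Heartbleed identically on both hosts, but the Internet-facing server holding regulated data rates Critical while the internal build server holding nothing sensitive rates Low, and the Critical only drops to Medium once specific controls are applied. The output is what a business manager would take to decide whether the controls are worth implementing.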
The three concepts explained here are not mutually exclusive; they complement each other. In many information security programs, vulnerability assessments are the first step: they are used to perform wide sweeps of a network to find missing patches or misconfigured software. From there, one can either perform a penetration test to see how exploitable a vulnerability is, or a risk analysis to ascertain the cost and benefit of fixing it. Of course, you don't need either of the first two to perform a risk analysis. Risk can be assessed anywhere a threat and an asset are present, whether that is a data centre in a hurricane zone or confidential papers sitting in a wastebasket.
It's important to know the difference: each is significant in its own way, and they have vastly different purposes and outcomes. Make sure any company you hire to perform these services knows the difference too.