How to combine vulnerability assessment & penetration testing
As digitization expands, our IT environments keep on growing and are becoming more and more complex. At the same time exposure for different types of vulnerabilities increases. In order to detect and fix these before they are used by an attacker, regular checks and tests are required. Two methods that serve important functions in a variety of ways to protect your systems are vulnerability assessment and penetration testing.
Vulnerability assessment, or vulnerability scans, are automated and continuous scans that identifies and classifies vulnerabilities in servers, computers, networks, and applications. This is done by matching different systems against known vulnerabilities. The most common vulnerability that is found is outdated systems. In a small IT environment, it may seem quite easy to ensure that all systems are up to date, but in larger environments with hundreds, or maybe thousands of systems, it is a significantly bigger challenge. An advantage of a vulnerability assessment is that it is done entirely objectively and without any personal preferences.
It’s common to say that vulnerability assessment has two different scan levels:
- Unauthenticated scans
- Authenticated scans
In most cases, the implementation of these levels is done in two steps. First unauthorized scans and then authenticated. The reason for this methodology is that from a security point of view, it is of higher priority to solve vulnerabilities that can be exploited only through external access to a system.
Unauthenticated scans are scans done from the internet or through locally installed scanners. No login or agent is required for this method. These types of scans are important because they find vulnerabilities that a hacker would use to get into your system.
Scans of this kind should be done as often as possible since hundreds of new vulnerabilities appear every week. A common frequency is weekly scans. However, on demand scans should also be made when major changes are made in the system and before new systems are deployed.
Authenticated scans are performed by allowing the scanner to access the system as a privileged user. This allows the scanner to get more in-depth information and detect more threats from within, such as weak passwords, malicious software, installed applications and configuration issues. The method can simulate what damage a system user with specific privileges could cause.
A penetration test, or pentest, is performed by one or several persons with extensive knowledge of IT security. This type of person is often called a penetration tester. A penetration tester is usually hired as a consultant to provide a more objective assessment of the environment. The penetration tester usually uses a variety of tools to find and test systems for vulnerabilities. The penetration tester also has greater adaptability than the vulnerability assessment performed by a computer. Often, a first step in the penetration test process is a vulnerability assessment scanning.
Penetration tests are usually not performed as often as vulnerability assessments, but should be done annually, or more frequently. Just as for vulnerability assessment, when doing changes in your IT environment, such as releasing a sensitivity system, additional penetration testing efforts might be needed.
When hiring a penetration tester, it is important to ask for practical experience, especially experiences from similar environments and the ability to think and act from an attacker's perspective. It is also important that the person is very careful, accurate and has good communication skills, so that you get a full understanding of the results and needed actions.
A common problem with penetration tests is that the follow-up and that required actions are being down-prioritized by the organization, as soon as the penetration tester has finished the assignment. This is also why continuous and automated vulnerability assessments are important. They complement the penetration testing and ensure that vulnerabilities are being detected frequent and over time.
|Method ||Performed automatically and continuously. ||Performed by an IT security specialist, usually a consultant. |
|Frequency ||Weekly or daily depending on how sensitive the system is. Sometimes lighter scans are done more frequent and in-depth scans are done less frequent, like monthly. ||Once or twice a year and in connection to significant changes in your IT environment. |
|Reports ||Provides a comprehensive overview of which vulnerabilities that exists and how the overall development looks since the last report. Reports for both technicians and management. ||Provide you with detailed information about what information is being compromised and what security measures you need to take. |
|Focus ||Detects known vulnerabilities that might be exploited. ||Detects unknown vulnerabilities. |
|Target ||Detects vulnerabilities and helps you fix these before an attacker does. |
|Advantage ||Provides a lot of insight and overview of IT security with effort and to a low cost. ||A penetration tester, in comparison to an automated system, is able to draw conclusions and analyse systems in a methodically manner. |