Vulnerability assessment and penetration testing: what’s the difference?

If you’re concerned about cyber security for your organisation, you may have been hearing about vulnerability or penetration tests.

Your information security specialists, or a customer, may have advised that you need them. But working out what they are and what’s right for your business can be a challenge. 

Before you dive too deeply into the world of ethical hackers and CVEs, let us help explain the different types of testing and what they’re designed to look for.

What this article covers:

• What is a vulnerability assessment?
• How does a penetration test work?
• Which test does our business need?
• How to prevent data breaches and cyber-attacks

What is a vulnerability assessment?

A vulnerability assessment sometimes called a vulnerability scan or VA is an overall scan of your IT system. 

It checks against known common vulnerabilities and exposures (or CVEs), looking for weaknesses in your system that could leave you open to cyber attacks or data breaches.

As well as checking for software bugs or vulnerabilities, it is also important to scan for weaknesses in your processes. 

Human error is the biggest cause of serious privacy breaches in New Zealand. This means issues such as default or easy-to-guess passwords, alerts that no-one is monitoring, or users with inappropriate levels of access can also leave you exposed.

Vulnerability scanning generally uses software tools, sometimes along with hands-on testing. Scans can be run periodically, and some scanning can be automated. 

Think of it like an overall health check for your IT system – like a routine physical. You would want to run this kind of scan as a preventative measure so you can find potential weaknesses and manage them.

A key part of a good vulnerability assessment is the analysis. 

Even smaller businesses often have complex IT networks now, with multiple mobile devices accessing the network remotely, cloud-based applications and customer or service provider access points. 

Which means no IT system is ever completely secure, but a good testing protocol will help you understand your risks and decide how to manage them. 

Going through the vulnerability report, security advisers like NSP can help you consider which issues are business critical, and then develop a remediation plan and priorities.

Some risks might simply involve updating software or passwords. You might need to change processes, or review who needs access to parts of your system. Some risks you might just need to monitor and be alert for any issues.

Some issues might need further investigation, which is where a penetration test (or pen test) might come in.

Read: 10 Warning Signs of an Imminent Attack

How does a penetration test work?

A penetration test is a manual test. It involves an ‘ethical hacker’ simulating an attack on your IT system. 

It’s a point-in-time deep dive to help you understand what’s really going on and how well it’s all working.

This test, also known as a pen test, might take different forms depending on your business, the kinds of information you hold, and potential vulnerabilities you have identified. 

One way of testing your security might be to simulate hacking to compromise or control your operations, or to access critical business information or customer data. 

Penetration tests can also involve social engineering to test the strength of your processes and training. How vulnerable are you to vishing (phone scams) or phishing (email scams), for example?

You might also choose to run an internal penetration test to see what damage a malicious employee could do.

If you think of a vulnerability assessment as a general health check-up, a penetration test is more like an exploratory procedure. 

You’d normally run a penetration test after you’ve completed your overall vulnerability scan. It can be a good way to test whether your fixes have worked. 

It also helps you to be really clear about what would happen if someone managed to access your data, what damage they could do, and how quickly you’d be able to respond.

Which test does our business need?

In most cases, you would do a broader vulnerability test first to get the overall picture of your system, and then consider whether doing a deeper dive with a penetration test could add value to your strategy. 

Getting the right mix of testing would depend on several factors, as well as what your initial scans show. Think about:

• the nature of your business
• your compliance requirements, including requirements under the PCI DSS (Payment Care Industry Cybersecurity Compliance Standard) 
• what sorts of private or sensitive information you store – about your business, your staff, your customers
• who has access to your systems and how many points of access are there – via staff remote access, customer portals, eCommerce platforms, suppliers
• whether you have access to your client’s systems, in which case you may be a point of vulnerability for them.

Even if you think your business is too small, or your systems too simple to need this level of testing, you might find your clients may require it – especially if they are giving you access to their systems. 

Read: Cyber Security Risks to NZ Businesses & How To Avoid Them

Prevention is better than cure

Thinking about your business in this way can help put the cost of testing in context. Compared with the potential costs of managing and remediating a cyber attack, it’s much easier to see the value of preparation and prevention. 

That said, getting the best value from testing is all about the strategy. 

It’s essential to select the right tools and design tests around your business operations, network structure, and resourcing. To minimise disruption and maximise benefits.

Cyber security services from NSP can help test your system to prepare for and defend against data breaches and cyber-attacks, providing protection for your business and your customers.

Get in touch to see if either approach is right for your business.

FREE 1-HOUR SECURITY CONSULTATION