Vulnerability assessments and penetration tests are two essential components of understanding your company's security posture; however, the two terms are often mistakenly used interchangeably. Here I'd like to detail the difference between them and how they fit together.
Vulnerability Assessments
A vulnerability assessment helps a company understand how large its attack surface is by identifying and quantifying security vulnerabilities. It is a comprehensive evaluation of your company's security posture within a given scope: it reveals weaknesses across that scope, rates each one, and details remediation steps to eliminate or mitigate those weaknesses down to an acceptable risk level. Its value lies in breadth rather than depth, so the output is a prioritized list of what to fix, not proof that any single weakness can be turned into a compromise.
If your company is not confident in its security practices or does not have a vulnerability assessment program in place, this option provides the best value. Most commonly a company will outsource a vulnerability assessment to a security-assessment firm – like Rhino Security Labs – and, once it has acted on the results, schedule a penetration test to see how well the remediation has been implemented.
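To make "quantifying" and "an acceptable risk level" concrete, the following is an added illustration (not Rhino Security Labs' tooling or methodology) of how assessment findings are turned into a remediation order. The CVSS v3.x severity bands are taken from the CVSS specification; the exposure and exploit weightings, the acceptable-risk threshold, the hosts and the findings themselves are constructed assumptions for this example.

```python
"""Triage of vulnerability-assessment findings (added illustration).

Severity bands follow the CVSS v3.x qualitative scale. The exposure and
exploit weightings, the acceptable-risk threshold and the sample findings
are assumptions chosen for this example, not real scan data.
"""
from dataclasses import dataclass


def cvss_severity(score: float) -> str:
    """Map a CVSS v3.x base score to its qualitative severity band."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    service: str
    title: str
    cvss: float            # CVSS v3.x base score reported by the scanner
    internet_facing: bool  # assumed asset context, not part of CVSS base
    public_exploit: bool   # assumed: a working public exploit exists


def risk_score(f: Finding) -> float:
    """Quantify one finding: CVSS base score scaled by its context.

    Weights are assumptions for this example: internet exposure x1.5,
    public exploit x1.25, capped at 10.0 to stay on the CVSS scale.
    """
    score = f.cvss
    if f.internet_facing:
        score *= 1.5
    if f.public_exploit:
        score *= 1.25
    return round(min(score, 10.0), 1)


def triage(findings, acceptable_risk: float):
    """Return findings above the acceptable-risk level, highest risk first.

    Anything at or below the threshold is accepted as residual risk and
    left out of the remediation list.
    """
    above = [f for f in findings if risk_score(f) > acceptable_risk]
    return sorted(above, key=lambda f: (-risk_score(f), f.host, f.port))


# Constructed sample scan output; hosts and findings are made up.
SAMPLE_FINDINGS = [
    Finding("10.0.0.5", 445, "smb", "SMBv1 enabled", 7.5, False, True),
    Finding("203.0.113.10", 443, "https", "TLS 1.0 enabled", 5.4, True, False),
    Finding("203.0.113.10", 22, "ssh", "Outdated OpenSSH", 8.1, True, True),
    Finding("10.0.0.7", 3306, "mysql", "Anonymous login", 9.8, False, False),
    Finding("10.0.0.9", 80, "http", "Server banner disclosed", 3.1, False, False),
]


def remediation_plan(findings=SAMPLE_FINDINGS, acceptable_risk=4.0):
    """Produce (host:port, title, severity, risk) rows in remediation order."""
    return [
        (f"{f.host}:{f.port}", f.title, cvss_severity(f.cvss), risk_score(f))
        for f in triage(findings, acceptable_risk)
    ]


if __name__ == "__main__":
    for row in remediation_plan():
        print(*row, sep=" | ")
```

The point of the scaling is that two findings with the same CVSS base score do not carry the same risk for a given company: an internet-facing service with a public exploit should be fixed before an internal one of equal severity, and the acceptable-risk threshold is the line below which the company consciously accepts the residual risk rather than remediating.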
Penetration Testing
A penetration test is a goal-oriented examination: while conducting a penetration test, the goal is to gain access to sensitive data using the tools and techniques real attackers would use to exploit critical systems. It is not an enumeration of every path an attacker could take to reach your information, but rather an assessment of whether one can.
Depending on the scope of the engagement, this can be expanded beyond network infiltration to social engineering and physical security tests. There are two types of penetration test, one from a "white box" and another from a "black box" perspective. A white box assessment uses the results of vulnerability assessments and other pre-disclosed information in order to gain access to your systems, whereas a black box assessment most accurately simulates the perspective of an attacker, with no prior information disclosed to the testing team. The trade-off is that a black box test spends part of the engagement on reconnaissance the customer could have supplied, so it buys realism at the cost of some coverage.
We at Rhino Security recommend black box assessments more frequently than white, as this gives your company the most accurate picture of "can an attacker break into our network, and what sensitive information can they obtain?"
Conclusion
Each assessment has its own merits, and it is up to your company to decide which program will provide the most value at this time. A vulnerability assessment is the fastest way for your company to answer the question "what are the risks and how do we mitigate them?" It allows you to quickly improve your security posture and develop a more mature security program. A penetration test, by contrast, dives deeper and probes for holes in the security program that has been established.
Technology moves at breakneck speed, often with the security implications left as an afterthought. Vulnerability assessments and penetration tests are critical to any security program, and should be conducted periodically to ensure your company stands on firm ground in an ever-changing threat landscape.