The Difference Between Vulnerability Assessments and Penetration Testing

On this blog, we’ve spent a lot of energy discussing the importance of testing data backup plans and disaster recovery processes using various scenarios. Likewise, it’s important to test your network security as well, to ensure that your company stays safe from hackers and other malicious individuals who may want to destroy or leak your corporate data.

This is particularly important today, since a larger portion of corporate data transmissions are taking place over the public Internet, and customers are now demanding direct access to your corporate systems through Internet-facing self-service portals.

One method of evaluating network security is a vulnerability assessment. During a vulnerability assessment, you scan the network in order to uncover potential security holes and vulnerabilities in your systems and services.

However, a vulnerability assessment is only a superficial analysis of what “might” be happening within your network. Not only will it bring up a lot of false positives, but it’s also likely to miss a number of well-hidden vulnerabilities.
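To make the “might be happening” point concrete, here is an added example (not code from the original post) of the kind of triage an assessment result needs. Scanners typically infer a vulnerability from a service’s version banner, and distribution-maintained builds often backport fixes without changing that version, so a banner match alone is inconclusive. The scan output, the advisory identifiers and the affected-version ranges below are all constructed placeholders.

```python
"""Triage of version-banner findings from a vulnerability scan.

Added example, not from the original post. The scanner output, the
advisory identifiers and the affected-version ranges are all constructed
(placeholder ids, not real advisories). It shows why an assessment
reports what "might" be vulnerable: a scanner usually infers from the
version banner, and distro-maintained builds often backport fixes
without changing that version, so the finding needs validation.
"""
import re
from dataclasses import dataclass

# Constructed advisory table: placeholder id -> (product, first affected
# version, first fixed version); the affected range is [first, fixed).
ADVISORIES = {
    "ADVISORY-PLACEHOLDER-1": ("OpenSSH", (7, 0), (7, 9)),
    "ADVISORY-PLACEHOLDER-2": ("nginx", (1, 10), (1, 18)),
}

# Constructed scanner output: (host, port, banner as the scanner recorded it).
SCAN_RESULTS = [
    ("10.0.0.5", 22, "SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7"),
    ("10.0.0.6", 22, "SSH-2.0-OpenSSH_7.4"),
    ("10.0.0.7", 22, "SSH-2.0-OpenSSH_8.2"),
    ("10.0.0.8", 80, "nginx/1.14.0 (Ubuntu)"),
]

BANNER_RE = re.compile(r"(OpenSSH|nginx)[_/](\d+)\.(\d+)")
# Markers of a distribution build, which may carry backported fixes.
BACKPORT_RE = re.compile(r"debian|ubuntu|\+deb\d|\.el\d", re.IGNORECASE)


@dataclass
class Finding:
    host: str
    port: int
    advisory: str
    verdict: str  # "likely affected" or "needs validation"
    reason: str


def parse_banner(banner):
    """Extract (product, (major, minor)) from a banner, or None if unknown."""
    m = BANNER_RE.search(banner)
    if m is None:
        return None
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def triage(results=SCAN_RESULTS, advisories=ADVISORIES):
    """Match banners against the advisory table and grade each hit."""
    findings = []
    for host, port, banner in results:
        parsed = parse_banner(banner)
        if parsed is None:
            continue
        product, version = parsed
        for adv_id, (adv_product, first_affected, first_fixed) in advisories.items():
            if adv_product != product or not (first_affected <= version < first_fixed):
                continue
            if BACKPORT_RE.search(banner):
                verdict = "needs validation"
                reason = "distro build may include a backported fix; banner is inconclusive"
            else:
                verdict = "likely affected"
                reason = "upstream version inside the affected range"
            findings.append(Finding(host, port, adv_id, verdict, reason))
    return findings


if __name__ == "__main__":
    for f in triage():
        print(f"{f.host}:{f.port} {f.advisory} -> {f.verdict} ({f.reason})")
```

Three of the four constructed hosts come back as findings, but two of them are graded “needs validation” because the banner belongs to a distribution build. That is exactly the gap a scanner leaves open: only hands-on validation of the service, which is what a penetration test does, settles whether those hosts are really affected.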

In order to truly evaluate your network security, you’ll need to go deeper. And this is where Penetration Testing comes in.

A Penetration Test – often called Pen Testing – involves taking all of those potential vulnerabilities and actually performing real-world tests on them.

The goal of a pen test is to dig deep into the network and run actual proof-of-concept exploits on target systems. Pen tests are much riskier than vulnerability assessments, since you’re actually attempting actions that may ultimately damage your data or systems.

A full pen test can provide you with far more useful information than a simple vulnerability assessment ever could. For example, it’s extremely rare for critical servers to be connected directly to the Internet. Instead, an attacker would need to exploit a public-facing system and use it as a stepping stone to other internal systems. A vulnerability assessment rates each of those hosts in isolation; a pen test shows whether that chain can actually be followed.
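The following added example (not code from the original post) models that chained view from the defender’s side: a segmentation check that asks which critical internal hosts an attacker with a foothold on the Internet-facing system could open a connection to. The hosts, zones, firewall rules and the set of hosts with a confirmed exploitable finding are all constructed; an attacker in this model gains a new foothold only on a host that is both reachable and in that set.

```python
"""Segmentation check: which critical hosts does a chained compromise expose?

Added example, not from the original post. Hosts, zones, firewall rules
and the set of hosts with an exploitable finding are all constructed.
A vulnerability assessment rates each host on its own; this models the
pen-test question of whether a foothold on the public-facing host can be
chained to reach internal systems.
"""
from collections import deque

# Constructed inventory: host -> network zone.
HOSTS = {
    "internet": "internet",
    "web-portal": "dmz",
    "app-server": "app",
    "db-server": "data",
    "backup-server": "data",
    "jump-host": "mgmt",
}

# Constructed firewall allow rules: (source zone, destination zone, port).
RULES = [
    ("internet", "dmz", 443),
    ("dmz", "app", 8080),
    ("app", "data", 5432),
    ("mgmt", "data", 22),
    ("dmz", "mgmt", 22),  # overly broad: the DMZ may open SSH to the management zone
]

CRITICAL = {"db-server", "backup-server"}


def exposed_critical(vulnerable, critical=CRITICAL, hosts=HOSTS, rules=RULES):
    """Return {critical host: path} for every critical host an attacker could
    open a connection to, starting on the Internet.

    `vulnerable` is the set of hosts with a confirmed exploitable finding.
    A new foothold is gained only on a host that is both reachable and in
    that set; from each foothold every allowed rule can be used again.
    """
    compromised = {"internet"}
    reachable = {"internet": ["internet"]}  # host -> path of host:port hops
    queue = deque(["internet"])
    while queue:
        cur = queue.popleft()
        for src_zone, dst_zone, port in rules:
            if src_zone != hosts[cur]:
                continue
            for host, zone in hosts.items():
                if zone != dst_zone or host in reachable:
                    continue
                reachable[host] = reachable[cur] + [f"{host}:{port}"]
                if host in vulnerable and host not in compromised:
                    compromised.add(host)
                    queue.append(host)
    return {h: reachable[h] for h in sorted(critical) if h in reachable}


def hardened_rules(rules=RULES):
    """Rule set with the DMZ -> management allow removed (constructed fix)."""
    return [r for r in rules if not (r[0] == "dmz" and r[1] == "mgmt")]


if __name__ == "__main__":
    footholds = {"web-portal", "jump-host"}
    print("current rules:", exposed_critical(footholds))
    print("hardened rules:", exposed_critical(footholds, rules=hardened_rules()))
```

With the constructed rules, a scanner would report the web portal and the jump host as two unrelated findings. Chaining them shows that both data-zone servers become reachable from the Internet through the DMZ-to-management rule, and that removing that single rule closes the path even though the individual findings are unchanged.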

In fact, the only difference between hacking and pen-testing is the person performing the task. When the good guys do it, you have the advantage of control, trust and safety. But if you don’t perform these tests, then someone else will… and it’ll probably be an unauthorized criminal with bad intentions and strong motivations to hurt your company.
