Vulnerability assessments vs Penetration tests

The world of information security has numerous terms, products and services which, depending upon who you speak to, will fix all your problems. One area which always generates some confusion is the difference between a vulnerability assessment and a penetration test.

Depending upon who you speak to, the view will differ between what a vulnerability assessment is compared to a penetration test.  This post will try to put your mind at rest and explain the differences between the two.

Vulnerability assessments

A vulnerability assessment is a process which is designed to identify any potential threats on the device(s) which are being checked and identify the risks that they pose. This process typically involves the use of automated testing tools, such as network security scanners like Nessus and OpenVAS. Once the scan has been completed the results are usually presented in a vulnerability assessment report. This report will highly the findings and display the risk level.

Vulnerability assessments are usually performed to help highlight any weaknesses within the business, so that the IT department can remediate any weaknesses before they can be exploited by a malicious attacker.

The assessments can come in several flavours and the scope of the testing is agreed before any work is commenced.

Undergoing these types of scans is usually inexpensive and can help improve the security of the businesses IT systems.

Penetration tests

Penetration testing on the other hand usually involves performing a vulnerability assessment of the business, but then taking it further. By identifying vulnerabilities in a network, the penetration test will look at the findings and then attempt to exploit them to attack the system, thereby gaining a foothold within the business.

Depending upon the company that you choose (if you have a penetration test), this can be made up of several methods:

  • Fully automated testing
  • Automated and manual testing
  • Fully manual testing

Penetration tests can come in several flavours, the three main types of tests are:

  • Web application testing
  • Network (or internal) testing
  • Wireless testing

Penetration testing is a lot more expensive than a vulnerability assessment due to the shear amount of work that is undertaken compared to the vulnerability assessment.

I hope this this post explaining vulnerability assessments and penetration tests is informative, if you have any queries or concerns, don’t hesitate to look around https://terabyteit.co.uk or contact us for more information.

TeraByte offer penetration testing services, you can find out more at: https://terabyteit.co.uk/services/penetration-testing/

Menu