A vulnerability assessment is a practice used to identify all potential vulnerabilities that could be exploited in an environment. The assessment can be used to evaluate physical security, personnel (testing through social engineering and such), or system and network security. Most commercial organizations just want their systems and networks assessed. This means an individual or team runs a scanning tool (Internet System Scanner, Heat, Nessus, etc.). These tools identify running services that typically have vulnerabilities that can be exploited, operating system and application identified vulnerabilities, missing patches and hotfixes. The result, depending upon the product, is a long list of every computer system by IP address and their associated vulnerabilities and steps on how to "fix" the vulnerabilities.
However, just because something is identified as a vulnerability, does not necessarily mean that it is a problem a company has to worry about. There may not be a threat agent that can exploit the vulnerability or, if the vulnerability is exploited, it may not cause damage. Today, many scanner products have configurations where they can attempt to exploit identified vulnerabilities themselves to indicate if the vulnerability is truly exploitable and a threat.
While a vulnerability assessment's goal is to identify all vulnerabilities in an environment, a penetration test has the goal of "breaking into the network." So, the team only needs to exploit one or two vulnerabilities to actually penetrate the environment. From here, the goal is to gain administrator or root access on the most critical system in the network, which means that the team "owns" the network and can do anything they would like with the systems and the data on the systems. A penetration test is carried out to emulate what a real hacker would do and it proves to the company that the organization can indeed be penetrated.
Penetration testing is also referred to as ethical hacking, and while it is intriguing and interesting, it is also time consuming. In most cases, the security professional can look at reports from a vulnerability scanner and understand the level of risk the company is facing. But when it is time to brief management on these findings, ports, services and packets mean nothing to them. So, if the team carries out a penetration test and shows that the CEO's password has been obtained to the blueprints of the product that is to be released next year, this makes management understand the true severity of the situation and will be more motivated to improve the security of the environment.
A security audit is basically someone going around with a criteria checklist of things that should be done or in place to ensure that the company is in compliance with its security policy, regulations and legal responsibilities. There are different types of audits that can be carried out, which simply means that there are different criteria to use when evaluating a company's security processes. The auditor may ensure that proper change control is in place, employees go through awareness training that critical systems have the correct configurations, that contingency plans are in place and that data is being properly backed up.
So, by performing a vulnerability assessment you answer "where are all of our holes?" A penetration test answers "can any of these holes be exploited by hackers?" and a security checklist answers "is this company carrying out proper security practices?"
This was first published in August 2005