How security audits, vulnerability assessments and penetration tests differ

BROWSE BY TAG Security Management,   Application and Platform Security,   Enterprise Vulnerability Management,   Security Testing and Ethical Hacking,   Enterprise Risk Management: Metrics and Assessments,   Information Security Management,   VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Security Management How to prepare for a FERPA audit Why doesn't the CISSP cover information assurance and DIACAP? Data breach notification legislation: What info must be released? Risk management strategy for an information technology solution provider Are there guidelines to create a HIPAA-compliant data center? HHS HIPAA guidance on encryption requirements and data destruction Writing a patient identifier policy to prevent common HIPAA violations How to write technology outsourcing contracts The requirements for being a PCI DSS-compliant service provider The requirements needed to make an external penetration test legal Security Testing and Ethical Hacking H.D. Moore speaks about Metasploit Project deal, Release 3.3 Could Metasploit popularity erode? Metasploit Project acquired by vulnerability management firm Rapid7 Should management processes change based on a patch release schedule? Does an EULA make it truly illegal to decompile software? Screencast: BackTrack 4 offers an arsenal of penetration testing tools Security testing firm uncovers XML vulnerabilities Screencast: Samurai offers pen-testing nirvana The requirements needed to make an external penetration test legal McAfee to acquire Solidcore Systems for whitelisting Enterprise Risk Management: Metrics and Assessments How to detect and respond to money laundering How to justify information security spending on cloud computing Layoffs prompt insider threat fears, cybersecurity survey finds How to avoid Internet liability lawsuits Bruce Jones: Report Security and Risk Metrics in a Business-Friendly Way Bernie Rominski: Communicate Effectively with Management about Risk Best Policy and Risk Management Products Monitoring program data and internal controls for risk management Risk management strategy for an information technology solution provider Align your data protection efforts with GRC Enterprise Risk Management: Metrics and Assessments Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Cyber Storm  (SearchSecurity.com) ethical hacker  (SearchSecurity.com) ethical worm  (SearchSecurity.com) gray hat  (SearchSecurity.com) honey pot  (SearchSecurity.com) honeynet  (SearchSecurity.com) war dialer  (SearchSecurity.com) white hat  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

A vulnerability assessment is a practice used to identify all potential vulnerabilities that could be exploited in an environment. The assessment can be used to evaluate physical security, personnel (testing through social engineering and such), or system and network security. Most commercial organizations just want their systems and networks assessed. This means an individual or team runs a scanning tool (Internet System Scanner, Heat, Nessus, etc.). These tools identify running services that typically have vulnerabilities that can be exploited, operating system and application identified vulnerabilities, missing patches and hotfixes. The result, depending upon the product, is a long list of every computer system by IP address and their associated vulnerabilities and steps on how to "fix" the vulnerabilities.

However, just because something is identified as a vulnerability, does not necessarily mean that it is a problem a company has to worry about. There may not be a threat agent that can exploit the vulnerability or, if the vulnerability is exploited, it may not cause damage. Today, many scanner products have configurations where they can attempt to exploit identified vulnerabilities themselves to indicate if the vulnerability is truly exploitable and a threat.

While a vulnerability assessment's goal is to identify all vulnerabilities in an environment, a penetration test has the goal of "breaking into the network." So, the team only needs to exploit one or two vulnerabilities to actually penetrate the environment. From here, the goal is to gain administrator or root access on the most critical system in the network, which means that the team "owns" the network and can do anything they would like with the systems and the data on the systems. A penetration test is carried out to emulate what a real hacker would do and it proves to the company that the organization can indeed be penetrated.

Penetration testing is also referred to as ethical hacking, and while it is intriguing and interesting, it is also time consuming. In most cases, the security professional can look at reports from a vulnerability scanner and understand the level of risk the company is facing. But when it is time to brief management on these findings, ports, services and packets mean nothing to them. So, if the team carries out a penetration test and shows that the CEO's password has been obtained to the blueprints of the product that is to be released next year, this makes management understand the true severity of the situation and will be more motivated to improve the security of the environment.

A security audit is basically someone going around with a criteria checklist of things that should be done or in place to ensure that the company is in compliance with its security policy, regulations and legal responsibilities. There are different types of audits that can be carried out, which simply means that there are different criteria to use when evaluating a company's security processes. The auditor may ensure that proper change control is in place, employees go through awareness training that critical systems have the correct configurations, that contingency plans are in place and that data is being properly backed up.

So, by performing a vulnerability assessment you answer "where are all of our holes?" A penetration test answers "can any of these holes be exploited by hackers?" and a security checklist answers "is this company carrying out proper security practices?"