A Vulnerability Assessment is NOT a Penetration Test. Don’t be misled; it could be a costly mistake.

Before starting my first security company in Japan in 1999, a security administration tool called SATAN was released. This appears to be the first assessment tool made available to scan networks and identify possible vulnerabilities. Shortly after, the Common Vulnerabilities and Exposures (CVE) database was made available. Together these platforms paved the way for other competing products like Nessus, Qualys, and dozens of others.

What made these products popular? They made it easy to assess networks and identify potential vulnerabilities in a short period of time. They are mostly automated tools that query the network and compare the information they discover against what is recorded in the CVE database or the OSVDB (Open Source Vulnerability Database), producing a report of findings and risk rankings.

While this may seem like a dream for security professionals, it can also be a nightmare. The report may highlight some critical vulnerabilities, but none of them have been manually verified. Some findings look like vulnerabilities but are not; these are what we term false positives. Now imagine that you have assessed a large network using a vulnerability scanner. The product could produce dozens, if not hundreds, of false positives that require verification. The result? Your network administrator will spend days or even weeks putting out fires that don’t exist.
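To make the false-positive problem concrete, here is an added illustration (not code from the original post or from any scanner product) of the most common way it arises: a scanner reads a service banner, compares the upstream version number against the version in which a fix shipped, and flags anything older, even when the distribution package already carries a backported fix. The advisory IDs, host banners and backport revisions below are all constructed for the example (the IDs are placeholders, not real CVE numbers); the `verify` step stands in for the manual verification a scanner report never includes.

```python
"""Toy version-matching scanner, plus the verification pass it normally skips.

All advisories, banners and backport revisions here are CONSTRUCTED for the
example. Advisory IDs are placeholders, not real CVE numbers.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Advisory:
    advisory_id: str                 # placeholder id (constructed)
    product: str
    fixed_in: tuple                  # first upstream version containing the fix
    # distro package base -> first package revision that backported the fix
    backported_in: dict = field(default_factory=dict)


@dataclass
class Finding:
    host: str
    advisory_id: str
    status: str                      # "flagged", "false positive", "needs manual verification"


# Constructed advisory data (not real CVEs).
ADVISORIES = [
    Advisory("ADV-0001", "OpenSSH", (7, 6), {"Debian-10+deb9u": 3}),
    Advisory("ADV-0002", "Apache", (2, 4, 30)),
]

# Constructed service banners, as a scanner would collect them.
HOSTS = {
    "10.0.0.5": "SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7",   # fix backported by distro
    "10.0.0.6": "SSH-2.0-OpenSSH_7.4",                      # plain upstream, no distro info
    "10.0.0.7": "SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5",  # newer than the fix
    "10.0.0.8": "Apache/2.4.29 (Ubuntu)",                   # older than the fix
}

BANNER_PATTERNS = {
    "OpenSSH": re.compile(r"OpenSSH_(?P<ver>\d+(?:\.\d+)*)(?:p\d+)?(?:\s+(?P<distro>\S+))?"),
    "Apache": re.compile(r"Apache/(?P<ver>\d+(?:\.\d+)*)"),
}
# Splits "Debian-10+deb9u7" into base "Debian-10+deb9u" and revision 7.
DISTRO_REV = re.compile(r"^(?P<base>.*?\D)(?P<rev>\d+)$")


def parse_banner(banner):
    """Return (product, version tuple, distro suffix) or None if unrecognised."""
    for product, pattern in BANNER_PATTERNS.items():
        m = pattern.search(banner)
        if m:
            version = tuple(int(x) for x in m.group("ver").split("."))
            distro = m.groupdict().get("distro") or ""
            return product, version, distro
    return None


def scan(hosts, advisories):
    """Naive scanner logic: flag every host whose upstream version predates the fix."""
    findings = []
    for host, banner in hosts.items():
        parsed = parse_banner(banner)
        if parsed is None:
            continue
        product, version, _ = parsed
        for adv in advisories:
            if adv.product == product and version < adv.fixed_in:
                findings.append(Finding(host, adv.advisory_id, "flagged"))
    return findings


def verify(findings, hosts, advisories):
    """The step the scanner skips: does the distro package revision already
    carry a backported fix? If so the finding is a false positive; otherwise
    it still needs a human to confirm it."""
    by_id = {a.advisory_id: a for a in advisories}
    for f in findings:
        _, _, distro = parse_banner(hosts[f.host])
        adv = by_id[f.advisory_id]
        m = DISTRO_REV.match(distro)
        if (m and m.group("base") in adv.backported_in
                and int(m.group("rev")) >= adv.backported_in[m.group("base")]):
            f.status = "false positive"
        else:
            f.status = "needs manual verification"
    return findings


def triage(hosts=HOSTS, advisories=ADVISORIES):
    """Run the scanner, then the verification pass; return findings and a count per status."""
    findings = verify(scan(hosts, advisories), hosts, advisories)
    summary = {}
    for f in findings:
        summary[f.status] = summary.get(f.status, 0) + 1
    return findings, summary


if __name__ == "__main__":
    results, counts = triage()
    for f in results:
        print(f"{f.host:10} {f.advisory_id}  {f.status}")
    print(counts)
```

Of the three hosts the naive scan flags, one is cleared by the backport check and two remain to be confirmed by hand. Real reports scale this up: every flagged item that nobody verifies is work handed to the network administrator, and the scanner has no way to tell the two categories apart.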

The other danger is that many companies that purchase these products think they are the same as penetration tests, and that they are secure once the identified vulnerabilities have been fixed. Worse yet, many so-called security companies are selling vulnerability assessments and calling them penetration tests, knowing they are two different products.

Penetration testing elevates your security game. It’s often called white hat hacking or ethical hacking, and it involves highly skilled, certified security personnel or a team whose job it is to try to infiltrate a network using a combination of knowledge, skills, tools, and experience to achieve their goals.

Throughout a penetration testing engagement, the tester carefully documents each process or method used to gain access to the network. They identify all the documented and undocumented exploits found in a particular software or hardware application. If authorized, they will exploit potential findings to verify them and to see how far they can be leveraged to gain deeper access into the network. They identify configuration issues and determine whether a security monitoring service such as an EDR, XDR or MDR is actually protecting the network or not. They then write a comprehensive report detailing how the issues were found, what the security impact on the corporation is, and most importantly, how to remediate the issues, in a clear and concise manner.

A vulnerability assessment simply cannot do what a penetration tester can. Vulnerability assessments may be convenient, but when it comes to security, convenience doesn’t count, and when security is sacrificed for convenience’s sake, disasters occur. There are many security products that companies spend crazy amounts of money on, yet they rarely test them to see if they are working as advertised.

Penetration testing will tell you if you’ve got what you paid for. Once it is conducted and the issues discovered are remediated, your network will be as hardened as it can be, leaving you with the task of ensuring your systems are continuously maintained.

If you want help ensuring that your network is as hardened as it can be, give us a call or email and we will walk you through the process of determining what is involved, how long it will take, and how much it will cost, all in a consultation that is free to you.