auditbox

network vulnerability assessment appliance

AUDITBOX FAQs

What is the difference between a Penetration Test and Vulnerability Assessment?

  • A Penetration Test (Pen Test), otherwise known as "white-hat" or "ethical" hacking, is an attempt by a friendly party to hack or break into a system or network of systems in order to test its security. Vulnerability Assessment (VA), on the other hand, makes no attempt to break into a system, but tries to determine how vulnerable it might be to an attack.
  • Pen Tests generally include some element of VA (Vulnerability Assessment) in a preliminary stage, but will then attempt to exploit any vulnerability found, either to break into the system or to gain further knowledge with which to continue the Pen Test. The kinds of vulnerability exploited might be poorly configured services, software bugs, discovered backdoors, etc. The ultimate aim of a Penetration Test is to break into or disrupt services, or to determine that it is difficult to do so. Due to the aggressive nature of Penetration Testing it is not generally performed on live services or on a regular basis, but is done infrequently and out of hours. It is also worth noting that a Penetration Test that fails to break in does not guarantee security, since not every vulnerability can be exploited in every way.
  • Vulnerability Assessment is much less aggressive than Penetration Testing, and is aimed at identifying as many vulnerabilities in a system or network of systems as possible, without actually exploiting any of them or changing the services in any significant way. The aim of a thorough vulnerability assessment is to identify areas of weakness in security and to direct security professionals to the systems and services most in need of additional security.
  • Due to the non-invasive nature of most Vulnerability Assessment it is practical to perform on a regular basis and during peak hours.
  • One issue with the complex technology involved in IT security is lack of visibility: it is hard to see whether firewalls are correctly configured and whether all systems are fully hardened. Regular Vulnerability Assessment aims to give this visibility, both to improve the productivity of security resources and to give confidence that security measures are well configured.


What is different about the PanSec Vulnerability Scanner in AUDITBOX?

  • PanSec has developed proprietary software to fully automate regular Vulnerability Assessment for large numbers of IP addresses. This allows VA to be performed on hundreds or even thousands of addresses on a daily or weekly basis, with minimal overhead and including a full change analysis for each address, summarized so that large numbers of systems can be monitored without having to read endless individual reports.
  • The software fully automates, on a "set and forget" basis, the regular scheduling and distribution of test profiles. A test profile describes the Vulnerability Assessment to be performed using XML, combining numerous individual test objects in an intelligent and reactive manner: depending on what is found, further tests are run to gather as much data as possible before that data is analysed offline. Consequently each system is checked only once, and each piece of data is read only once, rather than working down a list of known vulnerabilities and retesting services repeatedly. This means that the bandwidth used is minimal, and various combinations of intensive initial testing and thorough retesting profiles allow it to be reduced further.
  • The data is analysed offline against a combination of PanSec's own Exposure Database and SecurityFocus's Vulnerability Database. A full change analysis is then performed against the selected baseline for each address, to identify whether any vulnerabilities, services or ports have appeared or disappeared. Various types of report are generated (engineer, manager and exception reports), and summary reports are then produced for groups of addresses by day and week, with trending reports available weekly. At the end of each day's run a notification email is sent for each group of IP addresses, its content depending on the level of vulnerability found and the amount of change from the selected baselines or previous tests. These notifications can be tailored, and individual baselines set or reset, by customers.


How can we benefit from a regular Vulnerability Assessment?

  • The first time each system is tested the report is eagerly awaited, to see whether any vulnerabilities exist or to confirm that the system is as secure as it can be. This report can be used to harden a system or reconfigure a firewall if vulnerabilities are identified and can be eliminated. Subsequent reports will confirm whether these changes have been effective. Once a system is sufficiently hardened and the report is acceptable, the baseline can be set for that address, and subsequent reports will indicate any variation from that baseline.
  • If this procedure is repeated for each system with identified risk, with remedial work performed and baselines established, then regular testing can continue with minimal workload. After each day's testing a notification email arrives indicating whether any significant changes have been detected. If there are no changes then no work is required: no reports need to be downloaded or analysed. If significant changes are detected, however, the email directs the customer's attention to the day's summary report. Within this report the changes are summarized and the address or addresses with changes are listed. By referring to the summary report and to the individual reports for only those addresses with changes, it can quickly be determined whether any action is required. Once remedial action has been ruled out or performed, baselines can quickly be reset and the process repeated.
  • The above procedure, along with the low bandwidth and non-invasive nature of AUDITBOX VA, allows large numbers of systems to be monitored on a regular basis with minimal overhead in time and resources.
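The change analysis against a per-address baseline described in the two sections above, as an added illustration (this is not PanSec's or AUDITBOX's code): each address's current scan is diffed against its baseline for ports, services and vulnerabilities, a notification level is derived from the amount of change and the severity of any new finding, and only changed addresses are listed in the day's summary. The record layout, the three notification levels, the severity threshold of 3 and all sample addresses and finding ids are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Constructed sample type: what one address looks like after offline analysis.
# Vulnerability ids and severities are placeholders, not real findings.
@dataclass(frozen=True)
class ScanResult:
    address: str
    ports: frozenset     # open ports seen on the address
    services: frozenset  # (port, service) pairs identified on those ports
    vulns: frozenset     # (vuln_id, severity) pairs, severity 1 (low) to 5 (critical)

def change_analysis(baseline, current):
    """Diff one address against its selected baseline: what appeared, what disappeared."""
    out = {}
    for kind in ("ports", "services", "vulns"):
        base, now = getattr(baseline, kind), getattr(current, kind)
        out[kind + "_appeared"] = now - base
        out[kind + "_disappeared"] = base - now
    return out

LEVELS = ["none", "change", "alert"]  # assumed notification levels, lowest first

def notification_level(changes):
    """'alert' for a new open port or a new vulnerability of severity >= 3 (assumed
    threshold), 'change' for any other variation from baseline, else 'none'."""
    if changes["ports_appeared"] or any(sev >= 3 for _, sev in changes["vulns_appeared"]):
        return "alert"
    if any(changes.values()):
        return "change"
    return "none"

def daily_summary(baselines, results):
    """Summarise a group of addresses; only addresses that changed are listed."""
    changed = {}
    for addr, current in results.items():
        changes = change_analysis(baselines[addr], current)
        level = notification_level(changes)
        if level != "none":
            changed[addr] = (level, changes)
    worst = max((lvl for lvl, _ in changed.values()), key=LEVELS.index, default="none")
    return {"level": worst, "changed_addresses": changed}

# Constructed group: the first address is unchanged, the second has a new open port
# and a new severity-4 finding since its baseline was set.
BASELINES = {
    "10.0.0.1": ScanResult("10.0.0.1", frozenset({22, 80}), frozenset({(22, "ssh"), (80, "http")}), frozenset({("EXAMPLE-001", 2)})),
    "10.0.0.2": ScanResult("10.0.0.2", frozenset({443}), frozenset({(443, "https")}), frozenset()),
}
TODAY = {
    "10.0.0.1": BASELINES["10.0.0.1"],
    "10.0.0.2": ScanResult("10.0.0.2", frozenset({443, 3389}), frozenset({(443, "https"), (3389, "rdp")}), frozenset({("EXAMPLE-002", 4)})),
}
```

Resetting a baseline after remedial work is accepted is simply replacing that address's entry in `BASELINES` with the day's result, after which the next run reports "none" for it.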


Why should we test regularly if we don't make significant changes?

  • Even if very little changes, the regular summary reports indicating this give visibility and peace of mind. New vulnerabilities are discovered frequently, and can also be introduced when firewalls or other systems are reconfigured, through infection by a virus or worm, or by internal staff opening up backdoors, etc. How quickly you would want visibility of such occurrences determines how regularly you should perform Vulnerability Assessment. If you can wait six months to find out then an infrequent test will do, but if you want to know within 24 hours or a week then you need to test daily or weekly.
  • PanSec's low-bandwidth, non-invasive, fully automated "set and forget" testing, combining intensive and thorough testing with vulnerability and change analysis, event-driven notification and a range of test and summary reports, is designed to make regular VA possible and affordable. It allows you to balance risk against cost by choosing different frequencies for different systems, and provides constant visibility of your systems' vulnerabilities, or lack of them, at all levels of your organisation.
