In the modern age of constantly evolving technology, cyber defence is more essential than ever. The more numerous and elaborate attacks become, the harder it gets to keep your company's data secure.
In fact, according to the 2018 Trustwave Global Security Report, every web application tested had at least one vulnerability. Statistics like these show how vital it is to check your company's security risk. And although everybody understands the importance of cyber-security, it can be difficult to decide what your next move should be and how best to protect your information and money from attackers.
That is where vulnerability testing comes into play: it aims to reveal the security flaws in your systems. There are several approaches to checking how well protected your company's environment is: vulnerability assessment, penetration testing, and risk analysis. They are often misunderstood and confused with one another, so we describe the specifics of each, and the differences between them, below.
Also referred to as ethical hacking, penetration testing simulates the actions of an external or internal attacker in order to reveal vulnerabilities. Rather than listing every weakness, ethical hackers have a specific goal: gaining unauthorised access to a defined target, often by chaining several individual flaws that would be harmless on their own.
Penetration tests are usually conducted by independent third-party specialists who can provide an objective view of your network environment. They may be run with no prior knowledge of the system (black box), with full knowledge such as source code and credentials (white box), or somewhere in between; the scope, the target and the rules of engagement should be agreed in writing before testing starts.
The result of a pen test is a formal report that details how the security was breached, how long the tester remained undetected, what sensitive data was compromised, and recommendations for improving the organisation's security posture. With this, organisations know how to remediate the vulnerabilities found and can improve their defences against real attacks.
Penetration tests are most often commissioned by companies that believe they have already reached their desired security state and want to verify it.
Vulnerability assessment (VA) is quite often used interchangeably with penetration testing, but the two terms have very different meanings. VA is the process of identifying security weaknesses in an environment with automated scanners. The scanner produces a list of the vulnerabilities it found, typically with a severity rating and basic remediation steps for each. VA suits companies seeking to reduce the number of known security flaws in their systems.
The downside of this approach is that scanners only find known vulnerabilities: flaws that have already been discovered, reported publicly and added to the scanner's signature database, which means attackers know about them too. Vulnerabilities that have not yet been published, and flaws in your own custom code or business logic, will not be found. Scanner output also contains false positives, so each finding should be verified before it is acted upon.
This method is therefore for clients who already understand that they have security issues and need to identify and prioritise them.
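To make the scanner limitation concrete, here is an added example (not code from the original article) of the core of a version-matching vulnerability scanner: it grabs nothing from the network, but works over a constructed asset inventory and a constructed signature database. The product names, version thresholds and the "EXAMPLE-" identifiers are placeholders, not real advisories.

```python
# Added example: a toy version-matching scanner, the mechanism behind most
# automated vulnerability assessment tools. Not the article's code; the
# signature database and inventory below are constructed placeholders.

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed signature database. A real scanner ships many thousands of
# entries keyed by CVE; each exists only because the flaw was already
# disclosed publicly, so attackers have the same list.
KNOWN_VULNS = [
    {"id": "EXAMPLE-0001", "product": "openssh", "fixed_in": "8.5",
     "severity": "high", "fix": "Upgrade openssh to 8.5 or later."},
    {"id": "EXAMPLE-0002", "product": "nginx", "fixed_in": "1.20.1",
     "severity": "medium", "fix": "Upgrade nginx to 1.20.1 or later."},
]

# Constructed asset inventory, as a banner-grabbing pass would collect it.
INVENTORY = [
    {"host": "web-01", "product": "nginx", "version": "1.18.0"},
    {"host": "web-01", "product": "openssh", "version": "8.4p1"},
    {"host": "web-02", "product": "nginx", "version": "1.22.0"},
    # In-house service: no public signature can exist for it.
    {"host": "billing-api", "product": "billing-api", "version": "2.3.1"},
]


def parse_version(text):
    """'8.4p1' -> (8, 4, 0); '1.20.1' -> (1, 20, 1). Trailing letters are dropped."""
    parts = []
    for chunk in text.split("."):
        digits = ""
        for ch in chunk:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    parts.extend([0] * (3 - len(parts)))
    return tuple(parts[:3])


def scan(inventory, known_vulns=KNOWN_VULNS):
    """Match each asset against the signature DB and return findings sorted
    by severity. Anything the DB does not describe is silently not reported."""
    findings = []
    for asset in inventory:
        for vuln in known_vulns:
            if asset["product"] != vuln["product"]:
                continue
            if parse_version(asset["version"]) < parse_version(vuln["fixed_in"]):
                findings.append({
                    "host": asset["host"], "product": asset["product"],
                    "version": asset["version"], "id": vuln["id"],
                    "severity": vuln["severity"], "fix": vuln["fix"],
                })
    findings.sort(key=lambda f: SEVERITY_RANK[f["severity"]])
    return findings


def unscanned(inventory, known_vulns=KNOWN_VULNS):
    """Assets no signature covers: the scanner says nothing about them,
    which is not the same as them being secure."""
    covered = {v["product"] for v in known_vulns}
    return [a["host"] for a in inventory if a["product"] not in covered]


if __name__ == "__main__":
    for f in scan(INVENTORY):
        print(f"{f['severity']:8} {f['host']:12} {f['product']} {f['version']} "
              f"{f['id']}: {f['fix']}")
    print("no signature coverage:", unscanned(INVENTORY))
```

Two things to notice when running it: the in-house billing-api never appears in the findings, because no signature can exist for a flaw nobody has published, and the openssh match is decided purely on the version string, so a host running a distribution package that backported the fix while keeping the old version number would be reported all the same. That is the false-positive case a practitioner has to verify by hand.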
Unlike the methods above, risk analysis does not require any scanning tools or applications. It analyses a specific vulnerability, the likelihood and impact of its being exploited, and weighs that against the cost of fixing it.
Risk analysts examine the threats that could exploit the vulnerability in question and their potential impact on the company. The result is a risk rating, and a set of mitigating controls that can be implemented to reduce the risk to an acceptable level.
According to ISACA (the Information Systems Audit and Control Association), a comprehensive security risk analysis should be conducted at least once every two years. This approach suits companies that want to know which threats and vulnerabilities can cause financial harm to their business and how to deal with them.
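The following is an added example, not part of the original article, showing how a risk rating and a control decision are derived in the quantitative form of the analysis described above: single loss expectancy (SLE) and annualised loss expectancy (ALE), then the net benefit of each candidate mitigating control. Every asset value, probability, threshold and control cost below is constructed for illustration.

```python
# Added example (not from the article): a quantitative risk rating using the
# standard single loss expectancy (SLE) / annualised loss expectancy (ALE)
# model, plus a cost-benefit test for mitigating controls. All asset values,
# probabilities, thresholds and control costs are constructed for illustration.
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    asset_value: float      # value of the asset exposed, in currency units
    exposure_factor: float  # fraction of that value lost in one incident, 0..1
    aro: float              # annualised rate of occurrence, incidents per year

    def sle(self) -> float:
        """Single loss expectancy: loss from one incident."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualised loss expectancy: expected loss per year."""
        return self.sle() * self.aro


@dataclass
class Control:
    name: str
    annual_cost: float
    aro_reduction: float = 0.0  # fraction by which the control cuts ARO, 0..1
    ef_reduction: float = 0.0   # fraction by which it cuts the exposure factor


def rating(ale: float) -> str:
    """Qualitative rating from ALE; the thresholds are constructed and must be
    set per business."""
    if ale >= 100_000:
        return "high"
    if ale >= 10_000:
        return "medium"
    return "low"


def residual_ale(risk: Risk, control: Control) -> float:
    """ALE that remains once the control is in place."""
    ef = risk.exposure_factor * (1 - control.ef_reduction)
    aro = risk.aro * (1 - control.aro_reduction)
    return risk.asset_value * ef * aro


def net_benefit(risk: Risk, control: Control) -> float:
    """Annual loss avoided by the control minus what the control costs per year."""
    return risk.ale() - residual_ale(risk, control) - control.annual_cost


def recommend(risk: Risk, controls: list) -> tuple:
    """Return (control name, net benefit) for the best-paying control, or
    (None, 0.0) when no listed control pays for itself, in which case the
    risk is accepted or cheaper options are sought."""
    best = max(controls, key=lambda c: net_benefit(risk, c), default=None)
    if best is None or net_benefit(risk, best) <= 0:
        return None, 0.0
    return best.name, round(net_benefit(risk, best), 2)


def prioritise(risks: list) -> list:
    """Highest expected annual loss first."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)


# Constructed risk register and candidate controls.
RISKS = [
    Risk("customer DB exposed via unpatched web app", 500_000, 0.4, 0.5),
    Risk("mailbox compromise from phishing", 50_000, 0.2, 2.0),
    Risk("unencrypted laptop stolen", 20_000, 0.5, 0.25),
]
CONTROLS = {
    RISKS[0].name: [Control("patch management plus WAF", 30_000, aro_reduction=0.8)],
    RISKS[1].name: [Control("MFA on mail", 8_000, aro_reduction=0.9),
                    Control("awareness training only", 4_000, aro_reduction=0.3)],
    RISKS[2].name: [Control("full-disk encryption rollout", 5_000, ef_reduction=0.9)],
}

if __name__ == "__main__":
    for r in prioritise(RISKS):
        print(f"{rating(r.ale()):6} ALE {r.ale():>10,.0f}  {r.name}")
        print("       recommend:", recommend(r, CONTROLS[r.name]))
```

With these constructed figures the web-application risk rates high and the patching-plus-WAF control clearly pays for itself, MFA beats awareness training for the phishing risk, and the laptop-theft risk is too small for the encryption rollout to be cost-justified on this model alone; that last case is exactly the "cost of fixing it" question the analysis is meant to answer, and the numbers would change once regulatory or reputational impact is added to the exposure factor.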
Which method to choose?
All of the methods mentioned are powerful tools for assessing and improving an organisation's security.
Depending on your needs you may lean toward a specific method. If you want an inventory of your systems' weaknesses, start with a vulnerability assessment. If you are confident in your security posture, a penetration test is a reasonable way to confirm that your defences hold up against a determined attacker. And to identify the risks in your environment and how severe they are, risk analysis is the right choice.
Although these methods have different purposes and outcomes, it is a good idea to combine them for overall coverage: a vulnerability assessment to find and fix the known flaws, a penetration test to see what an attacker can still achieve, and a risk analysis to decide where the remediation budget is best spent.