The Viewfinder

Penetration Testing and Vulnerability Assessments

Author: In-Jaul Tan
Senior Security Consultant [SEC], Cyber & Cloud Security Services
Long View



What is a Vulnerability Assessment?
Vulnerability scanning is the detection of known vulnerabilities within a corporation’s computer network. These can be as simple as outdated or unpatched software, or an application that was configured insecurely. Scanning is one of the first steps in securing your computer network.

What is Penetration Testing?
Penetration testing (pentesting) attempts to exploit vulnerabilities detected within your environment. It is a nuanced process that can give security administrators insight into what can be done once a bad actor has accessed your network. Pentests are a deep analysis of your environment and are often performed after a vulnerability assessment.

What’s the Difference Between Penetration Testing and Vulnerability Assessment?

| | Vulnerability Assessments | Penetration Testing |
|---|---|---|
| What is it? | A scan of your computer network to detect known vulnerabilities | Simulated attempts to exploit known vulnerabilities within your network by bad actors for criminal activities |
| When is it performed? | Quarterly and ad hoc | Annually or for a specific purpose |
| Who performs this? | Usually an automated scan | Usually performed by “white hats” and security professionals |
| How long does it take? | Often several hours | Several days up to a few weeks |
| Scope? | Simple surface scan of the environment | Attempts to exploit vulnerabilities detected by a vulnerability assessment |
| Output? | List of detected vulnerabilities | Analysis of vulnerabilities and if/how they can be exploited |
| What’s next? | Apply patches and fixes | Prioritize vulnerabilities for remediation |


Tips and Tricks for Successful Vulnerability Assessments and Penetration Testing

✔ Scope and test the assessment effectively. Break assessments and testing into manageable groups to help focus on where and how you can get the most value.

✔ Do not take the results of an assessment or testing personally. Assessments and tests are performed without bias or accusation. Vulnerabilities (new and old) and ways to exploit them are discovered all the time. Taking findings personally often leads to resistance when implementing the solution, leaving the network vulnerable for longer than necessary.

✔ System and network maintenance should be performed at regular, consistent intervals instead of in bursts. Urgent updates can always be done as required, but it is important that security updates are applied consistently at regular intervals to protect the network and minimize disruptions.

✔ Context matters. A detected vulnerability may not be (easily) exploitable. That does not mean it shouldn’t be remediated, but the severity level may not reveal the whole story.

✔ As with all preventative measures, vulnerability scanning should be part of a regular automated process. Regular scanning can help in identifying unexpected deficiencies and processes.

✔ Vulnerabilities can take many forms and come from many sources, including (but not limited to) those on-premises, in the cloud, at remote endpoints, from vendors and more.

✔ Always assume that bad actors will eventually get into the network (zero-trust). How your defenses are structured and the ways you protect your data need to be designed to make it as hard as possible for bad actors to get to their prize at the end of the tunnel.

✔ Incorporate vulnerability management (and secure coding) practices into all stages of your software development lifecycle instead of making them part of a separate stream.

✔ Where possible, do not rely on a single form of threat management. Layered defenses increase the protection of your most important asset, your data.

✔ Subscribe to threat intelligence newsletters. Knowing which vulnerabilities exist and familiarizing yourself with them is critical to ensure you don’t become a victim.

