Penetration Testing or Vulnerability Assessment: What’s the Difference?

By: Gene Fredriksen, Security Strategy Consultant

Cybersecurity terms continually make their way into our vocabulary with words like IP address, Virtual Private Network (VPN) and the cloud – or more ominous terms like exploit and breach. These words have, unfortunately, permeated our society. Often it seems you can’t watch the news without hearing mention of a data breach, and many cardholders have had to replace their cards due to one.

Does your financial institution have a plan to prepare for, and address weaknesses in, infrastructure that can lead to such breaches? Conducting penetration tests and vulnerability assessments is a crucial part of any financial institution’s cybersecurity strategy. If you’re not sure what to ask your IT and Security teams, we have provided a quick primer on these two important cybersecurity measures below.

Penetration Testing vs. Vulnerability Assessment

Many people think penetration testing and vulnerability assessments are different terms for the same security activity. However, from a security and compliance standpoint, there is a significant difference. Vulnerability assessments aim to identify, analyze and prioritize potential vulnerabilities by performing a risk assessment process. On the other hand, penetration testing goes a step further, using real-world cybercriminal tactics, techniques and procedures to discover and exploit vulnerabilities in a system, network or application. When a penetration test identifies an issue, it is an actual issue that can be exploited.

Think of it as a visit to the doctor’s office. If you have your aching arm looked at, they may do an X-ray to rule out a broken bone. An X-ray is a simple, fast, standard test that reveals significant problems such as a broken bone. This quick test is what a vulnerability assessment does. It is an automated scan that rapidly looks for standard security issues. It returns reports of problems that need follow-up.

If the pain in your arm doesn’t get better, the doctor may ask for a CT scan or MRI of your arm. These are more detailed diagnostic tools that leverage the skills of doctors, specialists and technicians to identify the root cause of the pain. This “in-depth” analysis is similar in concept to running a penetration test.

Penetration testing, also known as “pen testing,” examines an organization’s cybersecurity controls. While many tests and tools are necessary to monitor and test security, it is critical to include penetration testing. The testing is used to validate that an attacker could exploit vulnerabilities in a network, system or web application.

A penetration test utilizing a skilled analyst can provide invaluable insight into where an organization is most vulnerable. A trained expert will analyze and test system vulnerabilities to see if a successful attack is possible.

Penetration testing takes place routinely and follows any large-scale infrastructure changes. Consistent testing can help discover vulnerabilities early and provide actionable remediation paths for internal changes affecting organizational security.

Benefits and Limitations

Regular penetration tests and vulnerability assessments are crucial parts of an effective security program and provide significant value to the organization. However, there are benefits and limitations to each.

With data breaches being a far too common and costly occurrence these days, the value of penetration testing is especially front and center. Manual testing of security issues leads to more accurate results and rules out issues flagged as problems that are really not (also known as false positives). However, penetration tests are a more prolonged effort, lasting up to three or four weeks, and come with a higher cost of engagement.

Vulnerability assessments are also an important part of an effective security program. Usually taking place in the form of an automatic scan, they can point out potential weak spots before a technician does a penetration test and proves that a vulnerability is exploitable. These assessments, which are generally affordable and quick to complete, provide a high-level look at possible vulnerabilities and are easily automated to run on a regular schedule. At the same time, they can produce false positives, do not confirm that a vulnerability is exploitable, and require manual checks of each vulnerability prior to repeat testing.
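The triage workflow described above (scanner output is only a list of potential weaknesses, each one is manually confirmed or dismissed as a false positive, and dismissed findings are not reopened by the next scheduled scan) can be made concrete with a small findings tracker. The following Python is an added example written for this page, not code from the author or from any scanner product; the hosts, check identifiers and scan results are constructed sample data.

```python
"""Triage tracker for automated vulnerability-scan findings.

Added example (not part of the original article). Models the process the
article describes: a scheduled scan reports *potential* weaknesses, a
technician confirms exploitability or records a false positive, and only
confirmed findings are treated as real. All scan data below is constructed
and the check identifiers are hypothetical.
"""
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    UNVERIFIED = "unverified"            # reported by the scanner, not yet checked
    CONFIRMED = "confirmed"              # exploitability proven by a manual test
    FALSE_POSITIVE = "false_positive"    # checked by hand, not a real issue
    REMEDIATED = "remediated"            # fixed; a rescan should no longer report it


@dataclass
class Finding:
    host: str
    check_id: str          # scanner's check identifier (hypothetical values)
    severity: int          # 1 (low) .. 4 (critical), as assigned by the scanner
    status: Status = Status.UNVERIFIED
    note: str = ""         # justification, required for CONFIRMED / FALSE_POSITIVE

    @property
    def key(self):
        return (self.host, self.check_id)


class Tracker:
    def __init__(self):
        self.findings = {}   # (host, check_id) -> Finding

    def ingest_scan(self, scan_results):
        """Merge one scan run and return the keys that need fresh attention.

        Findings already triaged (confirmed, false positive or still unverified)
        keep their state, so a dismissed false positive is not reopened by every
        scheduled rescan. A REMEDIATED finding that reappears is reopened, since
        the fix evidently did not hold.
        """
        needs_attention = []
        for r in scan_results:
            f = Finding(r["host"], r["check_id"], r["severity"])
            existing = self.findings.get(f.key)
            if existing is None:
                self.findings[f.key] = f
                needs_attention.append(f.key)
            elif existing.status is Status.REMEDIATED:
                existing.status = Status.UNVERIFIED
                existing.note = "reappeared after remediation"
                needs_attention.append(f.key)
        return needs_attention

    def triage(self, host, check_id, status, note=""):
        """Record a manual verdict; verdicts must carry a written justification."""
        if status in (Status.CONFIRMED, Status.FALSE_POSITIVE) and not note.strip():
            raise ValueError("confirmed and false-positive verdicts need a justification")
        f = self.findings[(host, check_id)]
        f.status, f.note = status, note

    def mark_remediated(self, host, check_id):
        self.findings[(host, check_id)].status = Status.REMEDIATED

    def work_queue(self):
        """Open items: confirmed findings first, then unverified, highest severity first."""
        rank = {Status.CONFIRMED: 0, Status.UNVERIFIED: 1}
        return sorted(
            (f for f in self.findings.values() if f.status in rank),
            key=lambda f: (rank[f.status], -f.severity, f.host, f.check_id),
        )


# Constructed scan output for two scheduled runs (hypothetical hosts and checks).
SCAN_1 = [
    {"host": "web01", "check_id": "TLS-WEAK-CIPHER", "severity": 2},
    {"host": "web01", "check_id": "OUTDATED-HTTPD", "severity": 3},
    {"host": "db01", "check_id": "DEFAULT-CREDS", "severity": 4},
]
SCAN_2 = SCAN_1 + [{"host": "vpn01", "check_id": "OUTDATED-SSLVPN", "severity": 4}]


def run_demo():
    """Walk one scan-triage-rescan cycle; returns the tracker and both 'new' lists."""
    t = Tracker()
    new1 = t.ingest_scan(SCAN_1)
    t.triage("web01", "TLS-WEAK-CIPHER", Status.FALSE_POSITIVE,
             "cipher is rejected by the proxy in front; scanner only read the banner")
    t.triage("db01", "DEFAULT-CREDS", Status.CONFIRMED,
             "tester authenticated with the vendor default during the engagement")
    t.mark_remediated("db01", "DEFAULT-CREDS")
    new2 = t.ingest_scan(SCAN_2)   # db01 reappears -> reopened; web01 TLS stays dismissed
    return t, new1, new2


if __name__ == "__main__":
    tracker, first, second = run_demo()
    for f in tracker.work_queue():
        print(f.status.value, f.severity, f.host, f.check_id, "-", f.note)
```

The point of `ingest_scan` is the article's caveat that scanner output needs a manual check before repeat testing: without a record of prior verdicts, every weekly scan re-reports the same false positives, and the queue fills with noise that hides the one finding a pen tester actually confirmed.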

Which Test is Right for Your Financial Institution?

Both tests work together to encourage optimal network and application security. Vulnerability scans are excellent, providing weekly, monthly or quarterly insight into your network security. At the same time, penetration tests are a way to more deeply examine your network security. Although penetration testing is expensive, keep in mind that you are paying an experienced technician to explore every facet of your business the way a real-world attacker would, seeking to find a possibility of compromise.

As new vulnerabilities are discovered every day, a stagnant security strategy almost guarantees a future breach. Talk to your compliance team, auditors and regulators to discuss your penetration testing and vulnerability assessment strategy. Having a solid testing strategy, followed by an aggressive remediation plan, will provide long-term security benefits to your financial institution.

Gene Fredriksen is a co-founder and current executive director of the National Credit Union ISAO and the principal cybersecurity consultant with PureIT CUSO. He has previously held the positions of CISO for PSCU, Global CISO for Tyco International, principal consultant for security and risk management strategies for Burton Group, vice president of technology risk management and chief security officer for Raymond James Financial, and information security manager for American Family Insurance.

Fredriksen served as the chair of the security and risk assessment steering committee for BITS, and also served on the R&D committee for the financial services sector steering committee of the Department of Homeland Security. He also served as an advisor on various cybersecurity steering committees for the administrations of George W. Bush, Bill Clinton and Donald Trump, assisting in the preparation of the president’s Cybersecurity Position Paper.