Pen-Tests versus Vulnerability Assessment

Testing 1, 2, 3....

Pen-Tests versus Vulnerability Assessment

The two terms are related, but penetration testing places more emphasis on gaining as much access as possible, while vulnerability assessment places the emphasis on identifying areas that are vulnerable to an outside or internal attack. Automated vulnerability scanners often identify possible vulnerabilities based on service banners, network responses or responses to other stimuli, and those indicators are not always what they seem. A vulnerability assessor will stop just before compromising a system, whereas a penetration tester will discover as much as possible and go as far as they can within the scope of the contract and the “rules of engagement” dictated by the client.


Vulnerabilities Identification

Vulnerabilities need to be identified by both the penetration tester and deployed vulnerability scanners. The steps and attack vectors are similar for the security tester and threat or bad actor. The attacker may choose to proceed slowly to avoid detection; however, as a training mechanism, the penetration testers will also mimic this behavior so that the target company can learn where their detection thresholds are and make necessary improvements.


The first step in either a penetration test or a vulnerability scan is reconnaissance. This is where the tester attempts to learn as much as possible about the target network and its accompanying systems. This normally starts with identifying publicly accessible services such as mail and web servers from their service banners. Many servers will report the operating system they are running on, the version of software they are running, patch levels and modules that have been enabled, the current time, and perhaps even some internal information such as an internal server name or IP address.


Once the tester has an idea what software might be running on the target systems, that information needs to be validated and verified. The information that the tester has can be combined and then compared with known vulnerabilities, and then those vulnerabilities can be tested to see if the results support or contradict the prior information. In a stealthy penetration test, these first steps may be repeated for some time before the tester decides to launch a specific attack. In the case of a strict vulnerability assessment, the attack may never be launched so the owners of the target computer would never really know if this was an exploitable vulnerability or not.
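The banner triage described in the two paragraphs above, as an added example that is not part of the original article: constructed banners (not captured from any real host) are parsed for version and internal-name disclosure and matched against a hypothetical, placeholder advisory table, and every finding is flagged as unverified, since a banner is only a claim that still has to be validated.

```python
import re

# Constructed sample banners (made up for this example, not captured from any host).
SAMPLE_BANNERS = {
    "mail.example.test:25": "220 mx01.corp.internal ESMTP Postfix (Ubuntu)",
    "www.example.test:80": ("HTTP/1.1 200 OK\r\n"
                            "Server: Apache/2.4.7 (Ubuntu) OpenSSL/1.0.1f PHP/5.5.9\r\n"
                            "X-Backend: app01.corp.internal"),
    "ssh.example.test:22": "SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8",
}
# Hypothetical advisory table keyed by (product, version); the ids are placeholders,
# not real advisories. A real assessment would load a vulnerability database here.
KNOWN_ISSUES = {("Apache", "2.4.7"): "ADVISORY-PLACEHOLDER-1",
                ("OpenSSH", "7.2p2"): "ADVISORY-PLACEHOLDER-2"}
# "Product/1.2.3" or "Product_1.2p3" tokens; HTTP/1.1 and SSH-2.0 are protocol tags, not software.
PRODUCT_RE = re.compile(r"(?P<product>[A-Za-z][A-Za-z0-9_-]*?)[/_](?P<version>\d[\w.]*)")
PROTOCOL_TOKENS = {"HTTP", "SSH"}
# Hostnames under suffixes that are normally internal-only (assumed list).
INTERNAL_RE = re.compile(r"\b(?:[\w-]+\.)+(?:internal|local|lan|corp)\b", re.IGNORECASE)

def parse_banner(banner):
    """Return ([(product, version), ...], [internal hostnames]) found in one banner."""
    products = [(m.group("product"), m.group("version"))
                for m in PRODUCT_RE.finditer(banner)
                if m.group("product") not in PROTOCOL_TOKENS]
    return products, INTERNAL_RE.findall(banner)

def assess(host, banner):
    """Turn one banner into findings. Each is marked verified=False: a banner is the
    server's claim about itself, so an advisory match is a candidate, not a confirmed
    vulnerability, until the tester validates it."""
    findings = []
    products, internal = parse_banner(banner)
    for product, version in products:
        findings.append({"host": host, "type": "version disclosure",
                         "detail": f"{product} {version}", "verified": False})
        advisory = KNOWN_ISSUES.get((product, version))
        if advisory:
            findings.append({"host": host, "type": "candidate vulnerability",
                             "detail": advisory, "verified": False})
    for name in internal:
        findings.append({"host": host, "type": "internal name disclosure",
                         "detail": name, "verified": False})
    return findings

def assess_all(banners):
    """Triage every host's banner; a strict vulnerability assessment stops here."""
    return [f for host, banner in banners.items() for f in assess(host, banner)]
```

The same parser can be pointed at an organization's own banners to see what they disclose before an outside party does.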


There are a variety of reasons for performing a penetration test. One of the main reasons is to find vulnerabilities and fix them before an attacker finds them. Sometimes, the IT department is aware of reported vulnerabilities but they need an outside expert to officially report them so that management will approve the resources necessary to fix them. Having an expert, second set of eyes check out a critical computer system is a good security practice. Testing a new development or production system before it goes live is also a strong practice.


Down the Rabbit Hole…

At any given time, attackers are employing any number of automated tools and network attacks looking for new ways to penetrate systems. Only a handful of those people will have access to “zero day” exploits; most will be using well known (and hence preventable) attacks and exploits. Penetration testing provides IT management with a view of their network, systems and enterprise from a malicious point of view. The goal for the penetration tester is to find ways into the network that can be documented and fixed before someone with less than honorable intentions discovers the same holes.


Management Support – Top Down Approach

If the company’s security team has already pointed out to upper management the need for better security, or the lack of it, in the environment, penetration testing results aid in justifying additional resources to address those needs. Often an internal IT team will be aware of weaknesses in the security of their systems but will have trouble getting management to support the changes that are necessary to secure them. When an outside group with a reputation for security expertise analyzes a system, management will often respect that expert opinion. Furthermore, an outside tester has no vested interest in the results besides fidelity in findings. Inside a corporation of any size, there are constant political struggles and resource constraints, and administrators and techies are always asking for budget increases for new technology. By using an independent third party to verify the need, management will have an additional justification for approving or denying the expenditure of economic resources on security technologies.


Similarly, system administrators who know the intricacies of their environment are often aware of how to compromise their networks, systems and databases; thus these insider threats, armed with inside knowledge, are able to gain unauthorized entry at will. By using a third party that operates with no inside knowledge, the penetration testing team may be able to identify the same vulnerabilities and help convince management that “separation of duties” and other measures need to be put in place immediately. A penetration testing team may also be able to prove that an exploit exists where the internal IT staff “knew” it was there but wasn’t quite able to pull all the pieces together to demonstrate the exploit effectively. Remember: the ultimate responsibility for the security of IT assets rests with management. It rests with management because it is they, not the administrators, who decide what the acceptable level of risk is for the organization.


Verify Security Posture of the Organization

If the security team is confident in their actions and the status of their networks, systems and enterprise, the penetration test report verifies that confidence and competency. Having an outside entity verify the security of the system provides a view that is devoid of internal preferences, politics and biases. An outside entity can also measure the team’s efficiency as security operators. The penetration test alone does not make the network more secure, but it does identify gaps between knowledge and implementation.


Security Training – Continuous Monitoring

If the penetration tester successfully compromises a system without anyone knowing, this could be indicative of a failure to adequately train staff on proper security monitoring. Testing the monitoring and incident handling teams can illustrate the need for further specific training or general-level user training. When the security staff doesn’t identify hostile activity, the post-testing reports can be used to help them identify weak technical areas to hone their incident response skills.


Standards, Compliance and Regulatory Requirements: People, Processes and Technology

Using penetration testing as a means to identify gaps in compliance is a bit closer to auditing than true security engineering, but experienced penetration testers often breach a system or perimeter because someone did not get all the machines patched, or possibly because a non-compliant machine was put up “temporarily” and ended up becoming a critical resource. In today’s heavily regulated environment, many organizations are looking for better ways to continually assess their compliance posture. Most regulations have multiple components specifically related to system auditing and security, and thus a multi-faceted approach incorporating industry-specific compliance requirements is imperative.


Testing New Technology

Most IT resources in business today, across all functional areas, are critical. The ideal time to test new technology is before it goes into production. Performing a penetration test on new technologies, applications and environments before they go into production can often save time, money and frustration, because it is easier to test and modify new technology while nobody is relying on it.