Vulnerability Assessment & Penetration Test
IT security management for an enterprise consists of a number of proper processes that cover specific scopes, such as perimeter security, protection against virus, spam, intrusion attempts and securing information belonging to that enterprise. Effectiveness of the applied security measures, must be steadily reviewed in order to identify new treats or non-conformities, due to new business needs, technology evolution or new malicious tools evolution that are at the disposal of intruders.
One of the fundamental processes that a company must implement for a continuous audit and for the implementation of efficient technological security measures, is the vulnerability assessment, which allows the management of vulnerabilities that information systems are subject to
The available tools for the earlier mentioned purposes are many:
Vulnerability Assessment (VA)
Allow to obtain a list containing immediate identifiable vulnerabilities (software vulnerabilities, default passwords, etc.) for a subsequent remedy, by assigning them proprieties and structuring remedial measures, in a relatively short space of time.
The vulnerability assessment process is conducted with technological solutions which are designated to analyse company’s networks and detect, learn, and classify devices connected to it, scan for potential vulnerabilities (for example non-updated software, invalid certificates, unnecessarily opened TCP ports or services, etc.), review criticalities associated to each single vulnerability in line with to the importance of the afflicted system (asset value) and the potential impact (threat), evaluate the necessity of implementing corrective actions – in order to bring back the system at an accepted security level – and finally, review the effectiveness of the implanted actions.
Vulnerability Assessment tools perform vulnerability scan in semi-automatic mode, which detects a small proportion of potentially present breaches. Therefore, such an activity must be carried out through specialized activities accomplished by internal and external organizations that are characterized by a high competence level in the security field, that is they are able to conceive the results and identify false-positives.
Penetration Test (PT)
The penetration test (eventually integrated by a Vulnerability Assessment) instead, allows a systematic review on the field by simulating digital attacks on the company’s IT infrastructure in order to evaluate the actual security level. practically, using numerous sophisticated technical tools and completely manual activities, attempts are made to gain unauthorized access to one or more systems/networks with the highest privileges, as well as analysing all issues linked to logical application or any process breaches, These sort of issues could not be identified without such a real simulation of a malicious users (Ethical Hacking).
Unlike the Vulnerability Assessment, the Penetration Test is not necessarily focused on detecting, analysing and describing each vulnerability located on systems, but it focuses on the effective exploitation of each security issue. The two tools are hence different, however, each with its own measure takes part in drawing up a complete picture of the security status when they are run together.