Penetration Tests vs Vulnerability Assessments

25th November 2016

Author: Joe Flanagan, Security Consultant, Sapphire

To protect against hackers, it’s important to be able to quantify the level of risk to your business. Deciding whether a penetration test or a vulnerability assessment is right for you can be confusing. Understanding the difference between the two and the varying levels of security that they provide against the threat that hackers pose is crucial.

It’s generally understood that a vulnerability scan is usually carried out with an automated tool; it will show which vulnerabilities are present in your systems, where they are located and often how to remediate those vulnerabilities.

However, a scan will not confirm whether those vulnerabilities can be exploited or how severe the risk might be, and may therefore lead to a misallocation of resources. Something that came up as a relatively low risk in a vulnerability assessment may be exposed as far more dangerous following a penetration test. For instance, an attacker might be able to pivot from a system normally deemed unimportant and then use it to take control of a far more vital system.

An example of this was the Bangladesh Central Bank hack, which was first reported in February 2016. A $10 router was used to steal the credentials of central bank employees, allowing the attackers complete access to the bank’s internal network. The thieves made off with $81 million because the bank simply hadn’t deemed the router important enough. A professional penetration test would have demonstrated this issue very clearly and allowed the bank to remediate it.
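The point about pivoting can be made concrete with a small triage sketch. This is an added example, not code from the original article; the hosts, reachability map, findings and scores are all constructed. It reorders scanner findings by whether the affected host has a network path to a business-critical system, which is the question a scanner's severity score alone does not answer.

```python
from collections import deque

# Constructed sample data: which hosts can open connections to which.
REACHABLE = {
    "branch-router": ["staff-pc"],
    "staff-pc": ["file-server", "payments-gateway"],
    "file-server": [],
    "test-web": [],
    "payments-gateway": [],
}
CRITICAL = {"payments-gateway"}  # assumed business-critical asset

# Constructed scanner output: (host, finding, scanner severity 0-10).
FINDINGS = [
    ("test-web", "possible SQL injection", 8.1),
    ("branch-router", "default admin password", 3.5),
    ("file-server", "outdated file-sharing service", 5.0),
]

def hops_to_critical(start, reachable, critical):
    """Breadth-first search: fewest hops from start to a critical host, else None."""
    seen, queue = {start}, deque([(start, 0)])
    while queue:
        host, dist = queue.popleft()
        if host in critical:
            return dist
        for nxt in reachable.get(host, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, dist + 1))
    return None

def prioritise(findings, reachable, critical):
    """Rank findings with a path to a critical host first (shortest path
    first), then fall back to the scanner's own severity score."""
    ranked = [
        {"host": h, "finding": t, "severity": s,
         "hops": hops_to_critical(h, reachable, critical)}
        for h, t, s in findings
    ]
    ranked.sort(key=lambda f: (f["hops"] is None, f["hops"] or 0, -f["severity"]))
    return ranked

if __name__ == "__main__":
    for f in prioritise(FINDINGS, REACHABLE, CRITICAL):
        print(f"{f['host']:<14} sev={f['severity']:<4} hops={f['hops']} {f['finding']}")
```

The ordering only suggests where a tester should look first; whether each finding is actually exploitable still has to be confirmed by hand.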

By far the most popular attacks we’ve seen this year are phishing emails. Malware is used to steal usernames, passwords, credit or debit card information or, in the case of ransomware, it might encrypt your company’s systems, making them inaccessible. The criminals will then demand a ransom for unlocking your own systems. Every user has their ‘off day’ and is prone at some point to phishing attacks. Whilst this threat can be reduced with specialised training, it can never be totally eliminated. The only real way to know the extent of the damage this type of attack might cause is with a penetration test. This would allow your company to construct a defence-in-depth plan. If a criminal had phished their way into your network, it is key to know what they would be able to reach and vital that they are kept several stages away from your most important servers.

Another real issue that companies face is that of the malicious or vulnerable insider. It is all very well having someone scan your network from the outside, but if your own employees are feeling disgruntled or they have been threatened then the risk is far greater. A vulnerability assessment isn’t going to show you how much damage each of these individuals might be capable of. A penetration test could show you the level of risk for each level of privilege that each user has in your business. It will show if the privileges of the lower levels of user can be escalated and used to gain complete control of systems at the executive level.

A publicised example of this was Distribute.IT, a leading technology company based in Australia. This company issued SSL certificates and provided SMS services and would probably be considered very tech savvy. So when their network was taken completely offline by an attacker, they responded by immediately rebuilding the network and making it stronger. They wrongly assumed the attacker was an outsider. A penetration test would’ve shown that the threat was far more likely to have come from the inside; it might even have directed Distribute.IT to the specific user set from where the attack was coming. Sadly, their weeks of effort were misdirected; the network was taken out completely for a second time a few hours after it was back online. The company had been impacted again by a member of staff who had become susceptible to criminals.

Everyone would agree that it is vital to review and test web applications. A vulnerability assessment will uncover vulnerabilities and may even flag the app as being vulnerable to an SQL injection. However, it doesn’t necessarily indicate the level of importance of that particular SQL database, nor does it mean the web app is definitely vulnerable. Scanners can sometimes return false positives. Therefore, you might find yourself spending time and money fixing something that was never confirmed to be a problem to begin with. Meanwhile, an attacker could be exploiting a vulnerability that appeared to be of less importance to the vulnerability scanner.

To summarise, a vulnerability assessment is a good place to start: it can point to the problem areas within your security posture and can sometimes show you how to fix them. However, it’s going to be less accurate in assessing risk, sometimes returning false positives. It’s also not going to be a specifically targeted assessment, in the sense that it won’t directly answer whether your business-critical systems are vulnerable. It will simply demonstrate that a potential vulnerability exists in a certain place.

To gain a true understanding of the extent of damage a hacker can do, human interaction is crucial. A penetration test will remove false positives from the vulnerability assessment and list vulnerabilities by severity more accurately. Most importantly, it will allow you to mitigate these risks with greater efficiency, thereby making your company more secure than a vulnerability assessment alone.