Infosec pros often find vulnerabilities during a penetration test, but that isn’t a vulnerability assessment. The two shouldn’t be confused, says Torsten George, vice president of marketing and product management at cyber risk management software vendor RiskSense.
Unfortunately, George says in a column published this week, many think they are the same.
“To strengthen an organization’s cyber risk posture, it is essential to not only test for vulnerabilities, but also assess whether vulnerabilities are actually exploitable and what risks they represent.” A penetration test is one facet of a vulnerability assessment, to be used to determine if a vulnerability can be exploited.
Although you can hire a third party to do a vulnerability assessment of networks, applications and databases, the SANS Institute offers a whitepaper on how an organization can do one itself. As with any security practice, the assessment is only effective if it rests on a strong foundation of policies and procedures, the paper emphasizes, including change and issue management.
George also warns that focusing on existing vulnerabilities is only the first step in a useful vulnerability management process. Infosec teams have to determine whether each vulnerability is actually exploitable. “Skipping this step is not only a waste of money, but more importantly creates a longer window of opportunity for hackers to exploit high risk vulnerabilities,” he writes. “Ultimately, the goal is to shorten the window attackers have to exploit a software flaw.”
SANS also advises that the vulnerability assessment process be conducted regularly if it is to truly minimize overall risk.
Finally, remember there’s a third element to a well-rounded security strategy: a cyber risk assessment. As George points out, it takes into account all the contributing factors, including asset criticality, vulnerabilities, external threats, reachability, exploitability and business impact.
Risk assessment, vulnerability assessment and penetration testing make a potent trio.