Vulnerability Assessment (VA) is the process of identifying and classifying vulnerabilities in the target system. This process analyzes operating systems, application software, as well as hardware and networks to identify known and unknown vulnerabilities (Zero-day). These vulnerabilities occur because of improper software design, unsafe authentication, or even because of the many vulnerabilities due to programming and configuration errors.
VA generally includes 5 distinct phases:
1. Goals & Objectives: defines the objectives and targets of the VA;
2. Scope: during the execution of the assessment and of the tests, the environment and the perimeter must be clearly defined on the basis of the resources to be tested. There are three methods of execution:
- Black Box: test from an external network without any knowledge of networks or internal systems;
- Gray Box: test from an external or internal network, with knowledge of networks and internal systems. This is usually a combination of black box and white box tests;
- White Box: running the test within the network with the knowledge of network architecture and systems.
3. Information Gathering: this is the phase in which information is collected. The aim is to obtain as much information as possible on the IT environment, such as networks, IP addresses, the version of operating systems and software.
4. Vulnerability Detection: in this phase some automated tools such as vulnerability scanners are used to identify and catalog known vulnerabilities by scanning targets.
5. Information Analysis and Planning: this phase is used to analyze the identified vulnerabilities, correlated with the information collected on the IT environment, to devise a possible plan to penetrate the network and the target system.
Penetration Test (PT) is more an art than a science and it is a process that we can define as ethical Hacking. It is a set of activities that aim to gain unauthorized access to authorized resources. PT is an ethical hacking because it allows you to try to break into your system to see how complicated it would be to attack. The purpose of the PT is to be able to access a system using tools and techniques similar or equal to those used by hackers. So, the penetration tester tries to exploit any known vulnerability or zero-day (more difficult to find) to gain unauthorized access.
Like VA, there are different phases for PT too which correspond to three modes of execution of PT:
- Zero-knowledge: the penetration tester has no information about the target environment;
- Partial knowledge: the penetration tester has partial information about the target environment;
- Full knowledge: the penetration tester has complete access to information and to the architecture of the target environment.
What is the difference between Vulnerability Assessment and Penetration Test and how do we decide which one to use?
The differences between VA and PT are:
- VA is carried out to automatically identify weaknesses through specific software and rarely in manual mode;
- VA can be carried out easily and quickly;
- VA costs less than PT;
- Rarely does VA cause permanent damage to the system, but it can cause delays;
- VA can be performed often, even monthly;
- VA has a protection level lower than PT because it warns against any known vulnerabilities;
- Often VA is the activity that precedes PT;
- PT is carried out to stress the system through specific techniques and processes in order to expose any weaknesses that can be exploited by exploits;
- PT requires a longer execution time than VA and requires specialists, even from different sectors (for example web, DB, network, etc.);
- PT costs more than VA;
- PT can cause permanent damage to the system, sometimes non-recoverable even through backups;
- PT has a higher level of protection than VA because any known and unknown (zero-day) vulnerabilities are tested;
- PT can be carried out on average once a year.
The main difference between VA and PT is in the aim: with VA one stops before compromising a system, while with PT one proceeds without delay to the predefined objective which has been shared with the owner or manager of the system.
The choice of whether to carry out a VA, a PT or both must be based on a careful analysis of the costs-benefits, considering what level of protection you want to achieve, the criticality of any damage to the system (temporary or final) and the actual exposure to an attack tested empirically.