As the momentum for digitalisation develops rapidly, many organisations, both ‘large’ and ‘small’, are unwittingly vulnerable to cyber attacks. This certainly raises fundamental questions. Do organisations know the weak points in their systems and apps that can leave room for cyber attacks? Or is the organisation aware of the vulnerability, but does not know what to do about it?
It is undeniable that organisations must regularly look at the security loopholes in their systems and apps. This is an important part of the organisation’s performance evaluation process. Organisations must develop adaptive and resilient digital security practices to address the new demands of digital business. Security testing methods commonly used by organisations today include vulnerability assessments and penetration testing.
Very often, both are interpreted as being one and the same, when in fact, the two methods are different cyber security initiatives. It is important for organisations to understand the difference between the two, in order to be able to choose the most appropriate method to be adopted at the right time.
In general, vulnerability assessments can assist organisations in identifying and quantifying the vulnerabilities in their systems, apps and infrastructure. However, this method is not suitable for conducting in-depth evaluations, for example, to find out whether or not the vulnerability can be exploited. In simpler terms, the basic aim of a vulnerability assessment is to find existing vulnerabilities and filter out which types of threats the organisation should be wary of and which can be considered as merely being false positive threats. In addition to finding indications of vulnerability, this method also looks at whether the security measures taken are appropriate in dealing with potential threats (with the worst impact) against any important company assets. With vulnerability assessments, companies can find out what vulnerabilities exist and can make improvements to existing vulnerabilities.
On the other hand, penetration testing is more than just identifying vulnerabilities. Penetration testing is much more detailed and covers various aspects, giving a more comprehensive picture of the overall security of the company. In penetration testing, testing is performed by penetrating the security of an organisation’s information system network using a variety of different tools and technical approaches. With this method, testing is carried out similar to that of a hacker (ethical hacking) simulation, looking at how many vulnerabilities can be exploited and attempting to exploit the system’s loopholes to obtain important and sensitive organisational data (trying to gain access to the system). The results of testing using this method will inform reports and recommendations regarding actions that need to be prioritised by an organisation to make its system safer from cyber attacks. This report can also help developers in developing apps and websites that are more secure. Now that you know the difference between the two, which one do you need most right now? A vulnerability assessment or penetration testing? For a detailed picture, here is a brief overview of the differences between the two testing methods:
| Vulnerability Assessment | Penetration Testing | |
| Objective | This method can provide important information regarding the identification of security loopholes, including security precautions that have not been implemented or are inappropriate. | This method goes beyond identifying vulnerabilities, by trying to exploit discovered vulnerabilities and conducting manual testing to gain access to the system/ sensitive information. |
| Focus | Focuses on system vulnerabilities (unpatched systems), infrastructure and software, the level of vulnerability, and other details. | Focuses on how cyber attackers and hackers can exploit vulnerabilities and quantify damage if they carry out a successful attack |
| Approach | An approach that is oriented on a broad coverage for security testing | An approach that is oriented towards specific security testing |
| Form of report | Identifies security vulnerabilities and attack entry points along with potential threats that can occur based on the highest threat level. Recommendations for the most appropriate method of security mitigation based on the identified vulnerabilities found | Assessment report on the exploitation of a security system that has successfully penetrated and the potential damage that can be caused. Also comes complete with documentation on security loopholes and recommendations, as well as effective and efficient steps to preventing cyber attacks on systems through exploited loopholes |
| Tools | Performed using an automatic scanning tool | Mostly involves manual processes that are not easily carried out automatically (event though automatic scanning can be done as part of penetration test, the next step is to further explore network vulnerabilites and apps manually, to try to exploit them) |
Want to know more about how to optimise the security of your IT infrastructure and systems through the Security Vulnerability Assessment, and Telkomtelstra’s Penetration Testing service? Contact Telkomtelstra now!
Our Professional Security Services for Security Vulnerability Assessments Penetration Testing have assisted a number of Indonesian companies from various industries in obtaining a comprehensive analysis of security vulnerabilities and the impact of these on their organisations. Not only that, but our team of specialist experts also identify and provide the best recommendations to effectively protect organisations from cyber attacks against network systems, applications and infrastructure.(*)