PenTest vs Vulnerability Assessment?
What should you get from a security vendor? Lets break it down.
Black Box vs White Box:
Black Box is without credentials or any information including public IP information; the concept or goal is that you are testing to determine what someone in another country with no information could do to your organization.
White box is the other side of the spectrum; you provide as much documentation as you can to the security testers. The risk being is if you don’t provide information the probability of missed security risks increases.
External vs Internal:
An external assessment never looks at any of your internal equipment. Your security risks on the inside may be the largest risk you have which would be entirely missed.
An internal assessment is going to be able to look at all of your equipment and be able to assess the risk entirely. Internal is always more costly than external due to the scope of the work.
Remote vs Onsite:
If you never go onsite, you can’t try to breach wireless, find a computer that nobody is using but never logged out of, or try to plug into network ports that aren’t secure.
Being remote however does not mean you can’t evaluate the security of those examples. You can look at wireless configurations, switch configurations, and policy and governance in regards to computer timeouts and lockouts.
Vulnerability Assessment vs Penetration test:
A vulnerability assessment is when you have a product like Openvas, you input some IP addresses and click scan. This costs little to nothing to do. It then provides a technical review of the discovered network based vulnerabilities. This approach however misses a myriad of security risks.
A penetration test is where you have a highly skilled security professional with 10+ years experience in the IT industry who knows all the usual ways to break into organizations. They follow a Penetration testing standard like the Penetration Testing and Execution Standard(PTES) which goes in depth into breaching the organization. This requires extensive skills and takes significant amounts of time; therefore very costly.
Common Combinations:
Black box External Remote Penetration test:
This combination is testing what a skilled hacker from another country might be able to access. The immense cost of a penetration test is reduced when the security professional is not expected to go onsite or review information. Providing your public IP addresses help reduce cost. This does have the risk of missing many risk factors; especially internally.
Black box External Remote Vulnerability assessment:
This combination is what we are offering to our membership for free. We take your external public IP addresses, scan them and provide a report.
White box Internal Remote Vulnerability assessment:
This combination consists of providing a security professional VPN access to the network and ability to scan all subnets on the split tunnel. Documentation and information is generally provided. The cost of this is approach is lower because it’s just a vulnerability assessment, but you end up with a very good report of your entire infrastructure. The cost of these engagements are low.
Black box External Onsite Penetration test:
This combination is testing what a skilled hacker who is using social engineering or other techniques to break into your organization. Your physical security will be tested. Your staff’s security will be tested. These are usually called red teams. They will lockpick doors, convince people they are someone with authorization to be onsite, and they also need to know computer security to great depth. This is a very costly engagement due to the large number of skills needed. However, this is without a question the best security evaluation that can happen.