In today’s ever-changing cybersecurity landscape, your organization must do everything possible to protect critical assets. Both vulnerability scans and penetration tests play an important role in managing cybersecurity vulnerabilities, but they are often confused. Equally important is knowing which one to choose when improving your security posture.
Let’s explore the differences!
What is a vulnerability assessment?
A vulnerability assessment (also known as a vulnerability scan) is a point-in-time engagement that identifies vulnerabilities in computer systems, applications, and network infrastructures. Vulnerability assessments provide the organization with the necessary knowledge, awareness, and risk background to understand and react to the threats within the environment.
What is vulnerability management – and how does it differ from a vulnerability assessment?
Vulnerability management is the cyclical (continuous) process of identifying, classifying, prioritizing, remediating, and mitigating software vulnerabilities. A vulnerability assessment has a specific start and end date – while vulnerability management is ongoing.
Why is vulnerability management important?
Newly identified vulnerabilities and emerging cyber attacks expose businesses to risk every minute of every day. This is not fear, uncertainty, and doubt; every day new advisories, patches, and exploits are published. Vulnerability management is recommended in guidance set forth by the CIS, NIST, and countless regulatory and compliance frameworks (PCI, CMMC, NYDFS, etc.).
Why is continuous vulnerability management important?
Your organization’s internal, external, and cloud attack surface is constantly changing due to new company acquisitions, network mergers, turnover in staff, change in service providers and assets, routine network maintenance, and planned technology upgrades.
How do I perform/automate vulnerability management?
There are several methods for building a vulnerability management program: internally, by leveraging in-house staff and COTS software, or externally, by engaging a qualified managed security service provider (MSSP).
In a previous blog post, ‘Why Is Buying Cybersecurity So Difficult?’, we explore some of the differences between do-it-yourself (DIY), managed security service providers (MSSP), professional services firms, and value-added resellers (VAR).
Who is responsible for vulnerability management?
Vulnerability management often falls under the CIO/CTO/CISO hierarchy, though all C-suite should be aware of and champion cybersecurity.
What about a vulnerability assessment vs. a penetration test?
A vulnerability assessment identifies that an issue exists. A penetration test validates whether the issue is exploitable and whether compensating controls are in place that could mitigate the impact. A penetration test is often performed as an annual effort to complement a vulnerability management program. A vulnerability assessment is always a prerequisite to a penetration test: it provides an opportunity for you to remediate security vulnerabilities prior to conducting the penetration test.
Where does patch management fit into vulnerability management?
Patch management is a critical component of vulnerability management. It is a process used to update the software, operating systems, and applications on an asset in a logical manner. The purpose of a patch management system is to highlight, classify, and prioritize any missing patches on an asset.
Organizations looking to strengthen their vulnerability management programs (or even establish one) should determine which of the following the organization needs:
- Vulnerability Assessment (point-in-time)
- Penetration Test (point-in-time)
- Vulnerability Management (continuous)
Oftentimes a penetration test is not the right place to start. Unless the organization already has a vulnerability management program in place that needs validation, a vulnerability assessment is always recommended first. See our previous blog post, “So You Think You Need a Pentest?” for additional information.
Identify a qualified provider to perform the assessment.
- Managed Security Service Provider (MSSP)
- Professional Service Firm
- Do It Yourself (DIY)
- Value Added Reseller (VAR)
Depending on the provider, the steps will be different, but the overall process will be the same.
- Identify vulnerabilities leveraging one of the service providers
- Remediate vulnerabilities based on the organization’s prioritization and risk management policies
- Validate remediation with subsequent testing and archive the results (for historical analysis, audit evidence, etc.)
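As an added illustration (not code from the original post or any particular provider) of the identify / remediate / validate / archive cycle above, the following Python models two monthly assessments: it diffs the two point-in-time results, carries first-seen dates across scans so age can feed prioritization, archives what was fixed, and ranks what remains open. Asset names, check identifiers, and scores are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Finding:
    asset: str          # hostname (constructed)
    check_id: str       # scanner check identifier (constructed, not a real plugin id)
    cvss: float
    exploit_public: bool

def key(f): return (f.asset, f.check_id)

def compare_scans(previous, current):
    """Diff two point-in-time assessments: (remediated, new, persisting) findings."""
    prev, cur = {key(f) for f in previous}, {key(f) for f in current}
    return sorted(prev - cur), sorted(cur - prev), sorted(prev & cur)

def update_ledger(ledger, scan_date, scan):
    """Carry state between scans: keep first-seen dates, archive what was fixed."""
    seen = {key(f) for f in scan}
    for k in seen:
        ledger["open"].setdefault(k, scan_date)
    for k in list(ledger["open"]):
        if k not in seen:  # validated as fixed: move to the archive with open/close dates
            ledger["closed"][k] = (ledger["open"].pop(k), scan_date)
    return ledger

def prioritize(scan, ledger, today):
    """Rank open findings: CVSS, plus a bump for a public exploit and for age over 30 days."""
    def score(f):
        age = (today - ledger["open"][key(f)]).days
        return f.cvss + (2.0 if f.exploit_public else 0.0) + (1.0 if age > 30 else 0.0)
    return sorted(scan, key=score, reverse=True)

# Constructed scanner output for two monthly assessments (sample data, not real results).
SCAN_JAN = [Finding("web01", "CHK-1001", 5.3, False), Finding("db01", "CHK-2002", 9.8, True)]
SCAN_FEB = [Finding("web01", "CHK-1001", 5.3, False), Finding("vpn01", "CHK-3003", 7.5, True)]

def run_program():
    """Two iterations of the cycle: returns the scan diff, the work queue, and the ledger."""
    ledger = {"open": {}, "closed": {}}
    update_ledger(ledger, date(2024, 1, 10), SCAN_JAN)
    update_ledger(ledger, date(2024, 2, 12), SCAN_FEB)
    diff = compare_scans(SCAN_JAN, SCAN_FEB)
    ranked = prioritize(SCAN_FEB, ledger, date(2024, 2, 12))
    return diff, ranked, ledger

if __name__ == "__main__":
    print(run_program())
```

The ledger is the "archive" step: it is what lets the next assessment answer how long a finding has been open, which a single point-in-time scan cannot.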
With the rapid growth of connected ecosystems, organizations will continue to face existing and emerging threats for years to come. But by designing and enforcing a robust vulnerability management program, you can identify and remediate these threats accordingly.