Difference between security audit, network or risk assessment, and Penetration Test
Many organizations offer security services and use the terms security audit, network or risk assessment, and Penetration Test with overlapping meanings. By definition, an audit is a measurable technical assessment of a system or application against a defined standard or baseline. A security assessment is an evaluation of risk: a service used to identify vulnerabilities in systems, applications, and processes.
Penetration Testing goes beyond an assessment by exercising the identified vulnerabilities to verify whether each one is real or a false positive. For example, an audit or an assessment may use scanning tools that report a few hundred possible vulnerabilities across multiple systems. A Penetration Test attempts to exploit those vulnerabilities in the same manner a malicious attacker would, verifying which are genuine and reducing the list to a handful of confirmed security weaknesses.
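As an added illustration of that verification step (this is example code written for this page, not the original post's or any scanner vendor's), the script below takes a constructed scanner export, collapses duplicate rows, and sorts each finding into confirmed, false positive, or needs manual verification. The CSV, the plugin names and the ACTIVE_CHECKS table are all made up for the example; the table stands in for the results of the tester's own hands-on re-tests. Version-only findings are never confirmed automatically, because distribution builds keep the upstream version number while backporting fixes.

```python
"""Added illustration: turn raw scanner output into a verified finding list.

Everything here is constructed for the example; the CSV is not real tool
output and ACTIVE_CHECKS stands in for the tester's own re-tests.
"""
import csv
import io
import re

# Constructed scanner export: one row per host/port/plugin with the evidence
# string the scanner based its finding on. Note the duplicated TRACE row.
SCANNER_CSV = """host,port,plugin,severity,evidence
10.0.0.5,22,ssh-version-outdated,high,SSH-2.0-OpenSSH_7.4 Debian-10+deb9u7
10.0.0.5,80,http-trace-enabled,medium,"Allow: GET,POST,TRACE"
10.0.0.5,80,http-trace-enabled,medium,"Allow: GET,POST,TRACE"
10.0.0.6,443,tls-weak-cipher,medium,TLS_RSA_WITH_3DES_EDE_CBC_SHA offered
10.0.0.6,8080,http-dir-listing,low,Index of /
10.0.0.7,21,ftp-anonymous,high,230 Login successful
"""

# Constructed outcome of the tester's hands-on re-check of each finding:
# True = reproduced, False = could not reproduce. A finding with no entry
# has no active check available and must be verified by hand.
ACTIVE_CHECKS = {
    ("10.0.0.5", 80, "http-trace-enabled"): False,  # TRACE now answers 405
    ("10.0.0.6", 443, "tls-weak-cipher"): True,     # handshake with 3DES suite succeeded
    ("10.0.0.6", 8080, "http-dir-listing"): True,   # GET / returned a listing
    ("10.0.0.7", 21, "ftp-anonymous"): True,        # anonymous login accepted
}

# Distribution patch tags in a banner (Debian/Ubuntu/RHEL-style): the upstream
# version number is kept while fixes are backported, so a version match alone
# proves nothing.
BACKPORT_TAG = re.compile(r"\b(Debian|Ubuntu|el\d)[-+\w.]*", re.IGNORECASE)


def parse_scanner_export(text):
    """Read the CSV export into dicts with an integer port."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["port"] = int(row["port"])
    return rows


def dedupe(findings):
    """Collapse repeated host/port/plugin rows; scanners re-report freely."""
    unique = {}
    for f in findings:
        unique.setdefault((f["host"], f["port"], f["plugin"]), f)
    return list(unique.values())


def verify(finding, checks=ACTIVE_CHECKS):
    """Return (verdict, reason) for one finding."""
    key = (finding["host"], finding["port"], finding["plugin"])
    if finding["plugin"].endswith("version-outdated"):
        tag = BACKPORT_TAG.search(finding["evidence"])
        if tag:
            return "manual", f"version inference only; distro build {tag.group(0)} may be patched"
        return "manual", "version inference only; confirm with an exploit or vendor advisory"
    if key not in checks:
        return "manual", "no active check available"
    if checks[key]:
        return "confirmed", "reproduced by active check"
    return "false_positive", "not reproducible on re-test"


def triage(text, checks=ACTIVE_CHECKS):
    """Group deduplicated findings by verdict."""
    buckets = {"confirmed": [], "false_positive": [], "manual": []}
    for f in dedupe(parse_scanner_export(text)):
        verdict, reason = verify(f, checks)
        buckets[verdict].append({**f, "reason": reason})
    return buckets


if __name__ == "__main__":
    for verdict, items in triage(SCANNER_CSV).items():
        print(f"{verdict}: {len(items)}")
        for item in items:
            print(f"  {item['host']}:{item['port']} {item['plugin']} - {item['reason']}")
```

On the constructed input, six scanner rows become five unique findings, of which three are confirmed, one is a false positive, and one (the SSH banner) is left for manual verification against the vendor's patch status rather than reported on the strength of a version string.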
The most effective Penetration Tests target a specific system with a specific goal. Quality over quantity is the true measure of a successful Penetration Test. Thoroughly enumerating and attacking a single system reveals more about its security, and about how quickly the organization detects and responds to an incident, than a wide-spectrum attack across many hosts. By carefully choosing valuable targets, a Penetration Tester can map the security infrastructure around a valuable asset and the risk that asset actually carries.
Penetration Testing evaluates the effectiveness of existing security controls. If a customer has not yet put strong security in place, a Penetration Test will largely confirm what a basic assessment already shows, and they will receive little value from the service. As a consultant, it is recommended to offer Penetration Testing as a means of verifying the security of existing systems once the customer believes they have exhausted their own efforts to secure those systems and are ready to find out whether any gaps remain.