The cybersecurity space is so wide that even practitioners in the field muddy the conversation by conflating terms like Vulnerability Assessment, Vulnerability Scan, and Penetration Test. Many clients call us asking for a "Penetration Test" when what they actually need is a fundamental assessment of their cybersecurity posture: an understanding of their risks and vulnerabilities.
Any new cybersecurity program should start with a fundamental analysis of the organization's risks and vulnerabilities across its IT environment, performed by an experienced practitioner. A true Vulnerability Assessment entails two separate and distinct processes: a Risk Assessment and a Vulnerability Scan.
A professional Vulnerability Scan requires a professional-grade scanning tool (typically a commercial product) operated by an experienced practitioner. Web applications and internal and external networks are scanned for missing patches, unnecessary open ports and services, weak configurations, and similar weaknesses. Keep in mind that a scan identifies potential vulnerabilities; it does not confirm that they can actually be exploited, and results need to be validated to weed out false positives. A good report ranks findings by severity, identifies mitigation strategies for each, and includes an executive summary.
Together, the Risk Assessment and the Vulnerability Scan comprise a true Vulnerability Assessment. The identified risks and vulnerabilities give executive leadership what they need to decide whether further testing is worth the investment. Only then does a "Penetration Test", in which an experienced practitioner attempts to exploit those vulnerabilities to show their real-world impact, make sense. This approach provides a sound foundation for a solid cybersecurity program.