IT Examiner School

Vulnerability Assessment vs Penetration Tests

High ‐ level comparison: • Vulnerability Assessments ‐ identify where facilities or networks are at risk • Penetration Tests ‐ subject a network(s) to “real life”

cyber events internally and externally Both should be performed, at least annually.

Vulnerability Assessments

• Requires specific skills/knowledge • Audit team tries to find weak points • Tools used simulate a variety of attacks • Results are used in Penetration Testing for potential exploitation Testing:

Basic Vulnerability Assessment description:

• Checking building windows and doors to see if they are secured • Checking if building is susceptible to other events, e.g. natural catastrophes