Where the vulnerability assessment tries to discover and list as many potential weaknesses as possible, penetration testing focuses on the specific objective of system compromise and data access. It is like a ‘capture the flag’ exercise. Penetration testing may include the following activities:
- Password stealing and cracking, or brute-forcing
- Executing exploits against vulnerable services
- Non-technical methods like social engineering or breach of physical security
- Installation of technical surveillance devices like key loggers, cameras, or listening devices
The penetration test aims to validate the discoveries made during the vulnerability assessment and to establish a root cause of the vulnerabilities.
An important part of penetration testing is to conduct a risk assessment of the vulnerabilities. The assessor evaluates the security controls implemented by the organisation, the public availability of exploits, and the difficulty of exploitation.
In conclusion, penetration testing is a stage in the overall vulnerability management process and often follows the vulnerability assessment.
The vulnerability assessment can be an ongoing, continuous process, while penetration testing would be conducted at specific intervals.