Today we have another great blog post from our friends over at Credit Union Resources. Idrees Rafiq, Jr., AVP of IT Consulting at CUR brings us a post about the differences between vulnerability assessment testing and penetration testing when it comes to your IT systems.
Although similar in nature, external vulnerability assessment testing (VAT) and penetration testing are quite different. Both look for security weaknesses on the perimeter of a network that an attacker could use to compromise the credit union's network. The differences lie in scope, depth, price, and how often each is required.
When describing the differences to credit unions, I like to use the analogy of testing the security of a physical branch. A VAT would be similar to me walking around the branch, pulling on doors, windows, and roof hatches, making sure they are locked and secured. Should the employee entrance/exit door be unlocked, I would report that back to you and let you know that I would be able to break into your credit union via that door.
A penetration test would be similar to me doing the same walk-around; however, I would actually go through the unlocked door and try to reach confidential information and other assets without setting off any alarms. A penetration test is an ‘ethical hack’: the tester exploits the weaknesses found to show what an attacker could actually reach. The VAT simply identifies conditions in a network that an attacker could exploit from the outside (e.g. open ports or exposed services) and reports them without confirming that they can be exploited, so a VAT report can include false positives and findings that are less serious than the scanner rates them. Because vulnerability assessment tests are less intrusive, the price is more palatable for credit unions.
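To make the analogy concrete, here is an added example (not code from the original post or from Credit Union Resources) of the "pulling on doors" step of an external vulnerability assessment: it attempts a TCP connection to each candidate port, records which ones answer, and grabs the service banner. A throwaway listener on 127.0.0.1 with a constructed SMTP-style banner stands in for the exposed service; the host, ports and banner are all assumptions for the demonstration. Note what the code does not do: it never logs in, sends an exploit, or reads any data behind the door. That is where a penetration test begins.

```python
"""Minimal vulnerability-assessment style port check (added example).

A VAT reports which 'doors' are open and what service sits behind each;
it does not walk through them.  The listener below is a constructed stand-in
for an exposed perimeter service so the script runs offline.
"""
import socket
import threading
from dataclasses import dataclass
from typing import List


@dataclass
class Finding:
    host: str
    port: int
    open: bool
    banner: str = ""


def start_banner_service(banner: bytes) -> int:
    """Constructed stand-in for an exposed service; returns the port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                break
            with conn:
                conn.sendall(banner)     # greet the client, like a real mail/ssh daemon

    threading.Thread(target=serve, daemon=True).start()
    return port


def unused_port() -> int:
    """Find a port with nothing listening, to show a 'locked door' in the report."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    port = probe.getsockname()[1]
    probe.close()
    return port


def check_port(host: str, port: int, timeout: float = 0.5) -> Finding:
    """Pull on one door: connect, read a banner if offered, then leave."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)                # never hang on a filtered port
    try:
        s.connect((host, port))
    except OSError:                      # refused, timed out, unreachable
        s.close()
        return Finding(host, port, False)
    banner = b""
    try:
        banner = s.recv(256)
    except OSError:                      # open port that says nothing is still open
        pass
    finally:
        s.close()
    return Finding(host, port, True, banner.decode("ascii", "replace").strip())


def assess(host: str, ports: List[int]) -> List[Finding]:
    """Return only the open doors, in the order they were checked."""
    return [f for f in (check_port(host, p) for p in ports) if f.open]


if __name__ == "__main__":
    exposed = start_banner_service(b"220 branch-mail ESMTP ready\r\n")  # constructed banner
    locked = unused_port()
    for f in assess("127.0.0.1", [exposed, locked]):
        print(f"{f.host}:{f.port} open  banner={f.banner!r}")
```

A real external VAT does exactly this against the credit union's public address space, with a much larger port list and a vulnerability database to match the banner against, but the essential limit is the same: an open port with an old banner is a finding to report, not proof that anyone could get in. Confirming that is the penetration tester's job.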
The NCUA recommends credit unions perform VATs anywhere from weekly to quarterly and penetration tests anywhere from annually to bi-annually. How often to test is determined by several factors, including, but not limited to, budget, the size and complexity of the credit union, and the multi-layered security controls identified in the credit union’s information security risk assessment.
Feel free to contact me directly (email@example.com) if you would like help determining whether your credit union is taking proper proactive security measures, will satisfy examiners, and is not wasting money on needless testing!