Although similar in nature, external vulnerability assessment testing and penetration testing are quite different. Both identify security vulnerabilities on the perimeter of a network that a hacker would be able to use to compromise the credit union’s network. The differences reside in scope, price, and frequency requirements.
When describing the differences to credit unions, I like to use the analogy of testing the security of a physical branch. A VAT would be similar to me walking around the branch, pulling on doors, windows, and roof hatches, making sure they are locked and secured. Should the employee entrance/exit door be unlocked, I would report that back to you and let you know that I would be able to break into your credit union via that door.
The NCUA recommends credit unions perform VAT’s anywhere from weekly to quarterly and penetration tests anywhere from annually to bi-annually. The frequency of the tests are determined by several factors to include, but not limited to the budget, size and complexity of the credit union, and the deployment of multi-layered security as identified in the credit union’s information security risk assessment.
Feel free to contact me directly (irafiq@curesources.coop) if you would like help determining if your credit union is taking proper proactive security measures, ensuring you will satisfy examiners, or not wasting money on needless testing!