Vulnerability Assessment is the process of identifying, quantifying, and prioritizing the vulnerabilities in a system. In addition, vulnerability analysis can forecast the effectiveness of proposed countermeasures and evaluate their actual effectiveness after they are put into use. In most cases we use commercial software tools to perform these assessments. After the tool assesses the required systems, we further analyze the generated report, conduct additional assessments, and complement the report with our findings. It is good practice to perform such an assessment at least twice a year, in order to determine whether new vulnerabilities affecting your specific infrastructure have been documented in the time between assessments.
Security Assessment can be defined as an add-on to the Vulnerability Assessment. First, we perform the Vulnerability Assessment, and then continue with the analysis of security policies, design, configurations, and security requirements. It is an extensive assessment that practically aims to be a complete assessment of all your IT systems. The goal of the Security Assessment is to ensure that the necessary security controls are integrated into the design of a particular implementation. It is a thorough evaluation that validates the security posture and/or detects possible weaknesses. Security Assessments are invaluable for understanding the current security posture. The output of such an assessment is a detailed report covering the assessments performed and the vulnerabilities found, along with their potential impact and general guidelines on how to fix them. This information is helpful in making educated decisions and applying the appropriate resources where they will have the most meaningful impact.
External Penetration Testing
Penetration testing is different from both the Security Assessment and the Vulnerability Assessment. In essence, a pen-test team simulates a controlled (internal or external) break-in, whose goal is to achieve a certain level of system/data access. The benefit is an understanding of how resilient a system is against determined attackers. External Penetration Testing consists of a review of vulnerabilities that could be exploited by external users without credentials or the appropriate rights to access a system.
Internal Penetration Testing
Internal Penetration Testing aims to validate the protection against internal threats and to ensure that internal user privileges cannot be misused. Too often organizations rely only on the first line of defense to prevent attacks. A successful attack may originate from the inside and, strangely enough, the likelihood of this is quite high.