
Monthly Archives: March 2014

Anyone who has worked in the IT security field for a while will have come across terms which, at first glance (and because of their apparent similarity), seem to mean the same thing.

Such terms are sometimes even used interchangeably, which creates confusion about what exactly is required. That confusion not only creates a communication barrier between different levels of management but also leaves people in limbo as to where to begin tackling the problem.

I am talking about Risk Analysis and Risk Assessment, and Vulnerability Testing and Penetration Testing.


One fine morning everything seemed normal; however, once I reached the office, it was not quite so. The day had come when management realised that their trusty firewall might not be enough to protect the business assets, despite ongoing recommendations. Geared up for this day, I immediately set the plan in motion and proposed the way forward. Unfortunately, risk confusion kicked in, and this is where terms such as Risk Analysis, Risk Assessment, Vulnerability and Penetration tests were thrown at me all in one sentence.

Management’s expectation was that all of it would be done by the end of the day (or two), which was far from the case. I immediately hit the brakes and ran an intervention with management to explain that those terms actually mean different things and that each would yield different results. It was therefore necessary to explain what is what, and what comes before what, to achieve the required objectives.

Risk Analysis comes before anything else. Risk analysis is the process of identifying the threats, and the associated vulnerabilities, that the business assets are exposed to. It is a holistic process whose output includes a cost/benefit analysis: what a loss would cost the business against what it would cost to prevent it. Risk analysis takes into consideration the type of business and the most and least probable threats such a business (financial, retail, manufacturing, etc.) is exposed to.

Risk Assessment follows. A Risk Assessment focuses on where the business currently stands with respect to its level of risk exposure and where it wants to be in the future. During this process the business’ existing security controls are examined to verify that they actually provide the expected level of protection.

To give the risk assessment concrete technical input, vulnerability testing and penetration testing can take place, but which one? Once again, these are terms that are used interchangeably but do not necessarily mean the same thing. A vulnerability test (often called a vulnerability assessment) identifies weaknesses in the business’ security infrastructure and estimates how likely a threat agent is to exploit them, but it stops short of actually exploiting them. A penetration test goes a step further: it exploits the weakness, and then uses the access gained to look for further vulnerabilities and impact that the vulnerability test could not see. As an example, assume a website that is vulnerable to SQL injection; once the attacker has compromised it, the database contents are extracted and copied to a remote destination belonging to the attacker.

However, while actually performing this attack during the penetration test, it emerged that the process of performing the SQL injection and copying the database left the original database in an inconsistent, corrupted state. This proved not only that an information breach was possible (unauthorised disclosure and duplication of the database) but also that the same attack creates an availability problem for the business. To summarise: the vulnerability test identified an SQL injection vulnerability; the penetration test revealed that a denial of service was also possible through the same flaw. This is also why a penetration test needs an agreed scope and rules of engagement before it starts (for instance, exploiting against a copy of the database rather than production): exploitation carries real risk to live systems, which a vulnerability test does not.
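The SQL injection scenario above, as an added example in Python with SQLite (example code written for this page, not taken from the original post or from any real engagement; the table names, the search and profile-update functions, the payloads and the sample data are all constructed assumptions). It shows the two steps the text distinguishes: the probe a vulnerability scanner sends, which only reports that input reaches the SQL parser, and the exploitation a penetration tester performs, which demonstrates both the confidentiality impact (reading another table) and the integrity and availability impact (the same flaw in an UPDATE rewriting every row). The hardened versions use bound parameters, so the same payloads are treated as literal text.

```python
import sqlite3

# Constructed sample database for this example: two products, two users.
# Table and column names are assumptions, not from the original post.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT, price REAL);
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT,
                           email TEXT, pw_hash TEXT);
        INSERT INTO products VALUES (1, 'Widget', 9.99), (2, 'Gadget', 19.99);
        INSERT INTO users VALUES
            (1, 'alice', 'alice@example.com', 'hashA'),
            (2, 'bob',   'bob@example.com',   'hashB');
    """)
    return conn


# --- Weak code: user input is concatenated straight into the SQL text ----

def search_products_vulnerable(conn, term):
    sql = f"SELECT id, name, price FROM products WHERE name LIKE '%{term}%'"
    return conn.execute(sql).fetchall()


def update_email_vulnerable(conn, user_id, new_email):
    # user_id is cast to int, but new_email is still injected verbatim
    sql = f"UPDATE users SET email = '{new_email}' WHERE id = {int(user_id)}"
    conn.execute(sql)
    conn.commit()


# --- Hardened code: bound parameters, so the database never parses input --

def search_products_safe(conn, term):
    return conn.execute(
        "SELECT id, name, price FROM products WHERE name LIKE ?",
        (f"%{term}%",),
    ).fetchall()


def update_email_safe(conn, user_id, new_email):
    conn.execute("UPDATE users SET email = ? WHERE id = ?",
                 (new_email, int(user_id)))
    conn.commit()


# --- Step 1: what a vulnerability test does ------------------------------

def probe_injection(search_fn, conn):
    """Send a lone quote, as a scanner would. A syntax error coming back
    from the database is the classic sign that input reaches the SQL
    parser. The probe reports the weakness; it does not exploit it."""
    try:
        search_fn(conn, "'")
        return False
    except sqlite3.OperationalError:
        return True


# --- Step 2: what a penetration test adds --------------------------------

# Assumed attacker payloads. The trailing "--" comments out the rest of the
# original statement so the injected SQL parses cleanly.
UNION_PAYLOAD = "zzz%' UNION SELECT id, username, pw_hash FROM users --"
UPDATE_PAYLOAD = "attacker@example.net' WHERE 1=1 --"


def exfiltrate_credentials(conn):
    """Confidentiality impact: the search endpoint is made to return rows
    from the users table instead of products."""
    return sorted(search_products_vulnerable(conn, UNION_PAYLOAD))


def clobber_all_emails(conn):
    """Integrity/availability impact: the injected WHERE 1=1 turns a
    single-row update into an update of every row, leaving the data in
    the inconsistent state the post describes."""
    update_email_vulnerable(conn, 1, UPDATE_PAYLOAD)
    return conn.execute("SELECT id, email FROM users ORDER BY id").fetchall()


if __name__ == "__main__":
    db = build_db()
    print("vulnerable search injectable:", probe_injection(search_products_vulnerable, db))
    print("safe search injectable:     ", probe_injection(search_products_safe, db))
    print("exfiltrated:", exfiltrate_credentials(db))
    print("after clobber:", clobber_all_emails(db))
```

The probe alone is what a vulnerability scanner reports ("parameter `term` appears injectable"). Only the exploitation step shows what that actually means for the business: credential disclosure from one payload and corrupted data from another, which is exactly the extra finding the penetration test in the text turned up. Note that `clobber_all_emails` is destructive, which is the practical reason exploitation belongs in an agreed scope and, where possible, against a copy of the data.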

Any weakness in the business’ existing security controls (or the absence of a control altogether) will emerge during the risk assessment, and the resulting risk is then treated through the risk management program until it reaches the level of risk the business has agreed to accept.

Although it may not be one of the buzzwords, Risk Management is the final, but ongoing, process required to bring business risks down to an acceptable level. This means that if, for example, a technical security control is not present, a business policy might be issued as a compensating control, counteracting the lack of a technical control with an administrative one. Ensuring continued policy compliance is also part of Risk Management, and the Risk Management process never ends as long as there are assets to protect.