Michael R. Farnum

Hitting the Security Nerve

Security Assessment / Audit Terms

Security terms are sometimes confusing. And like all expressions, sometimes the definition can get subtly changed over time. An example of this is "security assessment" versus "penetration test". I was at a client site yesterday talking about current security initiatives that were on the table. The security manager mentioned that they needed a penetration test done. My first question was, "do you want a pen test, or a security assessment?" He stared at me for a second with a blank look, and I realized that he uses those terms interchangeably.

So I ran quickly through what each one was. The guy is not dumb. When I explained the differences, he understood what I meant. He had simply heard the term "pen test" used to mean security assessment so many times, he started doing it himself (something I have done before as well). And yes, he wanted a security assessment.

And to briefly tell you what I told him: a penetration test is a focused attack on one or a few vulnerabilities that are generally already known to exist or are suspected of existing. A security assessment is done to find the vulnerabilities in the first place and is a holistic look at security.

Another term that is sometimes mixed up with "security assessment" is "security audit". The way I differentiate between these two terms is by asking these two questions:

  1. Do you have a security policy that you want to be tested against?
  2. Do you have a compliance regulation (PCI, SOX, HIPAA, etc.) or standard (ISO 17799, COBIT, etc.) that you want to be tested against?

If the answer to either of these questions is "Yes", then it is an audit. Plain and simple. Another term for this is "gap analysis". If you have something you are testing against, then you are performing an audit. If you just want to get a good look at your security posture, then it is an assessment. But remember that from the level of work done (depending on the granularity of your security policy), these can look very much the same.

Also remember that security assessments do not have to be all-encompassing. A security assessment can be done on just your wireless network, your web applications (known simply as an "application assessment"), on the configuration of your firewalls, or whatever. It can even be done on your security policy itself (though some people would tend to call this a policy review and not an assessment).

So basically, you can have an assessment done to reveal weaknesses in your security policy that you want to be audited against, revise your security policy, perform an audit against that policy, and have a penetration test performed on the vulnerabilities found. And you can do that all in one engagement! How fun!

But seriously, knowing the differences between the terms is invaluable when talking to a security consultant. It will save you both time and headaches. And it will ensure that you get the outcome that you are looking for.


What People Are Saying

OH Definitely!

I have been called on by clients who want a Penetration Test done.

Then I'm told that my target is only 1 web server and its application. No penetration, no social engineering etc.

I will bookmark this link for all future confused clients.