Vulnerability Assessment & Penetration Testing, An Analysis

Published: June 4, 2015 | By: ryan | Views: 2750

The following is a re-post of the excellent PowerPoint presentation created by Cybrary SME @ethicalmjpen on Vulnerability Assessment and Penetration Testing and how the two differ and overlap. We wanted to share this on the blog because its explanation of the two topics is very concise and offers great insight. To download the actual slides, go here.

Vulnerability Assessment & Penetration Testing, An Analysis and Comparison – by @EthicalMJPen

Vulnerability Assessment

  • Is the assessment of a system to determine if it has vulnerabilities or weaknesses that need to be resolved or patched.
  • Is also known as a security audit.
  • Can be performed by one person or a team of vulnerability researchers or security engineers.
  • A vulnerability is often known as a flaw or weakness that could be exploited by an outside attacker or compromised by internal personnel.
  • Is necessary because many organizations, companies, and health facilities are required to meet certain compliance requirements.
  • HIPAA regulations, for example, lead health facilities to hire the services of pen testers in order to meet compliance, with vulnerability assessment being a great portion of the service.

Vulnerability Assessment Tools

  • Nessus is one of the most popular vulnerability scanning tools. It is a commercial product, and many companies look for individuals who are skilled with it.
  • OpenVAS, which is the older open-source version of Nessus, is still available. It comes pre-packaged with Linux distributions such as Kali Linux.
  • Nexpose, the vulnerability scanner by Rapid7, is available and highly capable of scanning a system for vulnerabilities with accuracy.
  • There are plenty of open-source tools available, so I suggest that you take time to try them in your virtual lab.
  • Do not choose an active target under any circumstances without authorization. Always obey the law!

Vulnerability Assessment Key Points

  • Vulnerability Assessments do not involve any steps to fix or apply patches to a system.
  • The objective of a vulnerability assessment is to determine the vulnerabilities and report them to the client.
  • The assessment must be requested and authorized by the client prior to the performance of the assessment.
  • The laws and permission of the client are in place to protect the client and security engineer from liabilities and legal backlash.

Penetration Testing

  • Penetration Testing includes the actual exploitation of the vulnerabilities that are discovered during the phases of the vulnerability assessment.
  • It includes vulnerability assessment; however, vulnerability assessment does not include penetration testing.
  • Rules of engagement (ROE) are signed and understood by both parties before the beginning of a penetration test. The ROE limits the penetration testers from touching targets that are not permitted by the client.
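
One way to enforce the ROE limit described above before any assessment tool is pointed at a host, shown as an added example that is not part of the original slides. The ROE layout, the function names and the addresses (documentation ranges) are assumptions made for illustration.

```python
import ipaddress

# Constructed ROE scope for illustration (documentation address ranges only).
ROE = {
    "authorized": ["192.0.2.0/24", "198.51.100.16/28"],
    "excluded": ["192.0.2.200/29"],  # systems the client placed off limits
}


def load_scope(roe):
    """Parse ROE entries into network objects; a malformed entry raises ValueError."""
    allowed = [ipaddress.ip_network(n, strict=True) for n in roe["authorized"]]
    denied = [ipaddress.ip_network(n, strict=True) for n in roe["excluded"]]
    return allowed, denied


def classify(target, allowed, denied):
    """Return 'excluded', 'in-scope' or 'needs-authorization' for one target."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        # Hostnames or typos are never assumed to be in scope.
        return "needs-authorization"
    if any(addr in net for net in denied):
        return "excluded"             # exclusions win over any authorized range
    if any(addr in net for net in allowed):
        return "in-scope"
    return "needs-authorization"      # discovered, but not covered by the ROE


def triage(targets, roe):
    """Group targets by status so only 'in-scope' ones reach a scanner."""
    allowed, denied = load_scope(roe)
    result = {"in-scope": [], "excluded": [], "needs-authorization": []}
    for t in targets:
        result[classify(t, allowed, denied)].append(t)
    return result


if __name__ == "__main__":
    # Constructed list: two listed hosts, one excluded host, two unlisted finds.
    found = ["192.0.2.10", "198.51.100.20", "192.0.2.201", "203.0.113.5", "fileserver"]
    for status, hosts in triage(found, ROE).items():
        print(f"{status}: {hosts}")
```

Targets in the "needs-authorization" group are the ones to raise with the client before they are touched.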

Penetration Testing – Black Box, Gray Box, and White Box Testing

  • Penetration testing usually falls under three categories: Black Box, Gray Box, and White Box.
  • Black Box does not include any knowledge of the structure of the system, so this type of testing simulates the approach of an outside attacker.
  • Gray Box includes only a limited knowledge of the layout of the target.
  • White Box testing occurs when a penetration tester has complete knowledge of the layout of the target(s).

Penetration Testing – Personal Experiences

  • My personal experience in pen testing is primarily from a black box testing perspective. Black box testing will surely test your knowledge and training in penetration testing.
  • If the penetration test requires a team, the success of it is heavily dependent on the cohesion of the team. A strength in one can balance the weakness in another.
  • Penetration testing is not about ramming a tool into the most fortified part of a system, but using it to exploit the overlooked weaknesses.
  • During a pen test, my team had to request permission to touch additional systems that were found. We then received permission. The rules of engagement are in place for a reason.

Conclusion

  • The key difference between vulnerability assessment and penetration testing is the lack of exploitation in vulnerability assessment and the actual exploitation in penetration testing.
  • Permission must be granted to carry out either or both of these operations.
  • Obey the cybercrime laws and regulations at all times.
  • There are many available tools, yet one should not simply rely on only one tool to fit every situation.
  • To gain further experience and training, research OWASP, create virtual labs, and complete the training on Cybrary.

 

A special thank you to Michael Lassiter for his submissions to Cybrary.  We appreciate every member and hope that you enjoy expanding your knowledge through the training and resources provided.

2 Comments
  1. Hi your article is very informative.

    Do you have any standard process for Vulnerability Management?
