Ready to Start Your Career?
By: ryan c
June 4, 2015
Vulnerability Assessment & Penetration Testing, An Analysis
By: ryan c
June 4, 2015
The following is a re-post of the excellent PowerPoint presentation created by Cybrary SME @ethicalmjpen regarding Vulnerability Assessment and Penetration Testing and how the two differ, and overlap. We wanted to share this on the blog because the content in explaining the two topics, is very concise and offers great insight. To download the actual slides, Go Here.
Vulnerability Assessment & Penetration Testing, An Analysis and Comparison - by @EthicalMJPenVulnerability Assessment
- Is the assessment of a system to determine if it has vulnerabilities or weaknesses that need to be resolved or patched.
- Is also known as a security audit.
- Can be performed by one person or a team of vulnerability researchers or security engineers.
- Is often known as a flaw or weakness that could be exploited by an outside attacker or compromised by internal personnel.
- Is necessary because many organizations, companies, and health facilities are required to meet certain compliance.
- HIPAA regulations are important so that health facilities hire the services of pen testers in order to meet compliance with vulnerability assessment being a great portion of the service.
- Nessus is on of the most popular vulnerability scanning tools. It is a commercial product and many companies often desire an individual that is skilled with it.
- OpenVas, which is the older open-source version of Nessus, is still available. It comes pre-packaged with Linux distributions such as Kali Linux.
- Nexpose – The vulnerability scanner, which is by Rapid 7, is available and highly capable of scanning a system for vulnerabilities with accuracy.
- There are plenty of open-source tools available, so I suggest that you take time to try them in your virtual lab.
- Do not choose an active target under any circumstances without authorization. Always obey the law!
- Vulnerability Assessments do not involve any steps to fix or apply patches to a system.
- The objective of a vulnerability assessment is to determine the vulnerabilities and report them to the client.
- The assessment must be requested and authorized by the client prior to the performance of the assessment.
- The laws and permission of the client are in place to protect the client and security engineer form liabilities and legal backlash.
- Penetration Testing includes the actual exploitation of the vulnerabilities that are discovered during the phases of the vulnerability assessment.
- It includes vulnerability assessment; however, vulnerability assessment does not include penetration testing.
- Rules of engagement (ROE) are signed and understood by both parties before the beginning of a penetration test. The ROE limits the penetration testers from touching targets that are not permitted by the client.
- Penetration testing usually falls under three categories: Black Box, Gray Box, and White Box.
- Black Box does not include any knowledge of the structure of the system, so this type of testing simulates the approach of an outside attacker.
- Gray Box includes only a limited knowledge of the layout of the target.
- White Box testing occurs when a penetration tester has complete knowledge of the layout of the target(s).
- My personal experience in pen testing is primarily from a black box testing perspective. Black box testing will surely test your knowledge and training in penetration testing.
- If the penetration test requires a team, the success of the it is heavily dependent on the cohesion of the team. A strength in one can balance the weakness in another.
- Penetration testing is not about ramming a tool into the most fortified part of a system, but using it to exploit the overlooked weaknesses.
- During a pen test, my team had to request permission to touch additional system that were found. We then received permission. The rules of engagement are in place for a reason.
- The key difference between vulnerability assessment and penetration testing is the lack of exploitation in vulnerability assessment and the actual exploitation in penetration testing.
- Permission must be granted to carry out either or both of these operations.
- Obey the cybercrime laws and regulations at all times.
- There are many available tools, yet one should not simply rely on only one tool to fit every situation.
- To gain further experience and training; research OWASP, create virtual labs, and complete the training on Cybrary.