Time
1 hour 51 minutes
Difficulty
Beginner
CEU/CPE
3

Video Description

Penetration testing vs. Vulnerability Scanning (part 1) This lesson dives into the differences between penetration testing and vulnerability testing and when each should be used. We begin by defining and exploring penetration testing and what data its outcomes reveal. You can also learn the nitty-gritty aspects of penetration testing in our Cybrary online course, Penetration Testing and Ethical Hacking. [toggle_content title="Transcript"] In this video we're discussing in section 3.8. We have to explain the proper use of penetration testing versus vulnerability scanning. We start this section by discussing penetration testing. Organizations could buy the most expensive fire walls, the most expensive intrusion detection systems, they could hire or they could employ the most expensive administrators but does that really mean they're secure? Not really. You could rent the most expensive facilities but that does not really mean you are secure. How do we check for security? You employ penetration testers. These are teams of professionals certified in various areas of information security, physical access, logical access, cryptography, social engineering, and other forms of manipulations. You want this team to test your environment, test your network, see if you're really secure. What these teams will do is they'll come together with a collection of skills, knowledge, and experience and they will like to verify that there are threats within your network environment. They have to verify that it tried to exist. We as business managers might introduce technology but cannot tell that technologies also have threats that could exploit the vulnerabilities that are inherent in those technologies. Penetration testing team would help review all the technology in use and identify possible threats that exist for every technology they use. They could be accessed controls, they could be physical controls, they could be logical controls that you put in place. Logical control involves things like; fire walls, passwords, encryption and other technologies like that. It is the duty of the penetration testing team to identify these threats. Now you will see that it is good practice you employ a team that is very professional, knowledgeable, otherwise they can't identify the threat. Now not using a team that is skilled enough might give you a false sense of security, you think you're secure meanwhile you are not really secure. They also need to bypass your security controls. To bypass the security controls they must find the security controls. By finding the security controls then they try to bypass it, if they can bypass it that is proof of concept that your security controls are not robust enough because when the malicious people show up they are also going to bypass these controls so you need to identify the controls ahead of time so that you can ensure that these controls are robust and cannot be bypassed. The penetration testers would also actively test your security controls. It is not just sufficient to check that the security controls are in place. The controls could be in place but they could be weak. The controls could be in place but they are not enforcing the objectives so the malicious persons, the penetration testers would actively test the security controls. If you say you have a firewall in place they push traffic to the firewall to see what is led through the firewall or what is blocked, compare that to the firewall rules to determine if the firewalls are really doing what they're supposed to do. They would identify the numerous security controls within the facility it could be physical access, logical access then test these controls. This type of testing is very intrusive, you are actually touching the controls, interacting with the controls. They also need to exploit vulnerabilities so that they're able to exploit the vulnerabilities mean they can identify the vulnerabilities. What is a vulnerability? A Vulnerability is the weakness or absence of a control. The weakness or absence of a control will be exploited by the penetration testers to show proof of concept that they can exploit it malicious persons can also exploit it. Now having done all this testing the penetration testers would then give suggestions as to how to remediate the problems that they found, how to remediate the controls that are missing or that are weak, how to fix access to the facility or even how to correct user behavior. All of these will be accessed by the penetration testers and recommendations are given to management as to how to remediate these issues. [/toggle_content]

Video Transcription

00:04
in this video with discussing section
00:06
3.8,
00:08
we have to explain the prop I use off penetration testing versus vulnerability scanning. We study section by discussing penetration testing
00:18
organization school by the most expensive firewalls,
00:21
the most expensive intrusion detection systems they could Hyah tickled employ the most expensive administrators. But does that really mean they are secure? No, really,
00:32
you could rent the most expensive facilities,
00:36
but
00:37
that does not really mean you are secure. How do we check for security? You employ penetration testers. These are teams off professionals certified in various areas off information security, physical access, logical access, cryptography, social engineering
00:56
on you know what our forms off
00:58
manipulations. You want this team toe, Test your environment, test your network,
01:03
see if you're really secure.
01:06
What this team's will do is they come together with a collection off skills, knowledge and experience on. They would like to verify that there are threats within your network environment.
01:21
They have to verify that the threat exists.
01:23
We, as business managers might introduce technology but cannot tell that technology is also have traits that
01:32
cooled exploit
01:34
the vulnerabilities that are inherent in those technologies.
01:38
So the
01:40
Patricia intestine team will help review all the technologies used on, identify possible threats that exists for every technology and use their could be access controls. There could be physical controls. There could be logical controls that you put in place. Logical controls involved things like firewalls,
01:57
passwords,
02:00
encryption and other technologies like that. So it is the duty of the penetration testing team toe. Identify these threats now you will see that it is good practice. You employ a team that is very professional, knowledgeable. Otherwise, they can't identify the threats now.
02:19
Not using a team that is skilled enough might give you a false sense of security.
02:23
You think you are secure. Meanwhile, you are not really secure,
02:28
so they also need to bypass your security controls. So to bypass the security controls, they must find the security controls. So by finding the security controls, then they try to bypass it if they come by passage. That is proof of concept that your security controls are not robust enough
02:46
because when the militias people show up,
02:50
they are also going to bypass these controls so you need toe, identify the controls ahead off time so that you can ensure that these controls are robust and cannot be bypassed.
03:00
The penetration testers would also actively test your security controls. It is not just sufficient to check that the security controls are in place. The controls could be in place, but there could be weak. The controls could be in place, but they're not enforcing the objectives. So the militias persons, the penetration testers ruled,
03:21
actively test the security controls. If you say you have a firewall in place there, push traffic through the firewall to see what is let through the firewall or what is blocked. Compare that to the
03:36
firewall rules to determine if the fire wants are really doing what they're supposed to do, so they would identify the numeral security controls within the facility. It could be physical access, logical access. Then test these controls. This type of testing is very intrusive. You are actually
03:54
touching
03:55
the controls, interacting with the controls.
03:59
They also need toe exploit vulnerabilities so that they're able to exploit the vulnerabilities mean they can identify the vulnerabilities. So what is a vulnerability? A vulnerability is the weakness or absence off control,
04:13
so the weakness or absence of control will be exploited by the penetration testers to show proof of concept that if they can exploit it, malicious persons can also exploited. Now, having done all this testing, the penetration testers will then give suggestions as to how to re meet it,
04:32
the problems that they found, how to immediate the controls that are missing, or that a week howto fix access to the facility or even howto correct, use our behavior.
04:45
All of these will be accessed by the penetration testers on recommendations are given to management as to how to re mediate this issue.

Up Next

Fundamental Vulnerability Management

Vulnerability Management is a continuous information security risk process that requires management oversight and includes a 4-tier approach of: discovery, reporting, prioritization, and response

Instructed By

Instructor Profile Image
John Oyeleke
Lead IT Security Instructor
Instructor