pace-it, security+3.8: vulnerability scanning vs pen testing

Vulnerability scanning vs. penetration testing.

Instructor, PACE-IT Program – Edmonds Community College

Areas of Expertise Industry Certification PC Hardware Network

Administration IT Project

Management

Network Design User Training IT Troubleshooting

Qualifications Summary

Education M.B.A., IT Management, Western Governor’s University B.S., IT Security, Western Governor’s University

Entrepreneur, executive leader, and proven manger with 10+ years of experience turning complex issues into efficient and effective solutions. Strengths include developing and mentoring diverse workforces, improving processes, analyzing business needs and creating the solutions required— with a focus on technology.

Brian K. Ferrill, M.B.A.


– Vulnerability scanning and penetration testing.

– Levels of testing.

PACE-IT.

Vulnerability scanning and penetration testing.Vulnerability scanning vs. penetration testing.

Vulnerability scanning and penetration testing.

Vulnerability scanning is usually conducted using specialized applications in an effort to find weaknesses in a network.

It is usually conducted using protocol analyzers (also called packet sniffers) and port scanners. These applications can be used to determine which protocols and services are being used on a network. Protocol analyzers can also be used to determine which ports are open on a network. This information can be used by security experts to help harden the network against attack.Vulnerability scanning does not attempt to exploit any weaknesses that are found. It only identifies them for the security personnel.



– Vulnerability scanning.» The purpose is to assess the configuration of systems

and networks to determine what can be done to increase the level of security.

• This is done passively by collecting information and reporting on the information collected in a non-intrusive manner.

» The scan can help to identify different issues.• Lack of security controls.• Common misconfigurations (in applications and

devices).• Other vulnerabilities.

» Two different types of vulnerability scans should be conducted.

• As an authorized user—a credentialed scan should be conducted from an administrative account.

• As an unauthorized user—a noncredentialed scan should be conducted to determine what an unauthorized user may find out about the system.

» A false positive may be reported by vulnerability scans.

• Something reported as a vulnerability that isn’t actually one.



Penetration testing (or pen testing) is actively seeking to find vulnerabilities in networks and systems that can be exploited.

Once a weakness is found, the pen tester then attempts to exploit the vulnerability. Many organizations use pen testing as a means of increasing the security of their organizations; however, hackers also use pen testing as a means of finding networks and systems that they can exploit.As a result, every security expert must be sure to receive explicit authorization to perform pen testing before beginning the test. If such authorization is not obtained, a security expert could face dire consequences. Unauthorized pen testing is, in actuality, illegal—as it is a form of hacking.



– Penetration testing (pen testing).» The purpose is to assess the security of a system or

network by actually using the same methods that a hacker would use to breach security.

» The test can be used to verify that a threat exists.• Can also confirm that the threat doesn’t exist.

» The test seeks to actively test and bypass any security controls that may be present.

» It is designed to exploit any vulnerabilities that may be present on the system or network.

» Unauthorized pen testing may lead to legal issues.


Levels of testing.Vulnerability scanning vs. penetration testing.

Levels of testing.

It is vital that, when security tests are conducted on systems and networks, the testing be conducted at a variety of levels.

The first level of security testing should be done at the white box level. White box testing is when the person conducting the test has the exact details of the system or network; the tester has intimate knowledge of what is present and how it is configured.The next level of security testing is done at the gray box level. With gray box testing, the tester has an intermediate knowledge of the how the system or network is configured.The final level of security testing is done at the black box level. With black box testing, the tester (usually a security expert) is given no prior knowledge of the configuration or what is present.


What was covered.Vulnerability scanning vs. penetration testing.

Vulnerability scanning is the passive collection of information on the configuration of systems and networks in an effort to determine how security might be improved. Penetration testing is using attack methods in an effort to breach security. The information gathered from pen testing is used to increase the security of systems and networks. The pen tester must have explicit permission to perform the testing, because without the permission it is actually an illegal action.

Topic


Summary

To ensure a thorough assessment of security, testing should be conducted at different levels. The levels of testing should include: white box testing—the tester has intimate knowledge of the system or network, gray box testing—the tester has an intermediate knowledge of the system or network, and black box testing—the tester has no knowledge of the system or network.

Levels of testing.

THANK YOU!

This workforce solution was 100 percent funded by a $3 million grant awarded by the U.S. Department of Labor's Employment and Training Administration. The solution was created by the grantee and does not necessarily reflect the official position of the U.S. Department of Labor. The Department of Labor makes no guarantees, warranties, or assurances of any kind, express or implied, with respect to such information, including any information on linked sites and including, but not limited to, accuracy of the information or its completeness, timeliness, usefulness, adequacy, continued availability or ownership. Funded by the Department of Labor, Employment and Training Administration, Grant #TC-23745-12-60-A-53.PACE-IT is an equal opportunity employer/program and auxiliary aids and services are available upon request to individuals with disabilities. For those that are hearing impaired, a video phone is available at the Services for Students with Disabilities (SSD) office in Mountlake Terrace Hall 159. Check www.edcc.edu/ssd for office hours. Call 425.354.3113 on a video phone for more information about the PACE-IT program. For any additional special accommodations needed, call the SSD office at 425.640.1814. Edmonds Community College does not discriminate on the basis of race; color; religion; national origin; sex; disability; sexual orientation; age; citizenship, marital, or veteran status; or genetic information in its programs and activities.