
1.1 Vulnerability Assessment vs. Penetration Testing
• Corporations and individuals need to understand how the damage is being done so they understand how to stop it.
• Corporations also need to understand the extent of the threat that a vulnerability represents.
• The vast amount of functionality that is provided by an organization’s networking, database, and desktop software can be used against them.
• Within each and every organization, there is the all-too-familiar battle of functionality vs. security.
• This is the reason that, in most environments, the security officer is not the most well-liked individual in the company.
   o Security officers are in charge of ensuring the overall security of the environment, which usually means reducing or shutting off many functionalities that users love.
   o They are responsible for the balance between functionality and security within the company, and it is a hard job.
• The ethical hacker’s job is to find these things running on systems and networks, and he needs to have the skill set to know how an enemy would use these things against the organization.
• This work is referred to as a penetration test, which is different from a vulnerability assessment.

1.1.1 Vulnerability Assessment


• A vulnerability assessment is usually carried out by a network scanner on steroids.
• Some type of automated scanning product is used to probe the ports and services on a range of IP addresses.
• Most of these products can also test for the type of operating system and application software running and the versions, patch levels, user accounts, and services that are also running.
• These findings are matched up with correlating vulnerabilities in the product’s database.
• The end result is a large pile of reports that provides a list of each system’s vulnerabilities and corresponding countermeasures to mitigate the associated risks.
• Basically, the tool states,
   o “Here is a list of your vulnerabilities and here is a list of things you need to do to fix them.”
• The problem with just depending upon this large pile of printouts is that it was generated by an automated tool that has a hard time putting its findings into the proper context of the given environment.
• For example,
   o Several of these tools provide an alert of “High” for vulnerabilities that do not have a highly probable threat associated with them.
   o The tools also cannot understand how a small, seemingly insignificant, vulnerability can be used in a large orchestrated attack.
• Vulnerability assessments are great for identifying the foundational security issues within an environment, but many times, it takes an ethical hacker to really test and qualify the level of risk specific vulnerabilities pose.
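
The following added example (not part of the original notes) sketches the scanner workflow described above: fingerprinted versions are matched against a vulnerability database to produce a report, and the tool's severity is then re-rated with environment context the tool does not have. All hosts, product names, finding IDs and the re-rating rule in `qualify` are constructed assumptions for illustration.

```python
# All data below is constructed: product names, versions and finding IDs
# are placeholders, not real software or advisories.
LEVELS = ["Low", "Medium", "High"]

# The scanner's vulnerability database: software -> (id, fixed-in version,
# tool severity, countermeasure). Versions below "fixed-in" are flagged.
VULN_DB = {
    "exampleftpd":  ("EXAMPLE-0001", "2.2.0", "High", "Upgrade to 2.2.0"),
    "examplehttpd": ("EXAMPLE-0002", "1.4.1", "Medium", "Apply patch 1.4.1"),
    "exampledb":    ("EXAMPLE-0003", "9.1.0", "Low", "Upgrade to 9.1.0"),
}

# What the scanner fingerprinted: (ip, port, software, version).
SCAN = [
    ("10.0.0.5", 21, "exampleftpd", "2.1.7"),
    ("10.0.0.5", 80, "examplehttpd", "1.4.0"),
    ("10.0.0.9", 5432, "exampledb", "9.0.3"),
    ("10.0.0.9", 80, "examplehttpd", "1.4.1"),  # already patched
    ("10.0.0.9", 22, "examplesshd", "7.0.0"),   # not in the database
]

# Environment knowledge the tool lacks (assumed to come from the tester).
CONTEXT = {
    "10.0.0.5": {"internet_facing": False, "sensitive_data": False},
    "10.0.0.9": {"internet_facing": True, "sensitive_data": True},
}

def ver(s):
    """Turn '1.4.0' into (1, 4, 0) so versions compare numerically."""
    return tuple(int(p) for p in s.split("."))

def scanner_report(scan, db):
    """Match fingerprinted versions against the database, as the tool does."""
    report = []
    for ip, port, sw, version in scan:
        if sw in db and ver(version) < ver(db[sw][1]):
            vid, _, sev, fix = db[sw]
            report.append({"host": ip, "port": port, "id": vid,
                           "tool_severity": sev, "fix": fix})
    return report

def qualify(report, context):
    """Assumed rule: +1 level if exposed and sensitive, -1 if neither."""
    out = []
    for f in report:
        c, i = context[f["host"]], LEVELS.index(f["tool_severity"])
        if c["internet_facing"] and c["sensitive_data"]:
            i = min(i + 1, len(LEVELS) - 1)
        elif not (c["internet_facing"] or c["sensitive_data"]):
            i = max(i - 1, 0)
        out.append({**f, "qualified_severity": LEVELS[i]})
    return out
```

With this sample data the tool's “High” finding sits on an isolated host and drops to Medium, while its “Low” finding sits on an exposed host holding sensitive data and rises to Medium.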
