
Vulnerability Assessment & Penetration Testing
By: Michael Lassiter Jr. (@EthicalMJPen)

Vulnerability Assessment

Vulnerability Assessment:
Is the assessment of a system to determine whether it has vulnerabilities or weaknesses that need to be resolved or patched.
Is also known as a security audit.
Can be performed by one person or by a team of vulnerability researchers or security engineers.
Looks for flaws or weaknesses that could be exploited by an outside attacker or abused by internal personnel.
Is necessary because many organizations, companies, and health facilities are required to meet certain compliance requirements.
HIPAA regulations are one reason health facilities hire the services of pen testers to meet compliance, with vulnerability assessment being a large portion of that service.

VULNERABILITY ASSESSMENT & PEN TESTING

Vulnerability Assessment Tools

Nessus is one of the most popular vulnerability scanning tools. It is a commercial product, and many companies desire an individual who is skilled with it.
OpenVAS, which is the older open-source version of Nessus, is still available. It comes pre-packaged with Linux distributions such as Kali Linux.
Nexpose, the vulnerability scanner by Rapid7, is available and highly capable of scanning a system for vulnerabilities with accuracy.
There are plenty of open-source tools available, so I suggest that you take
time to try them in your virtual lab.
Do not choose an active target under any circumstances without
authorization. Always obey the law!


Vulnerability Assessment Key Points

Vulnerability assessments do not involve any steps to fix or apply patches to a system.
The objective of a vulnerability assessment is to determine the vulnerabilities and report them to the client.
The assessment must be requested and authorized by the client prior to the performance of the assessment.
The laws and the permission of the client are in place to protect both the client and the security engineer from liabilities and legal backlash.


Penetration Testing

Penetration testing includes the actual exploitation of the vulnerabilities that are discovered during the phases of the vulnerability assessment.
It includes vulnerability assessment; however, vulnerability assessment does
not include penetration testing.
Rules of engagement (ROE) are signed and understood by both parties before
the beginning of a penetration test. The ROE limits the penetration testers from
touching targets that are not permitted by the client.


Penetration Testing: Black Box, Gray Box, and White Box Testing

Penetration testing usually falls under three categories: Black Box, Gray Box,
and White Box.
Black Box does not include any knowledge of the structure of the system, so
this type of testing simulates the approach of an outside attacker.
Gray Box includes only a limited knowledge of the layout of the target.
White Box testing occurs when a penetration tester has complete
knowledge of the layout of the target(s).


Penetration Testing: Personal Experiences

My personal experience in pen testing is primarily from a black box testing perspective. Black box testing will surely test your knowledge and training in penetration testing.
If the penetration test requires a team, its success is heavily dependent on the cohesion of the team. A strength in one can balance the weakness in another.
Penetration testing is not about ramming a tool into the most fortified part of a system, but using it to exploit the overlooked weaknesses.
During a pen test, my team had to request permission to touch additional systems that were found. We then received permission. The rules of engagement are in place for a reason.


Conclusion

The key difference between vulnerability assessment and penetration testing is the lack of exploitation in vulnerability assessment and the actual exploitation in penetration testing.
Permission must be granted to carry out either or both of these operations.
Obey the cybercrime laws and regulations at all times.
There are many available tools, yet one should not rely on only one tool to fit every situation.
To gain further experience and training, research OWASP, create virtual labs, and complete the training on Cybrary.


A special thank you to Michael Lassiter for his submissions to Cybrary.
We appreciate every member and hope that you enjoy expanding your knowledge through the training and resources provided.
Thank you for your continued support!
- Cybrary Staff
