CompTIA Security+ SYO-401

Explaining the Proper Use of Penetration Testing vs Vulnerability Scanning Tutorial

1 Explaining the Proper Use of Penetration Testing Versus Vulnerability Scanning

An organization's system and network security is always at stake, and two distinct processes help counter that: vulnerability scanning and penetration testing. In this lesson, we apply these two concepts to computer networks. After completing this lesson, you will be able to:
• Identify the characteristics of penetration testing
• Identify the characteristics of vulnerability scanning
• Distinguish between penetration testing and vulnerability scanning
• Compare and contrast different types of security testing methods

2 Penetration Testing and its Characteristics

In this topic, you will learn about penetration testing and its characteristics. A penetration test is usually performed by a specialized team of trained, ethical security specialists rather than by the internal security administrator. The external team or tester acts as an attacker, but ethically, using common attack methods to try to bypass the security of the targeted system or application. If the tester cannot breach the target through the agreed methods, the system passes that round of testing; otherwise, the tester reports the findings together with recommendations for securing the system. Penetration testing, also called ethical hacking, uses the same skills, techniques, and tools as real-world attackers to test the deployed security controls. To simulate a real attack, the test may be performed without the knowledge of the IT or security staff; it is then scheduled as an ethical hacking event so that both the performance of the infrastructure and the response of the personnel can be assessed.

A penetration occurs when an attack succeeds: the attacker breaks through the perimeter of the protected environment and gains access to systems or data inside it, even if only to read a few bytes from the network. Penetration testing aims to find such loopholes before intruders do, and to suggest countermeasures that improve security. Unlike a real attack, a penetration test stops, or escalates only within agreed limits, once a vulnerability has been demonstrated, so that the exploitation proves the weakness without causing further damage.

The first step in penetration testing is to identify what needs to be tested. This depends on the threats facing the network. For example, in a private school's network the most likely threat is a low- to moderately skilled student, and that shapes the exact nature of the test. Whatever the threats, some steps are common to every penetration test, including attempts to bypass security controls.
A few automated tools are used alongside manually written scripts, since real attackers often program their own attack scripts and tools for a specific target. These automated tools range from specialized vulnerability scanners to underground tools available on the Internet. Regularly scheduled penetration tests are the best way to judge security controls and processes; they also exploit areas with inadequate patches or settings. Penetration tests can take diverse forms such as hacking from outside, VPN attacks, simulating a disgruntled employee, and physical attacks. Most penetration testing strategies require a high level of skill and knowledge from the testers; otherwise they can lead to productivity losses, high expenses, and even jail time. It is common to hire highly skilled professional external consultants for penetration testing, as they are not privy to the private details of the network design and security configuration, which keeps their view close to that of an outside attacker.

A penetration test is an active assessment: the tester tries to bypass the security controls and break in. Following are some characteristics of penetration testing:
• Verifying that a threat exists
• Bypassing security controls
• Actively testing security controls
• Exploiting vulnerabilities

Before implementing a security control, it is critical to verify that the issue really exists, because it is pointless to defend against a threat that does not affect the environment; likewise, if a threat is unlikely, spending on a countermeasure is hard to justify. Penetration testing confirms whether a real threat or vulnerability exists by performing the same actions an attacker would take to exploit the target. Depending on the criticality of the confirmed threats and vulnerabilities, you can then decide how to respond, whether by implementing a countermeasure or by otherwise reducing the risk.
A penetration test is also designed to bypass the existing security controls rather than attack them head-on, because that is what attackers do. An ethical hacker attempts these techniques so that the gaps are revealed to you rather than exploited by a malicious hacker. Methods of bypassing controls vary widely, but two common ones are taking an alternate path and overloading the control. For instance, instead of passing through a filtering firewall, an attacker looks for an unauthorized wireless access point that sits behind it. Similarly, a denial of service attack can overload firewalls and intrusion detection systems, distracting them while the real attack is launched. Sometimes new exploits are used to compromise security through faulty code. Having a control therefore does not guarantee security, because it can be bypassed: even an electronic lock with access control can be defeated by switching it off, shorting it, or flooding its sensors with false readings.

A penetration test also looks for unknown vulnerabilities and new flaws by testing the abilities of the existing security infrastructure. A thorough test reveals whether the existing controls are adequate or can be easily bypassed; if the controls cannot catch the ethical hackers, they are unlikely to catch professional ones. A penetration test tries to discover as many system vulnerabilities as possible and exploits them to a pre-agreed extent. It must not be taken to the point of causing extended downtime or irreparable damage. The idea is to hack ethically and within the limits imposed by the testing contract, the rules of engagement, or the service level agreement (SLA). If a test is likely to cause harm, specific pre-approval is needed before it is carried out.
Moreover, the target under test should have full backups and a recovery team ready. As a tester, be careful: attacking a system is illegal unless you are authorized, even if the goal is to make it more secure. You therefore need proper authority in the form of a legal document drafted by a lawyer and signed by the company owners or senior management. You should also educate senior management, who may be reluctant to allow live attacks on production systems, that such testing can crash systems and may inadvertently cause a denial of service. Let us now move on to vulnerability scanning. Since the concept was covered in the previous lesson, we look here at its characteristics and considerations.
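The limits described above (a signed authorization, an agreed scope, a testing window, and separate pre-approval for actions that can cause harm) can be encoded so that tooling refuses anything outside them. The following Python is an added example written for this lesson; it is not code from the lesson or from any real testing tool, and the scope ranges, testing window, signatory, and action names are all constructed.

```python
"""Rules-of-engagement gate for a penetration test.

Added illustration, not code from the original lesson. It turns the
limits the lesson describes (written authorisation, agreed scope, a
testing window, and separate pre-approval for actions that can cause
harm) into data, and refuses any action that falls outside them.
The scope values, window, signatory and action names are hypothetical.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Actions the lesson singles out as potentially harmful; each needs its
# own written pre-approval, not just the general authorisation letter.
HARMFUL_ACTIONS = {"dos", "exploit_production", "physical_entry"}


@dataclass
class RulesOfEngagement:
    signed_by: str                  # signatory on the authorisation letter
    in_scope: list                  # CIDR strings the client put in scope
    window_start: datetime
    window_end: datetime
    preapproved: set = field(default_factory=set)  # harmful actions approved

    def __post_init__(self):
        # Parse once so every check is a cheap membership test.
        self.networks = [ip_network(c) for c in self.in_scope]


def check_action(roe, target_ip, action, now):
    """Return (allowed, reason); every refusal names the rule that blocked it."""
    if not roe.signed_by:
        return False, "no signed authorisation on file"
    if not (roe.window_start <= now <= roe.window_end):
        return False, "outside the agreed testing window"
    addr = ip_address(target_ip)
    if not any(addr in net for net in roe.networks):
        return False, f"{target_ip} is not in scope"
    if action in HARMFUL_ACTIONS and action not in roe.preapproved:
        return False, f"'{action}' needs specific pre-approval"
    return True, "ok"


# Constructed sample engagement (documentation address ranges, not real targets).
ROE = RulesOfEngagement(
    signed_by="J. Doe, CIO (hypothetical)",
    in_scope=["203.0.113.0/24", "198.51.100.0/25"],
    window_start=datetime(2024, 3, 4, 22, 0, tzinfo=timezone.utc),
    window_end=datetime(2024, 3, 8, 6, 0, tzinfo=timezone.utc),
    preapproved={"exploit_production"},
)


def sample_decisions():
    """Run a few requests through the gate; used by the demo below."""
    during = datetime(2024, 3, 5, 1, 0, tzinfo=timezone.utc)
    after = datetime(2024, 3, 9, 1, 0, tzinfo=timezone.utc)
    return {
        "in_scope_scan": check_action(ROE, "203.0.113.10", "port_scan", during),
        "out_of_scope": check_action(ROE, "198.51.100.200", "port_scan", during),
        "approved_exploit": check_action(ROE, "203.0.113.10", "exploit_production", during),
        "dos_not_approved": check_action(ROE, "203.0.113.10", "dos", during),
        "after_window": check_action(ROE, "203.0.113.10", "port_scan", after),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in sample_decisions().items():
        print(f"{name:18} {'ALLOW' if allowed else 'DENY ':5} {reason}")
```

Note that 198.51.100.200 is refused even though the client put 198.51.100.0/25 in scope: that /25 ends at .127, so a host in the upper half of the same /24 is outside the contract, which is exactly the kind of mistake a tester makes by hand when scope is only written in an e-mail.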

3 Characteristics and Considerations of Vulnerability Scanning

In this topic, you will learn the characteristics and considerations of vulnerability scanning. The purpose of a vulnerability scanner is to analyze system configuration and find areas of improvement from a security standpoint. Vulnerability scanning identifies specific vulnerabilities in your network, which is why penetration testers use it to pick likely targets; once identified, those vulnerabilities are exploited during the penetration test. A vulnerability scanner performs four major tasks, which form its characteristics:
• Passively testing security controls
• Identifying vulnerabilities
• Identifying a lack of security controls
• Identifying common misconfigurations

Vulnerability scanners test security controls without causing harm. The test is passive when an automated scanner is used, because such scans do not try to exploit the target. Most scanners interpret their findings and produce a report for management. Because the security controls are running while the scan takes place, they get exercised as a side effect of scanning the actual targets; passive testing of the controls therefore means testing against the targets behind them, not testing the security measures themselves.

Vulnerability scanners identify vulnerabilities: their goal is to find weaknesses in the system. For instance, a system that has not been updated with patches remains vulnerable. Context matters, though. Knowing that a password is weak says little about criticality until you link it to the account it protects: a weak password on an account manager with high privileges is a vulnerability the scanner should report, whereas a weak password on a least-privileged account might not be.
Vulnerability scanners not only scan for weaknesses in security controls but also look for areas that lack adequate controls. A vulnerability assessment can tell you which security controls should be in use but currently are not; for instance, it may show that a firewall is needed to protect a database server. Vulnerability scanners also identify improper configurations of applications and services. Such misconfigurations can lead to several security concerns, such as allowing more users than intended to access a resource. For instance, you may find that the default administrator account on a server has not been renamed, or that an administrator uses a single account for both administrative and everyday tasks. Although such misconfigurations look harmless, they often lead to loss of sensitive data, service outages, and other issues.

4 Considerations for Vulnerability Scanning and Comparison with Penetration Testing

Let us now look at some considerations when working with vulnerability scanning. As a security professional, you can perform a scan either credentialed or non-credentialed. A credentialed scan uses valid network credentials to log in to the systems and examine them from the inside. A good practice is to scan first as a non-credentialed, unauthenticated user, to see what information an outside attacker can discover, and then scan again with an administrative account to gather detailed information about each system. Whether the scan is credentialed or not, be prepared to handle false positives. A false positive occurs when the scanner wrongly reports something as a vulnerability, triggering an alert for a normal or harmless condition. False positives waste time examining non-malicious events, and over time repeated false alarms lead security administrators to stop responding to alerts at all. An intrusive scan tries to exploit the weaknesses it detects, while a non-intrusive scan only discovers the symptoms of those weaknesses without exploiting them. Conventionally, a vulnerability scan is non-intrusive, while a penetration test is intrusive.

Let us now compare penetration testing and vulnerability scanning:
• Penetration testing is an active assessment; vulnerability scanning is passive.
• Penetration testing shows what a real attacker could actually achieve; vulnerability scanning shows only where a breach might be possible.
• Penetration testing exploits vulnerabilities; vulnerability scanning does not.
• Penetration testing produces few false positives, because each finding is confirmed by exploitation; vulnerability scanning produces them regularly.
• Penetration testing uses automated scanners, exploit tools, and custom or proprietary tools; vulnerability scanning uses only automated scanners.
Security administrators use automated scanners to check for known issues and policy compliance, while penetration testing discovers new weaknesses that automated scanners miss. Penetration testing is far more flexible to client needs than vulnerability scanning. A penetration test is typically performed once a year and is costlier; vulnerability scanning is cheaper and is performed frequently, especially when new equipment is deployed or an existing system is changed.
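To make the credentialed versus non-credentialed distinction, the false-positive problem, and the misconfiguration checks of the previous topic concrete, here is an added Python example. It is not code from the lesson or from any real scanner: the hosts, banners, package versions, configuration lines and the signature table are constructed, the signature ID is hypothetical rather than a real CVE, and the package version comparison is a simplified stand-in for a real package manager's version ordering.

```python
"""Non-credentialed versus credentialed vulnerability scan.

Added example, not code from the original lesson. The target hosts, the
signature table and the package/config details are all constructed; the
signature ID is hypothetical, not a real CVE. What it shows: a
banner-only (non-credentialed) scan can only guess from the version
string, so a host whose distribution backported the fix is reported as
vulnerable, a false positive; a credentialed scan reads the package
revision and configuration, clears that false positive, confirms the
genuine one, and finds misconfigurations the banner never exposes.
"""
import re

# Constructed signature table. A finding fires when the banner version is
# below `fixed_upstream`; a credentialed scan can also consult the
# distribution package revision that carries the backported fix.
SIGNATURES = [
    {
        "id": "HYPO-2024-0001",              # hypothetical identifier
        "service": "OpenSSH",
        "fixed_upstream": (7, 5),
        "fixed_package": "7.4p1-10+deb9u4",  # hypothetical backport revision
        "title": "Pre-auth flaw in OpenSSH < 7.5 (constructed)",
    },
]

# Configuration checks that only a credentialed scan can run.
CONFIG_CHECKS = [
    ("PermitRootLogin", "yes", "root login over SSH is enabled"),
    ("PasswordAuthentication", "yes", "password authentication enabled; keys preferred"),
]

# Constructed inventory: what the network sees (banner) and what an
# authenticated session can read (package version, sshd_config lines).
HOSTS = {
    "203.0.113.10": {
        "banner": "SSH-2.0-OpenSSH_7.4",
        "package": "openssh-server 1:7.4p1-10+deb9u7",   # backported fix present
        "sshd_config": ["PermitRootLogin yes", "PasswordAuthentication no"],
    },
    "203.0.113.11": {
        "banner": "SSH-2.0-OpenSSH_7.2",
        "package": "openssh-server 1:7.2p2-4",            # genuinely old
        "sshd_config": ["PermitRootLogin no", "PasswordAuthentication yes"],
    },
}


def banner_version(banner):
    """Extract (major, minor) from a banner such as SSH-2.0-OpenSSH_7.4."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)", banner)
    return (int(m.group(1)), int(m.group(2))) if m else None


def package_tuple(pkg):
    """Turn 'openssh-server 1:7.4p1-10+deb9u7' into a comparable tuple.

    Simplified ordering: the epoch is dropped, and upstream version, distro
    revision and security-update suffix (debNuM) are compared numerically.
    """
    m = re.search(r"(\d+)\.(\d+)p(\d+)-(\d+)(?:\+deb(\d+)u(\d+))?", pkg)
    if not m:
        return (0,) * 6
    return tuple(int(x) if x else 0 for x in m.groups())


def uncredentialed_scan(host):
    """Banner-only scan: all an outside attacker (or scanner) can infer."""
    findings = []
    ver = banner_version(host["banner"])
    for sig in SIGNATURES:
        if ver and ver < sig["fixed_upstream"]:
            findings.append({"id": sig["id"], "confidence": "version-inferred"})
    return findings


def credentialed_scan(host):
    """Authenticated scan: verify the package revision and inspect config."""
    findings = []
    installed = package_tuple(host["package"])
    ver = banner_version(host["banner"])
    for sig in SIGNATURES:
        if not (ver and ver < sig["fixed_upstream"]):
            continue
        if installed >= package_tuple(sig["fixed_package"]):
            findings.append({"id": sig["id"], "confidence": "false positive (backported fix)"})
        else:
            findings.append({"id": sig["id"], "confidence": "confirmed by package version"})
    for line in host["sshd_config"]:
        key, _, value = line.partition(" ")
        for ckey, bad, msg in CONFIG_CHECKS:
            if key == ckey and value == bad:
                findings.append({"id": f"CONFIG-{ckey}", "confidence": msg})
    return findings


def scan_all():
    """Both scan modes over the inventory, keyed by host address."""
    return {ip: {"uncredentialed": uncredentialed_scan(h),
                 "credentialed": credentialed_scan(h)} for ip, h in HOSTS.items()}


if __name__ == "__main__":
    for ip, result in scan_all().items():
        print(ip)
        for mode, findings in result.items():
            print(f"  {mode}:")
            for f in findings:
                print(f"    {f['id']}: {f['confidence']}")
```

The banner-only pass flags both hosts identically; only the credentialed pass can tell the patched host from the unpatched one and surface the PermitRootLogin and PasswordAuthentication settings, which is why the lesson recommends running an unauthenticated scan first and an administrative scan afterwards.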

5 Types of Testing

In this topic, you will learn the different types of testing. For security testing, it is vital to understand and apply three types: black box, white box, and gray box testing. Let us start with black box testing. You have probably used a torch during a power cut without knowing how it works or what its internal components are. Similarly, in black box testing you are not aware of the internal structure of the code or the makeup of the application or device under test. A black box is literally a tool, application, or device whose internal machinery, makeup, and processing functions are unknown; you can only observe and analyze its output in response to different inputs. Black box penetration testing therefore takes place without knowledge of how the organization is structured, its security policies, what hardware and software it uses, or its business processes and procedures. It assesses a device, tool, or program from an end user's perspective by trying several input scenarios and checking the corresponding outputs. Such testers have no access to the internal code; they work like external attackers, discovering the information they need on their own and then simulating attacks. The goal of black box testing is to test without being given information about the organization or its network, and to find input-handling errors such as the acceptance of illegal values or the mishandling of expected ones. The final acceptance test before a system is delivered is a typical example of black box testing.

A white box is an application or device whose internal processes and structures are known and understood. In penetration testing, white box testing uses knowledge of the organization's structure, security policies, the types of hardware and software in use, and its internal processes, and aims to exploit everything that is known.
White box testing usually assesses the internal logical structure of an application through its code to identify potential errors. Because it starts with full knowledge of the company's assets and network configuration, it simulates an attack from an insider, such as a disgruntled employee; the goal is to check whether the network or systems can be compromised. White box testing is quicker than black box testing, although having the information up front does not by itself guarantee that weaknesses are found faster. Gray box testing combines the black box and white box approaches. The tester assesses the software from a user's perspective but also has access to the source code to design the tests, without analyzing the application's inner processes during the test itself. The knowledge of the target is deliberately limited: for instance, the tester might know the IP addresses of systems on the network and use them to work out what is running on those systems before simulating an attack.

6 Difference between Black, White, and Gray Box Testing

Let us find out the differences between black, white, and gray box testing.

Aspect                      Black box                              White box                                  Gray box
Knowledge of internals      None                                   Full                                       Partial
Also known as               Functional or data-driven testing      Code-based or structural testing           Translucent testing
Performed by                End users, testers, developers         Testers and developers only                End users, testers, developers
Test cases based on         Expected external behaviour            Knowledge of the internal working          Data flow and high-level database diagrams
Time and coverage           Least time-consuming, least exhaustive Most time-consuming and most exhaustive    Partly exhaustive, moderately time-consuming
Algorithm testing           Not suitable                           Suitable                                   Not suitable
Data domains and boundaries Trial and error                        Best tested here                           Testable if the relevant data is fully known

Black box testing is the least time-consuming because it only exercises inputs and outputs; white box testing is the most time-consuming and exhaustive because each line of code is validated, which is also why it is the approach suited to testing algorithms. Data domains and internal boundaries are best tested with white box testing, black box testing approaches them by trial and error, and gray box testing can test them when the relevant data is fully known.

7 Summary

Let us summarize the topics covered in this lesson.
• A penetration test is an active test because the tester actually exploits the system to bypass the security controls, as an attacker would.
• Drafting and signing a legal document in which the parties give the required permission to perform a penetration test is essential.
• A vulnerability scan is a passive test in which weaknesses and the lack of security controls are identified, existing controls are tested passively, and common misconfigurations in the system are pointed out.
• Black box testing assesses without any information about the business environment, while white box testing assesses with full knowledge of the business environment.
• Gray box testing is a mix of the white box and black box approaches.
With this we conclude this lesson, ‘Explaining the Proper Use of Penetration Testing Versus Vulnerability Scanning.’ The next lesson is ‘Explaining the Importance of Application Security Controls and Techniques.’
