SY0-501 Section 3.8 Explain the proper use of penetration testing versus vulnerability scanning.

Penetration testing

It is becoming more common for companies to hire penetration testers to test their system’s defenses. Essentially, a penetration tester will use the same techniques a hacker would use to find any flaws in your system’s security.

Hacking and penetration testing are areas that seem quite exciting to many people. Unfortunately, this has led to a number of unqualified (or at least underqualified) people calling themselves penetration testers. It is imperative when hiring a penetration tester that you ensure the person in question has the requisite skill set. Check their references and verify their training and skills. It is also important to do a thorough background check on the person in question, as you are giving this person permission to try hacking techniques on your network. You will want to be certain that they conduct themselves in an ethical manner.

Vulnerability scanning

Many security experts view vulnerability scanning as separate from penetration testing. However, it should be either part of the penetration test or done alongside it. Vulnerability scanning allows you to identify specific vulnerabilities in your network, and most penetration testers will start with this procedure so that they can identify likely targets to attack. A penetration test is essentially an attempt to exploit these vulnerabilities.

Once you have identified the vulnerabilities, it is time to attempt to exploit them. Of course the most egregious vulnerability is any aspect of your system where vulnerability scanning reveals a lack of security controls. Some of the more common vulnerabilities involve misconfiguration.

Passively Testing Security Controls

The vulnerability scanner can test the security controls without doing any actual harm. It looks only for the openings that are there and reports them back to you. As such, its testing is considered to be passive as opposed to active.

Interpreting Results

Most of the vulnerability scanning programs, and the commercial ones in particular, interpret the results of their findings and deliver a report that can be shared with management.

Identifying Vulnerability

Just knowing that the port is open means little unless you can associate it with the vulnerability tied to it. For example, port 23 being open is a problem since it is commonly associated with Telnet.

Identifying Lack of Security Controls

Looking for weaknesses in security controls is well and good, but just as important is identifying areas where there are no controls in place. You want to know not just what is weak, but also what is missing altogether.

Identifying Common Misconfigurations

All too often, problems are introduced when perfectly good applications and services are improperly configured. Those misconfigurations can allow more users than should be permitted to access an application, cause the application to crash, or introduce any of a number of other security concerns.

Credentialed vs. non-credentialed

Vulnerability scanning can be done either in a credentialed or non-credentialed manner. The difference is that a credentialed vulnerability scan uses actual network credentials to connect to systems and scan for vulnerabilities. Tenable Security, the creators of the Nessus vulnerability scanner, have this to say about credentialed scanning: This type of scan has several benefits:

– Not disrupting operations or consuming too many resources: Because the scan is performed with credentials, operations are executed on the host itself rather than across the network. Running commands on the host, then sending the results of those commands back to the Nessus server, does everything from operating system identification to port scanning. This allows Nessus to consume far less system and network resources than performing a traditional network scan that probes ports and services remotely.

– Definitive list of missing patches: Rather than probe a service remotely and attempt to find a vulnerability, Nessus will query the local host to see if a patch for a given vulnerability has been applied. This type of query is far more accurate (and safer) than running a remote check.

– Client-side software vulnerabilities are uncovered: By looking at the software installed and its version, Nessus will find client-side software vulnerabilities that are otherwise missed in a traditional network-based audit.

– Several other “vulnerabilities”: Nessus can read password policies, obtain a list of USB devices, check anti-virus software configurations and even enumerate Bluetooth devices attached to scanned hosts.

Whether you use credentialed or non-credentialed vulnerability scanning, be prepared for false positives. A false positive occurs when the scan mistakenly identifies something as a vulnerability when it is not. No software program is perfect, and this means that any vulnerability scanner will yield some occasional false positives.
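The three points above (accuracy of a patch check, client-side software, and false positives) can be seen in miniature with an added example that is not from the page or from Tenable/Nessus: a constructed host is checked once from the network (banner-based) and once with credentials (installed-package list). The advisory IDs, versions and package names are hypothetical.

```python
# Constructed advisories: the tag a banner carries, the package that ships the
# service, and the first fixed version. All values are hypothetical.
ADVISORIES = [
    {"id": "ADV-SSH-1", "banner_tag": "OpenSSH_", "package": "openssh-server", "fixed": (7, 4)},
    {"id": "ADV-BROWSER-1", "banner_tag": None, "package": "web-browser", "fixed": (60, 0)},
]

def parse_version(text):
    """'7.2p2' -> (7, 2); '52.9' -> (52, 9). Only the numeric prefix is compared."""
    head = text.split("p")[0].split("-")[0]
    return tuple(int(n) for n in head.split("."))

def non_credentialed_scan(banners):
    """Remote view: only services that answer on the network are visible, and the
    version is whatever the banner claims. A backported fix is invisible here."""
    findings = []
    for banner in banners:
        for adv in ADVISORIES:
            tag = adv["banner_tag"]
            if tag and tag in banner:
                version = banner.split(tag, 1)[1].split()[0]
                if parse_version(version) < adv["fixed"]:
                    findings.append(adv["id"])
    return findings

def credentialed_scan(packages):
    """Local view: query the installed-package list (a constructed dict here), so
    client-side software is covered and a backported fix is honoured."""
    findings = []
    for adv in ADVISORIES:
        pkg = packages.get(adv["package"])
        if pkg is None:
            continue
        if adv["id"] in pkg.get("backported_fixes", ()):
            continue  # patch applied without a version bump: not a finding
        if parse_version(pkg["version"]) < adv["fixed"]:
            findings.append(adv["id"])
    return findings

# Constructed host: the SSH banner still says 7.2p2 although the fix was
# backported, and an old browser is installed but never listens on the network.
HOST_BANNERS = ["SSH-2.0-OpenSSH_7.2p2 ExampleDistro-1"]
HOST_PACKAGES = {
    "openssh-server": {"version": "7.2p2", "backported_fixes": ["ADV-SSH-1"]},
    "web-browser": {"version": "52.9"},
}

if __name__ == "__main__":
    print("non-credentialed:", non_credentialed_scan(HOST_BANNERS))  # false positive on SSH
    print("credentialed:   ", credentialed_scan(HOST_PACKAGES))     # real client-side finding
```

The network view reports the SSH advisory that is in fact patched and never sees the browser; the credentialed view gets both right.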

False positive

False positives are events that aren’t really incidents. Event flagging is often based on established rules of acceptance (deviations from which are known as anomalies) and things such as attack signatures. If the rules aren’t set up properly, normal traffic may set off an analyzer and generate an event. You don’t want to declare an emergency unless you’re sure that you have one. The opposite of a false positive is a false negative. With a false negative, you are not alerted to a situation when you should be alerted. In this case, you miss something crucial and it slips right by.

Black Box

The tester has absolutely no knowledge of the system and is functioning in the same manner as an outside attacker.

White Box

The tester has significant knowledge of your system. This simulates an attack from an insider—a rogue employee.

Gray Box

This is a middle ground between the first two types of testing. In gray box testing, the tester has some limited knowledge of the target system.

In addition to classifying a penetration test based on the amount of information given to the tester, it is also possible to classify the test as intrusive versus nonintrusive. Nonintrusive tests involve passively testing security controls—performing vulnerability scans, probing for weaknesses, but not exploiting them. Intrusive tests involve actually trying to break into the network. In the strictest sense, passive tests are really just vulnerability scans and not penetration tests, while active tests provide more meaningful results. With active tests, it is possible that they may disrupt business operations in the same way as a real attack.
