How to Do Penetration Testing, Vulnerability Scanning
Quick definition of a vulnerability scan: A vulnerability scan is a passive inspection of a computer network or system. Vulnerability scans search for opportunities a hostile actor could exploit to gain unauthorized access or do damage. A vulnerability scan evaluates the security of the system and identifies potential avenues of attack for full intrusion into the system.
Quick definition of a penetration test: A penetration test, also known as a "pen test", is an active cyberattack that discovers and takes advantage of vulnerabilities. A penetration test goes further than exposing and revealing vulnerabilities, it actively takes advantage of them and can result in outages on the target network to demonstrate the extent of the vulnerability or to test countermeasures.
An Overview of Vulnerability vs Pen Testing [VIDEO]
In this video, Keith Barker covers the difference between penetration testing and vulnerability scanning. Understanding the nature of risk, how it impacts security evaluation, and the pros and cons of active and passive testing all play a role. It's crucial for systems administrators to have an accurate grasp of how each of these pieces fit together.
Why Would Anyone Do Penetration Testing or Vulnerability Scanning?
Penetration testing and vulnerability scanning can identify risks to a network and help to reduce the threat of hostile actors. Many companies hire consultants or train their personnel to perform penetration tests and vulnerability scans because the upfront cost of the tests is far lower than what it would cost to be the victim of a cyberattack.
In the world of information security, just like in business, the aim is to avoid risk. To understand vulnerability scanning and penetration testing, we should understand what risk is. And to understand risk, we should look at what a vulnerability is.
To understand vulnerability, imagine a raw egg. The egg's vulnerability is its fairly fragile shell. And then I'd like you to imagine a 100-pound weight, hanging by a rope over the egg. Under the egg, we have concrete.
Now, this 100 pound weight — dangling by a rope — should be considered a threat. If we were to cut the rope that's holding that weight up, the weight would fall. In other words, the threat would be activated. You can probably imagine what would happen after that. Gravity would do its work and when the weight came in contact with the shell, which, remember, is our vulnerability — we would experience a loss.
And that's really what risk is all about. Risk is the potential for a threat to compromise, take advantage of, or exploit a vulnerability, which would result in some sort of loss. Risk is the measurement of the likelihood of that weight actually falling and destroying the egg.
In information security, we want to mitigate or lessen the effectiveness of a threat against our vulnerabilities. Typically what we'll do to that end is implement countermeasures. Countermeasures don't get rid of the threat, they just reduce the likelihood of that threat being effective against our vulnerability.
In our egg example, maybe an effective countermeasure would be that we build a solid steel table covering the egg. Then, if the weight falls, it'll hit the table. If the table is built and implemented securely enough, the egg and its fragile shell won't be damaged.
If we carry the analogy just a little bit further, we can say that penetration testing and vulnerability scanning are how we detect the weight and realize it poses a threat to our egg's shell. The cost of the penetration testing and vulnerability scanning are miniscule compared to what it would cost to clean up the egg if that weight were ever to fall, which is why they're such wise investments.
What Do Penetration Tests and Vulnerability Scans Accomplish?
Penetration tests and vulnerability scans help identify explicit weak spots in an organization's network and systems security. This includes weak points like system misconfigurations, open ports, the inability of a system to expel a hacker, and more.
One of the secrets of building a fortress of security to protect our information systems is first of all to identify what our vulnerabilities are.
We could have misconfigurations that are allowing access without any controls in place. For example, most systems have a technical control that requires any user to log in before they get access to the system. If that control was misconfigured, anyone could connect, get in, and view or manipulate data. That's one sort of vulnerability a vulnerability scan would reveal.
Another would be if there were ports on end user machines that were open like TCP port 80, which would imply that there's a web service waiting and listening on that device. That would be, in most cases, a vulnerability — a vulnerability that an attacker could leverage to get access to the system.
What Are the Different Types of Vulnerability Scan?
Vulnerability scans perform credentialed and non-credentialed scans to detect weak points in an organization's security posture. The difference between these is like inspecting the defenses around a castle from the outside looking for cracks in the wall versus inspecting the defenses from the inside while dressed in the uniform of the defending army.
A credentialed scan allows the device running the vulnerability scan to actually connect to devices on the network. Logging in and doing a credentialed vulnerability scan gives the administrator more opportunity to be accurate in what the scan finds as well as find out additional information. A credentialed scan gives more information about the ports than a simple scan for open ports by themselves would reveal.
And if we didn't have the credentials to log in, that would be a non-credentialed vulnerability scan. Both types of scan have value because the goal of the game is to discover what vulnerabilities exist on your systems. Sometimes being on the inside of the castle walls will show you a weakness in where your troops are positioned, but sometimes being on the outside reveals a hole in the wall that no one on the inside even knows about.
One of the key elements of vulnerability scanning is that whether it's credentialed or non-credentialed, it is passive. A vulnerability scan is not going to be injecting malicious software. It's not going to be bringing a server down when it finds a vulnerability. It's simply a passive, non-aggressive manner of discovering vulnerabilities on a system.
If Vulnerability Scans are Passive, Can They Be Done to Anyone?
No! Just because a vulnerability scan is passive doesn't mean that we're allowed to do scanning of any network that we happen to be on. You must be sure that you have proper authorization on any system you do vulnerability scanning on.
In a corporate environment, an unauthorized device doing a vulnerability scan would be considered aggressive and would very likely be against corporate policy. A vulnerability scan is passive, but it's not invisible. The pokes and probes can be detected, and you wouldn't want to unnecessarily startle anyone.
What's the Difference Between Vulnerability Scans and Penetration Tests?
Now, while vulnerability scanning is considered passive in nature and not doing any damage to the network or system, there's something on the opposite side of the scale: penetration testing. A penetration test is intended to do harm. Penetration testing involves active attacks.
Companies regularly hire cybersecurity experts to be a part of penetration testing teams. Such a team might start off with some warm-up exercises like vulnerability scanning to find out what vulnerabilities may exist. But after passively detecting those vulnerabilities, the team will break out the penetration testing tools, and these go a step further. Penetration testing tools have the potential to actually compromise the system — and maybe take down a server or install malicious software on that server, or get unauthorized access to an internal system.
Can Pen Testing Actively Disrupt a Network?
One of the reasons a company might consider doing penetration testing is they want to actually verify whether or not their security controls can be bypassed. And if they can be, they want to find out what the extent of that damage could be before the real attackers start taking advantage of their systems.
A vulnerability scan merely reveals vulnerabilities. Maybe after doing such a scan, countermeasures are put into place that hypothetically should prevent attacks and mitigate risk. For many companies, knowing that the countermeasures should be effective isn't enough.
If we go back to our egg and weight example, just knowing that the table has been built might not be enough. Maybe we should drop a 10 pound weight on it. What if we drop a 50 pound weight on it? Maybe dropping a 100 pound weight on it will show us if our table was built well enough to repel an attack.
Following up a vulnerability scan with a penetration test can actively test the safety and security controls. Whether the penetration test passes or fails shows whether those controls really are secure. Showing that an outside user could gain control of a server can demonstrate the seriousness and scope of the problem without actually losing control of that server.
If vulnerability scans and penetration tests are something that you're interested in, CBT Nuggets offers many courses in the tools of that trade. CompTIA Sec+, CISSP, and Penetration Testing with Linux Tools (including Backtrack and Kali Linux) are just a few of the courses you should take about if you're interested in becoming a penetration tester.