Vulnerability Assessment and Penetration Test
When preparing for the CompTIA Security+ exam (and other security exams such as SSCP and CISSP), it’s important to understand the differences between a vulnerability assessment and penetration test.
Risk is the likelihood that a threat will exploit a vulnerability, resulting in a loss. A risk management program includes vulnerability assessments to discover vulnerabilities. A vulnerability is simply a weakness in a system, such as a default or weak password or an unmanaged service. If an attacker exploits the vulnerability, the result is a loss.
Some common tools used for vulnerability assessments include Nmap and Nessus. Nmap provides reconnaissance to determine which systems exist on a network. It uses a sniffer component to capture and analyze packets, which lets it discover the operating system of each discovered system, and it can often identify the names and versions of running services and whether a firewall is in use. Nessus probes individual systems more deeply and can discover weak and blank passwords, unpatched systems, and more. It is sometimes used to audit systems to determine whether they comply with specific security policies. Nessus can also discover information on open ports and running services, which validates the findings of Nmap and sometimes provides additional information.
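The reconnaissance described above usually ends up as an Nmap report that the assessor has to read through. The following is an added example, not code from the original post: it parses Nmap's XML output (`-oX`) into a host and service inventory and flags exposed cleartext services, which is the kind of weakness a vulnerability assessment records. The XML is constructed sample data, and the `CLEARTEXT_SERVICES` list and `weak_service_findings` function are the example's own choices, not Nmap features.

```python
# Added example, not from the original post: turn Nmap's XML output (-oX)
# into a host/service inventory. The XML below is constructed sample data.
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sV -O -oX scan.xml 192.0.2.0/29">
<host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open"/>
  <service name="ssh" product="OpenSSH" version="7.4"/></port>
<port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
<port protocol="tcp" portid="443"><state state="filtered"/><service name="https"/></port>
</ports>
<os><osmatch name="Linux 3.X" accuracy="95"/></os></host>
<host><status state="down"/><address addr="192.0.2.11" addrtype="ipv4"/></host>
</nmaprun>"""

def parse_nmap_xml(xml_text):
    """One dict per live host: address, best OS match, open services."""
    inventory = []
    for host in ET.fromstring(xml_text).findall("host"):
        if host.find("status").get("state") != "up":
            continue  # hosts that did not respond have nothing to assess
        osmatch = host.find("os/osmatch")  # absent when -O could not fingerprint
        services = []
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports are not exposed services
            svc = port.find("service")
            name = svc.get("name", "unknown") if svc is not None else "unknown"
            version = (" ".join(filter(None, (svc.get("product"), svc.get("version"))))
                       if svc is not None else "")
            services.append((int(port.get("portid")), name, version))
        inventory.append({
            "addr": host.find("address").get("addr"),
            "os": osmatch.get("name") if osmatch is not None else "unknown",
            "services": services,
        })
    return inventory

# Assumed list for this example: services that carry credentials unencrypted.
CLEARTEXT_SERVICES = {"telnet", "ftp"}

def weak_service_findings(inventory):
    """Flag exposed cleartext services; each finding is (addr, port, service)."""
    return [(h["addr"], port, name) for h in inventory
            for port, name, _ in h["services"] if name in CLEARTEXT_SERVICES]
```

Running `weak_service_findings(parse_nmap_xml(SAMPLE_NMAP_XML))` on the sample yields a single finding for the open telnet service; the filtered port and the host that was down are left out of the inventory.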
A vulnerability assessment is the most effective method for security professionals to identify weaknesses in systems and networks. A vulnerability assessment is passive and does not cause damage to a system. It’s important to address any vulnerabilities discovered through a vulnerability assessment: attackers have access to the same tools, and if you can discover a weakness, they can too.
In contrast, a penetration test (sometimes called a pentest) starts with a vulnerability assessment and follows up with an attempt to exploit the vulnerability. A penetration test can be intrusive and actually cause damage, so it’s important to be cautious when performing one. If the penetration attempt could cause system damage, it’s better to simulate the attack or to attempt the exploit against a test system.
The key points to remember are:
- A vulnerability test discovers weaknesses and is passive or non-intrusive.
- A penetration test starts with a vulnerability test and attempts to exploit discovered vulnerabilities.
- A penetration test is intrusive and can cause damage if the tester isn’t cautious.
- You should always obtain permission before performing a penetration test.