Penetration Testing vs. Vulnerability Assessment
In the world of IT security, there are two terms, Penetration Testing and Vulnerability Assessment, which are often used synonymously but have quite different meanings and implications when applied in practice. Wikipedia defines Penetration Testing as: “an authorized simulated cyberattack on a computer system, performed to evaluate the security of the system.” It defines Vulnerability Assessment as: “the process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system.”
Penetration testing, ethical hacking, or pen-testing as it is often called, is a much more active approach to identifying and even attempting to exploit vulnerabilities in a particular system, while a Vulnerability Assessment is an exercise in checking the security state of a system at a particular point in time or under a specific configuration. While the main goal of a Pen Test is to produce a report of exploited vulnerabilities and to show evidence of the breaches, a Vulnerability Assessment is employed in order to identify risks and threats associated with identified vulnerabilities and to recommend the most efficient and cost-effective controls required to best mitigate those vulnerabilities.
The tools and the mindset needed to perform either of these are much the same, especially in the initial stages of either. In this article, we will explore the tools, techniques, processes, and procedures necessary to conduct either a successful Vulnerability Assessment or a Penetration Test on a variety of systems.
There are eight common processes used in conducting a formalized Pen Test:
- Planning – Defining project scope, sponsorship, logistics, etc.
- Reconnaissance – Passive/Active information gathering, social engineering
- Scanning – Deeper, more active information gathering on vulnerabilities/risks
- Gaining Access – Exploiting information/vulnerabilities gathered previously
- Maintaining Access – Pivoting to other targets, creating multiple access points
- Covering Tracks – Destroying evidence of exploits, system logs, etc.
- Analysis – Identifying vulnerabilities, making recommendations for correction
- Reporting – Official reporting to stakeholders/sponsors
Pen-Testing is most effective when conducted by a non-biased, third-party entity and should be performed according to the security profile of the specific organization or enterprise. While the findings of a formal Penetration Test are enlightening and illuminate vulnerabilities in an organization's security systems that would otherwise go unnoticed, most companies do not conduct “live, in-the-blind” Penetration Testing as a routine part of their overall security posture. The benefits of doing so, however, are wide-reaching and can be invaluable in assisting an organization in boosting and supporting the security profile all across the enterprise.
Some of the notable benefits of Pen Testing are:
- Identifying ROI of security systems
- Identifying the BIA of insecure systems
- Protecting the organization’s reputation
- Testing cyber-defense capabilities
- Supporting Risk Management
- Supporting Business Continuity and Disaster Recovery Planning
- Protecting stakeholders in the enterprise
There are several Penetration Testing standards or frameworks available. Some of these have been developed throughout the years by government bodies as part of national and international security and cybersecurity programs, and others have been and are being produced by non-government, open-source groups and crowd-sourced organizations. Most of the notable frameworks are supported by public and private funding and are recognized throughout the cybersecurity arena worldwide.
Some of the most notable and recognized are:
- NIST SP 800-115 – Technical Guide to Information Security Testing and Assessment. Developed by the National Institute of Standards and Technology. www.nist.gov
- OWASP – Software testing, Penetration Testing. Developed by the Open Web Application Security Project. www.owasp.org
- PTES – Penetration Testing Execution Standard Technical Guidelines. www.pentest-standard.org
There are several different approaches to performing Vulnerability Assessments, as well as several different types of systems that can benefit from the implementation of a proper, regular Vulnerability Assessment methodology, including information technology systems, energy generation and supply systems, transportation systems, public service supply systems, and communications systems, to name a few.
As it relates to IT, there are typically two different types of Vulnerability Assessments performed with different goals in mind and with different levels of access into systems. The assessments are conducted using a variety of tools, typically software suites, designed to “scan” systems. According to the level of detail and access required we either perform a credentialed scan or a non-credentialed scan.
A credentialed scan is a deep-dive scan that is performed as if the scanning software were the systems administrator. The scanning tool has all the same access and permissions as the root user on the system and can scan into servers, databases, security appliance control setups, and configurations, as well as into directory systems. The credentialed scan can look deep into the operating system setup and configuration as well.
A non-credentialed scan is performed with the same access and permissions that a standard, non-admin user would have on a system. A non-credentialed scan requires much less time, effort, and resources to conduct, but does not reveal the level of vulnerability that the credentialed scan would. It is generally recommended that a credentialed scan be performed no more than bi-annually and that it be scheduled well in advance so that it does not cause work stoppage. Non-credentialed scans may be performed much more frequently in that they can typically be run alongside regular work schedules with little effect on network bandwidth, systems resources, etc. Either of these scan types will produce information resources that are then analyzed and used to score the vulnerabilities uncovered by the scan.
The information gathered is compared to numerous vulnerability reporting systems and databases, either locally or by way of APIs (Application Programming Interfaces) provided by the vulnerability clearinghouses. The scan results are presented and scored according to how the vulnerability might affect the Confidentiality, Integrity, and Availability of systems.
Security practitioners would then go through the risk assessment process, prioritize the risks, and then determine the proper controls that are needed to best mitigate the risks and vulnerabilities.
The risk appetite of the organization is a major factor in selecting how a particular risk is addressed, as is the cost-benefit analysis that accompanies the risk assessment. If the cost of the control is far beyond the total loss the company might encounter if the vulnerability is exploited, the choice may very well be made to accept the risk and move on. An organization that makes this choice would be called highly risk-tolerant.
Information security teams typically choose one of the following methods of risk management, according to the likelihood of the risk, the consequences of the risk, and the organization’s aforementioned risk appetite.
- Risk Mitigation – Choosing the most cost-effective control to lessen the likelihood and/or consequences of the risk.
- Risk Acceptance – Choosing to do nothing and accept the likelihood and consequences of the risk.
- Risk Transfer – Transferring the risk to a third party such as an insurance carrier or partner.
- Risk Elimination – The only way to eliminate the risk is to eliminate the cause, e.g. not allowing remote connections, closing down a division, dissolving a partner relationship, etc.
Tools of the Trade
In both Penetration Testing as well as Vulnerability Assessments, there are very specific toolsets that are employed by security practitioners. Some of the tools are used in both environments as are many of the same methods. The tools are typically categorized as follows.
- Scanning tools
- Credential testing tools
- Open-source intelligence tools (OSINT)
- Debugging tools
- Software assurance tools
- Social engineering tools
- Wireless access tools
- Remote access tools
- Networking tools
In addition to these, there are collections of tools specifically fine-tuned to be used in both Penetration Testing and Vulnerability Assessments. Tools such as Wireshark, Hping3, and tcpdump are packet sniffing and protocol analyzer tools used to capture and analyze data packets as they traverse network connections. Web application and proxy tools such as Burp Suite, Nikto, and OWASP ZAP are used to identify and exploit weaknesses in web servers and web applications. There are third-party, open-source tools, freely downloadable and extremely powerful, and there are commercial software products designed for enterprise-wide Penetration Testing and Vulnerability Assessment.
There are also databases provided by largely crowd-sourced entities and available to the public at large for analyzing and assessing known threats and vulnerabilities. The Common Vulnerabilities and Exposures database houses a massive listing of cybersecurity vulnerabilities and is used in numerous cybersecurity products and services from all around the world. You can access it at: https://cve.mitre.org. There is also the CVE Details database, which provides vulnerability details, exploits, references and a full listing of vulnerability reporting and trends which use the Common Vulnerability Scoring System (CVSS).
Penetration Testing/Vulnerability Assessment Frameworks
Among the most powerful tools security practitioners have in their respective toolboxes are Testing Frameworks. These frameworks provide the ability for the practitioner to automate many of the functions required to regularly check for security bugs or vulnerabilities in computer networks and networking appliances, host machines, applications and web programs, and servers. Using these automated frameworks, security professionals can spend valuable time performing other tasks, in that the regular checks performed via the frameworks don’t cost additional time, effort, or resources.
While there are numerous commercial offerings, some of the most powerful and popular frameworks are open source products. Here is a listing of some of the most popular open-source, mostly crowd-sourced frameworks.
- Metasploit – The most popular open-source pen-testing and vulnerability assessment framework, Metasploit helps security professionals manage security projects of all types, including Penetration Testing and Vulnerability Assessments. Metasploit is a command-line toolset that has been called “a hacker’s swiss army chainsaw”. It comes with over 1000 pieces of exploit code and over 500 payloads ready to deploy, and is a cross-platform application that works equally well on Windows, Linux and macOS systems.
- Nettacker – Nettacker is a framework created by the Open Web Application Security Project (OWASP) to facilitate vulnerability scanning and information gathering of all types, and it specializes in payloads designed to bypass firewalls, intrusion detection/prevention systems and other network security devices. Nettacker is developed in the Python programming language and is a cross-platform toolset.
- Legion – Unlike most open-source frameworks, Legion provides a slick GUI, or graphical user interface, rather than being mostly dependent upon a detailed understanding of the command-line interface and the specific command syntax of the toolset. Legion is also written in the Python programming language, meaning that it runs cross-platform on any operating system capable of running Python, i.e. Windows, Linux, and macOS.
As professional security practitioners, we should constantly be on the lookout for tools that can assist, and where applicable, automate the numerous tasks required by our job functions. We cannot, however, become complacent and too reliant on these automated tools. It is incumbent upon us to research, test, and re-educate ourselves as to the latest and greatest approaches to providing the best, most secure operating environment possible with the tools at our disposal. We must remember that the greatest, most valuable, and most dependable tool in our enterprise is our user base. The most important tool we can arm the user with, the one that will provide the most benefit to the user, ourselves, and the organization as a whole, is constant and consistent awareness, communication, and education.
Never forget that, from a security perspective, a well-educated user is your most valuable asset.