<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
<title>topic Difference between vulnerability scan and pentest in CISSP Study Group</title>
    <link>https://community.isc2.org/t5/CISSP-Study-Group/Different-Vulnerability-scan-and-pertest/m-p/61657#M898</link>
<description>&lt;P&gt;During preparation for the CISSP I got this question:&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Determining patch levels, improper services, and improper configurations is an attribute of which of the following?&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;The answers could be&lt;/SPAN&gt;&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;Risk assessing&lt;/LI&gt;&lt;LI&gt;&lt;STRONG&gt;Vulnerability scanning&lt;/STRONG&gt;&lt;/LI&gt;&lt;LI&gt;&lt;STRONG&gt;Penetration testing&lt;/STRONG&gt;&lt;/LI&gt;&lt;LI&gt;Business impact analysis&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;I would take pentest, because I got this independent information from a pentest, but it is vulnerability scanning. I miss the database of known vulnerabilities which is used to test the findings against.&amp;nbsp;&lt;/P&gt;&lt;P&gt;Do you have an explanation why it is vulnerability scan?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks in advance&lt;/P&gt;</description>
    <pubDate>Mon, 09 Oct 2023 10:41:58 GMT</pubDate>
    <dc:creator>OliLue</dc:creator>
    <dc:date>2023-10-09T10:41:58Z</dc:date>
    <item>
<title>Difference between vulnerability scan and pentest</title>
      <link>https://community.isc2.org/t5/CISSP-Study-Group/Different-Vulnerability-scan-and-pertest/m-p/61657#M898</link>
<description>&lt;P&gt;During preparation for the CISSP I got this question:&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Determining patch levels, improper services, and improper configurations is an attribute of which of the following?&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;The answers could be&lt;/SPAN&gt;&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;Risk assessing&lt;/LI&gt;&lt;LI&gt;&lt;STRONG&gt;Vulnerability scanning&lt;/STRONG&gt;&lt;/LI&gt;&lt;LI&gt;&lt;STRONG&gt;Penetration testing&lt;/STRONG&gt;&lt;/LI&gt;&lt;LI&gt;Business impact analysis&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;I would take pentest, because I got this independent information from a pentest, but it is vulnerability scanning. I miss the database of known vulnerabilities which is used to test the findings against.&amp;nbsp;&lt;/P&gt;&lt;P&gt;Do you have an explanation why it is vulnerability scan?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks in advance&lt;/P&gt;</description>
      <pubDate>Mon, 09 Oct 2023 10:41:58 GMT</pubDate>
      <guid>https://community.isc2.org/t5/CISSP-Study-Group/Different-Vulnerability-scan-and-pertest/m-p/61657#M898</guid>
      <dc:creator>OliLue</dc:creator>
      <dc:date>2023-10-09T10:41:58Z</dc:date>
    </item>
    <item>
<title>Re: Difference between vulnerability scan and pentest</title>
      <link>https://community.isc2.org/t5/CISSP-Study-Group/Different-Vulnerability-scan-and-pertest/m-p/61674#M900</link>
<description>This is vulnerability scanning as it looks for all issues that could be exploited on a system or network. There are many possible issues but it covers all of them and provides a report on patch, version, misconfiguration, non-supported components, license issues etc. A vulnerability scan seeks to enumerate issues but never to actually exploit them - pen testers are always trying to get root on a box or system without being caught, under the terms of their contract with the customer. So in short, VS is a wide BAU process to see what you need to fix, whilst pen testing is basically having an ethical hacker attack your systems in a controlled way and seeing if they can breach your security.</description>
      <pubDate>Tue, 15 Aug 2023 01:58:22 GMT</pubDate>
      <guid>https://community.isc2.org/t5/CISSP-Study-Group/Different-Vulnerability-scan-and-pertest/m-p/61674#M900</guid>
      <dc:creator>Early_Adopter</dc:creator>
      <dc:date>2023-08-15T01:58:22Z</dc:date>
    </item>
    <item>
<title>Re: Difference between vulnerability scan and pentest</title>
      <link>https://community.isc2.org/t5/CISSP-Study-Group/Different-Vulnerability-scan-and-pertest/m-p/61681#M901</link>
      <description>&lt;P&gt;Vulnerability scanning is about identifying vulnerabilities/weaknesses (based on a vulnerability database).&amp;nbsp;A penetration test attempts (based on a vulnerability scan) to exploit detected vulnerabilities.&amp;nbsp;&lt;/P&gt;&lt;P&gt;Best, Thomas&lt;/P&gt;</description>
      <pubDate>Tue, 15 Aug 2023 09:58:40 GMT</pubDate>
      <guid>https://community.isc2.org/t5/CISSP-Study-Group/Different-Vulnerability-scan-and-pertest/m-p/61681#M901</guid>
      <dc:creator>neeff</dc:creator>
      <dc:date>2023-08-15T09:58:40Z</dc:date>
    </item>
    <item>
<title>Re: Difference between vulnerability scan and pentest</title>
      <link>https://community.isc2.org/t5/CISSP-Study-Group/Different-Vulnerability-scan-and-pertest/m-p/61686#M903</link>
      <description>&lt;P&gt;Think of it this way. That pentest undoubtedly will contain a vulnerability scan but not the other way around. Why is it useful to make that distinction? It's a little more than semantics. A vulnerability scan/assessment just tells you what is vulnerable. It doesn't look to exploit it. So if you're contracting for services or are concerned about liability, the vulnerability scan can tell you a lot without going overboard. That said, we now see legal disclaimers, terms of use, and even regulations that prohibit scanning a network.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Arguably, there's also a slightly different objective. A vulnerability scan should be comprehensive - I want to throw a very wide net in terms of what's vulnerable. A pentest looks more to see what is exploitable. You can have a vulnerability that isn't exploitable (yet) or might not be a high-value target. Conversely, a pentest might focus on a high-value target, even one without a technical vulnerability. Example: using spearphishing against someone with administrative access.&lt;/P&gt;</description>
      <pubDate>Tue, 15 Aug 2023 12:50:36 GMT</pubDate>
      <guid>https://community.isc2.org/t5/CISSP-Study-Group/Different-Vulnerability-scan-and-pertest/m-p/61686#M903</guid>
      <dc:creator>JoePete</dc:creator>
      <dc:date>2023-08-15T12:50:36Z</dc:date>
    </item>
    <item>
<title>Re: Difference between vulnerability scan and pentest</title>
      <link>https://community.isc2.org/t5/CISSP-Study-Group/Different-Vulnerability-scan-and-pertest/m-p/61701#M904</link>
      <description>Thanks, I understand the point of view and understand the answer</description>
      <pubDate>Tue, 15 Aug 2023 16:30:24 GMT</pubDate>
      <guid>https://community.isc2.org/t5/CISSP-Study-Group/Different-Vulnerability-scan-and-pertest/m-p/61701#M904</guid>
      <dc:creator>OliLue</dc:creator>
      <dc:date>2023-08-15T16:30:24Z</dc:date>
    </item>
    <item>
<title>Re: Difference between vulnerability scan and pentest</title>
      <link>https://community.isc2.org/t5/CISSP-Study-Group/Different-Vulnerability-scan-and-pertest/m-p/61702#M905</link>
      <description>Great. I understand the point</description>
      <pubDate>Tue, 15 Aug 2023 16:30:55 GMT</pubDate>
      <guid>https://community.isc2.org/t5/CISSP-Study-Group/Different-Vulnerability-scan-and-pertest/m-p/61702#M905</guid>
      <dc:creator>OliLue</dc:creator>
      <dc:date>2023-08-15T16:30:55Z</dc:date>
    </item>
    <item>
<title>Re: Difference between vulnerability scan and pentest</title>
      <link>https://community.isc2.org/t5/CISSP-Study-Group/Different-Vulnerability-scan-and-pertest/m-p/61706#M906</link>
<description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;To my understanding, the attributes given in the question, i.e. patch level, improper services or improper configurations, are more related to the identification of weaknesses in the current status of a system, which can be identified by doing a vulnerability scan. It is not just against a known database, but it would also identify the weaknesses against the expected baselines - hence the improper services or configurations or patch levels. The vulnerability database could contain the list of exploits for an application or process behaviour at runtime but may not be suggestive for the baselines.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Penetration testing, on the other hand, is more of an attempt to break through the application's runtime environment and gain access to data for manipulation / destruction.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The very purpose of the two activities differs.&lt;/P&gt;&lt;P&gt;Hope you find this useful.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 15 Aug 2023 18:27:16 GMT</pubDate>
      <guid>https://community.isc2.org/t5/CISSP-Study-Group/Different-Vulnerability-scan-and-pertest/m-p/61706#M906</guid>
      <dc:creator>SanjeevK</dc:creator>
      <dc:date>2023-08-15T18:27:16Z</dc:date>
    </item>
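The post above describes what a scanner actually does with "patch levels, improper services and improper configurations": enumerate the host, compare against a known-vulnerability database and against an expected baseline, and report, without exploiting anything. The following is an added example written for this page, not code from the thread or from any scanner product. The inventory, the vulnerability database (placeholder IDs, not real CVEs), the baseline and the hostname are all constructed for the example; the version comparison is a simplified one, and real scanners apply per-ecosystem rules.

```python
"""Toy vulnerability-scan pass: enumerate, compare, report. Never exploits."""
import operator
import re

# Constructed sample inventory, as a scanner would collect it from a host.
# Hostname, packages and settings are made up for this example.
INVENTORY = {
    "host": "web-01.example.test",
    "packages": {"openssh-server": "9.2p1", "nginx": "1.18.0", "bash": "5.2.15"},
    "services": ["sshd", "nginx", "telnetd", "rpcbind"],
    "config": {"sshd.PermitRootLogin": "yes", "sshd.PasswordAuthentication": "no"},
}

# Constructed vulnerability database: package, version that fixed the issue,
# identifier. The IDs are placeholders, not real CVEs.
VULN_DB = [
    {"package": "nginx", "fixed_in": "1.20.1", "id": "EXAMPLE-0001", "severity": "high"},
    {"package": "openssh-server", "fixed_in": "9.6p1", "id": "EXAMPLE-0002", "severity": "medium"},
    {"package": "bash", "fixed_in": "4.3", "id": "EXAMPLE-0003", "severity": "critical"},
]

# Constructed hardening baseline: services allowed to run, settings required.
BASELINE = {
    "allowed_services": {"sshd", "nginx"},
    "required_config": {"sshd.PermitRootLogin": "no", "sshd.PasswordAuthentication": "no"},
}


def version_key(version):
    """Split '9.2p1' into ((0,9),(0,2),(1,'p'),(0,1)) so numeric parts compare
    numerically and text parts lexically, and mixed positions never raise."""
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def is_below(installed, fixed_in):
    """True when the installed version predates the version that fixed the issue."""
    return operator.lt(version_key(installed), version_key(fixed_in))


def check_patch_levels(inventory, vuln_db):
    """Patch-level findings: installed package older than the DB's fixed-in version."""
    findings = []
    for entry in vuln_db:
        installed = inventory["packages"].get(entry["package"])
        if installed is None:
            continue  # package not present, so the entry does not apply
        if is_below(installed, entry["fixed_in"]):
            findings.append({
                "type": "patch-level", "id": entry["id"], "severity": entry["severity"],
                "detail": f'{entry["package"]} {installed} is below fixed version {entry["fixed_in"]}',
            })
    return findings


def check_services(inventory, baseline):
    """Improper-service findings: anything running that the baseline does not allow."""
    return [
        {"type": "improper-service", "id": None, "severity": "medium",
         "detail": f"service {svc} is running but not in baseline"}
        for svc in inventory["services"] if svc not in baseline["allowed_services"]
    ]


def check_config(inventory, baseline):
    """Improper-configuration findings: required setting absent or set differently."""
    findings = []
    for key, expected in baseline["required_config"].items():
        actual = inventory["config"].get(key)
        if actual != expected:
            findings.append({"type": "improper-config", "id": None, "severity": "high",
                             "detail": f"{key} is {actual!r}, baseline requires {expected!r}"})
    return findings


def scan(inventory, vuln_db, baseline):
    """Run all checks and return findings ordered by severity; nothing is exploited."""
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    findings = (check_patch_levels(inventory, vuln_db)
                + check_services(inventory, baseline)
                + check_config(inventory, baseline))
    return sorted(findings, key=lambda f: order[f["severity"]])


if __name__ == "__main__":
    for f in scan(INVENTORY, VULN_DB, BASELINE):
        print(f'[{f["severity"]:8}] {f["type"]:16} {f["id"] or "-":13} {f["detail"]}')
```

Note that the bash entry produces no finding because the installed version is newer than the fixed-in version: a scanner's output depends entirely on the quality of its database and baseline, which is why the report lists what is vulnerable, not what is exploitable.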
    <item>
<title>Re: Difference between vulnerability scan and pentest</title>
      <link>https://community.isc2.org/t5/CISSP-Study-Group/Different-Vulnerability-scan-and-pertest/m-p/64051#M983</link>
<description>&lt;P&gt;I recall pulling my hair out (an expression, not literal) over a similar question on another exam.&lt;/P&gt;&lt;P&gt;I appreciate the answers!&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I will add....&lt;/P&gt;&lt;P&gt;If a manager was to ask for reports on patch levels and improper configurations it would be 100% overkill, poor value for money and a risk to start pentesting when an automated process can get you the answer and be much much quicker.&amp;nbsp;&amp;nbsp;&lt;/P&gt;&lt;P&gt;...but the answers above are from people better than me.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I hate these types of questions, it would have been "better" (IMO) to say "If the CEO wants to have regular reports on ....., which process would you employ?". Maybe this is one of those questions where they are testing you with a business leader hat and not an IT hat. In fact with this in mind, maybe the question is fine as is.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 31 Oct 2023 17:34:30 GMT</pubDate>
      <guid>https://community.isc2.org/t5/CISSP-Study-Group/Different-Vulnerability-scan-and-pertest/m-p/64051#M983</guid>
      <dc:creator>JohnEricsson</dc:creator>
      <dc:date>2023-10-31T17:34:30Z</dc:date>
    </item>
    <item>
<title>Re: Difference between vulnerability scan and pentest</title>
      <link>https://community.isc2.org/t5/CISSP-Study-Group/Different-Vulnerability-scan-and-pertest/m-p/64069#M984</link>
<description>@JohnEricsson yeah the CEO should delegate that to the CISO, and the CISO should build the team that runs the tooling, and send the reports to the application/infra owners who should then train the vendors, developers and admins to keep the CVEs down.&lt;BR /&gt;&lt;BR /&gt;The CISO should also run the purple-team boss and these guys should do normal validation and you can mix it up with externals because they tell you things your culture teaches you to miss.&lt;BR /&gt;&lt;BR /&gt;Feed all of these into your review, and quantify as much as you can for the CEO but unless he, she or they happened to have done the job they won't grok it all that well.&lt;BR /&gt;</description>
      <pubDate>Wed, 01 Nov 2023 01:46:22 GMT</pubDate>
      <guid>https://community.isc2.org/t5/CISSP-Study-Group/Different-Vulnerability-scan-and-pertest/m-p/64069#M984</guid>
      <dc:creator>Early_Adopter</dc:creator>
      <dc:date>2023-11-01T01:46:22Z</dc:date>
    </item>
  </channel>
</rss>

