During preparation for the CISSP I got this question:
Determining patch levels, improper services, and improper configurations is an attribute of which of the following?
The answers could be
I would take pentest, because I got this independent information from a pentest, but it is vulnerability scanning. I miss the database with known vulnerabilities which is used to test against the findings.
Do you have an explanation why it is a vulnerability scan?
Thanks in advance
Vulnerability scanning is about identifying vulnerabilities/weaknesses (based on a vulnerability database). A penetration test attempts (based on a vulnerability scan) to exploit detected vulnerabilities.
Best, Thomas
Think of it this way. That pentest undoubtedly will contain a vulnerability scan but not the other way around. Why is it useful to make that distinction? It's a little more than semantics. A vulnerability scan/assessment just tells you what is vulnerable. It doesn't look to exploit it. So if you're contracting for services or are concerned about liability, the vulnerability scan can tell you a lot without going overboard. That said, we now see legal disclaimers, terms of use, and even regulations that prohibit scanning a network.
Arguably, there's also a slightly different objective. A vulnerability scan should be comprehensive - I want to throw a very wide net in terms of what's vulnerable. A pentest looks more to see what is exploitable. You can have a vulnerability that isn't exploitable (yet) or might not be a high-value target. Conversely, a pentest might focus on a high-value target, even one without a technical vulnerability. Example: using spearphishing against someone with administrative access.
Hi,
To my understanding, the attributes given in the question i.e. the patch level, improper services or improper configurations are more related to the identification of weaknesses of the current status in a system which can be identified by doing a vulnerability scan. It is not just against a known database, but it would also identify the weaknesses against the expected baselines - hence the improper services or configurations or patch levels. The vulnerability database could contain the list of exploits to an application or process behaviour at runtime but may not be suggestive for the baselines.
Penetration Testing, on the other hand, is more of an attempt to break through the application's runtime environment and gain access to data for manipulation / destruction.
The very purpose of the two activities differs.
Hope you find this useful.
I recall pulling my hair out (an expression, not literal) over a similar question on another exam.
I appreciate the answers!
I will add....
If a manager was to ask for reports on patch levels and improper configurations it would be 100% overkill, poor value for money and a risk to start pentesting when an automated process can get you the answer and be much, much quicker.
...but the answers above are from people better than me.
I hate these types of questions, it would have been "better" (IMO) to say "If the CEO wants to have regular reports on ....., which process would you employ". Maybe this is one of those questions when they are testing you with a business leader hat and not an IT hat. In fact with this in mind, maybe the question is fine as is.