cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
OliLue
Newcomer II

Different Vulnerability scan and pertest

During preparation to CISSP I got this question:

Determining patch levels, improper services, and improper configurations is an attribute of which of the following?

 

The answers could be

  • Risk assessing
  • Vulnerability scanning
  • Penetration testing
  • Business impact analysis

I would take penitent, because I got this independent information from a pentest, but it is the vulnerability scanning. I miss the database with known vulnerabilities which is used to test again the findings. 

Do you have an explanation why it is vulnerability scan?

 

Thanks in advance

8 Replies
Early_Adopter
Community Champion

This is Vulnerability scanning as it looks for all issues that could be exploited on a system or network. There are many possible issues but it covers all of them and provides a report on patch, version, mis-configuration, non- supported components, license issues etc. A vulnerability scan seeks to enumerate issues but never to actually exploit then - pen testers are always trying to get root on a box or system without being caught under the terms of their contract with customer. So in short VS wide BAU process to see what you need to fix, whilst pen testing is basically having an ethical hacker attack your systems in a controlled way and seeing if they can breach your security.
neeff
Viewer

Vulnerability scanning is about identifying vulnerabilities/weaknesses (based on a vulnerability database). A penetration test attempts (based on a vulnerability scan) to exploit detected vulnerabilities. 

Best, Thomas

JoePete
Advocate I

Think of it this way. That pentest undoubtedly will contain a vulnerability scan but not the other way around. Why is it useful to make that distinction? It's a little more than semantics. A vulnerability scan/assessment just tells you what is vulnerable. It doesn't look to exploit it. So if you're contracting for services or are concerned about liability, the vulnerability scan can tell you a lot without going overboard. That said, we now see legal disclaimers, terms of use, and even regulations that prohibit scanning a network.

 

Arguably, there's also a slightly different objective. A vulnerability scan should be comprehensive - I want to throw a very wide net in terms of what's vulnerable. A pentest looks more to see what is exploitable. You can have a vulnerability that isn't exploitable (yet) or might not be a high-value target. Conversely, a pentest might focus on a high-value target, even one without a technical vulnerability. Example: using spearphishing against someone with administrative access.

OliLue
Newcomer II

Thanks, I understand the point of view and understand the answer
OliLue
Newcomer II

Great. I understand the point
SanjeevK
Viewer II

Hi,

 

To my understanding, the attributes given in the question i.e. the patch level, improper services or improper configurations are more related to the identification of weaknesses of the current status in a system which can be identified by doing a vulnerability scan. It is not just against a known database, but it would also identify the weaknesses against the expected baselines - hence the improper services or configurations or patch levels. The vulnerability database could contain the list of exploits to an application or process behaviour at runtime but may not be suggestive for the baselines. 

 

Penetration Testing, on the other hand, is more of an attempt to break through the application's runtime environment and gain access to data for manipulation / destruction.

 

The very purpose of the two activities differ.

Hope you find this useful.

 

JohnEricsson
Newcomer I

I recall pulling my hair out (an expression, not literal) over a similar question on another exam.

I appreatiate the answers!

 

I will add....

If a manager was to ask for reports on patches levels and improper configurations it would be 100% overkill, poor value for money and a risk to start pentesting when an automated process can get you the answer and be much much quicker.  

...but the answers above are from people better than me.

 

I hate these types of questions, it would have been "better" (IMO) to say "If the CEO wants to have regular reports on ....., which process would you employ".Maybe this is one of those questions when they are testing you with a business leader hat and not an IT hat. In fact with this in mind, maybe the question is fine as is.

 

Early_Adopter
Community Champion

@johnErricson yeah the CEO should delegate that to the CISO, and the CISO should build the team that runs the tooling, and send the reports to the application/infra owners who should then train the vendors, developers and admins to keep the CVEs down.

The CISO should also run the purple-team boss and these guys should do normal validation and you can mix it up with externals because they tell you things your culture teaches you to miss.

Feed all of these into your review, and quantify as much as you can for the CEO but unless he, she or they happened to have done the job they won’t grok it all that well.