Network Security Assessment: From Vulnerability to Patch

Chapter 6: Going Further

Introduction

Vulnerability assessment (VA) represents a key element of an organization's information security program. A VA highlights an organization's security liabilities and helps asset owners, security managers, and business leaders determine information security risk. VAs only report vulnerabilities, though. They don't substantiate that vulnerabilities actually exist; penetration tests do that.

The past few chapters discussed the tools, methodologies, and concepts that go into VA. This chapter assimilates that information and continues with penetration testing. We'll discuss the two types of penetration (pen) tests, walk through a pen test, cover the differences between VAs and pen tests, and discuss the pros and cons of conducting penetration tests from inside versus outside our corporate network.

Types of Penetration Tests

Penetration testing is the process of evaluating the security posture of a computer system, network, or application (assets). The process involves analyzing assets for any weaknesses, configuration flaws, or vulnerabilities. The analysis is carried out from the perspective of a potential attacker and leverages exploitation of known and possibly unknown security vulnerabilities.

There are two types of penetration tests: black box and white box tests. Black box testing assumes no prior knowledge of the environment to be tested, and the testers must first determine the location and extent of the assets before commencing their analysis. At the other end of the spectrum, white box testing provides the testers with complete knowledge of the environment to be tested, often including network diagrams, source code, and Internet Protocol (IP) addressing information. As one might...
