82


Chapter 9. Vulnerability Assessment


9.2. Defining Assessment and Testing


A clear distinction between the types of vulnerability assessments is necessary. Vulnerability assess 


ments may be broken down into one of two types: Outside looking in and inside looking around.


When performing an outside looking in vulnerability assessment you are attempting to compromise


your systems from the outside. Being external to your company provides you with the cracker's view 


point. You see what a cracker sees   legal IP addresses, systems on your DMZ, external interfaces of


your firewall, and more.


When you perform an inside looking around vulnerability assessment you are somewhat at an advan 


tage since you are internal and your status is elevated to trusted. This is the viewpoint you and your


co workers have once logged on to your systems. You see print servers, file servers, databases, and


other resources.


There are striking distinctions between these two types of vulnerability assessments. Being internal


to your company gives you elevated privileges   more so than any outsider. Still today in most


organizations, security is configured in such a manner as to keep intruders out. Very little is done to


secure the internals of the organization (such as departmental firewalls). Typically, there are many


more resources when inside looking around as most systems are internal to a company. Once you set


yourself outside the company, you immediately are given untrusted status. The systems and resources


available to you externally are typically much more limited.


Consider the difference between vulnerability assessments and penetration tests. Think of a vulnera 


bility assessment as the first step to a penetration test. The information gleaned from the assessment


will be used in the testing. Whereas, the assessment is checking for holes and potential vulnerabilities,


the penetration testing actually attempts to exploit the findings.


Assessing network infrastructure is a dynamic process. Security, both information and physical, is


dynamic. Performing an assessment shows an overview, which can turn up false positives and false


negatives.


Security administrators are only as good as the tools they use and the knowledge they retain. Take any


of the assessment tools currently available, run them against your system, and it is almost a guarantee


that there will be at least some false positives. Whether by program fault or user error, the result is the


same. The tool may find vulnerabilities which in reality do not exist (false positive); or, even worse,


the tool may not find vulnerabilities that actually do exist (false negative).


Now that the difference between vulnerability assessment and penetration test are defined, it is often


good practice to take the findings of the assessment and review them carefully before conducting a


penetration test.


Warning


Attempting to exploit vulnerabilities can be dangerous to the productivity and efficiency of your sys 


tems and network.


The following list examines some of the benefits to performing vulnerability assessments.


Proactive focus on information security


Finding potential exploits before crackers find them


Typically results in systems being kept up to date and patched


Promotes growth and aids in developing staff expertise


Financial loss and negative publicity abated








footer






  


 


 


        

 


 

  

    

      
      
 Home 
      | About Us | Network 
      | Services | Support 
      | FAQ | Control Panel 
      | Order Online |
      Sitemap | Contact

      

      web hosting comparison

      
 

    

  

  




Our partners: 
PHP: Hypertext Preprocessor Best Web Hosting
Java Web Hosting
Inexpensive Web Hosting 
Jsp Web Hosting 




Cheapest Web Hosting
Jsp Hosting
Cheap Hosting



Visionwebhosting.net Business web hosting division of Web 
Design Plus. All rights reserved