Security+: Penetration Testing vs. Vulnerability Scanning (SY0-401)
Please note: this article is based on information about the previous version of the Security+ exam (SY0-401), which expired in May of 2018. For updated information, please see our up-to-date Security+ listing.
COMPTIA’s Security+ is one of the best certifications for professionals who want to demonstrate their information security knowledge and skills and start building a solid career in this ever-evolving/challenging field. The certification’s content includes essential principles for network security and risk management, covering topics that will deal with the important tasks of identifying and treating situations where even a single security issue could prove to be an unbearable risk.
But what is the best way to deal with vulnerabilities? How can you prove that they really exist and can be exploited? Is it possible to ensure that the current security controls provide enough protection and resilience to prevent sophisticated hacker attacks? Are there weaker areas you should focus your hardening efforts? Those are all very important questions a Security Professional should be able to answer based on two types of assessments: Penetration Testing and Vulnerability Scanning.
Understanding the concepts
Penetration Testing and Vulnerability Scanning share a common goal: Both are practical tests, focused on discovering vulnerabilities: A weakness in the design, implementation, operation or internal control that could expose an information asset to adverse threats from threat events.
The main difference comes from the fact that while a vulnerability assessment is mostly a passive effort (e.g. connecting to an operational system and checking for missing patches or the use of an unsecure protocol such as http instead of https), a penetration test will take a step further and try exploiting any identified vulnerability, such as the ones mentioned above, and create evidence of what can be accomplished once the system is compromised. This means that during a penetration test, you are basically using the same tactics, techniques and probably even the very similar tools to those available to cybercriminals.
By this very definition, a Penetration Test is an a controlled active attack on your own environment, so it is very important to have formal authorization and be clear on how to proceed in the case a system restore is necessary after the tests, otherwise the impact can be quite similar to a real attack.
What to know about Vulnerability Scanning
As mentioned before, a vulnerability scan or vulnerability assessment is mostly a passive test focused on information gathering on possible security weaknesses. This can be done on individual computers, network devices, websites, applications, security assets or any other device, provided you can access and scan it.
Basic scanning even be done with no authentication. For example, a port scan is a great way to check if a device on the network is active and what ports are responding. This can be used to map an entire network and define how further testing will proceed. In general terms, these are considered non-intrusive scans, but they are just the first step.
For a more in depth vulnerability assessment, it is usual to employ automated software combined with a privileged account and remotely enumerate any form of security weakness. Vulnerabilities can come from a variety of sources, such as an unnecessary open ports, missing patches and updates for operational systems, poor authentication controls/protocols for network devices, a coding vulnerability (i.e. SQL Injection, XSS) or even misconfiguration of system/security controls due to the lack of a good security policy.
The key part of a vulnerability scan is storing as much information as possible, since this data will be compiled into a report designed to summarize your threat level based on what was found out. Most Vulnerability Scanning software will grade and categorize results based on online vulnerabilities databases from trustworthy sources like NIST NVD (National Vulnerability Database) and the Common Vulnerabilities and Exposures (CVE) List. This information and can even point you in the right direction (e.g. recommend applying an update or disabling a vulnerable protocol), but again, the entire point of this assessment is having a clear view of current vulnerabilities. Correcting them is part of another very important discipline (risk management).
What do I need to know about penetration testing for the Security+ exam?
Gathering information is not nearly enough proof that a vulnerability will in fact affect a system. So, the next logical step is actually proving a weakness can be exploited and, if successful, how it will affect the compromised system. This approach is what differentiates Vulnerability Scanning from Penetration Testing.
Essentially there are three basic phases of a Penetration Test: Reconnaissance, Scanning and Exploitation.
From a technical standpoint, doing reconnaissance and scanning is quite similar to executing a vulnerability scan. But there is one clear difference: access level. Since you are simulating a real attack, it stands to reason that in most cases an attacker will have minimal knowledge on the target and any form of security measures that are implemented. Also, if you are going full black box, efforts should be taken to avoid detection even on the early stages of information gathering.
Once you have identified your target and any form of weakness, then comes the Exploitation. At this point technical knowledge plays a major role. Knowing a weakness exists is quite different from being able to actually exploit it.
The tools for penetration testing are varied and dynamic, for instance with MASSCAN you can scan the Internet in minutes, or select from various web application security scanners to help in finding and exploiting weaknesses. You can find entire Linux distributions or commercial tools dedicated to this subject, but keep in mind that it is not the tool that performs the test, rather it is actually the tester. Again, it is essential to have a profound understanding of technical concepts and be able to think outside the box.
One you are able to verify that an exploit works, it is important to take note of what you can accomplish. For example, you may have gained non-privileged access to a system and be able to read a specific piece of information. What can you accomplish with that? What would be the impact in the event of a real attack? Can you use this new access as a vector for further more relevant attacks or try privilege escalation? The entire idea of performing penetration testing is to have a pragmatic view on the risk scenario so you can better protect your system in the near future.
Need some help?
Penetration testing and vulnerability scanning are just two of several concepts a Security+ candidate should feel confident in to perform well during the certification exam.
If you need to reinforce theory and want to “learn by doing” and put those concepts into actual practice, take a look at the Security+ boot camp.