Premium Essay

Penetration Test vs. Vulnerability Assessment

In:

Submitted By Marinesdogs
Words 255
Pages 2
Penetration Test vs. Vulnerability Assessment
Ø Penetration testing ensures you that your network will not be penetrated by malicious users.
Ø Vulnerability Assessment gives an organization the ability to identify potentials for intrusion to their network.
Ø Penetration test are more intrusive
Reason for Assessement
Ø Identify the vulnerability

Ø Quantify the vulnerability

Ø Prioritizing the vulnerability

Internal vs. External

Ø Internal assessment shows the vulnerabilities that employees or anyone with access to the internal network and exploit them.

Ø External assessments shows the vulnerabilities from someone without direct access to the internal network.
Window of Vulnerability
Ø Unknown Window of Vulnerability

Ø Known Window of Vulnerability
Risk
Ø Vulnerability
Ø Attacks
Ø Threats
Ø Exposure

Risk = Vulnerability x Attacks x Threats x Exposure
Risk of Internal Assessment
Ø Can’t be truly objective

Ø Fair and impartial assessment

Management is force to deal with the “fox in the Hen House” problem
Steps 1-3 to an Successful Assessment
• Understand the consequences

• Document Management buy-in

• Develop manageable objectives

Step 4-6 to an Successful Assessment
• Determine method

• Plan for disruptions

• Develop an assessment in a impactful, yet understandable, way.

Qualified and Experienced outside Third Party.
Ø Protect yourself with an contract
Ø Breadth of experience
Ø Currency with the latest technical and legal development
Ø Cost effective
Ø Protect the Dissemination of the assessment finding
Legal
Gramm-Leach-Bliley Act
Ø ensure the appropriate safeguards of the security and confidentiality of customer records and information.
Ø Protect against anticipated threats
Ø Protect against unauthorized

Similar Documents

Premium Essay

Ethical Hacking and Network Defense Unit 2 Assignment

...network: • Ubuntu Linux 10.04 LTS Server (TargetUbuntu01) • Apache Web Server running the e-commerce Web application server • Credit card transaction processing occurs • The test will include penetrating past specific security checkpoints. • The test can compromise with written client authorization only. Goals and Objectives John Smith, CEO of E-commerce Sales, has requested that we perform a penetration test on the company’s production e-commerce Web application server and its Cisco network. It is our intention to run various penetration tests at irregular times in order to accurately test security measures that have been put in place. E-commerce Sales will not be aware of any of the penetration measures nor will they be aware of the times that this will be done. Information about the network will be gathered and analyzed for any open network interfaces. Success of the test is determined by determining any potential weaknesses in the network and being able to identify solutions to protect those weaknesses. Failure is determined by the inability to pinpoint any weaknesses in the system or to find weaknesses and not be able to suggest solutions. Tasks During the course of the penetration testing there are several different tasks that we will have to perform. These tasks are listed...

Words: 1705 - Pages: 7

Premium Essay

Nt1310 Unit 3 Assignment 3

...The biggest difference is that with a Vulnerability assessment you know your network security has issues and you want someone to help you locate and remediate those issues. The company will come in an scan the network looking for problems. The goal is to find all of them so the more they can give you the better you will be in the future. Once they find all the vulnerabilities they will help you to prioritize them into a list of most important issues to address first down to the least important issue. When you are ready and feel your network is running pretty well and you have the majority of the security issues fixed you are ready for a Penetration test. A Pen test will be done, generally, by an 3rd party. The 3rd party will have very...

Words: 333 - Pages: 2

Premium Essay

Cyber Security

...2011 Ethical Hacking & Penetration Testing ACC 626: IT Research Paper Emily Chow 20241123 July 1, 2011 I. Introduction Due to the increasing vulnerability to hacking in today’s changing security environment, the protection of an organization’s information security system has become a business imperative . With the access to the Internet by anyone, anywhere and anytime, the Internet’s “ubiquitous presence and global accessibility” can become an organization’s weakness because its security controls can become more easily compromised by internal and external threats. Hence, the purpose of the research paper is to strengthen the awareness of ethical hacking in the Chartered Accountants (CA) profession, also known as penetration testing, by evaluating the effectiveness and efficiency of the information security system. 2 1 II. What is Ethical Hacking/Penetration Testing? Ethical hacking and penetration testing is a preventative measure which consists of a chain of legitimate tools that identify and exploit a company’s security weaknesses . It uses the same or similar techniques of malicious hackers to attack key vulnerabilities in the company’s security system, which then can be mitigated and closed. In other words, penetration testing can be described as not “tapping the door” , but “breaking through the door” . These tests reveal how easy an organization’s security controls can be penetrated, and to obtain access to its confidential and sensitive information asset by hackers...

Words: 11999 - Pages: 48

Premium Essay

Ethical Hacking

...department at Caldwell Community College and Technical Institute within the North Carolina Community College System. Ethical Hacking 3 Ethical Hacking: Teaching Students to Hack The growing dependence and importance regarding information technology present within our society is increasingly demanding that professionals find more effective solutions relating to security concerns. Individuals with unethical behaviors are finding a variety of ways of conducting activities that cause businesses and consumers much grief and vast amounts annually in damages. As information security continues to be foremost on the minds of information technology professionals, improvements in this area are critically important. One area that is very promising is penetration testing or Ethical Hacking. The purpose of this paper is to examine effective offerings within public and private sectors to prepare security professionals. These individuals must be equipped with necessary tools, knowledge, and expertise in this fast growing proactive approach to information security. Following this examination a...

Words: 6103 - Pages: 25

Premium Essay

Metasploit Vulnerability Scanner Executive Proposal

...Metasploit Vulnerability Scanner Executive Proposal Paul Dubuque Table of Contents Page 3 Executive Summary Page 5 Background Information Page 6 Recommended Product Page 7 Product Capabilities Page 10 Cost and Training Page 11 References Page 13 Product Reviews Executive Summary To: Advanced Research Corporation Mr. J. Smith, CEO; Ms. S. Long, V.P. Mr. W Donaldson, CCO; Mr. A. Gramer, CCO & Mr. B. Schuler, CFO CC. Ms. K. Young, MR. G. Holdsoth From: P. Dubuque, IT Manager Advance Research Corporation (ARC) has grown rapidly during the last five years and has been very successful in developing new and innovative devices and medicines for the health care industry. ARC has expanded to two locations, New York, NY and Reston, VA which has led to an expanded computer network in support of business communications and research. ARC has been the victim of cyber-attacks on its network and web site, as well as false alegations of unethical practices. ARC’s network is growing, with over two thousand devices currently and reaching from VA to NY. ARC needs to ensure better security of communications, intellectual property (IP) and public image, all of which affect ARC’s reputation with the public and investors. ARC has previously limited information technology (IT) expenditures to desktop computers and network infrastructure hardware such as routers, firewalls and servers. It is imperative that ARC considers information security (IS) and begins to invest in products...

Words: 2593 - Pages: 11

Premium Essay

It-255

...baselining and gap analysis  Importance of monitoring systems throughout the IT infrastructure  Penetration testing and ethical hacking to help mitigate gaps  Security logs for normal and abnormal traffic patterns and digital signatures  Security countermeasures through auditing, testing, and monitoring test results IT255 Introduction to Information Systems Security © ITT Educational Services, Inc. All rights reserved. Page 3 EXPLORE: CONCEPTS IT255 Introduction to Information Systems Security © ITT Educational Services, Inc. All rights reserved. Page 4 Purpose of an IT Security Assessment Check effectiveness of security measures. Verify access controls. Validate established mechanisms. IT255 Introduction to Information Systems Security © ITT Educational Services, Inc. All rights reserved. Page 5 IT Security Audit Terminology  Verification  Validation  Testing  Evaluation IT255 Introduction to Information Systems Security © ITT Educational Services, Inc. All rights reserved. Page 6 Purpose of an IT Infrastructure Audit Verify that established controls perform as planned. Internal audits examine local security risks and countermeasures. External audits explore attacks from outside. IT255 Introduction to Information Systems Security © ITT Educational Services, Inc. All rights reserved. Page 7 IT Security Assessment vs. Audit Security...

Words: 799 - Pages: 4

Premium Essay

Vulnerability-Assessment

... Chapter 1 Vulnerability Assessment Solutions in this Chapter: I What Is a Vulnerability Assessment? I Automated Assessments I Two Approaches I Realistic Expectations Summary Solutions Fast Track Frequently Asked Questions 1 285_NSS_01.qxd 2 8/10/04 10:40 AM Page 2 Chapter 1 • Vulnerability Assessment Introduction In the war zone that is the modern Internet, manually reviewing each networked system for security flaws is no longer feasible. Operating systems, applications, and network protocols have grown so complex over the last decade that it takes a dedicated security administrator to keep even a relatively small network shielded from attack. Each technical advance brings wave after wave of security holes. A new protocol might result in dozens of actual implementations, each of which could contain exploitable programming errors. Logic errors, vendor-installed backdoors, and default configurations plague everything from modern operating systems to the simplest print server.Yesterday’s viruses seem positively tame compared to the highly optimized Internet worms that continuously assault every system attached to the global Internet. To combat these attacks, a network administrator needs the appropriate tools and knowledge to identify vulnerable systems and resolve their security problems before they can be exploited. One of the most powerful tools available today is the vulnerability assessment, and this chapter...

Words: 9203 - Pages: 37

Premium Essay

Ethical Hacking

...Traditionally, a Hacker is someone who likes to play with Software or Electronic Systems. Hackers enjoy Exploring and Learning how Computer systems operate. They love discovering new ways to work electronically. Hacker is a word that has two meanings: 1-Recently, Hacker has taken on a new meaning someone who maliciously breaks into systems for personal gain. 2-Technically, these criminals are Crackers as Criminal Hackers. Crackers break into systems with malicious Intentions An ethical hacker is a computer and network expert who attacks a security system on behalf of its owners, seeking vulnerabilities that a malicious hacker could exploit. To test a security system, ethical hackers use the same methods as their less principled counterparts, but report problems instead of taking advantage of them. Ethical hacking is also known as penetration testing, intrusion testing...

Words: 2587 - Pages: 11

Premium Essay

Test Paper

...CompTIA Security+: Get Certified Get Ahead SY0-401 Study Guide Darril Gibson Dedication To my wife, who even after 22 years of marriage continues to remind me how wonderful life can be if you’re in a loving relationship. Thanks for sharing your life with me. Acknowledgments Books of this size and depth can’t be done by a single person, and I’m grateful for the many people who helped me put this book together. First, thanks to my wife. She has provided me immeasurable support throughout this project. The technical editor, Steve Johnson, provided some good feedback throughout the project. If you have the paperback copy of the book in your hand, you’re enjoying some excellent composite editing work done by Susan Veach. I’m extremely grateful for all the effort Karen Annett put into this project. She’s an awesome copy editor and proofer and the book is tremendously better due to all the work she’s put into it. While I certainly appreciate all the feedback everyone gave me, I want to stress that any technical errors that may have snuck into this book are entirely my fault and no reflection on anyone who helped. I always strive to identify and remove every error, but they still seem to sneak in. About the Author Darril Gibson is the CEO of YCDA, LLC (short for You Can Do Anything). He has contributed to more than 35 books as the sole author, a coauthor, or a technical editor. Darril regularly writes, consults, and teaches on a wide variety of technical...

Words: 125224 - Pages: 501

Free Essay

Is4550 Unit 3 Assignment 1

.....  3   CSC  1:    Inventory  of  Authorized  and  Unauthorized  Devices  ............................................................................  8   CSC  2:    Inventory  of  Authorized  and  Unauthorized  Software  .......................................................................  14   CSC  3:    Secure  Configurations  for  Hardware  and  Software  on  Mobile  Devices,  Laptops,   Workstations,  and  Servers  .......................................................................................................................................  19   CSC  4:    Continuous  Vulnerability  Assessment  and  Remediation  .................................................................  27   CSC  5:    Malware  Defenses  ..........................................................................................................................................  33   CSC  6:    Application  Software  Security  ...................................................................................................................  38   CSC  7:    Wireless  Access  Control  ...............................................................................................................................  43   CSC  8:...

Words: 31673 - Pages: 127

Premium Essay

Information Security

...information security management standards, plus potential metrics for measuring and reporting the status of information security, both referenced against the ISO/IEC standards. Scope This guidance covers all 39 control objectives listed in sections 5 through 15 of ISO/IEC 27002 plus, for completeness, the preceding section 4 on risk assessment and treatment.  Purpose This document is meant to help others who are implementing or planning to implement the ISO/IEC information security management standards.  Like the ISO/IEC standards, it is generic and needs to be tailored to your specific requirements. Copyright This work is copyright © 2010, ISO27k Forum, some rights reserved.  It is licensed under the Creative Commons Attribution-Noncommercial-Share Alike 3.0 License.  You are welcome to reproduce, circulate, use and create derivative works from this provided that (a) it is not sold or incorporated into a commercial product, (b) it is properly attributed to the ISO27k Forum at www.ISO27001security.com, and (c) derivative works are shared under the same terms as this. Ref. | Subject | Implementation tips | Potential metrics | 4. Risk assessment and treatment | 4.1 | Assessing security risks | Can use any information security risk management method, with a preference for documented, structured and generally accepted methods such as OCTAVE, MEHARI, ISO TR 13335 or BS 7799 Part 3. See ISO/IEC 27005 for general advice. | Information security risk management...

Words: 4537 - Pages: 19

Premium Essay

Free

...PERFORMANCE WORK STATEMENT Table of Contents 1 OVERVIEW 1 2 CONTRACT REQUIREMENTS 1 2.1 Objectives Fulfillment 1 2.1.1 Business Objectives 1 2.1.2 Technical Objectives 2 2.1.3 Management Objectives 3 2.2 Assumptions and Constraints 3 2.2.1 Access Control 4 2.2.2 Authentication 4 2.2.3 HSPD-12 Personnel Security Clearances 4 2.2.4 Non-Disclosure Agreements 5 2.2.5 Accessibility 5 2.2.6 Data 5 2.2.7 Confidentiality, Security, and Privacy 5 2.3 Tasks/Sub-Tasks to Be Performed Related to Initiating the Service 6 2.3.1 Task 1: 6 2.3.2 Task 2: 7 2.4 Period of Performance 7 3 PERFORMANCE MANAGEMENT OF THE DELIVERED SERVICES 8 3.1 Modifications to Service Level Agreements 8 3.2 Changes to Key Performance Measures. 8 3.3 Quality Assurance Evaluation 8 3.4 Government Roles and Responsibilities. 9 3.4.1 Contracting Officer (CO) 9 3.4.2 Contract Specialist 9 3.4.3 Contracting Officer’s Technical Representative (COTR) 10 3.4.4 Other Key Government Personnel 10 3.5 Contractor Roles and Responsibilities 10 4 METHODS OF QUALITY ASSURANCE SURVEILLANCE 11 5 SECURITY REQUIREMENTS 11 5.1 Required Policies and Regulations for GSA Contracts 11 5.2 GSA Security Compliance Requirements 13 5.3 Certification and Accreditation (C&A) Activities 13 5.3...

Words: 7425 - Pages: 30

Premium Essay

Is4799 Capstone

...Information Systems and Cyber-security Capstone Project) A COMPREHENSIVE PROJECT SUBMITTED TO THE INFORMATION SYSTEMS SECURITY PROGRAM IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE BACHELOR’S DEGREE by Jorge Perez ITT TECHNICAL INSTITUTE Miami, Florida September, 2015 Unit 1 Phased Project Approach and High Level Project Plan Outline Our current status is great but, we are need to do some changes in in order to fulfill the request. Since we only have 22 employees and it is necessary that we will move within the next 3 weeks, there are few thing needed to complete this. I need will need to rent a 3 trucks with trailers of 52 feet each this will way it will only take us 1 trip to get everything down to Miami, the cost for each truck will be 1500 per truck to get everything. I will need to hire about 5 to 8 people to remove everything from our office and take it to the trucks to be shipped. Unit 1 Phased Project Approach and High Level Project Plan Outline • How soon would I know if this process will be approved? • Would I be able to pay overtime to my contract employees • What would be the amount limit that I can use for the transportation? • How many employees can I get to move to Miami? • What would be the maximum I can spend monthly on rent for my new location? Unit 1 Phased Project Approach and High Level Project Plan Outline • How...

Words: 5009 - Pages: 21

Premium Essay

Sscp Study Notes

...SSCP Study Notes 1. Access Controls 2. Administration 3. Audit and Monitoring 4. Risk, Response, and Recovery 5. Cryptography 6. Data Communications 7. Malicious Code Modified version of original study guide by Vijayanand Banahatti (SSCP) Table of Content 1.0 ACCESS CONTROLS…………………………………………………………...... 03 2.0 ADMINISTRATION ……………………………………………………………... 07 3.0 AUDIT AND MONITORING…………………………………………………...... 13 4.0 RISK, RESPONSE, AND RECOVERY………………………………………....... 18 5.0 CRYPTOGRAPHY……………………………………………………………....... 21 6.0 DATA COMMUNICATIONS…………………………………………………...... 25 7.0 MALICIOUS CODE……………………………………………………………..... 31 REFERENCES………………………………………………………………………........ 33 1.0 ACCESS CONTROLS Access control objects: Any objects that need controlled access can be considered an access control object. Access control subjects: Any users, programs, and processes that request permission to objects are access control subjects. It is these access control subjects that must be identified, authenticated and authorized. Access control systems: Interface between access control objects and access control subjects. 1.1 Identification, Authentication, Authorization, Accounting 1.1.1 Identification and Authentication Techniques Identification works with authentication, and is defined as a process through which the identity of an object is ascertained. Identification takes place by using some form of authentication. Authentication Types Example Something you know...

Words: 17808 - Pages: 72

Premium Essay

Business

...Journal of Management Information Systems, Vol. 22, No. 4, Spring 2006: 109-142. An Information Systems Security Risk Assessment Model under Dempster-Shafer Theory of Belief Functions Lili Sun Rutgers, The State University of New Jersey Rajendra P. Srivastava The University of Kansas and Theodore J. Mock University of Southern California and University of Maastricht Acknowledgements: We would like to thank the audit firm for making their audit work papers available for the study. We sincerely appreciate the help provided by the audit manager and for suggestions provided by Mike Ettredge, Greg Freix, Prakash Shenoy, and participants in AIS workshops at the University of Kansas and the 6th Annual INFORMS Conference on Information Systems and Technology. In addition, the authors would like to thank Drs. Jay F. Nunamaker, Jr., and Robert Briggs, Editor, Special Issue of JMIS, and the three anonymous reviewers for their constructive comments and valuable suggestions for revising the paper. 1 An Information Systems Security Risk Assessment Model under Dempster-Shafer Theory of Belief Functions ABSTRACT: This study develops an alternative methodology for the risk analysis of information systems security (ISS), an evidential reasoning approach under the Dempster-Shafer theory of belief functions. The approach has the following important dimensions. First, the evidential reasoning approach provides a rigorous, structured manner to incorporate relevant ISS risk...

Words: 15140 - Pages: 61