How to perform penetration testing and vulnerability assessments

By Mr. Shomiron Dasgupta, CEO & Founder, DNIF

Vulnerability assessment (VA) and penetration testing (often shortened to “pentesting”) are effective techniques for identifying and eliminating risks in a software system. In IT security, a vulnerability is a kind of loophole or weak link in a software system. While penetration testing is a planned attack on a software system that simulates the approaches used by real attackers, vulnerability assessment is the use of automated scanners to locate loopholes in design, implementation and other facets of a system that could jeopardize the security of sensitive information.

Setting goals

To get the most out of pentesting and VA, you need to first establish your goals. Goal setting, the first stage of the process, is your opportunity to define what you want to achieve before you begin working. For example, you may decide to run a penetration test against a new or updated application before rolling it out to all your systems. This way, you can ensure that the application will not open your network up to attacks.

In contrast, the automated nature of vulnerability assessment makes it better suited to regular, proactive use. You can use the results of these assessments to minimize the surface area exposed to attacks, reducing the potential damage from a successful attack at the same time.

To set appropriate goals, you need to gather data about the assets to be tested and their associated risk levels. These assets may include endpoint devices, servers, firewalls, or even entire networks. Broadly, you want to determine which assets have the highest risk of being affected by an attack.

Additional risk factors to consider include open ports, active services, and the users who have access to any given asset. Minimizing these risk factors reduces the options available to would-be attackers.
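One way to turn this data gathering into a test order is sketched below. It is an added example, not part of the original article: the inventory is constructed sample data, and the criticality scale and factor weights are assumptions to be tuned for your own environment.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    kind: str                # endpoint, server, firewall or network
    criticality: int         # assumed scale: 1 (low) to 5 (business critical)
    open_ports: frozenset
    services: frozenset
    users_with_access: int

# Assumed weights per risk factor (illustrative, not from the article).
WEIGHTS = {"open_ports": 2.0, "services": 3.0, "users_with_access": 0.5}

def contributions(asset):
    """Weighted contribution of each risk factor to the asset's exposure."""
    return {
        "open_ports": WEIGHTS["open_ports"] * len(asset.open_ports),
        "services": WEIGHTS["services"] * len(asset.services),
        "users_with_access": WEIGHTS["users_with_access"] * asset.users_with_access,
    }

def risk_score(asset):
    """Exposure scaled by how much the asset matters to the business."""
    return asset.criticality * sum(contributions(asset).values())

def dominant_factor(asset):
    """The factor whose reduction would lower this asset's exposure the most."""
    c = contributions(asset)
    return max(c, key=c.get)

def prioritize(assets):
    """Highest-risk assets first: test and harden these before the rest."""
    return sorted(assets, key=risk_score, reverse=True)

# Constructed sample inventory.
INVENTORY = [
    Asset("web-01", "server", 4, frozenset({22, 80, 443, 8080}), frozenset({"sshd", "nginx"}), 10),
    Asset("db-01", "server", 5, frozenset({5432}), frozenset({"postgres"}), 4),
    Asset("fw-edge", "firewall", 5, frozenset({443}), frozenset({"mgmt-ui"}), 2),
    Asset("laptop-17", "endpoint", 2, frozenset(), frozenset(), 1),
    Asset("fileshare-02", "server", 3, frozenset({139, 445}), frozenset({"smb"}), 60),
]

if __name__ == "__main__":
    for a in prioritize(INVENTORY):
        print(f"{a.name:13} {a.kind:9} score={risk_score(a):6.1f} reduce first: {dominant_factor(a)}")
```

In this sample the file share outranks the more critical database because of how many users can reach it, which is the kind of result the goal-setting stage is meant to surface.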

Performing the test

The next step is to perform the test of your choice. Typically, penetration testing is a manual approach, while vulnerability assessments rely more heavily on automated tools. In penetration testing, a security specialist uses a variety of software to identify loopholes in logic, libraries and functions that make an attack possible. In a vulnerability assessment, an automated tool passes various inputs to the application or system being tested. It records the responses it receives to check for vulnerabilities that could be exploited, leading to arbitrary code execution or another security event.

In any case, those performing the test should be aware of any business-related compliance requirements and determine the best time and date to perform the test.


To conclude the test, the tester must reverse any changes made during the course of a simulated attack, returning the network to its original state. The importance of the assets being tested and the findings from the tests performed can form a basis for developing and implementing risk mitigation techniques. The end result is a network which is more difficult to attack.

Shomiron Dasgupta, Founder and CEO of DNIF, is a highly experienced Intrusion Analyst and has been building threat detection systems for more than a decade. Over the years he has worked intensively on DDoS mitigation, Traffic Anomaly, Collaborative Detection Systems, Trace Tools, BigData, Real-time FishBowling, Multi-layer Correlation, Reporting Technologies, Audit Systems, Frameworks, Parallel Processing and Measurable Security.