Vulnerability scanning vs. penetration testing.
Brian K. Ferrill, M.B.A.
Instructor, PACE-IT Program Edmonds Community College
Vulnerability scanning and penetration testing.
Vulnerability scanning is usually conducted using specialized
applications in an effort to find weaknesses in a network.
It is usually conducted using protocol analyzers (also
called packet sniffers) and port scanners. These
applications can be used to determine which protocols
and services are being used on a network. Protocol
analyzers can also be used to determine which ports are
open on a network. This information can be used by
security experts to help harden the network against
attack.
Vulnerability scanning does not attempt to exploit any
weaknesses that are found. It only identifies them for the
security personnel.
Vulnerability scanning.
- The purpose is to assess the configuration of systems and
  networks to determine what can be done to increase the level
  of security.
- This is done passively by collecting information and
  reporting on the information collected in a non-intrusive
  manner.
- The scan can help to identify different issues.
  - Lack of security controls.
  - Common misconfigurations (in applications and devices).
  - Other vulnerabilities.
- Two different types of vulnerability scans should be
  conducted.
  - As an authorized user: a credentialed scan should be
    conducted from an administrative account.
  - As an unauthorized user: a noncredentialed scan should be
    conducted to determine what an unauthorized user may find
    out about the system.
- A false positive may be reported by vulnerability scans.
  - Something reported as a vulnerability that isn't actually
    one.
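An added example, not part of the original slides: one way to compare
the results of a noncredentialed and a credentialed scan so that likely
false positives and issues visible only from inside stand out. The
finding format, check names and hosts are constructed, and treating the
credentialed result as authoritative is an assumption of this sketch.

```python
# Constructed sample data: hosts (RFC 5737 addresses), check names and fields
# are illustrative assumptions, not the output format of any real scanner.
NONCRED = [  # findings visible to an unauthorized user on the network
    {"host": "192.0.2.5", "check": "openssh-outdated"},   # inferred from a banner
    {"host": "192.0.2.5", "check": "telnet-enabled"},
    {"host": "192.0.2.9", "check": "smb-signing-disabled"},
]
CRED = [  # checks run from an administrative account on 192.0.2.5 only
    {"host": "192.0.2.5", "check": "openssh-outdated", "vulnerable": False},
    {"host": "192.0.2.5", "check": "telnet-enabled", "vulnerable": True},
    {"host": "192.0.2.5", "check": "weak-password-policy", "vulnerable": True},
]


def triage(noncred, cred):
    """Compare the two scan types per (host, check) and bucket each finding."""
    verified = {(f["host"], f["check"]): f["vulnerable"] for f in cred}
    external = {(f["host"], f["check"]) for f in noncred}
    buckets = {"confirmed": [], "false_positive": [],
               "unverified": [], "internal_only": []}
    for key in sorted(external):
        if key not in verified:
            buckets["unverified"].append(key)      # no credentialed result yet
        elif verified[key]:
            buckets["confirmed"].append(key)       # seen outside, verified inside
        else:
            buckets["false_positive"].append(key)  # reported, but not actually one
    for key in sorted(verified):
        if verified[key] and key not in external:
            buckets["internal_only"].append(key)   # invisible to an outsider
    return buckets


if __name__ == "__main__":
    for bucket, findings in triage(NONCRED, CRED).items():
        for host, check in findings:
            print(f"{bucket:15} {host:12} {check}")
```

Findings in the unverified bucket still need a credentialed scan of that
host before they are either fixed or dismissed.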
Levels of testing.
Topic Summary
Vulnerability scanning and penetration testing.
Vulnerability scanning is the passive collection of information on
the configuration of systems and networks in an effort to
determine how security might be improved. Penetration testing is
using attack methods in an effort to breach security. The
information gathered from pen testing is used to increase the
security of systems and networks. The pen tester must have
explicit permission to perform the testing, because without the
permission it is actually an illegal action.
This workforce solution was 100 percent funded by a $3 million grant
awarded by the U.S. Department of Labor's Employment and Training
Administration. The solution was created by the grantee and does not
necessarily reflect the official position of the U.S. Department of Labor. The
Department of Labor makes no guarantees, warranties, or assurances of any
kind, express or implied, with respect to such information, including any
information on linked sites and including, but not limited to, accuracy of the
information or its completeness, timeliness, usefulness, adequacy, continued
availability or ownership. Funded by the Department of Labor, Employment
and Training Administration, Grant #TC-23745-12-60-A-53.
PACE-IT is an equal opportunity employer/program and auxiliary aids and
services are available upon request to individuals with disabilities. For those
that are hearing impaired, a video phone is available at the Services for
Students with Disabilities (SSD) office in Mountlake Terrace Hall 159. Check
www.edcc.edu/ssd for office hours. Call 425.354.3113 on a video phone for
more information about the PACE-IT program. For any additional special
accommodations needed, call the SSD office at 425.640.1814. Edmonds
Community College does not discriminate on the basis of race; color; religion;
national origin; sex; disability; sexual orientation; age; citizenship, marital, or
veteran status; or genetic information in its programs and activities.