The majority of online articles describe the differences between penetration testing and vulnerability assessment. But the two are related and should always be considered together as part of an organization’s overall cybersecurity strategy. What happens when we view the processes together as a team sport?
In general, vulnerability assessment is the process of discovering and analyzing vulnerabilities and penetration testing is the process of exploiting those vulnerabilities to help determine the best mitigation technique.
The IT industry typically includes vulnerability assessment as one step in the pen testing process. But sadly, many of the vulnerabilities discovered are never mitigated, because a patch is incompatible with the system or because there is no budget for the fix. These vulnerabilities must be managed until the underlying weakness is finally remediated, which is often a long period of time.
The Sports Connection: When Do You Call in The Defense?
The penetration tester is similar to a quarterback in American football. They engage in offense and must analyze the current situation to determine their next move. They must find a target and determine whether to pass, run or hand off the ball. And most importantly, they must determine when they are overwhelmed and when it is time to bring in the defensive team.
In pen testing, when a vulnerability is discovered that cannot be mitigated, the defensive team needs to take over. This team is responsible for vulnerability management to defend the vulnerable system over time. Because pen testing is often consulting work, the pen tester will leave after completing the tests. Someone from the hiring company must take over the vulnerability management tasks once the consultant departs.
The vulnerability management team is usually a different team than the penetration testers and may include the following IT roles:
- Security administrators
- System administrators
- Network administrators
- Cybersecurity analysts
- Cybersecurity engineers
They are all network defenders, and their job roles will vary depending on the organization. But once the defenders take over the process, they must continue to work with penetration testers over time because new vulnerabilities are found every day.
For example, future penetration testing will probably identify new vulnerabilities on the unmitigated system, beyond those originally identified by the pen testers. It is important that these new vulnerabilities are incorporated into the system's vulnerability management lifecycle. Without this continuous loop of penetration testing and vulnerability assessment, the vulnerable system may become even more vulnerable and put other systems at risk.
CompTIA PenTest+ Covers Penetration Testing and Vulnerability Assessment
Nearly one-quarter of the CompTIA PenTest+ (PT0-002) exam objectives (22%) focus on performing vulnerability assessment and management activities. This percentage is much larger than the nearest competitor, Certified Ethical Hacker (CEH), with only 8% of the objectives addressing vulnerability topics.
CompTIA emphasizes vulnerabilities because industry research shows that vulnerabilities don’t go away. Instead, they continue to increase as new software is released on the internet, new bugs are found and new attacks are created. In other words, the problem is expected to get worse before it gets better, so it needs to be emphasized.
The skills listed below are the CompTIA PenTest+ (PT0-002) exam objectives that support vulnerability skills as part of the overall penetration testing process.
Exam Domain 2: Information Gathering and Vulnerability Scanning
Exam Objective 2.4: Given a scenario, perform vulnerability scanning.
This objective covers the core activities required for vulnerability scanning and the many variables involved when performing the hands-on tasks, including automated techniques as follows.

| Topic | Details |
| --- | --- |
| Considerations of vulnerability scanning | Time to run scans, protocols, network topology, bandwidth limitations, query throttling, fragile systems, non-traditional assets |
| Scan identified targets for vulnerabilities | |
| Set scan settings to avoid detection | |
| Scanning methods | Stealth scan, Transmission Control Protocol (TCP) connect scan, credentialed vs. non-credentialed |
| Nmap | Nmap Scripting Engine (NSE) scripts, common options: -A, -sV, -sT, -Pn, -O, -sU, -sS, -T1 through -T5, --script=vuln, -p |
| Vulnerability testing tools that facilitate automation | |
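
The Nmap options in this objective produce the raw output that the hand-off to the vulnerability management team depends on. The following is an added example, not code from this article, CompTIA or the Nmap project: it parses the XML that Nmap writes with -oX after a --script=vuln run into trackable findings, keeps only the checks that reported a vulnerable state, and diffs a rescan against the findings already being tracked, which is the continuous loop described earlier. The scan file, host 192.0.2.10 and the script id http-vuln-example are constructed placeholders, and the state classification assumes the "State: VULNERABLE / LIKELY VULNERABLE / NOT VULNERABLE" wording that NSE's vulns library emits.

```python
"""Turn Nmap XML output (the format written by `nmap -sV --script=vuln -oX scan.xml <target>`)
into findings the vulnerability management team can track across rescans.
Added example, not CompTIA's or Nmap's code; the XML below is constructed."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample in the nmap -oX layout. The host, services and the
# script id "http-vuln-example" are invented placeholders, not real scan data.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV --script=vuln -oX scan.xml 192.0.2.10">
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="ExampleSSH" version="1.0"/>
        <script id="ssh-vuln-example" output="State: NOT VULNERABLE"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" product="ExampleHTTPd" version="1.0"/>
        <script id="http-vuln-example" output="&#10;  VULNERABLE:&#10;  Placeholder path traversal finding&#10;    State: VULNERABLE"/>
        <script id="http-csrf" output="Couldn't find any CSRF vulnerabilities."/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="closed"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

VULNERABLE = "vulnerable"
LIKELY = "likely_vulnerable"
NOT_VULNERABLE = "not_vulnerable"
INFO = "info"


def classify(output: str) -> str:
    """Map NSE script output to a tracking state (assumes the vulns-library wording)."""
    m = re.search(r"State:\s*(NOT VULNERABLE|LIKELY VULNERABLE|VULNERABLE)", output)
    if m:
        return {"NOT VULNERABLE": NOT_VULNERABLE,
                "LIKELY VULNERABLE": LIKELY,
                "VULNERABLE": VULNERABLE}[m.group(1)]
    if re.match(r"\s*VULNERABLE:", output):
        return VULNERABLE
    return INFO  # scripts that only print information, no vulnerability verdict


@dataclass(frozen=True)
class Finding:
    host: str
    protocol: str
    port: int
    service: str
    script_id: str
    state: str

    @property
    def key(self) -> str:
        # Stable identity across rescans: same host, same port, same check
        return f"{self.host}:{self.protocol}/{self.port}:{self.script_id}"


def _ipv4(host: ET.Element) -> str:
    for addr in host.findall("address"):
        if addr.get("addrtype") == "ipv4":
            return addr.get("addr", "unknown")
    return "unknown"


def parse_findings(xml_text: str) -> list:
    """One Finding per NSE script result on an open port; closed ports are skipped."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("host"):
        addr = _ipv4(host)
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            service = svc.get("name", "") if svc is not None else ""
            for script in port.findall("script"):
                findings.append(Finding(addr, port.get("protocol", ""), int(port.get("portid")),
                                        service, script.get("id", ""),
                                        classify(script.get("output", ""))))
    return findings


def needs_tracking(findings: list) -> list:
    """Only vulnerable or likely-vulnerable results go onto the defenders' backlog."""
    return [f for f in findings if f.state in (VULNERABLE, LIKELY)]


def new_since(tracked_keys: set, findings: list) -> list:
    """The continuous loop: findings from a rescan that are not yet being tracked."""
    return [f for f in needs_tracking(findings) if f.key not in tracked_keys]


if __name__ == "__main__":
    current = parse_findings(SAMPLE_NMAP_XML)
    for f in new_since(set(), current):
        print(f"NEW  {f.key}  service={f.service}  state={f.state}")
```

On a later rescan, pass the keys of the findings already in the tracker to new_since() so the defenders see only what the latest test added rather than the whole list again.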
Exam Domain 4: Reporting and Communication
Exam Objective 4.1: Compare and contrast important components of written reports.
This objective covers how to report vulnerabilities and communicate them to other stakeholders, including other IT staff and compliance managers. For example, the ability to produce a well-defined and simple vulnerability report is rare, yet such a document is required in order to integrate consistently with the rest of an organization and to remain compliant with regulations and frameworks such as PCI DSS, NIST and SOC 2.

| Topic | Details |
| --- | --- |
| Report audience | C-suite, third-party stakeholders, technical staff, developers |
| Report contents (not in particular order) | Executive summary, scope details, methodology including attack narrative, findings including risk rating (reference framework) and risk prioritization, business impact analysis, metrics and measures, remediation, conclusion, appendix |
| Storage time for report | |
| Secure distribution | |
| Note taking | Ongoing documentation during test, screenshots |
| Common themes/root causes | Vulnerabilities, observations, lack of best practices |
Exam Domain 4: Reporting and Communication
Exam Objective 4.2: Given a scenario, analyze the findings and recommend the appropriate remediation.
This objective covers the documentation and what happens after the vulnerability scan. For example, analysis of a SQL injection vulnerability may include recommending a specific software update or code fix. The report would include both the vulnerability description and the remediation recommendation.

| Control type | Examples |
| --- | --- |
| Technical controls | System hardening, sanitize user input/parameterize queries, implement multifactor authentication, encrypt passwords, process-level remediation, patch management, key rotation, certificate management, secrets management solutions, network segmentation |
| Administrative controls | Role-based access control, secure software development lifecycle, minimum password requirements, policies and procedures |
| Operational controls | Job rotation, time-of-day restrictions, mandatory vacations, user training |
| Physical controls | Access control vestibule, biometric controls, video surveillance |
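
The SQL injection example in this objective pairs a finding with its code fix, "sanitize user input/parameterize queries". The following is an added example, not code from this article or from CompTIA, showing the shape of such a finding next to its remediation in Python's sqlite3 module: the vulnerable login splices untrusted input into the SQL text, the remediated login passes it as a bound parameter, and verify_remediation() runs the same structure-breaking input through both so the report can show the fix closes the finding. The users table and its stored value are constructed; the function names are this example's own.

```python
"""A SQL injection finding beside its remediation (parameterized query).
Added example, not from the article or CompTIA; the users table is constructed."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed in-memory table; the stored value stands in for a real password hash
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT NOT NULL, password_hash TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES ('alice', 'constructed-hash-for-alice')")
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password_hash: str) -> bool:
    # Finding: untrusted input is formatted into the SQL text, so the input can
    # change the structure of the query (here, comment out the password check)
    # rather than only supplying a value.
    sql = (f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
           f"AND password_hash = '{password_hash}'")
    return conn.execute(sql).fetchone()[0] > 0


def login_remediated(conn: sqlite3.Connection, username: str, password_hash: str) -> bool:
    # Remediation: placeholders keep the input as data. The driver never parses
    # it as SQL, so quotes or comment markers in it have no effect on the query.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchone()[0] > 0


def verify_remediation(conn: sqlite3.Connection, probe: str = "alice' --") -> tuple:
    # Evidence for the report: the same structure-breaking input, before and after.
    # The vulnerable path authenticates without the right hash; the fixed path does not.
    return (login_vulnerable(conn, probe, "wrong-hash"),
            login_remediated(conn, probe, "wrong-hash"))


if __name__ == "__main__":
    db = make_db()
    before, after = verify_remediation(db)
    print(f"vulnerable login bypassed: {before}, remediated login bypassed: {after}")
    print(f"legitimate login still works: {login_remediated(db, 'alice', 'constructed-hash-for-alice')}")
```

The verify_remediation() result is the kind of before/after evidence a remediation recommendation should carry, and the same check can be rerun after the fix is deployed to confirm the finding is closed rather than assumed closed.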
Exam Domain 5: Tools and Code Analysis
Exam Objective 5.3: Explain use cases of the following tools during the phases of a penetration test.
This objective attempts to categorize the staggeringly large number of penetration testing tools into a small number of categories for educational purposes. The intent of this objective is not to test specific vendor feature sets, but to ensure penetration testers are familiar with the use cases of the most popular industry tools. The scanner tool category from the objectives is listed below.

| Category | Tools |
| --- | --- |
| Scanners | Nikto, Open Vulnerability Assessment Scanner (OpenVAS), SQLmap, Nessus, OpenSCAP (Security Content Automation Protocol), Wapiti, WPScan, Brakeman, Scout Suite |
These skills (and many more) are covered in the updated CompTIA PenTest+ (PT0-002) certification exam, scheduled to be released in late October 2021.
CompTIA PenTest+ Covers Vulnerability Assessment: Learn the Skills Today
The CompTIA PenTest+ (PT0-002) exam objectives focus on pen testing and vulnerability assessment. The latest pen testing techniques and best practices are included for operating in multiple environments, including on premises, the cloud and hybrid networks. The objectives also include pen testing web apps, wireless systems, embedded systems and IoT devices in these environments.
Vulnerability assessment and management skills are expected to grow in the foreseeable future as attacks continue to increase and compliance grows. If IT pros do not embrace vulnerability assessment and management skills, their organizations will pay the price of fines and continued breaches.
To learn the pen testing automation skills you need to succeed, please download the CompTIA PenTest+ exam objectives, study hard and take the exam! The certification will help prove to employers that you have the latest skills to protect their organization from the next cyberattack.