Vulnerability Scanners and Penetration Testing Flashcards
What is a vulnerability scanner?
It is software that scans a network, performs a vulnerability analysis, and grades vulnerability schedules according to CVSS.
What is CVSS?
Common Vulnerability Scoring System
What are the shortcomings of vulnerability scanners?
It lacks the dynamic context of the network. Doesn’t see misconfigurations or the human factor.
You can see a lot, but it doesn’t actually lead you anywhere. So a ton of false positives.
What is a penetration test?
Dynamic evaluation of security controls, as well as business impact of vulnerabilities across the network.
What does a penetration tester do?
Starts by operating a vulnerability scanner, deals with exploitable vulnerabilities, then tries to exploit them in order to prove the actual business impact.
What are the pains of human penetration testing? (There are 6)
- There is a shortage of cybersecurity professionals, so very expensive.
- Pentester will find an achievement but not all possible attack vectors leading to it. So not everything is mapped.
- Talent dependent, vast differences between quality of pentesters.
- Consumes a lot of valuable in-house resources. If you’re bringing in a third party, it’s a whole project.
- Just a snapshot in time, new vulnerabilities come up in infrastructure all the time.
- Reports are cryptic, just provide samples, only report on successes, and don’t give you effective remediation.