Penetration testing vs. vulnerability testing

brownwrap Member Posts: 549
Some of the definitions seem to be very close to each other such as penetration testing and vulnerability testing. The only difference I can see between the two is that penetration testing could could a system.

Same thing applies to IDS signature versus behavior. Aren't we seeing abnormal behavior even when a signature IDS detects?

Comments

  • SephStorm Member Posts: 1,731
    I assume by vulnerability testing you mean vulnerability scanning, which would differentiate from pen-testing, in that pen-testing involves exploiting vulnerabilities found during vulnerability scanning.

    As for IDS, an IDS signature will detect a known attack, such as a port scan or certain types of traffic, whereas behavior-based IDS will detect changes from a baseline, i.e., if a system that was only used for web traffic suddenly started sending email traffic, that would be a deviation from the baseline, and generate an alert. Yes, you are seeing abnormal behavior; however, the sig IDS is detecting BASED on the signature, not the behavior.
  • superman859 Member Posts: 55
    Just as SephStorm said.

    To me, I think of penetration testing as a more in-depth test (and more costly), whereas vulnerability assessments are more surface level. To perform a vulnerability assessment, someone may do some initial research on the organization and conclude with running a Nessus scan or something to detect *possible* vulnerabilities. Of course, these scans are sometimes not entirely accurate and you never know for sure if the vulnerability can actually be exploited until you try. Penetration testing, on the other hand, will actually simply try to hack the machine. You could perform a vulnerability scan as part of it, although it's also going to be noisy (instead, you may do more research into vulnerabilities trying to find a few key ones rather than run a massive scan). After discovering vulnerabilities, you would then attempt to exploit them to the extent agreed upon in a contract with the organization. That may be to gain access to an account and then do no more, or it could be to gain access and then attempt to elevate your privileges to root / admin.

    So in the end, a pen-test would be better, more detailed, and more accurate. At the same time, this means they will require more time and require more money to cover the costs.

    Signature-based IDS will detect on signatures (known patterns) whereas behavior-based IDS compares the current situation to a known baseline. For example, consider a port scan - a sig-based may notice that one IP attempts a connect to port 20, then 21, then 22, then 23, then 24, and so on. This sequential pattern will be matched against a database that has a field for "sequential port openings" and the sig-based IDS will generate an alert. On the other hand, the behavior-based IDS may have a baseline that says an external node typically tries to connect to 1-5 ports within a given hour or something for legitimate use. If some IP falls outside of that range, then they may be performing a port scan.
    Degrees: B.S. Computer Science, B.S. Mathematics

    Certifications: Network+, Security+

    In-Progress: M.S. Computer Science, CEH
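
The two detection styles described in the post above, run over the same traffic, as an added example that is not part of the thread. The event tuples and the `SEQ_RUN` threshold are constructed assumptions; `BASELINE_MAX` takes the post's "1-5 ports within a given hour" figure.

```python
from collections import defaultdict

# Constructed sample events: (epoch_seconds, source_ip, destination_port).
# Addresses come from the RFC 5737 documentation ranges.
SWEEP = [(1000 + i, "203.0.113.10", p) for i, p in enumerate(range(20, 30))]
UNORDERED = [(2000 + i * 60, "203.0.113.20", p)
             for i, p in enumerate([443, 8080, 22, 3306, 25, 110, 5900, 21])]
CLIENT = [(3000 + i * 300, "198.51.100.5", p) for i, p in enumerate([80, 443, 443, 80])]
EVENTS = SWEEP + UNORDERED + CLIENT

SEQ_RUN = 5        # signature: consecutive ascending ports needed to match (assumed)
BASELINE_MAX = 5   # behavior: most distinct ports a normal source touches per hour
WINDOW = 3600      # seconds

def signature_alerts(events, run_len=SEQ_RUN):
    """Flag sources matching the known pattern: run_len ports hit in +1 order."""
    last, run, flagged = {}, {}, set()
    for _, src, port in sorted(events):
        run[src] = run[src] + 1 if last.get(src) == port - 1 else 1
        last[src] = port
        if run[src] >= run_len:
            flagged.add(src)
    return flagged

def behavior_alerts(events, baseline_max=BASELINE_MAX, window=WINDOW):
    """Flag sources touching more distinct ports in any window than the baseline."""
    by_src, flagged = defaultdict(list), set()
    for ts, src, port in sorted(events):
        by_src[src].append((ts, port))
    for src, hits in by_src.items():
        for i, (start, _) in enumerate(hits):
            ports = {p for t, p in hits[i:] if t - start < window}
            if len(ports) > baseline_max:
                flagged.add(src)
                break
    return flagged

if __name__ == "__main__":
    print("signature:", sorted(signature_alerts(EVENTS)))
    print("behavior: ", sorted(behavior_alerts(EVENTS)))
```

The sequential sweep matches both detectors, the unordered probing matches only the baseline check because no stored pattern describes it, and the ordinary client matches neither.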
  • xenodamus Member Posts: 758
    For the purposes of the Security+, you should know that:

    a) A vulnerability assessment is generally performed from inside the security perimeter of an organization.

    b) A pen-test is generally performed from outside the security perimeter of an organization.

    This is what I gathered from Darril Gibson's book.
    CISSP | CCNA:R&S/Security | MCSA 2003 | A+ S+ | VCP6-DTM | CCA-V CCP-V
  • chrisone Senior Member Posts: 2,251
    SephStorm wrote: »
    I assume by vulnerability testing you mean vulnerability scanning, which would differentiate from pen-testing, in that pen-testing involves exploiting vulnerabilities found during vulnerability scanning.

    As for IDS, an IDS signature will detect a known attack, such as a port scan or certain types of traffic, whereas behavior-based IDS will detect changes from a baseline, i.e., if a system that was only used for web traffic suddenly started sending email traffic, that would be a deviation from the baseline, and generate an alert. Yes, you are seeing abnormal behavior; however, the sig IDS is detecting BASED on the signature, not the behavior.

    /end of thread. lol GJ
    Certs: CISSP, OSCP, CRTP, eCTHPv2, eCPPT, eCIR, LFCS, CEH, SPLK-1002, SC-200, AZ-900, VHL:Advanced+, Retired Cisco CCNP/SP/DP
    2022 Goals:
    Certs: EnCE (Phase 1 - Passed, Phase 2 - awaiting results), eCPTXv2 (in progress), SC-300 (in progress), AZ-500, SC-100
    Course: BC Security - Empire Operations 1 (completed), Zero Point Security - CRTO (course completed)