Vulnerability scanning vs. penetration testing.
Brian K. Ferrill, M.B.A.
Instructor, PACE-IT Program Edmonds Community College

Areas of Expertise
PC Hardware
Network Administration
IT Project Management
Network Design
User Training
IT Troubleshooting

Industry Certification

Summary Qualifications
Entrepreneur, executive leader, and proven manager with 10+ years of experience turning complex issues into efficient and effective solutions.
Strengths include developing and mentoring diverse workforces, improving processes, analyzing business needs and creating the solutions required with a focus on technology.

Education
M.B.A., IT Management, Western Governors University
B.S., IT Security, Western Governors University


Vulnerability scanning and penetration testing.
Levels of testing.

Vulnerability scanning and penetration testing.

Vulnerability scanning is usually conducted using specialized applications in an effort to find weaknesses in a network.

It is usually conducted using protocol analyzers (also called packet sniffers) and port scanners. These applications can be used to determine which protocols and services are being used on a network. Protocol analyzers can also be used to determine which ports are open on a network. This information can be used by security experts to help harden the network against attack.

Vulnerability scanning does not attempt to exploit any weaknesses that are found. It only identifies them for the security personnel.

Vulnerability scanning.
The purpose is to assess the configuration of systems and networks to determine what can be done to increase the level of security.
This is done passively by collecting information and reporting on the information collected in a non-intrusive manner.
The scan can help to identify different issues.
    Lack of security controls.
    Common misconfigurations (in applications and devices).
    Other vulnerabilities.
Two different types of vulnerability scans should be conducted.
    As an authorized user: a credentialed scan should be conducted from an administrative account.
    As an unauthorized user: a noncredentialed scan should be conducted to determine what an unauthorized user may find out about the system.
A false positive may be reported by vulnerability scans.
    Something reported as a vulnerability that isn't actually one.
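
An added example (not part of the original slides): one way to reconcile the credentialed and noncredentialed scans described above and flag candidate false positives for review. The addresses, check names and status labels are constructed for illustration, and treating a finding seen only from outside on a credentialed host as a candidate false positive is an assumption that still needs manual confirmation.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    check: str      # hypothetical check name, not a real scanner's plugin ID
    evidence: str


# Constructed sample results (documentation-range addresses, invented checks).
NONCREDENTIALED = [
    Finding("192.0.2.10", "ssh-version-outdated", "banner reports an old version"),
    Finding("192.0.2.10", "telnet-enabled", "23/tcp answers"),
    Finding("192.0.2.20", "ftp-anonymous-login", "anonymous login accepted"),
]
CREDENTIALED = [
    Finding("192.0.2.10", "telnet-enabled", "service enabled in configuration"),
    Finding("192.0.2.10", "password-policy-missing", "no minimum length set"),
]
# Hosts the administrative account could actually log in to.
CREDENTIALED_HOSTS = {"192.0.2.10"}


def triage(noncred, cred, cred_hosts):
    """Classify each (host, check) pair by which scan type reported it."""
    outside = {(f.host, f.check) for f in noncred}
    inside = {(f.host, f.check) for f in cred}
    result = {}
    for key in sorted(outside | inside):
        host = key[0]
        if key in outside and key in inside:
            result[key] = "confirmed"                # seen from both vantage points
        elif key in inside:
            result[key] = "internal-only"            # not visible to an unauthorized user
        elif host in cred_hosts:
            result[key] = "possible-false-positive"  # inside view did not report it
        else:
            result[key] = "unverified"               # no credentialed scan of this host
    return result


if __name__ == "__main__":
    rows = triage(NONCREDENTIALED, CREDENTIALED, CREDENTIALED_HOSTS)
    for (host, check), status in rows.items():
        print(f"{host:12} {check:26} {status}")
```
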

Penetration testing (or pen testing) is actively seeking to find vulnerabilities in networks and systems that can be exploited.

Once a weakness is found, the pen tester then attempts to exploit the vulnerability. Many organizations use pen testing as a means of increasing the security of their organizations; however, hackers also use pen testing as a means of finding networks and systems that they can exploit.

As a result, every security expert must be sure to receive explicit authorization to perform pen testing before beginning the test. If such authorization is not obtained, a security expert could face dire consequences. Unauthorized pen testing is, in actuality, illegal, as it is a form of hacking.

Penetration testing (pen testing).
The purpose is to assess the security of a system or network by actually using the same methods that a hacker would use to breach security.
The test can be used to verify that a threat exists.
    Can also confirm that the threat doesn't exist.
The test seeks to actively test and bypass any security controls that may be present.
It is designed to exploit any vulnerabilities that may be present on the system or network.
Unauthorized pen testing may lead to legal issues.

Levels of testing.

It is vital that, when security tests are conducted on systems and networks, the testing be conducted at a variety of levels.

The first level of security testing should be done at the white box level. White box testing is when the person conducting the test has the exact details of the system or network; the tester has intimate knowledge of what is present and how it is configured.

The next level of security testing is done at the gray box level. With gray box testing, the tester has an intermediate knowledge of how the system or network is configured.

The final level of security testing is done at the black box level. With black box testing, the tester (usually a security expert) is given no prior knowledge of the configuration or what is present.

What was covered.

Topic: Vulnerability scanning and penetration testing.
Summary: Vulnerability scanning is the passive collection of information on the configuration of systems and networks in an effort to determine how security might be improved. Penetration testing is using attack methods in an effort to breach security. The information gathered from pen testing is used to increase the security of systems and networks. The pen tester must have explicit permission to perform the testing, because without the permission it is actually an illegal action.

Topic: Levels of testing.
Summary: To ensure a thorough assessment of security, testing should be conducted at different levels. The levels of testing should include: white box testing (the tester has intimate knowledge of the system or network), gray box testing (the tester has an intermediate knowledge of the system or network), and black box testing (the tester has no knowledge of the system or network).

This workforce solution was 100 percent funded by a $3 million grant
awarded by the U.S. Department of Labor's Employment and Training
Administration. The solution was created by the grantee and does not
necessarily reflect the official position of the U.S. Department of Labor. The
Department of Labor makes no guarantees, warranties, or assurances of any
kind, express or implied, with respect to such information, including any
information on linked sites and including, but not limited to, accuracy of the
information or its completeness, timeliness, usefulness, adequacy, continued
availability or ownership. Funded by the Department of Labor, Employment
and Training Administration, Grant #TC-23745-12-60-A-53.
PACE-IT is an equal opportunity employer/program and auxiliary aids and
services are available upon request to individuals with disabilities. For those
that are hearing impaired, a video phone is available at the Services for
Students with Disabilities (SSD) office in Mountlake Terrace Hall 159. Check
www.edcc.edu/ssd for office hours. Call 425.354.3113 on a video phone for
more information about the PACE-IT program. For any additional special
accommodations needed, call the SSD office at 425.640.1814. Edmonds
Community College does not discriminate on the basis of race; color; religion;
national origin; sex; disability; sexual orientation; age; citizenship, marital, or
veteran status; or genetic information in its programs and activities.