
The Difference Between Vulnerability Assessment and Penetration Testing

Cnlouds
Published 2014/07/21 18:54


There are many views on what constitutes a Vulnerability Assessment versus a Penetration Test. The main distinction, however, seems to be that some believe a thorough Penetration Test involves identifying as many vulnerabilities as possible, while others feel that Penetration Tests are goal-oriented and are mostly unconcerned with what other vulnerabilities may exist.

I am in the latter group, and what follows is my argument for why you should be too.

Language Matters

Language is important, and we have two terms for a reason. We already have an (aptly named I might add) security test for compiling a complete list of vulnerabilities, i.e. a Vulnerability Assessment. If there isn’t a clear, communicable distinction between this test type and a penetration test then we shouldn’t be using separate terms. Such a distinction does exist, however, and it’s a crucial one.

Clarified Definitions


Vulnerability Assessments are designed to yield a prioritized list of vulnerabilities and are generally for clients who already understand they are not where they want to be in terms of security. The customer already knows they have issues and simply needs help identifying and prioritizing them.

The more issues identified the better, so naturally a white box approach should be embraced when possible. The deliverable for the assessment is, most importantly, a prioritized list of discovered vulnerabilities (and often how to remediate).

Penetration Tests are designed to achieve a specific, attacker-simulated goal and should be requested by customers who are already at their desired security posture. A typical goal could be to access the contents of the prized customer database on the internal network, or to modify a record in an HR system.

The deliverable for a penetration test is a report of how security was breached in order to reach the agreed-upon goal (and often how to remediate).

A Physical Analog


A good analog for this is a Tiger Team working for the government, like Richard Marcinko used to run with Red Cell. Think about what his missions were: things like gain control of a nuclear submarine and bring it out into the bay.

So imagine that he’s getting debriefed after a successful mission where he broke in through the east fence, and someone were to ask him about the security of the western side of the building. The answer would be simple:

We didn’t even go to the west side. We saw an opening on the east-facing fence and we went after our target.

If the person doing the debrief were to respond with, “You didn’t check the other fences? What kind of security test is it where you didn’t even check all the fences?”, the answer would be equally direct:

Listen, man, I could have come in a million ways. I could have burrowed under the fences altogether, parachuted in, got in the back of a truck coming in–whatever. You told me to steal your sub, and that’s what I did. If you wanted a list of all the different ways your security sucks, you should have hired an auditor–not a SEAL team.

The Question of Exploitation

Another mistake people make when discussing vulnerability assessments vs. penetration tests is to pivot immediately to exploitation. The basic narrative is:

Finding vulnerabilities is a vulnerability assessment, and exploiting them is a penetration test.

This is incorrect.

Exploitation can be imagined as a sliding bar between none and full, which can be leveraged in both vulnerability assessments and penetration tests. Although most serious penetration tests lean heavily towards showing rather than telling (i.e. heavy on the exploitation side), it’s also the case that you can often show that a vulnerability is real without full exploitation.

A penetration testing team may be able to simply take pictures standing next to the open safe, or to show they have full access to a database, etc., without actually taking the complete set of actions that a criminal could. And vulnerability assessments can slide along this scale as well for any subset of the list of issues discovered.

This could be time consuming, but exploitation doesn’t, by definition, move you out of the realm of vulnerability assessment. The only key attributes of a VA vs. PT are list-orientation vs. goal-orientation, and the question of exploitation is simply not part of that calculation.

The Notion that Penetration Tests Include Vulnerability Assessments

It’s also inaccurate to say that penetration tests always include a vulnerability assessment. Recall that penetration tests are goal-based, meaning that if you achieve your goal then you are successful. So, you likely perform something like a vulnerability assessment to find a good vuln to attack during a pentest, but you could just as easily find a vuln within 20 minutes that gets you to your goal.

It is accurate to say, in other words, that penetration tests rely on finding one or more vulnerabilities to take advantage of, and that people often use some sort of process to systematically discover vulns for that purpose, but because they stop when they have what they need, and don’t give the customer a complete and prioritized list of vulnerabilities, they didn’t actually do a vulnerability assessment.

Summary

Vulnerability Assessment
Customer Maturity Level: Low to Medium. Usually requested by customers who already know they have issues, and need help getting started.
Goal: Attain a prioritized list of vulnerabilities in the environment so that remediation can occur.
Focus: Breadth over depth.

Penetration Test
Customer Maturity Level: High. The client believes their defenses to be strong, and wants to test that assertion.
Goal: Determine whether a mature security posture can withstand an intrusion attempt from an advanced attacker with a specific goal.
Focus: Depth over breadth.

Via:@DanielMiessler
