Network Vulnerability Knowledge

Term Description
Risk Analysis
  • This is a discipline in which analysts evaluate the risk posed by vulnerabilities to a specific organization.
  • A risk analysis includes assessment of the likelihood of attacks, identifies types of likely threat actors, and evaluates the impact of successful exploits on the organization.
Vulnerability Assessment
  • This test employs software to scan internet-facing servers and internal networks for various types of vulnerabilities.
  • These vulnerabilities include unknown infections, weaknesses in web-facing database services, missing software patches, unnecessary listening ports, etc.
  • Tools for vulnerability assessment include the open source OpenVAS platform, Microsoft Baseline Security Analyzer, Nessus, Qualys, and FireEye Mandiant services.
  • Vulnerability assessment includes, but goes beyond, port scanning.
Penetration Testing
  • This type of test uses authorized simulated attacks to test the strength of network security.
  • Internal personnel with hacker experience, or professional ethical hackers, identify assets that could be targeted by threat actors.
  • A series of exploits is used to test the security of those assets.
  • Simulated exploit software tools are frequently used.
  • Penetration testing does more than verify that vulnerabilities exist; it actually exploits those vulnerabilities to determine the potential impact of a successful exploit.
  • An individual penetration test is often known as a pen test.
  • Metasploit is a tool used in penetration testing.
  • CORE Impact offers penetration testing software and services.

Common Vulnerabilities and Exposures (CVE)

cve.mitre.org

https://www.cvedetails.com/cve/CVE-2005-1943/

National Vulnerability Database (NVD)

nvd.NIST.gov