Vulnerability assessments may be broken down into one of two
types: Outside looking in and inside looking around.
When performing an outside looking in vulnerability assessment,
you are attempting to compromise your systems from the outside.
Being external to your company provides you with the cracker's
viewpoint. You see what a cracker sees — publicly-routable IP
addresses, systems on your DMZ, external
interfaces of your firewall, and more. DMZ stands for
"demilitarized zone", which corresponds to a computer or small
subnetwork that sits between a trusted internal network, such as a
corporate private LAN, and an untrusted external network, such as
the public Internet. Typically, the DMZ contains devices accessible
to Internet traffic, such as Web (HTTP ) servers, FTP servers, SMTP
(e-mail) servers and DNS servers.
When you perform an inside looking around vulnerability
assessment, you are somewhat at an advantage since you are internal
and your status is elevated to trusted. This is the viewpoint you
and your co-workers have once logged on to your systems. You see
print servers, file servers, databases, and other resources.
There are striking distinctions between these two types of
vulnerability assessments. Being internal to your company gives you
elevated privileges — more so than any outsider. Still today
in most organizations, security is configured in such a manner as
to keep intruders out. Very little is done to secure the internals
of the organization (such as departmental firewalls, user-level
access controls, authentication procedures for internal resources,
and more). Typically, there are many more resources when looking
around inside as most systems are internal to a company. Once you
set yourself outside of the company, you immediately are given an
untrusted status. The systems and resources available to you
externally are usually very limited.
Consider the difference between vulnerability assessments and
penetration tests. Think of a
vulnerability assessment as the first step to a penetration test.
The information gleaned from the assessment is used for testing.
Whereas, the assessment is checking for holes and potential
vulnerabilities, the penetration testing actually attempts to
exploit the findings.
Assessing network infrastructure is a dynamic process. Security,
both information and physical, is dynamic. Performing an assessment
shows an overview, which can turn up false positives and false
Security administrators are only as good as the tools they use
and the knowledge they retain. Take any of the assessment tools
currently available, run them against your system, and it is almost
a guarantee that there are some false positives. Whether by program
fault or user error, the result is the same. The tool may find
vulnerabilities which in reality do not exist (false positive); or,
even worse, the tool may not find vulnerabilities that actually do
exist (false negative).
Now that the difference between a vulnerability assessment and a
penetration test is defined, take the findings of the assessment
and review them carefully before conducting a penetration test as
part of your new best practices approach.
Attempting to exploit vulnerabilities on production resources
can have adverse effects to the productivity and efficiency of your
systems and network.
The following list examines some of the benefits to performing
Creates proactive focus on information security
Finds potential exploits before crackers find them
Results in systems being kept up to date and patched
Promotes growth and aids in developing staff expertise
Abates Financial loss and negative publicity
To aid in the selection of tools for a vulnerability assessment,
it is helpful to establish a vulnerability assessment methodology.
Unfortunately, there is no predefined or industry approved
methodology at this time; however, common sense and best practices
can act as a sufficient guide.
What is the target? Are we looking at one
server, or are we looking at our entire network and everything
within the network? Are we external or internal to the company?
The answers to these questions are important as they help determine
not only which tools to select but also the manner in which they
To learn more about establishing methodologies, refer to the