Vulnerability assessments may be broken down into one of two types:
Outside looking in and inside looking
When performing an outside looking in vulnerability assessment, you
are attempting to compromise your systems from the outside. Being
external to your company provides you with the cracker's viewpoint. You
see what a cracker sees — publicly-routable IP addresses, systems
on your DMZ, external interfaces of your
firewall, and more. DMZ stands for "demilitarized zone", which
corresponds to a computer or small subnetwork that sits between a
trusted internal network, such as a corporate private LAN, and an
untrusted external network, such as the public Internet.
Typically, the DMZ contains devices accessible to Internet traffic, such as Web (HTTP ) servers, FTP servers, SMTP (e-mail) servers and DNS servers.
When you perform an inside looking around vulnerability assessment,
you are somewhat at an advantage since you are internal and your status
is elevated to trusted. This is the viewpoint you and your co-workers
have once logged on to your systems. You see print servers, file
servers, databases, and other resources.
There are striking distinctions between these two types of
vulnerability assessments. Being internal to your company gives you
elevated privileges — more so than any outsider. Still today in
most organizations, security is configured in such a manner as to keep
intruders out. Very little is done to secure the internals of the
organization (such as departmental firewalls, user-level access
controls, authentication procedures for internal resources, and more).
Typically, there are many more resources when looking around inside as
most systems are internal to a company. Once you set yourself outside
of the company, you immediately are given an untrusted status. The
systems and resources available to you externally are usually very
Consider the difference between vulnerability assessments and
penetration tests. Think of a vulnerability
assessment as the first step to a penetration test. The information
gleaned from the assessment is used for testing. Whereas, the
assessment is checking for holes and potential vulnerabilities, the
penetration testing actually attempts to exploit the findings.
Assessing network infrastructure is a dynamic process. Security, both
information and physical, is dynamic. Performing an assessment shows an
overview, which can turn up false positives and false negatives.
Security administrators are only as good as the tools they use and the
knowledge they retain. Take any of the assessment tools currently
available, run them against your system, and it is almost a guarantee that
there are some false positives. Whether by program fault or
user error, the result is the same. The tool may find vulnerabilities
which in reality do not exist (false positive); or, even worse, the tool
may not find vulnerabilities that actually do exist (false
Now that the difference between a vulnerability assessment and
a penetration test is defined, take the
findings of the assessment and review them carefully before conducting a
penetration test as part of your new best practices approach.
Attempting to exploit vulnerabilities on
production resources can have adverse effects to the productivity and
efficiency of your systems and network.
The following list examines some of the benefits to performing
Creates proactive focus on information security
Finds potential exploits before crackers find them
Results in systems being kept up to date and patched
Promotes growth and aids in developing staff expertise
Abates Financial loss and negative publicity
To aid in the selection of tools for a vulnerability assessment, it
is helpful to establish a vulnerability assessment methodology.
Unfortunately, there is no predefined or industry approved methodology
at this time; however, common sense and best practices can act as a
What is the target? Are we looking at one server, or are
we looking at our entire network and everything within the network?
Are we external or internal to the company? The answers
to these questions are important as they help determine not only
which tools to select but also the manner in which they are
To learn more about establishing methodologies, refer to the