Vulnerability Assessment vs. Penetration Test
A vulnerability assessment (VA) is predominantly an automated process. Tools are used to scan a target, and the results are analysed to identify potential weaknesses. For instance, I am currently learning how to use the Nessus tool on Hack The Box as part of my preparation for the CPTS certification. Other popular tools include Nmap, Burp Suite and many others.
While VAs can reveal a broad range of vulnerabilities, such as outdated software or misconfigurations, the results can sometimes include false positives. Interpreting these scans can be difficult because of the vast amount of information they produce. Fortunately, many tools categorise their findings to make the results easier to digest. However, a VA alone does not exploit vulnerabilities; that’s where a PT comes in.
A penetration test (PT) simulates real-world attacks to identify and exploit vulnerabilities discovered during the VA. These tests can be conducted in various ways, depending on the level of knowledge the testers have about the target:
Black/Grey Box Testing: Testers have little to no prior information about the target. This simulates an external attacker attempting to exploit vulnerabilities with limited knowledge.
White Box Testing: Testers have extensive or complete knowledge of the target. This is essentially an insider threat scenario, where a malicious actor uses internal knowledge to cause harm.
To maximize value, VAs and PTs should be used in conjunction with each other. VAs provide a broad understanding of potential weaknesses, while PTs delve deeper, simulating attacks to assess how these vulnerabilities can be exploited. There is no "one-size-fits-all" approach; each situation is unique, and the testing should be tailored to the specific needs of the organisation.
Always obtain explicit written permission before conducting any testing. Ensure all guidelines, rules of engagement, and scope are clearly defined and agreed upon by both the customer and the testing team.
Authentication vs Authorisation
The difference between authentication and authorisation may seem subtle, but it is critical in the world of cybersecurity. Misunderstanding these concepts could result in malicious actors gaining access to sensitive information and potentially bringing your company to its knees.
Authorisation is the process of granting specific permissions to approved users or systems, allowing them access to certain data or the ability to perform certain tasks. Not everyone in an organization needs access to all the information. Much like a "need-to-know" policy, infrastructure should be designed to ensure that users can only access what they are authorised to access.
Authentication, on the other hand, is the process of verifying the identity of a user or system. For instance, if you have a lock on your phone, use online banking, or log in with a PIN or biometric data, you are authenticating yourself. In essence, you’re saying, “Hello, it’s me. Here’s my fingerprint and face to prove I am who I say I am.”
For example, after a decade of service in the military, I’ve become accustomed to being both authenticated and authorised daily. Every time I arrive at work, my personal pass is checked. This ensures two things: first, they authenticate me by verifying that the person presenting the pass matches the identity it represents. Once authenticated, I’m then authorized to enter the workplace.
If you've ever used Linux, one of the first commands you’ll likely encounter is ls -l. This command displays file and directory permissions (e.g., drwxr-xr-x). These permissions determine who can read, write, or execute files and should always be carefully maintained. Mismanaged permissions could provide an opening for attackers, exposing sensitive information or triggering alerts in firewalls and intrusion detection systems.
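The mode strings that ls -l prints can be checked mechanically. The following is an added example, not part of the original post: it decodes strings such as drwxr-xr-x and flags world-writable, setuid and setgid entries. The listing, owners and file names in it are constructed sample data.

```python
# Added example: decode `ls -l` mode strings and flag risky permissions.
# SAMPLE_LS is constructed for illustration, not captured from a real system.
SAMPLE_LS = """\
total 24
drwxr-xr-x 2 root root 4096 Jan  1 00:00 bin
-rw-rw-rw- 1 app  app   120 Jan  1 00:00 config.ini
-rwsr-xr-x 1 root root 9000 Jan  1 00:00 helper
drwxrwxrwt 9 root root 4096 Jan  1 00:00 tmp
-rw------- 1 app  app    64 Jan  1 00:00 secret.key
"""

def decode_mode(mode):
    """Split a 10-character mode string into file type and per-class permissions."""
    if len(mode) < 10:
        raise ValueError(f"not a mode string: {mode!r}")
    return {
        "type": mode[0],       # 'd' directory, '-' regular file, 'l' symlink
        "owner": mode[1:4],
        "group": mode[4:7],
        "other": mode[7:10],
    }

def findings(mode):
    """Return the permission concerns for one mode string."""
    p = decode_mode(mode)
    out = []
    sticky = p["other"][2] in "tT"
    # A world-writable directory with the sticky bit (like /tmp) is the expected setup.
    if p["other"][1] == "w" and not (p["type"] == "d" and sticky):
        out.append("world-writable")
    if p["owner"][2] in "sS":
        out.append("setuid")
    if p["group"][2] in "sS":
        out.append("setgid")
    return out

def audit(listing):
    """Map each flagged file name in `ls -l` output to its findings."""
    report = {}
    for line in listing.splitlines():
        fields = line.split(None, 8)
        if len(fields) < 9:    # skips the 'total N' line and blank lines
            continue
        issues = findings(fields[0][:10])  # [:10] drops a trailing ACL/SELinux marker
        if issues:
            report[fields[8]] = issues
    return report

if __name__ == "__main__":
    for name, issues in audit(SAMPLE_LS).items():
        print(f"{name}: {', '.join(issues)}")
```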
In cybersecurity, threats can arise from anywhere. Limiting the attack surface is essential to keeping systems secure.