What is Vulnerability Assessment ?
A vulnerability is a weakness in the web and system application which can be an Following
–implementation bug
–a design flaw
that allows an attacker to cause harm to the authentic use of the web application and get the all the data of the which will be Uploaded or get the full control of the website .
Vulnerability are the potential risk for the system. Attacker uses these vulnerability to exploit the system and get unauthorised access and information. Vulnerabilities are big flaw in system security and Information assurance. A vulnerability free Network can provide more Infosec and system security. Though it is almost impossible to have 100% vulnerability free system, but by removing as many vulnerabilities as possible, we can increase system security. The need of Vulnerability Assessment and Penetration Testing is usually underestimated till now. It is just consider as avery important point in the oraganisation . By using regular and efficient Vulnerability Assessment, we can reduce substantial amount of risk to be attacked and have more secured systems. In this paper we describe Vulnerability Assessment and Penetration Testing as an important Cyber Defence Technology. By using VAPT as a Cyber Defence Technology we can remove vulnerabilities from our system and reduce possibility of cyber-attack. We explained various techniques of Vulnerability Assessment and Penetration Testing. We described complete life cycle of VAPT for proactive defence. This will also provide complete process how to use VAPT as a cyber-defence technology
Vulnerability Assessment VS Penetration Testing
Vulnerability Assessment and Penetration Testing is a step by step process. Vulnerability assessment is the process of scanning the system or software or a network to find out the weakness and loophole in that. These loopholes can provide backdoor to attacker to attack the victim. A system may have access control vulnerability, Boundary condition vulnerability, Input validation vulnerability, Authentication Vulnerabilities, Configuration Weakness Vulnerabilities, and Exception Handling Vulnerabilities etc. Penetration testing is the next step after vulnerability assessment. Penetration testing is to try to exploit the system in authorised manner to find out the possible exploits in the system. In penetration testing, the tester have authority to do penetration testing and he intently exploit the system and find out possible exploits.
Life Cycle at VAPT
Vulnerability Assessment and Penetration Testing is a total 9 step process 7 8. These steps are shown in Fig. 1. First of all tester have to decide the scope of the assignment (Black/grey/white box). After deciding the scope, the tester gets information about the operating system, network, and IP address in reconnaissance step. After this tester use various vulnerability assessment technique (explained further) on the testing object to find out vulnerabilities. Then tester analyses the founded vulnerability and make plan for penetration testing. Tester uses this plan to penetrate the victim’s system. After penetrating the system, tester increases the privilege in the system. In result analysis step, tester analyses the all results and devise recommendation to resolve the vulnerability from the system. All these activities are documented and sent to management to take suitable action. After these all step, the victim’s system and its program get affected and altered. In cleanup step we restore the system in previous state as it was before VAPT process was started.
Fig. 1. Vulnerability Assessment and Penetration Testing Life cycle
Vulnerability Assessment and Penetration Testing is a total 9 step process 7 8. These steps are shown in Fig. 1. First of all tester have to decide the scope of the assignment (Black/grey/white box). After deciding the scope, the tester gets information about the operating system, network, and IP address in reconnaissance step. After this tester use various vulnerability assessment technique (explained further) on the testing object to find out vulnerabilities. Then tester analyses the founded vulnerability and make plan for penetration testing. Tester uses this plan to penetrate the victim’s system. After penetrating the system, tester increases the privilege in the system. In result analysis step, tester analyses the all results and devise recommendation to resolve the vulnerability from the system. All these activities are documented and sent to management to take suitable action. After these all step, the victim’s system and its program get affected and altered. In cleanup step we restore the system in previous state as it was before VAPT process was started.
Vulnerability Assessment Vs Penetration Testing
Vulnerability Assessment & Penetration Testing Techniques
Vulnerability Assessment technique
-
- Static analysis
- Manual Testing
- Automated Testing
- Fuzz testing
Penetration testing techniques
-
- Black box testing
- Grey box testing
- White box testing
Vulnerability Assessment & Penetration Testing Techniques
After getting information, attacker perform vulnerability assessment on the victim’s network/system and get vulnerability list
Vulnerability Assessment and Penetration Testing Tools
There are many open source/premium VAPT tools available in the market. Every tool have its expertise and limitation. In Table 1 we have listed Top 10 VAPT tools, their usage and the operating system on which they are compatible. These make the VAPT process fast and more accurate to assess and exploit vulnerability. You can find the all the course which can make you learn these things click here.
Table 1. TOP 10 Vulnerability Assessment and Penetration testing Tools
| 1 | Qualysgaurd | Vulnerability Scanner and Exploit |
| 2 | W3af | Vulnerability Scanner |
| 3 | Accunetix | Vulnerability Scanner and Exploit |
| 4 | LanGuard | Vulnerability Scanner and Exploit |
| 5 | Nexpose | Vulnerability Scanner and Exploit |
| 6 | Metasploit | Vulnerability Scanner and Exploit |
| 7 | Nessus | Vulnerability Scanner and Exploit |
| 8 | Kali linux | Collection of various Hacking tools |
| 9 | Burp Suite | Web Vulnerability Scanner |
| 10 | OpenVAS | Entire Vulnerability management lifecycle |
Conclusion and Future Work
In this paper we explained how Vulnerability Assessment and Penetration Testing can be used as an effective cyber defence technology. We described why VAPT should be made a compulsory activity for cyber defence. We explained the complete life cycle of VAPT, prevalent VAPT techniques and top 15 vulnerability assessment tools. This paper provide complete overview of Vulnerability Assessment and Penetration Testing, and its use as a cyber defence technology. This paper clearly explain necessity to increase use of VAPT for complete system security. This paper would be very helpful for future researchers to get complete knowledge of VAPT process, tools, techniques and its use as a cyber-defence technology. It would be helpful to develop new VAPT techniques and tools. This paper state VAPT as a powerful Cyber defence technology. Compulsory VAPT testing can stop cyber-attack cases and provide strengthen system security.
HOW ROOMAN TECHNOLOGY CAN HELP YOU :
As Rooman Technologies provide training on number of the technologies like Vulnerability assessment, Ethical hacking, Penetration testing, RHCSA (Linux Server Admin),
Blog By –
Gaurav Sharma
Cyber Security Expert, Ethical Hacker