From Vulnerability Management to Combined Vulnerability Management to Penetration Testing

Vulnerability

“A flaw in a system that, if leveraged by an attacker, can potentially impact the security of said system”

Also: security bug, security flaw, security hole

Exploit

“To use or manipulate to one’s advantage”

“A security hole or an instance of taking advantage of a security hole”

Proof of Concept Exploit

“A software program or tool that exploits a vulnerability with the sole purpose of proving its existence”

Remote Exploit

“A program or tool that does not require legitimate access to the vulnerable system in order to exploit the security flaw”

Exploit Code

“A software program or tool developed to exploit a vulnerability in order to accomplish a specific goal”

Possible goals: denial of service, arbitrary execution of code, etc.

Exploit Attack Vector

“The means used by the exploit code to trigger the vulnerability on the target system”

Why Talk About Exploit Code

The classic attack uses exploit code. Once a target (be it a server or a desktop) is compromised, the attacker uses it as a vantage point to penetrate the corporate network and to perform further attacks as an internal user.

Legitimate Uses for Exploits

Penetration Testing

Test and fine-tune firewall configuration

Test and fine-tune IDS configuration

Test incident response capabilities

Vulnerability management

EXPLOIT CODE AND PENETRATION TESTING

Please note that both the Attack & Penetration phase and the Privilege Escalation phase use exploit code.

THE VULNERABILITY MANAGEMENT PROCESS

(Vulnerability management, i.e., scan and patch strategy)

IMPROVED VULNERABILITY MANAGEMENT PROCESS

(Vulnerability management + Exploit code)

The attack phase uses exploit code

AN ADDITIONAL IMPROVEMENT

Both the attack and the verify phases use exploit code

VULNERABILITY MANAGEMENT AND PENETRATION TESTING COMBO
