Vulnerability assessments and penetration tests have their place in a vulnerability management process. However, both are monumental tasks that should not be entered into lightly. It's vital for security practitioners to know when one is more suitable than the other and how it will mitigate threats. Take this quiz written by Shon Harris, CISSP and president of Logical Security, to test your knowledge of the vulnerability management process.
1.) What is the difference between a network vulnerability assessment and a penetration test?
A. A penetration test identifies running services, and vulnerability assessments provide a more in-depth understanding of vulnerabilities.
B. A penetration test enumerates resources, and a vulnerability assessment enumerates vulnerabilities.
C. A penetration test exploits vulnerabilities, and a vulnerability assessment finds vulnerabilities.
D. They are one and the same.
2.) When is it better to perform a vulnerability assessment versus a penetration test?
A. It is necessary to perform them together.
B. When you seek a larger overview of the environment, versus a smaller, more focused view.
C. Penetration tests are full of false positives and should not be used.
D. Penetration tests are potentially damaging to devices and should not be used.
3.) What is the best approach for choosing a vulnerability assessment tool for your environment?
A. A statistical analysis of your environment's software and network traffic should be mapped to the functionality of the different products.
B. Your current business drivers should be understood, and they will dictate the type of assessment tool you need.
C. Research third-party test results.
D. An assessment of your physical security, personnel security or company's culture will dictate the type of assessment tool you need.
4.) Why is there danger in having a false sense of security when running periodic vulnerability assessments?
A. Vulnerability assessments cannot detect new attacks.
B. These assessments are meaningless without continual penetration tests.
C. Organizations are secure if they are running periodic vulnerability assessments.
D. Vulnerability assessments do not detect vulnerable services that are running.
5.) We continually hear that applying patches and proper patch management is the answer to a majority of our security woes. Why is this illogical?
A. Patching always opens other vulnerabilities.
B. Patching continually causes interoperability issues.
C. Patching only deals with known software flaws.
D. Patching can address misconfiguration issues as needed.
6.) How do mitigation tools help companies?
A. They contain risk management methodologies and take customers through the risk analysis process.
B. They allow customers to safely exploit vulnerabilities.
C. They identify vulnerabilities that scanners do not.
D. They provide a graphical representation of assets and their values.
7.) A host-based vulnerability assessment tool is...
A. An agent-based product that watches for changes to critical files and network traffic.
B. An agent-based product that reviews configurations and file system settings.
C. An agent-based product that reviews settings, and implements Trojan horses and user errors.
D. An agent-based product that collects log data and sends it to a network-based IDS.
8.) What is the difference between a passive and active vulnerability assessment tool?
A. A passive tool sends packets to its targets and reviews the results. An active product monitors traffic and activity.
B. An active tool sends packets to its targets and reviews the results. A passive product monitors traffic and activity.
C. They are one and the same.
D. A passive product is more intrusive than an active product.
9.) Why is it important to run a vulnerability scan before and after applying a new patch?
A. To determine whether the patch is really needed in the environment.
B. To ensure that the right patch is applied.
C. To identify the baseline before and after a patch is applied.
D. To capture a new baseline representing the current vulnerabilities.
10.) Why should your security and technology teams have a pre-defined process for responding to new vulnerabilities?
A. If the process is not defined, standard reactions cannot be guaranteed.
B. Response procedures are required by all regulations.
C. Standard response procedures are impossible. Each vulnerability is different, which requires a different process.
D. It is the only way to ensure that a company is in compliance with their legal requirements.
BONUS: In order, what are the five general steps of an intrusion?
A. Reconnaissance, scanning, gaining access, maintaining access, covering tracks
B. Reconnaissance, gaining access, maintaining access, covering tracks, scanning
C. Recovering, gaining access, maintaining access, covering tracks, scanning
D. Reconnaissance, maintaining access, gaining access, covering tracks, scanning
Was the quiz too easy? Too hard? Let me know what you thought of the quiz and how you scored. Your comments will help us build future quizzes and learning tools. -- Crystal Ferraro, Editor
This was first published in January 2005