Which of the following tests a number of security controls in the least invasive manner?
A. Vulnerability scan
B. Threat assessment
C. Penetration test
D. Ping sweep
Correct Answer: A
Section: Threats and Vulnerabilities
Vulnerability scanning has minimal impact on network resource due to the passive nature of the scanning.
A vulnerability scan is the process of scanning the network and/or I.T. infrastructure for threats and vulnerabilities. The threats and vulnerabilities are then evaluated in a risk
assessment and the necessary actions taken to resolve and vulnerabilities. A vulnerability scan scans for known weaknesses such as missing patches or security updates.
A vulnerability scan is the automated process of proactively identifying security vulnerabilities of computing systems in a network in order to determine if and where a system can be
exploited and/or threatened. While public servers are important for communication and data transfer over the Internet, they open the door to potential security breaches by threat
agents, such as malicious hackers.
Vulnerability scanning employs software that seeks out security flaws based on a database of known flaws, testing systems for the occurrence of these flaws and generating a report of
the findings that an individual or an enterprise can use to tighten the network’s security.
B: A threat assessment is the assessment of all threats to a business, not just those related to IT. It is not used to test security controls in a network.
C: Penetration testing (also called pen testing) is the practice of testing a computer system, network or Web application to find vulnerabilities that an attacker could exploit.
Pen tests can be automated with software applications or they can be performed manually. Either way, the process includes gathering information about the target before the test
(reconnaissance), identifying possible entry points, attempting to break in (either virtually or for real) and reporting back the findings.
The main objective of penetration testing is to determine security weaknesses. A pen test can also be used to test an organization’s security policy compliance, its employees’ security
awareness and the organization’s ability to identify and respond to security incidents.
Penetration is considered ‘active’ because you are actively trying to circumvent the system’s security controls to gain access to the system as opposed to vulnerability scanning which
is considered passive and therefore the least invasive.
D: A ping sweep is the process of sending ICMP ping requests to all IP addresses in an IP subnet to see which addresses map to live hosts. It is not used to test security controls in a