Ethical hacking: What is vulnerability identification?
Introduction
In this article, we will discuss vulnerability identification, discussing what it means and how best to conduct it. We’ll also look at how organizations take the initiative of publicizing identified security issues using different approaches. Finally, we’ll discuss one approach that can be taken in identifying vulnerabilities and the different levels of occurrence, impact and overall risk.
What is a vulnerability?
A vulnerability is a flaw that could lead to the compromise of the confidentiality, integrity or availability of an information system. Vulnerability identification involves the process of discovering vulnerabilities and documenting these into an inventory within the target environment.
Special care should be taken so as not to go out of scope of the allowed targets to identify vulnerabilities on. If care is not taken, there are consequences that can follow: for instance, disruption of service, breach of trust between yourself and the client or, worst of all, legal action against you by the client.
In order for vulnerabilities to be identified, they need to be accurately mapped. There are vulnerability lists that make this easy to do.
What are vulnerability lists?
A vulnerability list is a documented listing of common vulnerabilities. The documented vulnerabilities are usually assigned an identification number, a description and public references. These vulnerabilities have been found to occur commonly and often lead to the exploitation of systems on the internet.
There are various authentic sources of documented vulnerabilities, including the following:
- Databases: These databases include various information on vulnerabilities. For instance, information might include security checklist references, security-related software flaws, misconfigurations, product names and impact metrics. The following are some examples:
- NVD by NIST: This is a repository managed by the U.S. government
- CVE: This is managed by the MITRE Corporation and sponsored by the U. (Read more...)
*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Lester Obbayi. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/nCQ8H2ifWLA/
