A vulnerability assessment is a process used to discover weaknesses in a system. The assessment will then prioritize the vulnerabilities to determine which weaknesses are relevant.

Vulnerability assessments can be performed internally or externally. An internal assessment attempts to discover weaknesses from within the network, and an external assessment attempts to discover what attackers outside the company may see.

A vulnerability assessment often starts by gathering information, using vulnerability scanners to perform network reconnaissance. A vulnerability assessment is similar to an enemy scouting out a target to evaluate it and identify the best method of attack. A vulnerability assessment may have several goals, such as:

• Identifying IP addresses—Ping scanner tools identify which IP addresses are in use. When a system responds to a ping, it is operational with that IP address.
• Identifying names—For computers on the Internet, “Whois” tools can be used to identify the name of a computer from the IP address.
• Identifying operating systems—A fingerprinting tool can identify which operating system is running on an IP address. The tool sends traffic to and receives traffic from the system and then analyzes the traffic to determine which operating system is running. For example, a Microsoft operating system includes unique bits in Internet Control Message Protocol (ICMP) traffic. These bits verify that it is a Microsoft product. Similarly, some UNIX and Linux operating systems include bits in ICMP packets that identify those operating systems.
• Identifying open ports—A port scan identifies open ports, which identify which protocols and what services are running. For example, if port 80 is open, the Hypertext Transfer Protocol (HTTP) is running on the system, which indicates it is a web server.
• Identifying weak passwords—A password cracker determines the password for one or more accounts. The success of the password cracker largely depends on the strength of the password, which means that a password cracker can discover weak passwords.
• Capturing data—Data transferred over the network can be captured and analyzed. If it has been transferred in cleartext or is unencrypted, it can be read.

Several tools are available for performing vulnerability assessments. Some tools perform only a specific function, such as translating an IP address to a name. Other tools include multiple functions, such as Microsoft Office, which includes a full suite of applications.

Some of the commonly used vulnerability assessment tools are:

• Nmap—Nmap is a free network mapping tool. It combines a ping scanner, to discover IP addresses, with a port scanner, to determine open ports. It then uses other techniques to discover the operating system and other details of the remote system.
• Nessus—Nessus is a commercial product that provides a full suite of tools. As an example, it can run Nmap or one of several other port scanners, can detect common vulnerabilities in the configuration of a system, and includes password crackers. Tenable Network Security sells Nessus, and the company regularly improves the product by publishing new tools in the form of snap-ins.
• SAINT—SAINT is an acronym for System Administrator’s Integrated Network Tool. Just as Nessus includes a full suite of vulnerability tools, so does SAINT. Saint Corporation sells SAINT and other security tools.

An exploit assessment attempts to discover what vulnerabilities an attacker can exploit. These assessments are also referred to as penetration tests. An exploit assessment is usually started with a vulnerability assessment. After the weaknesses have been discovered, then the exploit assessment is attempted.

A significant difference exists between an exploit assessment and a vulnerability assessment. Specifically, an exploit assessment is intrusive; its goal is to test the exploit. If the exploit assessment is successful, it can disrupt operations. With this in mind, performing exploit assessments should be done cautiously and never without explicit authorization. Accidentally stopping a production service could bring someone’s exploit assessment career to an abrupt end.