Risk is used to determine organizational priorities. You can use the equation Risk = Likelihood × Impact, to rate risks based on how often they occur and how much harm they would result in.
Threats leverage vulnerabilities via attack vectors, resulting in business or technical impact. The relationship and differences between risks, threats, and vulnerabilities is important to remember: a risk is the potential that a threat will exploit vulnerabilities of a system, network, or other asset, resulting in harm. A threats is an actor that might exploit a vulnerability.
A broad range of tools can be used for vulnerability assessment, including protocol analyzers, sniffers, port scanners, and vulnerability scanners. Protocol analyzers and sniffers are used to monitor traffic sent by other tools, and to look at responses. Port scanners and vulnerability scanners are used to actively scan systems and devices.
The reasons for conducting vulnerability scans including identifying vulnerabilities, verifying security controls, checking for missing controls, and finding misconfigurations.
Port scans identify accessible services, operating system versions, and other basic information about a system. Vulnerability scans check for service versions and other information about a system and compare that data to a list of known vulnerabilities. Penetration tests often take advantage of both by first scanning for open ports and then targeting specific services.
Honeypots and honeynets are security tools that invite attackers to break in, and allow security professionals to learn their techniques and tools by capturing them.
Organizations use assessment techniques such as baseline reporting, which checks current settings against those defined in a security baseline or template; and code review, which explores the source code of an application to ensure that it doesn’t contain bugs, mistakes, or other flaws to monitor for new vulnerabilities and risks to their systems and software.
Design and architecture review, which takes advantage of knowledge of how services, networks, and systems are put together to determine whether they are vulnerable. This also helps to assess the attack surface, which is the part of the design that is accessible to attackers.
Penetration tests are a hands-on way to test actual vulnerabilities. Penetration tests typically follow a process that starts with authority to conduct a test, then moves through setting a scope, selecting tools, and then performing a penetration test. They typically conclude with a report, followed by application of controls or fixes to identified issues.
Penetration test view, include black box penetration testing, which provides no data to the tester; gray box testing, which restricts available information; and white box testing, which provides full detail and visibility of the environment to those who are testing it.