Information security “vulnerability” is a mistake in software that can be directly used by a hacker to gain access to a system or network. A mistake is considered a vulnerability if it allows an attacker to use it to violate a reasonable security policy for that system (this excludes excluding entirely “open” security policies in which all users are trusted, or where there is no consideration of risk to the system). Vulnerability is a state in a computing system (or set of systems) that either:
– allows an attacker to execute commands as another user
– allows an attacker to access data that is contrary to the specified access restrictions for that data
– allows an attacker to pose as another entity
– allows an attacker to conduct a denial of service
An information security “exposure” is a system configuration issue or a mistake in software that allows access to information or capabilities that can be used by a hacker as a stepping-stone into a system or network.
Penetration testing is an authorized security evaluation of a network or computer by actively probing the system and exploiting any found vulnerabilities.
Penetration testing, also known as security assessment, is used to validate the security of a network. A thorough test of perimeter defences and access policies provides a level of practical assurance where an organization is doing things right and guidance in the areas where it needs improvement. It is a way to defend an organization’s information assets by preventing financial loss and demonstrating due diligence.