PrepAway - Latest Free Exam Questions & Answers

Which of the following should Jane perform?

Jane has recently implemented a new network design at her organization and wishes to passively identify
security issues with the new network. Which of the following should Jane perform?

A. Vulnerability assessment

B. Black box testing

C. White box testing

D. Penetration testing

Explanation:
Vulnerability scanning has minimal impact on network resources due to the passive nature of the
scanning. A vulnerability scan is the process of scanning the network and/or I.T. infrastructure for threats and
vulnerabilities. The threats and vulnerabilities are then evaluated in a risk assessment and the necessary
actions taken to resolve any vulnerabilities. A vulnerability scan scans for known weaknesses such as
missing patches or security updates.
A vulnerability scan is the automated process of proactively identifying security vulnerabilities of
computing systems in a network in order to determine if and where a system can be exploited and/or
threatened. While public servers are important for communication and data transfer over the Internet,
they open the door to potential security breaches by threat agents, such as malicious hackers.
Vulnerability scanning employs software that seeks out security flaws based on a database of known
flaws, testing systems for the occurrence of these flaws and generating a report of the findings that an
individual or an enterprise can use to tighten the network’s security.
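The paragraph above describes the core of a vulnerability scan: compare what is deployed against a database of known flaws and generate a report. The following is an added example, not code from the exam page or from any scanner it refers to, showing that comparison in its simplest form. The host inventory, the flaw database and the `EXAMPLE-000n` identifiers are all constructed placeholders (not real advisories), and the scan is passive in the sense that it only reads the inventory data it is given; a real scanner would also have to collect that inventory from the hosts.

```python
"""Minimal passive vulnerability check: installed versions vs. a known-flaw database.

Everything here is constructed for illustration: the inventory, the flaw
database and the flaw identifiers are placeholders, not real advisories.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class KnownFlaw:
    flaw_id: str    # placeholder identifier (not a real CVE number)
    product: str    # product name as it appears in the inventory
    fixed_in: str   # first version that contains the fix
    severity: str   # rating used to prioritise remediation
    summary: str    # one-line description for the report


# Constructed flaw database; in a real scanner this would come from a vendor feed.
KNOWN_FLAWS = [
    KnownFlaw("EXAMPLE-0001", "openssh", "9.8", "high",
              "placeholder: authentication bypass fixed in 9.8"),
    KnownFlaw("EXAMPLE-0002", "sudo", "1.9.13", "critical",
              "placeholder: local privilege escalation fixed in 1.9.13"),
    KnownFlaw("EXAMPLE-0003", "postgresql", "15.3", "medium",
              "placeholder: information disclosure fixed in 15.3"),
]

# Constructed inventory: host -> {product: installed version}.
INVENTORY = {
    "web-01": {"openssh": "9.6", "nginx": "1.24.0"},
    "db-01": {"openssh": "9.9", "postgresql": "15.2"},
    "jump-01": {"openssh": "8.9", "sudo": "1.9.12"},
}


def parse_version(version: str) -> tuple:
    """Turn a dotted numeric version into a tuple so it compares correctly
    (e.g. "9.10" is newer than "9.8", which plain string comparison gets wrong)."""
    return tuple(int(part) for part in version.split("."))


def scan(inventory: dict, known_flaws: list) -> list:
    """Return one finding per (host, product) whose installed version is older
    than the fixed version recorded for a known flaw."""
    findings = []
    for host, packages in sorted(inventory.items()):
        for product, installed in sorted(packages.items()):
            for flaw in known_flaws:
                if flaw.product != product:
                    continue
                if parse_version(installed) < parse_version(flaw.fixed_in):
                    findings.append({
                        "host": host,
                        "product": product,
                        "installed": installed,
                        "flaw_id": flaw.flaw_id,
                        "fixed_in": flaw.fixed_in,
                        "severity": flaw.severity,
                        "summary": flaw.summary,
                    })
    return findings


def summarize(findings: list) -> dict:
    """Count findings by severity so the risk assessment can prioritise work."""
    return dict(Counter(f["severity"] for f in findings))


def report(findings: list) -> str:
    """Render the findings as the plain-text report a scan would hand to an operator."""
    lines = [f"{len(findings)} finding(s); by severity: {summarize(findings)}"]
    for f in findings:
        lines.append(
            f"[{f['severity'].upper()}] {f['host']}: {f['product']} {f['installed']} "
            f"is affected by {f['flaw_id']} (fixed in {f['fixed_in']}): {f['summary']}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(scan(INVENTORY, KNOWN_FLAWS)))
```

The report only states that a known fix is missing; unlike a penetration test, nothing here attempts to exercise the weakness, which is why the scan is regarded as passive. The findings then feed the risk assessment step the explanation mentions.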
Incorrect Answers:
B: Black-box testing is a method of software testing that examines the functionality of an application
without peering into its internal structures or workings. This method of test can be applied to virtually
every level of software testing: unit, integration, system and acceptance. It typically comprises most if not
all higher-level testing, but can dominate unit testing as well. Black-box testing is used for testing
applications. It is not used to identify security issues in a network.
C: White-box testing (also known as clear box testing, glass box testing, transparent box testing, and
structural testing) is a method of testing software that tests internal structures or workings of an
application, as opposed to its functionality (i.e. black-box testing). In white-box testing an internal
perspective of the system, as well as programming skills, are used to design test cases. The tester chooses
inputs to exercise paths through the code and determine the appropriate outputs. This is analogous to
testing nodes in a circuit, e.g. in-circuit testing (ICT).
White-box testing can be applied at the unit, integration and system levels of the software testing
process. Although traditional testers tended to think of white-box testing as being done at the unit level,
it is used for integration and system testing more frequently today. It can test paths within a unit, paths
between units during integration, and between subsystems during a system-level test. Though this
method of test design can uncover many errors or problems, it has the potential to miss unimplemented
parts of the specification or missing requirements. White-box testing is used for testing applications. It is
not used to identify security issues in a network.
D: Penetration testing (also called pen testing) is the practice of testing a computer system, network or
Web application to find vulnerabilities that an attacker could exploit.
Pen tests can be automated with software applications or they can be performed manually. Either way,
the process includes gathering information about the target before the test (reconnaissance), identifying
possible entry points, attempting to break in (either virtually or for real) and reporting back the findings.
The main objective of penetration testing is to determine security weaknesses. A pen test can also be
used to test an organization’s security policy compliance, its employees’ security awareness and the
organization’s ability to identify and respond to security incidents.
Penetration testing is considered ‘active’ because you are actively trying to circumvent the system’s security
controls to gain access to the system, as opposed to vulnerability scanning, which is considered passive.
