5.3.1. Identification Methods
💡 First Principle: You can't fix what you can't find. Vulnerability identification uses multiple methods because no single technique finds everything.
Vulnerability scanning: automated tools scan systems for known vulnerabilities by checking software versions, configurations, and open ports against vulnerability databases. Scans can be credentialed (logged into the system; more thorough because the scanner sees installed software, patches, and configurations) or non-credentialed (external perspective; finds only what an attacker would see from outside). Credentialed scans find significantly more vulnerabilities but require managing the scan account's credentials securely.
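To make the credentialed vs. non-credentialed difference concrete, here is an added example (not code from the original guide) of the core matching step a version-based scanner performs: a constructed, placeholder advisory database (IDs and version ranges are made up, not real CVEs) is checked against two views of the same constructed host, the service banners visible on open ports and the full installed-package list a logged-in scan can read.

```python
import re

# Constructed, placeholder advisory database (IDs and versions are made up,
# not real CVEs). A version is affected if introduced <= v < fixed_in.
VULN_DB = [
    {"id": "ADV-0001", "product": "openssh", "fixed_in": "9.0"},
    {"id": "ADV-0002", "product": "sudo", "fixed_in": "1.9.8"},
    {"id": "ADV-0003", "product": "samplelib", "introduced": "3.0.0", "fixed_in": "3.2.0"},
    {"id": "ADV-0004", "product": "apache", "fixed_in": "2.4.50"},
]

# Pulls "Product_1.2.3" or "Product/1.2.3" out of a banner string.
BANNER_RE = re.compile(r"([A-Za-z][A-Za-z-]*)[_/ ](\d+(?:\.\d+)*)")

def parse_version(text):
    """Turn '2.4.57' into (2, 4, 57) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))

def is_affected(version, entry):
    """True when the observed version falls inside the advisory's affected range."""
    v = parse_version(version)
    if v >= parse_version(entry["fixed_in"]):
        return False
    return v >= parse_version(entry.get("introduced", "0"))

def inventory_from_banners(banners):
    """Non-credentialed view: only what service banners on open ports reveal."""
    found = {}
    for banner in banners.values():
        m = BANNER_RE.search(banner)
        if m:
            found[m.group(1).lower()] = m.group(2)
    return found

def match_vulns(inventory):
    """Return sorted advisory IDs whose product/version range covers the inventory."""
    return sorted(e["id"] for e in VULN_DB
                  if e["product"] in inventory and is_affected(inventory[e["product"]], e))

# Constructed host: what an external scan sees vs. what a logged-in scan sees.
OPEN_PORT_BANNERS = {22: "SSH-2.0-OpenSSH_8.9", 80: "Apache/2.4.57"}
INSTALLED_PACKAGES = {"openssh": "8.9", "apache": "2.4.57", "sudo": "1.9.5", "samplelib": "3.1.0"}

def compare_scan_types():
    """Same host, two views: the credentialed view surfaces the local-only packages."""
    return {"non_credentialed": match_vulns(inventory_from_banners(OPEN_PORT_BANNERS)),
            "credentialed": match_vulns(INSTALLED_PACKAGES)}

if __name__ == "__main__":
    for mode, ids in compare_scan_types().items():
        print(f"{mode}: {ids}")
```

Real package versions (epochs, suffixes like "p3", distro backports that fix a flaw without bumping the upstream version) need product-specific parsing; naive version matching like this is the classic source of scanner false positives, which is one reason penetration testing is used to confirm exploitability.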
Internal vs. external scanning: internal scans run from within the network perimeter and find vulnerabilities visible to insiders or attackers who've gained initial access. External scans run from outside the perimeter and simulate the attacker's view from the internet. Both are necessary; they find different things.
Agent-based vs. agentless scanning: agent-based scanners install lightweight software on each host for continuous monitoring (always current, even when hosts move). Agentless scanners run remotely (simpler to deploy, but only see hosts when scanning runs).
Penetration testing: authorized simulated attacks that attempt to actually exploit vulnerabilities. More thorough than scanning because testers chain vulnerabilities, test business logic, and demonstrate real-world impact. More expensive and time-consuming, but proves exploitability rather than theoretical risk.
Responsible disclosure programs / bug bounties: inviting external researchers to find and report vulnerabilities in exchange for recognition or payment. Extends your testing capability beyond internal resources.
Threat feeds and vulnerability databases: NVD (National Vulnerability Database), CVE (Common Vulnerabilities and Exposures), and vendor advisories provide intelligence about newly discovered vulnerabilities.
System and process audits: reviewing configurations, procedures, and controls for compliance with baselines and policies. Audits find procedural and configuration gaps that automated scans miss.
⚠️ Exam Trap: Vulnerability scanning finds known vulnerabilities automatically. Penetration testing attempts to exploit them (and finds unknown ones). Scanning is broader and cheaper; penetration testing is deeper and more expensive. They're complementary, not interchangeable.
