Vulnerability assessment is a critical part of any IT infrastructure. It's not something that we do willy-nilly; you don't just go grab a copy of Nessus, run a security scan and look for stuff. Normally this is going to be handled by management: management is going to authorize your department to perform vulnerability scans. Now, these can be done on an annual basis, on a quarterly basis, monthly. In some organizations it's literally done perpetually; they never, ever turn it off. So the most important thing that's going to happen with a vulnerability assessment is you're going to get authorization.
I know in some organizations it's literally required for a manager to provide a signed piece of paper before they get started with any of this stuff. Now, once you get that process going, you certainly are going to be using your tools, but you have a couple of options here. One of the big options is credentialed versus non-credentialed. A credentialed vulnerability assessment basically means you've got usernames and passwords for the stuff that's part of your assessment, so it really gives you more of an insider's view of what's going to be taking place. Non-credentialed, you don't have usernames and passwords, so you're more seeing it as an outsider. Both of these assessments are very, very powerful, because you definitely see your infrastructure in two very different ways.
Along with that, you can do an intrusive or a non-intrusive assessment. Almost all vulnerability assessments that I run into are non-intrusive. Basically, you're looking at the vulnerabilities: you're scanning the system, you're gathering information, but you're not actually doing anything with that. You're not actually going, "Ah, here's a vulnerability in the SQL database, let's corrupt the database," because, as you can imagine, that might cause trouble. So generally, when we're talking about vulnerability assessments, we're talking about the non-intrusive type. So as you're going through there, keep in mind what your jobs are. Number one, you're there to identify vulnerabilities. And as we saw in other episodes, there are nice tools out there that give you a good listing of what those vulnerabilities are.
Also, along with that, you might want to consider the idea of misconfigurations. A lot of times a misconfiguration will present a vulnerability in and of itself. For example, using a default username and password is a great misconfiguration example; using default IP addresses, that type of thing. The challenge you've got to watch out for in your vulnerability assessment more than anything else is what are known as false positives. A false positive is simply when a vulnerability assessment goes, "Here's a problem," and the reality is it isn't a problem. It is part and parcel of any good vulnerability assessment tool.
But the more false positives you have to deal with, the less time you have to deal with real vulnerabilities. And it's kind of a balancing act between turning your sensors up to the point where you get too many false positives versus turning them down to where you miss real problems. Just be aware of the term false positive. The other interesting thing that takes place during a vulnerability assessment really has nothing to do with the vulnerabilities. What we're talking about is compliance. We have all kinds of laws and organizations out there that different people have to deal with when it comes to compliance.
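As an added illustration of that balancing act (this is not part of the original episode or any scanner's code), here is a small Python model over a constructed set of scan findings, each carrying the scanner's confidence score and whether an analyst later confirmed it; sweeping the reporting threshold shows false positives and missed real problems moving in opposite directions. Host names, plugin names and scores are all invented.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    plugin: str
    score: float      # scanner's confidence that the issue is real, 0.0 to 1.0
    confirmed: bool   # analyst verification result (constructed ground truth)


# Constructed sample findings; hosts, plugin names and scores are invented.
SAMPLE_FINDINGS = [
    Finding("web1", "default-credentials", 0.95, True),
    Finding("web1", "tls-weak-cipher", 0.70, True),
    Finding("db1", "sql-injection", 0.55, True),
    Finding("db1", "outdated-banner", 0.80, False),  # fix was backported, banner unchanged
    Finding("app2", "directory-listing", 0.40, False),
    Finding("app2", "default-ip-config", 0.60, False),
    Finding("fw1", "open-telnet", 0.90, True),
    Finding("fw1", "snmp-public-community", 0.30, True),
]


def triage(findings, threshold):
    """Report only findings at or above threshold; count the two kinds of error."""
    reported = [f for f in findings if f.score >= threshold]
    false_positives = sum(1 for f in reported if not f.confirmed)
    missed_real = sum(1 for f in findings if f.confirmed and f.score < threshold)
    return {
        "reported": len(reported),
        "false_positives": false_positives,
        "missed_real": missed_real,
    }


def sweep(findings, thresholds):
    """Turn the 'sensor' up and down and record the trade-off at each setting."""
    return {t: triage(findings, t) for t in thresholds}


def pick_threshold(findings, thresholds, max_missed):
    """Highest threshold (fewest false positives) that still misses no more than
    max_missed confirmed vulnerabilities; None if no setting qualifies."""
    ok = [t for t in thresholds if triage(findings, t)["missed_real"] <= max_missed]
    return max(ok) if ok else None


if __name__ == "__main__":
    for t, result in sweep(SAMPLE_FINDINGS, (0.3, 0.5, 0.75)).items():
        print(f"threshold {t:.2f}: {result}")
    print("chosen:", pick_threshold(SAMPLE_FINDINGS, (0.3, 0.5, 0.75), max_missed=1))
```

Raising the threshold from 0.3 to 0.75 cuts the false positives from three to one, but also drops three confirmed vulnerabilities from the report, which is exactly the trade-off the episode describes.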
Probably one of the biggest examples is PCI DSS. These are the folks who monitor credit card usage, and if you want to be a part of a credit card organization, if you want to use credit cards, or if you want to sell machinery that uses credit cards, you have to go through their compliance rules. Now, it's actually not that big of a deal, because a lot of tools handle it, and in fact this is where Nessus in particular does a great job. You can take that same vulnerability scanner and plug in what's called a PCI DSS compliance package, so it's not looking at the National Vulnerability Database anymore. Instead, what it's looking at is a rule set for PCI DSS compliance.
And it can be a very, very powerful tool. So when you're going to do a vulnerability assessment, just keep in mind that you've got a few basic tools, and for crying out loud, get authorized before you start anything.