Vulnerability Assessment Process
Our method of conducting Vulnerability Assessment consists of 4 steps, which can effectively identify vulnerabilities most organizations have:
We will identify, analyse and map out the assets of the organization, including devices, their placement, network topology, and the importance of the devices to the IT infrastructure and network. This will provide a comprehensive overview of the IT assets in the organization.
2. System Information Gathering
Second, we will gather information about the systems before starting the Vulnerability Scanning. We will be review the ports, processes, services, and policies in the system to check for any misconfiguration that needs to be fixed. We will also require credentials of those devices to ensure the optimal performance of the Vulnerability Scanning.
3. Perform Vulnerability Scanning
In this step, we will use the information acquired from the previous steps to configure our proprietary scanner and then proceed to scan the system. The scan is divided into two types: external and internal.
External Scan will simulate how an attacker from outside your organization see and attempt to exploit the system.
Internal Scan, also known as scanning with credentials, will attempt to log on to each host on your network and collect additional detailed information about the host while it performs comprehensive vulnerability checks inside your network. Common checks include security updates, policy check, encryption and authentication…
Our Vulnerability Scanning follows many security standards and configurations (see below) that are guaranteed to produce desirable results.
- National Institute of Standards and Technology (NIST)
- Common Vulnerabilities and Exposures (CVE)
- Open Web Application Security Project (OWASP) Top 10
- Firewall Scan
- Full Port Scan
4. Summary Report
The final and most important step of the Vulnerability Assessment is the actual detection of vulnerabilities. This is done by utilizing a detection tool or vulnerability repository list in the previous step to identify the vulnerabilities on the assets listed earlier. This process generates reports, complete with scores and risk information. The final step of the phase is to use remediation tools to patch, configure, or debug assets to reduce or eliminate the security risks present from the vulnerabilities detected.
Here is an example of a risk we identified in our report:
Figure 4. Example of a vulnerability assessment report, which identifies the risk and scoring information for better understanding, and recommended solution to remediate the risk.
For organizations seeking to reduce their security risk, a Vulnerability Assessment is a good place to start. It provides a thorough, inclusive assessment of hardware and software assets, identifying vulnerabilities, providing an intuitive risk score, and solutions to remediate the vulnerabilities. A regular assessment program helps organizations to manage their risk in the face of an ever-evolving threat environment, identifying and scoring vulnerabilities so that attackers do not catch organizations unprepared.