If you were to perform a vulnerability assessment of your home, you would likely check each door to see if it is closed and locked. You would also check every window, making sure that each one is closed and locked.
This same concept applies to systems, networks, and electronic data. Malicious users are the thieves and vandals of your data. Focus on their tools, mentality, and motivations, and you can then react swiftly to their actions.
Namtek’s vulnerability assessment identifies, quantifies, and prioritizes vulnerabilities. We adhere to a multi-phase process that includes cataloging system assets and capabilities, and assigning a hierarchical risk-value to those resources. Further, we identify the vulnerabilities or potential threats to each resource, and develop a plan to mitigate or eliminate prioritized vulnerabilities.
Given time, resources, and motivation, a hacker can break into nearly any system. At the end of the day, all of the security procedures and technologies currently available cannot guarantee that any systems are safe from intrusion. Routers help secure gateways to the Internet. Firewalls help secure the edge of the network. Virtual Private Networks safely pass data in an encrypted stream. Intrusion detection systems warn you of malicious activity. However, the success of each of these technologies is dependent upon a number of variables.
A vulnerability assessment is an internal audit of your network and system security, the results of which indicate the confidentiality, integrity, and availability of your network.
Typically, vulnerability assessment starts with a reconnaissance phase, during which important data regarding the target systems and resources is gathered. This phase leads to the system readiness phase, whereby the target is essentially checked for all known vulnerabilities.
What is a Vulnerability Assessment?
A vulnerability assessment is the process of identifying and quantifying security vulnerabilities in an environment. It is an in-depth evaluation of your information security posture, indicating weaknesses as well as providing the appropriate mitigation procedures required to either eliminate those weaknesses or reduce them to an acceptable level of risk.
A Vulnerability Assessment Should Include the Following
- Catalog assets and resources
- Assign quantifiable value and importance to the resources
- Identify the security vulnerabilities or potential threats to each resource
- Mitigate or eliminate the most serious vulnerabilities for the most valuable resources
How Does This Compare to Penetration Testing?
What is Penetration Testing?
Depending on the scope, a pen test can expand beyond the network to include social engineering attacks or physical security tests. There are two primary types of pen tests: “white box”, which uses vulnerability assessment and other pre-disclosed information, and “black box”, which is performed with very little knowledge of the target systems, leaving the tester to perform their own reconnaissance.
Penetration Testing Follows These General Steps
- Determination of scope
- Targeted information gathering or reconnaissance
- Exploit attempts for access and escalation
- Sensitive data collection testing
- Clean up and final reporting
A penetration test usually follows a vulnerability assessment.