Vulnerability Assessment is the systematic examination of an information system (IS) or product to determine the adequacy of security measures. It helps to identify security deficiencies, provide data from which one can predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation.
Need of VA & PT:
- To identify the present vulnerability that exist in your network, like missing patches, Buffer overflow
- Default user names and passwords, unused users, file/folder sharing found on the network.
Benefits of VA & PT:
- Enhanced ability to make effective security improvements to existing systems and applications.
- Enhanced ability to comply with regulatory requirements.
- More efficient allocation of available resources.
- Higher return on security investments.
- Can compare Network current posture with SANS TOP 20 vulnerabilities and other standards.
- Study the scope of IT architecture and components required for assessment.
- Determine the boundary of analysis.
- Specify people in charge of system resources and assigned tasks.
- Impact analysis for active scans, which includes assessment of service(s) or server(s) scans in online production.
- Formulating the processes and action plan for recuperating server’s operation.
- Estimate the scan process, based on the complexity of the target network (s) and hosts.
- Define the scan policy for each target. Scan policy to define the level of scan, Information gathering, Finger printing, Port scanning, Password analysis and Attack simulation.
- Scan the targeted network (s) and host (s), based on the defined scan policy, collect the scan results and analyze for security loopholes, configuration errors,
- Default installation settings, overlooked setups, password quality, firmware/software revisions, patch fixes, security policy violations etc.
- Comparing the configurations with industry standards and rating them.
- Submission of Assessment Reports with suggestions and recommendations to fix the vulnerabilities.