Overview
Vulnerability Assessments provide valuable insight into where there may be security holes in your organization that need to be addressed. Vulnerability Assessments, or VAs, are assembled by running scanners against your network and infrastructure. The results of these scans are then assembled into an easy-to-understand report describing how the issues can be remediated.
Vulnerability Assessments test for a variety of problems such as server or service misconfiguration, known vulnerabilities (CVEs), or missing software patches. During a VA, there is no attempt to actively exploit a security hole. Potential issues are gathered, given a severity ranking and assembled into a report that is provided to the client.
Why Do Vulnerability Assessments?
Vulnerability Assessments provide a very cost-effective way to assess the technical security of your environment. The relatively low cost of a VA, paired with the fact that the scans are unlikely to have any adverse effect on your network, makes them easy for most organizations to run on a regular basis.
How Do They Work?
Prior to the assessment, we will sit down with a potential client to discuss the scope and what type of information they are looking for from the report. Vulnerability Assessments are typically run against computers from within the Local Area Network (or "behind the firewall"), though they can also be run against computers over the internet, which more accurately shows the information a would-be attacker would be able to obtain. Once the scope is defined, we will typically run scans with multiple tools to ensure all items are covered. A report is then assembled listing each potential vulnerability, a severity level for each item and a brief description of how to mitigate the vulnerability.
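As an added illustration of the "scan with multiple tools, then assemble a severity-ranked report" step (example code written for this page, not the page's own tooling or any real scanner's export format): the script below merges two constructed CSV exports from hypothetical scanners, de-duplicates the same issue reported by both tools on the same host and port, labels each finding with the standard CVSS v3 qualitative rating band, and orders the report most-severe first. The column names, the scanner names "scanner_a" and "scanner_b", the RFC 1918 hosts and the CVE-style ids are all assumptions or placeholders, not real identifiers.

```python
import csv
import io
from collections import OrderedDict

# Constructed sample exports from two hypothetical scanners. The CVE ids are
# placeholders (not real identifiers) and the hosts are private addresses
# chosen for the example.
SCANNER_A = """host,port,cve,cvss,title,fix
10.0.0.5,22,CVE-0000-PLACEHOLDER1,7.5,Outdated SSH daemon,Update the SSH package
10.0.0.5,443,CVE-0000-PLACEHOLDER2,9.8,Vulnerable TLS library,Apply vendor patch
10.0.0.7,80,,5.3,Directory listing enabled,Disable autoindex in the web server
"""

SCANNER_B = """host,port,cve,cvss,title,fix
10.0.0.5,22,CVE-0000-PLACEHOLDER1,7.5,SSH daemon out of date,Upgrade OpenSSH
10.0.0.9,3389,,0.0,RDP service detected,Informational only
10.0.0.7,80,,5.3,Directory listing enabled,Disable autoindex in the web server
"""

SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "Informational"]


def severity_from_cvss(score):
    """Map a CVSS v3 base score onto the standard qualitative rating bands."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "Informational"


def parse_scanner_csv(text, source):
    """Read one scanner's CSV export into a list of normalised finding dicts."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        findings.append({
            "host": row["host"].strip(),
            "port": int(row["port"]),
            "cve": row["cve"].strip() or None,
            "cvss": float(row["cvss"]),
            "title": row["title"].strip(),
            "fix": row["fix"].strip(),
            "sources": {source},
        })
    return findings


def merge_findings(*scanner_outputs):
    """Merge findings from several scanners, de-duplicating the same issue on
    the same host and port. A CVE id is the preferred key; findings without
    one fall back to the lower-cased title."""
    merged = OrderedDict()
    for text, source in scanner_outputs:
        for f in parse_scanner_csv(text, source):
            key = (f["host"], f["port"], f["cve"] or f["title"].lower())
            if key in merged:
                existing = merged[key]
                existing["sources"] |= f["sources"]
                # If the tools disagree on the score, keep the higher one.
                existing["cvss"] = max(existing["cvss"], f["cvss"])
            else:
                merged[key] = f
    return list(merged.values())


def build_report(findings):
    """Attach a severity label and order the report most-severe first,
    then by host and port for a stable layout."""
    for f in findings:
        f["severity"] = severity_from_cvss(f["cvss"])
    return sorted(findings,
                  key=lambda f: (SEVERITY_ORDER.index(f["severity"]),
                                 f["host"], f["port"]))


def format_report(findings):
    """Render one line per finding: severity, host:port, title, reference,
    score, remediation and which scanners reported it."""
    lines = []
    for f in findings:
        ref = f["cve"] or "no CVE"
        lines.append(
            f"[{f['severity']:<13}] {f['host']}:{f['port']} {f['title']} "
            f"({ref}, CVSS {f['cvss']}) - fix: {f['fix']} "
            f"[seen by: {', '.join(sorted(f['sources']))}]")
    return "\n".join(lines)


if __name__ == "__main__":
    merged = merge_findings((SCANNER_A, "scanner_a"), (SCANNER_B, "scanner_b"))
    print(format_report(build_report(merged)))
```

The de-duplication key deliberately prefers the CVE id over the title, because two tools usually describe the same CVE with different wording; a finding without a CVE only collapses when both tools use the identical title, so such items still need a manual pass before the report goes out.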
How Do These Compare To Penetration Tests?
A frequently asked question is how Vulnerability Assessments compare to Penetration Tests. There are a few notable differences between the two.
Pricing - Vulnerability Assessments are priced based on the number of IP addresses that will be assessed. Penetration Testing is priced based on the estimated number of hours that will be required for the engagement.
Involvement - Penetration Tests tend to be much more involved than a Vulnerability Assessment. Penetration Tests will typically look to actively exploit security holes to gain access to a system, whereas Vulnerability Assessments do not attempt exploitation.
Stealth - Acting in a stealthy manner is not typically a high priority for Vulnerability Assessments, and as such Intrusion Prevention / Intrusion Detection systems are sometimes alerted. Penetration Testing is performed in a much more stealthy manner so as to attempt to elude your IPS / IDS systems, giving a more accurate representation of what an attacker would be capable of.