Vulnerability assessment is the process of identifying how vulnerable an infrastructure is to known vulnerabilities—the number one threat to all networks today. The threats/risks found in the vulnerability assessment are ranked and prioritized to expose the current security posture, and to facilitate the remediation process. The first assessment is a baseline snapshot illustrating current threats. The second and subsequent assessments are known as periodic or differential scans, and illustrate trending analysis that answers the question—is our security posture improving over time?
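As an added illustration of the baseline-versus-differential comparison described above (example code written for this page, not the provider's own tooling), the following script matches the findings of two scans, splits them into fixed, new and persistent issues, and weights open findings by severity to answer the trend question. The hosts, checks and severity weights are constructed sample data.

```python
# Added example: compare a baseline scan with a later differential scan and
# report whether the security posture is improving. All data is constructed.
from collections import Counter

# Assumed severity weights; a real engagement would rank by business impact.
SEVERITY_WEIGHT = {"critical": 10, "high": 5, "medium": 2, "low": 1}


def finding_key(f):
    # A finding is identified by host, port and the check that fired so the
    # same weakness is matched across scans regardless of report order.
    return (f["host"], f["port"], f["check"])


def diff_scans(baseline, current):
    """Split findings into fixed (gone), new (appeared) and persistent sets."""
    base = {finding_key(f): f for f in baseline}
    cur = {finding_key(f): f for f in current}
    return {
        "fixed": [base[k] for k in base.keys() - cur.keys()],
        "new": [cur[k] for k in cur.keys() - base.keys()],
        "persistent": [cur[k] for k in base.keys() & cur.keys()],
    }


def risk_score(findings):
    return sum(SEVERITY_WEIGHT[f["severity"]] for f in findings)


def trend(baseline, current):
    """Return a posture verdict plus the counts a differential report shows."""
    delta = diff_scans(baseline, current)
    before, after = risk_score(baseline), risk_score(current)
    verdict = "improving" if after < before else "stable" if after == before else "regressing"
    return {
        "verdict": verdict,
        "baseline_score": before,
        "current_score": after,
        "fixed": len(delta["fixed"]),
        "new": len(delta["new"]),
        "persistent": len(delta["persistent"]),
        "open_by_severity": dict(Counter(f["severity"] for f in current)),
    }


# Constructed sample scan results (private addresses, made-up checks).
BASELINE = [
    {"host": "10.0.0.5", "port": 443, "check": "TLS 1.0 enabled", "severity": "medium"},
    {"host": "10.0.0.5", "port": 80, "check": "Reflected XSS in search", "severity": "high"},
    {"host": "10.0.0.9", "port": 22, "check": "Outdated OpenSSH", "severity": "critical"},
]
CURRENT = [
    {"host": "10.0.0.5", "port": 443, "check": "TLS 1.0 enabled", "severity": "medium"},
    {"host": "10.0.0.12", "port": 8080, "check": "Default admin credentials", "severity": "high"},
]

if __name__ == "__main__":
    print(trend(BASELINE, CURRENT))
```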
It is important to understand that vulnerabilities exist across most systems and devices throughout the network. Typical assessments include targets that consist of network devices, operating systems, desktop applications, databases, Web applications, printers and almost any device that is attached to the network. Many organizations have specific assessment requirements. Our consultants work with customers to help define requirements and goals to ensure that the scope of work/deliverables exceeds expectations.
All of these questions can be answered by performing a Vulnerability Assessment. Our security experts can help you understand the security state of your organization from a general, broad perspective by performing a Vulnerability Assessment through which vulnerabilities and weaknesses are identified and pinpointed.
Because a Vulnerability Assessment is not as depth-focused as a Penetration Test, no actual exploitation takes place. This is helpful in situations where exploitation attempts are not desirable for technical, legal or business reasons.
HOW DO WE DIFFER
Our approach is business driven. Vulnerabilities are investigated, documented and reported according to the potential damage that may arise if they are exploited.
Most service providers rely purely on automated tools while executing their services. This is where we differ: we give equal importance to automated tools and manual testing, because automated vulnerability assessment tools cannot find serious flaws such as hidden SQL injection, XSS or RFI under every circumstance. Our manual effort goes into ensuring that a site is free from the flaws that remain undiscovered by automated tools.
Our methodology is based on the Open Web Application Security Project (OWASP) testing guide for tests on the (web) application level. We use a mixture of automated scans using open source as well as commercial tools, followed by a verification and deeper probing of the application by a highly skilled consultant. This pragmatic and cost-efficient approach is fully compliant with the requirements of international standards, such as:
- The Payment Card Industry (PCI) requires periodic automated scans and penetration tests on application and network level as well as source code review for payment applications;
- The Internet Banking and Technology Risk Management Guidelines (IB&TRM) of the Monetary Authority of Singapore (MAS) requires a mixture of countermeasures, including penetration tests and code reviews;
- ISO 27002 details that the capability of service providers must be assessed and that contracts must provide the right to monitor and audit. ISO 27002 further details that compliance checks include penetration tests and vulnerability assessments that may be executed by external experts.
Frequently Asked Questions
All assessments are fixed price. You know upfront what it will cost you. The more assessments of a single application that are ordered (e.g. a year contract for quarterly assessments), the cheaper each one becomes. Pricing is also influenced by whether the assessment can be done remotely (over the internet) or must be done locally at your premises. Another factor is whether the assessment must be done on the production server (potentially dangerous and requiring more attention and skill) or on a test system.
Yes, we do. Consultants do not scale well and there is a limit to how many attack vectors can be checked in a limited amount of time. Therefore tools are used. The security expert knows how to run those tools, knows their limitations and then fills in the gaps to complete the assessment. You want the consultant to spend their time looking for issues that are relevant to your business and that a scanner cannot detect.
We are perfectly capable of limiting our approach to the use of a scanner if this is your objective. Automated scans do have their use and might be required by certain compliance requirements.
Security measures regarding communication, reporting, and data security will be discussed at the kick-off of a project. Typically encryption will be used for all communication. Data gathered during an assessment is not unnecessarily kept and will be destroyed one month after the acceptance of the final report.
MAKE YOUR CHOICE
There are different types of application security assessments. Make your choice depending on your business objectives and your security and audit needs:
- Black Box Tests: Assumes zero prior knowledge of the system and no advance access to any accounts. This results in a view of how far, in a limited time, a malicious user or hacker can go. Note however that this is not a complete view: hackers are not limited by time, while the tester is.
- White Box Tests: Uses existing or newly created end-user accounts for additional access during testing. This gives an informed view of what an insider (user, consultant, outsourcer personnel) can do.
- Crystal Box Tests: Performed using an application administrator account to gain full access to the application.
Where applicable, tests are executed from three perspectives:
- Anonymous User: The test is executed from the perspective of an anonymous user with no or minimal knowledge of the target system. Focus points include the user logon authentication process, session management, and attempting to uncover other areas of the target application that may provide remote, unauthenticated, or unauthorized access.
- Authenticated User: This test is carried out from the perspective of a normal user's knowledge. Therefore a set of valid user login accounts and passwords is required. The focus is on checking authentication and authorization controls and procedures, roles, and limitations such as time restrictions and potential contamination (assuming the access rights of another user, viewing and modifying data of another user).
- Power User: Power users are users that have very specific, powerful access to the application but are not users of the application itself (e.g. system administrators, database administrators, operators, software maintainers, etc.). Focus is on access to the system logs, audit trails, configuration files and other possibly sensitive data on the system, and on potentially dangerous functions such as re-enabling user accounts, stealing credentials, or modifying evidence. We assess the prevention and detection capabilities of the system for such attacks and how the system audit trails provide evidence of the actions of power users.
Upon completion of the security test, a detailed report is sent to the client, including the following:
- Executive Summary: Summary of the purpose of this test, as well as a brief explanation of the threats facing the organization from a business perspective.
- Findings: A detailed, technical explanation of the findings of the tests, with steps and proofs of the findings.
- Conclusion & Recommendations: This section provides final recommendations and a summary of the issues found in the security test.