Vulnerability Assessment

Vulnerability Assessment (VA) is the act of checking a security system for security flaws that might allow attackers to breach an organization's network.
Even though most organizations have already invested corporate resources in anti-virus software, firewalls, and perhaps an IDS, that is not enough to stop the growing sophistication and speed of emerging threats. Besides, modern network security involves sophisticated hardware and software settings that must be fine-tuned. Faulty setup and implementation of a firewall can compromise a network's security. An improperly configured operating system can leave an organization open to severe security problems from external or internal sources. This makes it very easy to inadvertently weaken the security of a network while acceding to apparently well-intended requests from users. VA helps pinpoint all such configuration problems and also identifies other vulnerabilities.
Vulnerability Assessment follows the simple concept of looking at the client's network from a hacker's perspective, but from inside the network. However, Vulnerability Assessment involves more than imagining attacks on the test network. The security holes discovered during the audit are documented, each vulnerability is prioritized according to risk, and recommendations are given for the implementation of appropriate fixes.
This exercise is carried out from inside the network, and focuses on the following:
- Configurations of firewalls, IDS, routers and switches.
- Identification of system-level vulnerabilities such as file permissions, user account properties, registry settings, etc.
- OS patch level.
- Antivirus software configuration and update schedule, etc.
Brief Methodology

The methodology consists mainly of two phases:
- Network-based testing through automated tools. (These tools work by automating a hacker's typical first step: trying to map your network. If the scanner finds any vulnerable services and applications, instead of exploiting them, the scanner reports them.)
- Detailed manual compliance testing. (Humans often discover more subtle security holes than automated VA tools. Computers are simply not smart enough yet to discover certain complicated, multi-step attack vectors, which can be easily spotted by a human tester.)

The security holes discovered during the audit are documented, each vulnerability is prioritized according to risk, and recommendations for implementation of the appropriate fixes are provided.
Activities

Deliverables - Vulnerability Assessment Report with recommendations