Vulnerability assessments range from internal to external and may even consider non-technical security procedures. A vulnerability assessment inspects system configuration settings and other system objects for security policy violations.
| A vulnerability assessment enables an organization to be proactive in protecting their systems by locating security holes before attackers find and then attack them. |
It demonstrates the potential path an attacker could use to breach a network. It is important to note that the assessment results provide a snapshot of an organization's security system at that point in time. Future changes in configurations or even permissions may alter the assessment. New vulnerabilities are introduced in operating systems and applications that are patched and secure today.
InfoWire's vulnerability assessment involves a performance of network security scans.
The following steps outline InfoWire's baseline vulnerability assessment approach.
Assessment Setup Step–InfoWire staff meet with the organization's network personnel to obtain an overall picture of the computer network. InfoWire will verify the IP addresses and phone numbers to be included in the assessment and determine the test area and it’s scope, coordinate a testing schedule, and identify any other areas of concern that should be included in the vulnerability testing.
Web Infrastructure Configuration Review–The assessment results in conjunction with known Web server configuration vulnerabilities are identified that can make the Web servers more vulnerable to an external attack (e.g., Common Gateway Interfaces (CGI) scripts, incorrect permissions, needed software patches, etc.).
Comprehensive Policy and Procedure Review–Security policies and procedures are reviewed with concentration on relevant compliance standards appropriate for the organization. Key personnel are interviewed to identify operational security procedures and to assign weights to various threats.
Infrastructure and Configuration Review–The organization's network topology and the configuration of a representative portion of the organization's computers are reviewed. These computers are identified from the external and internal network scans, however, the organization make final decision as to which computers will be included in the configuration review.
