What is Vulnerability Assessment and why do we do it?
An asset can be compromised through a weakness present in that asset.
An asset is either a system or an application.
A system can be any network device, operating system, mobile device, etc.
Applications can be web, API, mobile, thick client, thin client, cloud, blockchain, IoT, SCADA, etc.
A vulnerability assessment, therefore, is a search for weaknesses and exposures in your IT assets so that a patch or fix can be applied before they lead to a compromise.
Qseap's vulnerability assessment framework is tailored to the particular asset or list of assets being tested.
qSEAp's methodology of vulnerability assessment.
Vulnerability assessment favours breadth over depth; it helps:
- To understand the security exposure of the system or application.
- To define the level of risk that exists on the network.
- To establish a business risk/benefit curve and optimize security investments.
- To identify any organizational security requirements that are not met, and other security weaknesses that should be addressed.
- To meet requirements to periodically assess systems.
Methodology of Vulnerability Assessment
Qseap Infotech follows a hybrid VA methodology based on the guidelines published by SANS, NIST, PCI-DSS, OWASP and CIS.
Vulnerability assessment can be done manually, with automated scanning tools, or with a combination of both.
A vulnerability assessment can be broken down into four steps:
- Initial assessment
  - Identify the assets in scope.
  - Understand the importance of each asset in use and its associated risk.
  - Risk can be determined from several factors, such as:
    - Accessibility over a public or private network
    - Roles present in the application
    - Related business processes, etc.
- Creating a baseline
  - For each asset in the scope of the vulnerability assessment, it is necessary to understand whether its configuration adheres to security best practices.
  - Common configuration factors that the baseline must include:
    - Checking the OS version, service packs, etc.
    - Checking for unnecessary services and open ports, etc.
- Performing a vulnerability scan
  - A vulnerability scan may be done using open-source or paid tools.
  - It can be either an authenticated or an unauthenticated scan, depending on the asset in scope.
  - Vulnerability assessments are done purely from the perspective of maintaining a good security posture. However, where specific regulatory or industry security requirements apply, the vulnerability scan must be chosen so that it meets those mandates, e.g.:
    - For web application VA, the OWASP Top 10 is preferred.
    - For payment-card-related VA, PCI-DSS is used.
- Reporting
  - Reporting is crucial as it outlines the results of the scan, the risk and importance of the assets scanned, and the next steps that must be taken.
  - Qseap's vulnerability assessment report format covers the detailed scope, the issues discovered, detailed steps to reproduce each issue, mitigations, and references, which together help the client understand their current security posture.
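To show how the four steps above fit together in practice, here is an added example (not Qseap's own tooling) that walks a constructed asset inventory through the methodology: it rates each asset's risk from the initial-assessment factors (public accessibility, number of roles, business process), checks the asset against a hypothetical configuration baseline (supported OS versions, allowed listening ports), and emits the scope, findings, severity and mitigation fields a report needs. All asset names, baseline values and weights are made up for illustration.

```python
"""Baseline check and risk rating over a constructed VA inventory.

Added illustration, not Qseap's tooling. Baseline values, weights and
asset records are hypothetical; a real engagement would load them from
the agreed scope document and the scanner's output.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Hypothetical baseline of approved configuration per OS family.
BASELINE: Dict[str, dict] = {
    "windows": {
        "supported_versions": {"Windows Server 2019", "Windows Server 2022"},
        "allowed_ports": {443, 3389},
    },
    "linux": {
        "supported_versions": {"Ubuntu 22.04", "RHEL 9"},
        "allowed_ports": {22, 443},
    },
}

SEVERITY_ORDER = {"High": 0, "Medium": 1, "Low": 2}


@dataclass
class Asset:
    name: str
    os_family: str
    os_version: str
    open_ports: Set[int]
    public: bool            # reachable from a public network
    roles: int              # distinct application roles present
    business_process: str   # related business process, e.g. "payments"


@dataclass
class Finding:
    asset: str
    issue: str
    severity: str
    mitigation: str


def risk_rating(asset: Asset) -> str:
    """Initial assessment: weight the risk factors into High/Medium/Low."""
    score = 0
    if asset.public:
        score += 2      # public exposure widens the attacker population
    if asset.roles > 1:
        score += 1      # more roles means more privilege boundaries
    if asset.business_process == "payments":
        score += 2      # regulated, high-value process (PCI-DSS scope)
    return "High" if score >= 4 else "Medium" if score >= 2 else "Low"


def baseline_findings(asset: Asset) -> List[Finding]:
    """Creating a baseline + scan: compare the asset with its approved profile."""
    profile: Optional[dict] = BASELINE.get(asset.os_family)
    severity = risk_rating(asset)
    if profile is None:
        # An asset with no baseline cannot be judged; report that as a gap.
        return [Finding(asset.name, f"No baseline defined for OS family "
                        f"'{asset.os_family}'", severity,
                        "Define an approved configuration before scanning")]
    findings: List[Finding] = []
    if asset.os_version not in profile["supported_versions"]:
        findings.append(Finding(asset.name,
                                f"Unsupported OS version {asset.os_version}",
                                severity,
                                "Upgrade to a supported version and apply "
                                "current service packs/patches"))
    for port in sorted(asset.open_ports - profile["allowed_ports"]):
        findings.append(Finding(asset.name,
                                f"Unnecessary service listening on port {port}",
                                severity,
                                "Disable the service or restrict it with "
                                "host/network firewall rules"))
    return findings


def build_report(assets: List[Asset]) -> dict:
    """Reporting: scope, findings ordered by severity, and next steps."""
    findings: List[Finding] = []
    for asset in assets:
        findings.extend(baseline_findings(asset))
    findings.sort(key=lambda f: SEVERITY_ORDER[f.severity])  # stable sort
    return {"scope": [a.name for a in assets], "findings": findings}


# Constructed sample inventory (hypothetical hosts).
SAMPLE_ASSETS: List[Asset] = [
    Asset("pay-web-01", "windows", "Windows Server 2012", {443, 3389, 445},
          public=True, roles=3, business_process="payments"),
    Asset("hr-db-01", "linux", "Ubuntu 22.04", {22, 443, 5432},
          public=False, roles=1, business_process="internal-hr"),
    Asset("intranet-web", "linux", "RHEL 9", {22, 443},
          public=False, roles=2, business_process="intranet"),
]

if __name__ == "__main__":
    report = build_report(SAMPLE_ASSETS)
    print("Scope:", ", ".join(report["scope"]))
    for f in report["findings"]:
        print(f"[{f.severity}] {f.asset}: {f.issue} -> {f.mitigation}")
```

Running it prints the public, payments-related host first with two High findings (an unsupported OS and an unexpected listener on port 445), then the internal database host's Low finding; the intranet host matches its baseline and produces nothing. The severity of a finding is driven by the asset's risk rating rather than by the finding alone, which is what lets the report answer "which of these do we fix first?".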
Vulnerability assessment vs Penetration Testing
- A vulnerability assessment normally forms the first part of a penetration test. The additional step in a penetration test is the exploitation of any detected vulnerabilities to confirm that they exist and to determine the damage that could result from their exploitation and the resulting impact on the organization.
- Penetration testing is usually done once a year, or whenever a critical or Internet-facing asset undergoes a major change, whereas vulnerability assessment is done at least quarterly for continuous detection of potential vulnerabilities.
- Penetration testing is usually performed by experts with a strong security skill set.
- Qseap has consultants with the skill set to perform both vulnerability assessment and penetration testing.