Vulnerability Assessment

WHAT IS A VULNERABILITY ASSESSMENT

A vulnerability assessment, simply put, is a systematic review of the security weaknesses in an IT system or network.

 

Vulnerability management is an ongoing process that requires planning and buy-in from high-level management. You need to understand how to get visibility of your vulnerabilities, how to remediate issues identified in a timely fashion and how to track remedial tasks.

Trying to understand your security posture and your specific threat landscape can be a daunting task if you have never gone through this process before. You don’t know where to start, what to expect and, most importantly, what it is going to cost initially and what it will cost in the long run.

 
60% of breach victims said they were breached due to an unpatched known vulnerability where the patch was not applied


SERVICE NOW | PONEMON INSTITUTE
https://tinyurl.com/vulnerability-survey

The majority of security breaches are due to known vulnerabilities or known attack vectors; understanding where these issues lie and how to remediate them is key to an effective vulnerability management program.

Vulnerability assessments are a great cost-effective way to start identifying vulnerabilities in your applications, networks and systems.


Using best-of-breed automated scanning solutions, we scan all systems and services and evaluate them against all currently known vulnerabilities, quickly identifying any low-hanging fruit.

A comprehensive report is collated, containing an executive summary which gets right to the point of the associated risks and is consumable by anyone in the organisation regardless of their technical background, along with enough detail to allow you to understand the potential risks, and concise, clear guidance on how to carry out the remediation work.



 
62% were unaware that their organizations were vulnerable prior to the data breach

SERVICE NOW | PONEMON INSTITUTE
https://tinyurl.com/vulnerability-survey

 

 

Methodology

Using a combination of automated and manual testing, our consultants will conduct a thorough assessment of your infrastructure, identifying vulnerabilities that may be exploitable by both authenticated and unauthenticated users across your network.

The use of automated tools and in-depth knowledge of manual testing allows us to accurately and effectively assess your infrastructure, maximising the time available.

Assessments are conducted in line with the current standards and methodologies used in the industry, such as those outlined in the Penetration Testing Execution Standard (PTES). Using PTES as guidance, Laneden defines its approach in six phases:

  • Pre-engagement
  • Intelligence Gathering
  • Vulnerability Analysis
  • Exploitation
  • Post Exploitation
  • Reporting

 

Deliverables

  • Our consultants engage with the client to discuss the scope and make certain all is in order before the assessment begins.
  • Communications at the beginning and end of each assessment day, confirming that the assessment is starting or ending for the day.
  • Ongoing communications from the engaged engineer, highlighting any major issues as they come across them.
  • A comprehensive report containing an executive summary which gets right to the point of the associated risks and is consumable by anyone in the organisation regardless of their technical background.
  • Clear and concise information describing each issue to hand.
  • Technical references where relevant, allowing you to gather more information on the vulnerability if required.
  • Each vulnerability put into context and given a risk-based score: utilising CVSS 3 scoring and relevant context, you get a real picture of each associated risk.
  • Simple remediation advice, stating what is required to remediate the relevant vulnerability.

 

FREQUENTLY ASKED QUESTIONS

WHAT IS THE DIFFERENCE BETWEEN A PENETRATION TEST AND A VULNERABILITY ASSESSMENT

A vulnerability assessment is an automated scan that systematically inspects all hosts and services, looking to identify known vulnerabilities across the given scan range. A skilled engineer then confirms the findings and collates the results in a concise report.

A penetration test is rather different: the skilled engineer leading the engagement needs a breadth of knowledge and experience in information technology and its systems. They require the ability to think abstractly, to solve problems effectively and to anticipate the behaviour of a threat actor, constantly looking for ways to manipulate bad security practices and business processes. They actively look to exploit systems and processes in an attempt to exfiltrate data or compromise your business systems.

They then need to convey their exploitation of your systems and processes concisely and effectively, explaining not only their process for exploitation but also the means to remediate the risks they have identified, allowing the client to close their security gaps quickly before any malicious exploitation can be carried out.

 

WHAT IS A VULNERABILITY MANAGEMENT PROGRAM

A vulnerability management program is a framework for managing an organisation's risk associated with its threat landscape and security posture. This is achieved through processes and procedures that allow the effective identification, classification, confirmation and remediation of security concerns.

Identification
How the organisation will identify and track known vulnerabilities and changes to its threat landscape.

Classification
Understanding and classifying findings with a risk-based score that explains the true risk to the organisation allows effective prioritisation and triage of any findings.

Confirmation
Testing and confirming the mitigation of any remedial tasks allows the business to understand the risks associated with the identified corrective actions. Will the recommended remediation affect any BAU (business as usual) processes, causing downtime? Does the recommended remediation resolve the identified risk, or will you be applying hundreds of changes across your network for no reason, wasting money and, most importantly, time?

Remediation
Once confirmation is achieved, accurate remediation can be carried out with little risk to the organisation.

 

WHAT ARE THE BENEFITS OF A VULNERABILITY ASSESSMENT

  • Helps identify vulnerabilities and risks in your applications, systems and network
  • Helps validate the effectiveness of current security controls
  • Quantifies the risks associated with your applications, systems and network
  • The output provides steps to remediate identified flaws and helps prevent future malicious attacks
  • Validates the effectiveness of patches and security updates
  • Potential to identify systems compromised by malware
  • Helps to achieve and maintain compliance with regulatory bodies
  • Can be built into a vulnerability management program

 

 

HOW MUCH DOES A VULNERABILITY ASSESSMENT COST

Vulnerability assessment costs are based on the number of systems in scope. Generally speaking, a vulnerability assessment and the reporting of its findings takes two to three man-days to complete.

Please feel free to contact the Laneden team and have a no-obligation impartial discussion to get a better idea on the costs based on your specific requirements.

 
