Vulnerability Assessment
A vulnerability assessment is a methodical analysis of security flaws in an information system. Sometimes, security experts do not know how to deal especially when it comes to recognize the results from its automated report. Yet, this process is a great value to an organization. It evaluates if the system is sensitive to known vulnerabilities, assigns severity levels to those vulnerabilities, and recommends remediation or mitigation, if and whenever needed.
Step by step method to start out an effective vulnerability assessment process.
1. Preliminary Assessment
- Risk appetite
- Risk tolerance level
- Risk mitigation practices and policies for each device
- Residual risk treatment
- Countermeasures for each device or service (if the service is correlated with the device)
- Business impact analysis
2. System Baseline Definition
- Information gathering
- Environment Review
- Banner Grabbing
3. Perform the Vulnerability Scan
- Best scan (i.e., popular ports)
- CMS web scan
- Quick scan
- Port scanning
- Firewall scan
- Stealth scan
- Aggressive scan
- Full scan, exploits and distributed denial-of-service (DDoS) attacks
- Open Web Application Security Project (OWASP) Top 10 Scan, OWASP Checks
4. Vulnerability Assessment Report Creation
- Captured Vulnerability Detail
- Detail from CVE database
- Concerned systems detail.
- Recommended approach
5. Remediation
- Identifying the potential gap between the results and the system baseline.
- Implementing measures to mitigate potential vulnerabilities.