Vulnerability Assessment

Vulnerability assessment is a process whose objective is to evaluate the effectiveness of security policies; it is characterised by identifying, categorising and prioritising the vulnerabilities present in a system. All activities are recorded and documented, together with an analysis of the risk and impact of exploiting the vulnerabilities found. It is important to keep in mind that this service suffers from degradation: handling what a VA performed today brings to light takes weeks, if not months, and since new vulnerabilities are published every day there is a risk that, by the time the work is done, one has to start over.

The first step for the analyst is to check for known vulnerabilities and for proper configuration of the systems, for example that TCP/UDP ports and services not covered by the client's security policies are disabled. The service is carried out with the help of dedicated tools that automatically scan the assets' network ports for active services, because good preparation of the activity starts with verifying what is actually present among the client's assets.

The main tool used by the team is the vulnerability scanner, a commercial program designed to search for and catalogue weaknesses in systems such as servers, clients, applications and network equipment, scanning the entire corporate surface, internal and external. At the end of the work the consultant prepares two reports: one for the board, also called the Executive Report, which bears the responsibility, and a more technical one intended for the client's IT staff. The reports list the types of vulnerabilities found and the damage the client would suffer if an attacker exploited them. It is good practice to review the results together with the client, and it is essential to draw up a mitigation plan: updating systems where possible and, where that is not possible, segmenting them or introducing solutions aimed at protecting the assets.
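As an added illustration, not part of the service description above, the following Python sketch shows the identify, categorise and prioritise step for the policy check and the two reports described here: constructed scanner rows are compared against an assumed client policy of permitted services, known-vulnerability and configuration findings are ranked by score, and the same list is summarised for the board and listed in detail for IT staff. The policy, the scan rows and the 6.0 baseline score for a policy violation are assumptions made for the example.

```python
from collections import Counter, namedtuple
# Constructed client policy: the TCP/UDP services each host is allowed to expose.
# Any open port not listed here becomes a configuration finding.
POLICY = {
    "10.0.0.5": {("tcp", 22), ("tcp", 443)},
    "10.0.0.9": {("tcp", 443)},
}
# Constructed scanner output rows: (host, proto, port, service, issue or None, score 0-10).
SCAN = [
    ("10.0.0.5", "tcp", 22, "ssh", "outdated SSH server version", 7.5),
    ("10.0.0.5", "tcp", 23, "telnet", "cleartext login service", 8.0),
    ("10.0.0.5", "tcp", 443, "https", "TLS 1.0 still enabled", 5.3),
    ("10.0.0.9", "tcp", 443, "https", None, 0.0),
    ("10.0.0.9", "udp", 161, "snmp", "default community string", 9.0),
]
# Assumed baseline score for a service that violates the client's policy.
POLICY_VIOLATION_SCORE = 6.0
Finding = namedtuple("Finding", "host proto port category title score")

def rating(score):
    """Map a 0-10 score onto the severity bands used in the reports."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low" if score > 0.0 else "info"

def assess(scan, policy):
    """Identify, categorise and prioritise findings from raw scan rows."""
    findings = []
    for host, proto, port, service, issue, score in scan:
        if (proto, port) not in policy.get(host, set()):
            findings.append(Finding(host, proto, port, "configuration",
                                    f"{service} exposed but not permitted by policy",
                                    POLICY_VIOLATION_SCORE))
        if issue:
            findings.append(Finding(host, proto, port, "known-vulnerability", issue, score))
    # Highest score first, so the mitigation plan starts from the top of the list.
    findings.sort(key=lambda f: (-f.score, f.host, f.port))
    return findings

def executive_summary(findings):
    """Board-level view: number of findings per severity band."""
    return dict(Counter(rating(f.score) for f in findings))

def technical_report(findings):
    """IT-staff view: one prioritised line per finding."""
    return [f"{rating(f.score):>8}  {f.host}:{f.port}/{f.proto}  {f.category}: {f.title}"
            for f in findings]
```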