Vulnerability Assessment

No matter how well developed a website or application is it can still be vulnerable to attack, there can still be unknown security risks. These risks are realised more and more today as hacking and exploitation becomes more prevalent. The only way to ensure the risks are known is to conduct a Vulnerability Assessment.

A Vulnerability Assessment is performed in consideration of both the target web site or application and the network it is hosted on. The assessment evaluates what threats exist and the current defenses and remediation strategies.

Whereas audits focus on measuring compliance to policy & standards that are relatively static, assessments are more dynamic, conducted to evaluate current & emerging threats.

Performing a Vulnerability Assessment

As with Audits, a Vulnerability Assessment is usually conducted against a live network, however the auditor may or may not have knowledge of the system under test and may not have privileged credentials. This is dependent on whether you want testing to be done solely from the 'outside', like an attacker would or also 'inside', which is more thorough and is recommended.

The assessment will be carried out using commercial applications, in-house developed tools, bespoke scripts and manual exploratory testing, using a range of real world attack techniques and relevant vectors. A comprehensive Vulnerability Assessment Report should be created that shows the exact details of the vulnerability and its recommended remediation.

Note: Vulnerabilities are not exploited as this can compromise live systems.

Liked this post?

Say thanks by Following the blog or subscribing to the YouTube Channel!

Read More

Patch Auditing and Compliance

The number of systems that are connected to any network can be extensive and keeping them secure an on-going task. Whether you network has desktop systems running Windows or Linux with their host of applications, web, email or database servers - they all get patched.

Patches and security hot-fixes are provided on an on-going and ad-hoc basis by multiple vendors, at different times and for different reasons, it can be a difficult job ensuring everything is secure from the latest security risks.

Given the frequency of patches a Patch Audit needs to be conducted at agreed intervals. This should be in-line with vendor patch cycles and your Patch Management Process, but also conducted when needed in response to unplanned critical patch releases.

The patch audit will help ensure that your network is properly protected and that users of desktop systems are taking up patches and updates as required.

Performing a Patch Audit

As with a Compliance Audit, Patch auditing is usually conducted against a live network, by an auditor with full access to the network so they can acquire correct results. The audit is performed mainly with the use of automated tools, however manual assessment of compliance is always required, to ensure complete and efficient auditing.

A comprehensive Patch Audit Report will be provided that shows whether audit results are as expected. If not, then guidance is given on what needs to be corrected and a follow-up audit performed.

When the audit shows the patch status is as expected, the auditor will provide a clear notification and detail the supporting evidence. This can then be used by you to inform any external party who require you to demonstrate adherence to your Patch Management Process.

Thoughts? Send a message!

Mark

Liked this post?

Say thanks by Following the blog or subscribing to the YouTube Channel!

Read More