A Vulnerability Assessment, also known as Vulnerability Testing, attempts to discover security issues within applications or infrastructure the way a penetration test does. However, a vulnerability assessment does not verify the existence of a vulnerability by attempting exploitation. Instead, as much evidence as possible is gathered to support the finding without attempting exploitation. There are two types of vulnerability assessment, manual and automated, defined below.
A Manual Vulnerability Assessment follows our penetration testing methodology and is performed manually by a consultant in much the same way our manual penetration testing is performed. However, during a vulnerability assessment the exploitation phase is removed from the test. Without the exploitation phase, verification of most discovered vulnerabilities is not possible. The consultant will provide as much evidence as possible to support the existence of the vulnerability, but no attempt to exploit discovered vulnerabilities is made, and without exploitation pivoting is not possible.
An automated vulnerability test is performed by software and, like a manual assessment, does not perform exploitation. This type of testing is typically more prone to false positives than a manual assessment, as findings are not assessed by a consultant and do not have the strength of a consultant's experience and knowledge to rule out false positives. Automated testing does have some advantages: it is fast, cheaper, and provides a baseline of the overall standard of a network from a security perspective.
Aptive offers custom automated vulnerability scanning performed weekly or monthly, allowing for regular checks of both legacy and newly discovered vulnerabilities. This service is designed to complement regular penetration testing. Without regular security auditing of your systems there is no way of knowing if your organisation has vulnerabilities exposed. For example, a legacy machine could have been booted and, due to incorrect firewall policies, could be accessible to the outside world. Your organisation would have no way of knowing this risk existed without regular security auditing.
Regular scanning can help detect changes and automatically scan for newly discovered vulnerabilities. This service complements our penetration testing services.
Payment Card Industry Data Security Standard (PCI DSS) compliance requires that merchants accepting credit cards conduct quarterly vulnerability scans (every 3 months) of their environment, both internally and externally.
External vulnerability testing is performed from outside of your organisation’s network and must include all of your external IP addresses. Regular external vulnerability testing helps identify exposed vulnerabilities and complements the annual penetration testing also required for PCI DSS compliance.
Internal vulnerability scans must take place from a number of locations within your network to test the security of all systems within the cardholder data environment (CDE). Internal VA provides an internal overview of the state of security within your network and identifies flaws that an attacker could potentially exploit after gaining access to your internal network.
Vulnerability scans must be performed at least on a quarterly basis. Additional scans are required whenever there are significant infrastructure changes to your cardholder data environment.
If your organisation has never had a penetration test before, a vulnerability assessment is a good starting point to gain an overview of your network security. Below are some of the primary advantages of a vulnerability test:
Additionally, quarterly vulnerability assessments are a requirement for PCI DSS, which must be performed every 3 months (4 times a year).
Regular vulnerability assessments can help detect changes and automatically scan for newly discovered vulnerabilities. This service complements our manual penetration testing services.
Vulnerability testing helps identify potential security vulnerabilities without attempting to exploit the system. On a manual vulnerability test the consultant will provide as much evidence as possible to back up the finding. However, because the vulnerability cannot be exploited, truly verifying whether a system is exploitable through a discovered vulnerability is not possible.
Manually combining discovered security issues to produce a higher-severity vulnerability, or in some cases a compromise, is not possible with a vulnerability assessment.
Advancement, commonly known as “pivoting”, is also not possible on a vulnerability assessment: no machines are compromised, so none can be used as network entry points.