Vulnerability Assessment Services

An overview of Aptive’s Vulnerability Assessment Services.

What is a Vulnerability Assessment?

A Vulnerability Assessment, also known as Vulnerability Testing, attempts to discover security issues within applications or infrastructure the way a penetration test does. However, a vulnerability assessment does not verify the existence of a vulnerability by attempting exploitation. Instead, as much evidence as possible is gathered to support the finding without attempting exploitation. There are two types of vulnerability assessment, manual and automated, defined below.

Manual Vulnerability Testing

A Manual Vulnerability Assessment follows our penetration testing methodology and is performed manually by a consultant in much the same way as our manual penetration testing. However, during a vulnerability assessment the exploitation phase is removed from the test. Without the exploitation phase, verification of most discovered vulnerabilities is not possible. The consultant will provide as much evidence as possible to support the existence of the vulnerability, but no attempt to exploit discovered vulnerabilities is made, and without exploitation pivoting is not possible.

Automated Vulnerability Assessment

An automated vulnerability test is performed by software and also does not perform exploitation. Typically this type of testing is more prone to false positives than a manual assessment, as findings are not assessed by a consultant and do not have the strength of a consultant’s experience and knowledge to rule out false positives. Automated testing does have some advantages: it’s fast, cheaper and provides a baseline of the overall standard of a network from a security perspective.

Aptive offer custom automated vulnerability scanning performed weekly or monthly, allowing for regular checks of both legacy and newly discovered vulnerabilities. This service is designed to complement regular penetration testing. Without regular security auditing of your systems there is no way of knowing if your organisation has vulnerabilities exposed. For example, a legacy machine could have been booted and, due to incorrect firewall policies, could be accessible to the outside world. Your organisation would have no way of knowing this risk existed without regular security auditing.

Regular scanning can help detect changes and automatically scan for newly discovered vulnerabilities. This service complements our penetration testing services.

PCI DSS Vulnerability Assessment

The Payment Card Industry Data Security Standard (PCI DSS) requires that merchants accepting credit cards conduct quarterly vulnerability scans (every 3 months) of their environment, both internally and externally.

What type of Vulnerability Assessment does PCI DSS require?

PCI DSS External Vulnerability Assessment

External vulnerability testing is performed from outside of your organisation’s network and must include all of your external IP addresses. Regular external vulnerability testing helps identify exposed vulnerabilities and complements the annual penetration testing also required for PCI DSS compliance.

PCI DSS Internal Vulnerability Assessment

Internal vulnerability scans must take place from a number of locations within your network to test the security of all systems within the cardholder data environment (CDE). Internal VA provides an internal overview of the state of security within your network and identifies flaws that an attacker could potentially exploit after gaining access to your internal network.

How often are PCI DSS vulnerability scans required?

Vulnerability scans must be performed at least on a quarterly basis. Additional scans are required whenever there are significant infrastructure changes to your cardholder data environment.

Vulnerability Assessment Services

Below are Aptive’s vulnerability testing services:

  • External Vulnerability Testing
  • Internal Vulnerability Testing
  • Vulnerability Assessment and Penetration Testing (VAPT)
  • Automated Vulnerability Testing Service
  • Manual Vulnerability Testing
  • Vulnerability Management Service

Why Perform a Vulnerability Assessment?

If your organisation has never had a penetration test before, a vulnerability assessment is a good starting point to gain an overview of your network security. Below are some of the primary advantages of a vulnerability test:

  • Reduced cost compared to manual penetration testing
  • Faster results (typically) than penetration testing
  • Can be run regularly to assess internal / external network vulnerabilities
  • Reduced risk compared to penetration testing
  • Compliance standards such as Cyber Security Essentials require an external vulnerability assessment
  • Help identify vulnerabilities on your network

Additionally, quarterly vulnerability assessments are a requirement for PCI DSS, which must be performed every 3 months (4 times a year).

Regular vulnerability assessments can help detect changes and automatically scan for newly discovered vulnerabilities. This service complements our manual penetration testing services.

Vulnerability Assessment vs Penetration Testing

Vulnerability assessments and penetration testing services have the same common goal: to identify security issues and vulnerabilities and deliver these findings to the client in a severity-ordered report. However, there are some significant differences, outlined below:

False Positives

Vulnerability testing helps identify potential security vulnerabilities without attempting to exploit the system. On a manual vulnerability test the consultant will provide as much evidence as possible to back up the finding. However, because the vulnerability cannot be exploited, truly verifying whether a system is exploitable through a discovered vulnerability is not possible.

Manually combining vulnerabilities

Manually combining discovered security issues to leverage a more severe vulnerability or, in some cases, a compromise is not possible with a vulnerability assessment.

Advancement

Advancement, commonly known as “pivoting”, is also not possible on a vulnerability assessment: because no machines are compromised, none can be used as network entry points.