Tweet
A vulnerability assessment is a a process in place to examine the ability of a system or application, including existing security procedures and controls, to withstand an attack. The process recognizes, measures and classifies vulnerabilities in an computer system, network or available communication channels.
Some general types of vulnerability assessments exist:
Active Assessment
Uses a network scanner to find hosts, services and vulnerabilities.
Passive Assessment
This is a technique to capture or sniff the target network to find active systems, network services, applications and any vulnerabilities present.
Host Based Assessment
This kind of assessment determines the vulnerabilities in a specific host such as a workstation or a server.
Internal Assessment
This is a technique to scan the internal infrastructure to find any vulnerabilities or exploits available.
External Assessment
This process is in place to assess the network from an outside hacker's point of view to determine what vulnerabilities or exploits are available when accessed from outside the network.
Application Assessment
This assessment tests the web infrastructure for any misconfigurations and known vulnerabilities.
Network Assessment
This is in place to evaluate the network security and to uncover any vulnerabilities or exploits that may be available.
Wireless Network Assessment
This part attempts to determine any vulnerabilities in the wireless network.
Of course, stress testing, social engineering and any other aspect of security should be taken into consideration when planning and executing a vulnerability assessment.
Note that a Security Audit is a process for verifying if the organization in question is following a set of standard security policies and procedures. A Vulnerability Assessment focuses on discovering the vulnerabilities in information systems but provide no indication if these vulnerabilities can be exploited or the amount of damage that may result from a successful attack. A penetration test is a methodological approach to a security assessment that covers a security audit and a vulnerability assessment and demonstrates weather or not a given vulnerability can actually be exploited.
Some general types of vulnerability assessments exist:
Active Assessment
Uses a network scanner to find hosts, services and vulnerabilities.
Passive Assessment
This is a technique to capture or sniff the target network to find active systems, network services, applications and any vulnerabilities present.
Host Based Assessment
This kind of assessment determines the vulnerabilities in a specific host such as a workstation or a server.
Internal Assessment
This is a technique to scan the internal infrastructure to find any vulnerabilities or exploits available.
External Assessment
This process is in place to assess the network from an outside hacker's point of view to determine what vulnerabilities or exploits are available when accessed from outside the network.
Application Assessment
This assessment tests the web infrastructure for any misconfigurations and known vulnerabilities.
Network Assessment
This is in place to evaluate the network security and to uncover any vulnerabilities or exploits that may be available.
Wireless Network Assessment
This part attempts to determine any vulnerabilities in the wireless network.
Of course, stress testing, social engineering and any other aspect of security should be taken into consideration when planning and executing a vulnerability assessment.
Note that a Security Audit is a process for verifying if the organization in question is following a set of standard security policies and procedures. A Vulnerability Assessment focuses on discovering the vulnerabilities in information systems but provide no indication if these vulnerabilities can be exploited or the amount of damage that may result from a successful attack. A penetration test is a methodological approach to a security assessment that covers a security audit and a vulnerability assessment and demonstrates weather or not a given vulnerability can actually be exploited.