Vulnerability Assessment Methodology

    The first phase of a vulnerability assessment is the Acquisition phase, in which you collect the documents required to:
    • Review laws and procedures related to network vulnerability assessment.
    • Identify and review documents related to network security.
    • Review the list of previously discovered vulnerabilities.

    The second phase is the Identification phase and contains the following tasks:
    • Conduct interviews with customers and employees involved in system architecture design and administration.
    • Gather technical information about all network components.
    • Identify the industry standards with which the network security must comply.

    The third phase is the Analysis phase, which follows up on the previous steps:
    • Review interviews.
    • Analyze the results of previous or recent vulnerability assessments.
    • Analyze security vulnerabilities and identify risks.
    • Perform threat and risk analysis.
    • Analyze the effectiveness and usefulness of existing security controls.
    • Analyze the effectiveness of existing security policies.

    The fourth phase is the Evaluation phase:
    • Determine the probability of exploitation of identified vulnerabilities.
    • Identify the gaps between existing and required security measures or mitigations.
    • Determine the controls required to mitigate the identified vulnerabilities.
    • Identify upgrades required to the network vulnerability assessment process.

    The fifth phase is Report Generation. The results of the analysis must be presented in a draft report, which should then be evaluated.
    This report should contain:
    • Tasks performed by each team member.
    • Methods used and findings.
    • General and specific recommendations.
    • Terms used and their definitions.
    • Information collected from all phases.

    All documents should be stored in a central database for generating the final report.