A vulnerability assessment uses automated scanners to examine the devices on your network and identify any security vulnerabilities that are present. By performing these scans, you are actively working to safeguard yourself and your business by identifying security vulnerabilities before malicious actors can exploit them.
Vulnerability scanners work by scanning the devices selected in the scope of the test. When probing the network, they look at what services each device presents to the scanner. The scanner then reads the version and banner information each service returns when interrogated and references it against a database of known vulnerabilities.
If a threat is found, it is usually rated against the standard scoring system, CVSS. CVSS scores range from 0 to 10, with 0 being informational and 10 being critical.
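The banner-to-database lookup described above, as an added illustration that is not part of InfoSec Governance's tooling: the service banners, product version ranges and VULN-EXAMPLE identifiers are all constructed placeholders, and the severity bands are the CVSS v3.x qualitative ratings.

```python
import re

# Constructed vulnerability database for illustration only: the identifiers,
# version ranges and scores are placeholders, not real advisories.
# Each entry: (product, first vulnerable version, first fixed version, id, CVSS base score)
VULN_DB = [
    ("OpenSSH", (7, 0), (7, 4), "VULN-EXAMPLE-001", 5.3),        # fixed in 7.4, so 7.4p1 is clean
    ("OpenSSH", (6, 0), (7, 5), "VULN-EXAMPLE-002", 7.8),        # 7.4p1 falls inside this range
    ("Apache", (2, 4, 0), (2, 4, 30), "VULN-EXAMPLE-003", 9.8),
    ("nginx", (1, 0, 0), (1, 18, 0), "VULN-EXAMPLE-004", 3.1),
]

# Products the toy banner parser recognises; a real scanner carries thousands of fingerprints.
BANNER_RE = re.compile(r"(OpenSSH|Apache|nginx)[_/](\d[\w.]*)")


def parse_version(text):
    """Turn a version string such as '7.4p1' or '2.4.29' into a comparable tuple of ints."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def cvss_severity(score):
    """Map a CVSS base score (0.0 to 10.0) to its CVSS v3.x qualitative rating."""
    if score == 0:
        return "None"          # the page calls a 0 score informational
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def assess_banner(banner):
    """Identify product and version in a service banner and look up matching known issues.

    Returns None when the banner is not recognised, otherwise a dict with the
    parsed product, version tuple and a list of (id, score, severity) findings.
    """
    match = BANNER_RE.search(banner)
    if not match:
        return None
    product, version = match.group(1), parse_version(match.group(2))
    findings = [
        (vuln_id, score, cvss_severity(score))
        for prod, first_vuln, first_fixed, vuln_id, score in VULN_DB
        if prod == product and first_vuln <= version < first_fixed
    ]
    return {"product": product, "version": version, "findings": findings}


if __name__ == "__main__":
    # Constructed sample banners as a scanner might collect them from probed services.
    for banner in ["SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7", "Server: Apache/2.4.29 (Unix)",
                   "Server: nginx/1.20.1", "220 mail.example.invalid ESMTP"]:
        print(banner, "->", assess_banner(banner))
```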
How does it benefit you?
Vulnerability scanning, or performing a vulnerability assessment, helps your business because it allows you to check its security threat landscape. By performing these scans, you can identify trends in the patching and updating of software, and check that you aren’t running unsupported software.
By scanning your environment regularly, you can not only keep an eye on it, but also provide evidence to external auditors that you are doing your utmost to ensure the safety and protection of information.
If you develop software or deploy various types of infrastructure, having a vulnerability program in place helps you develop and implement a Vulnerability Management Program (VMP) within the business, and strengthens your secure development program by checking your development and QA environments before you go into production.
It is, however, not as in-depth as a penetration test, where a security consultant manually examines vulnerabilities and system weaknesses and tries to infiltrate your system.
How can InfoSec Governance help?
Here at InfoSec Governance, we can perform a vulnerability scanning service on your behalf. We connect to your network via a Virtual Private Network (VPN), scan your devices for vulnerabilities and, once completed, provide a findings report on what was found and what needs remedial work.
The findings report will detail what was found and where it was found, and include screenshots or evidence for your reference. Along with this information, we also provide additional information for remediating the vulnerability, such as links to manufacturers’ websites, how-to-fix guides or suggestions on what to do.
The vulnerability assessment can take two forms: a non-authenticated scan and an authenticated scan. A non-authenticated scan will scan your network and attempt to identify all the vulnerabilities by checking what software you have in place and any known exploits for the version information found.
For an authenticated scan, you, the business, would provide InfoSec Governance with a dedicated user account that has local administrative access to all the machines on the network. This allows the scan to perform additional checks on the devices, such as what applications are installed, local security policies, and more. In general, the more access is granted, the greater the depth of information the scan can provide.
There are pros and cons to these two forms of scanning. Depending upon your environment, you may not be happy providing credentials to a third-party provider to access all your systems. If this is the case, we can perform the non-authenticated scanning and provide as much information as possible. But be aware that this would not return as much information as the authenticated scanning option.
The vulnerability scanning service is based on a monthly subscription model (minimum 12-month subscription): we perform a scan each month and report the findings to you securely. Payments are made by direct debit.
If this service sounds of interest and you would like to discuss it further, please get in touch with us to see how you can start the process.