A vulnerability assessment is designed to assess the adequacy and effectiveness of system security control measures with respect to a wide range of potential vulnerabilities.
The assessment team will attempt to identify missing system or application patches, system misconfigurations, and poorly hardened hosts. These tests are generally intended to be non-intrusive and will not interfere with network activity; however, as with any vulnerability assessment activity, there is a risk that some tests may interfere with the operation of servers, workstations and the network depending on system configurations. Tested backups and restore procedures should be available during assessment activities.
It is also important to recognize that a vulnerability assessment may be prone to false positives. To verify which vulnerabilities are real and the impact of those vulnerabilities on your network and information resources, a penetration test should be performed. For internal vulnerability assessments, a review of network, system, and application configurations may be conducted based on client-provided platform-specific configuration guidelines and combined with the results from the vulnerability scans. This data will be incorporated into the analysis portion of the report, which will specify the actions needed (if any) to correctly configure and secure the environment.
Similarly, the team may conduct a host-based configuration review, following industry best practice, of a sample of hosts and servers as a component of the assessment. This review will also use vulnerability scanning tools to check the operating system configuration baselines of the sampled system components.
- Certified cybersecurity professionals provide a hacker’s point of view
- Finding vulnerabilities
- Tailored testing to areas that matter most to your organization
- Full report with executive summary, exploits and remediation guidance