VULNERABILITY ASSESSMENT
We help to identify, quantify and categorise potential security risks in your environment. Let our vulnerability assessment service provide insight into security risks affecting your infrastructure.
Get In Touch
What is a Vulnerability Assessment?
Vulnerability assessment is a method to identify and classify threats affecting an asset i.e. a server, a workstation or a device. Cyphere’s Vulnerability Assessment service helps businesses by identifying, quantifying and categorising security risks with ongoing support and guidance for their remediation.
Why is Vulnerability Assessment important?
The speed with which new vulnerabilities are discovered in various products makes it important to identify and mitigate risks before hackers exploit any flaws. It is a crucial element for risk assessments.
Cyphere offers this exercise with added human intelligence added to remove false positives. However, this is not a concentrated manual effort as demonstrated via penetration testing. These assessments are a useful way to assess larger networks regularly in shorter time periods and are a useful way to prepare for penetration testing.
Vulnerability assessment and tools
An assessment is performed using vulnerability scanning tools to scan for known vulnerabilities. These vulnerability assessment tools are a mix of open-source and commercial software such as Nessus, Qualys, OpenVAS and so on. Depending upon the scope, further scripts, tools and utilities are used relevant to web applications, networks and/or devices. To scan web applications from the outside, vulnerability assessment includes use of scanning tools to identify security flaws such as SQL Injection, Cross-site Scripting (XSS), Command Injection, Path Traversal and insecure server configuration. Read list of OWASP Top 10 application security risks here.
Don’t make a mistake of buying a vulnerability scan disguised as a vulnerability assessment. The goal of the vulnerability assessment process is to perform vulnerability scans and provide a list of vulnerabilities affecting your network, added with security expertise in removing false positives and explain the attack impacts and likelihood of exploitation. This accuracy when fed into the risk remediation process, makes it effective risk assessment for a business.
Minimise costs, maximise efficiency
Vulnerability Assessment methodology
Discovery
First step of vulnerability assessment process is to profile the target, i.e. a network, a server, or a device. This is a non-intrusive exercise and involves activities like analysing the network, understanding the different assets and services, operating systems, programs in use, and anything related to network layout. This is a fundamental step and helps to prepare for the next stage of finalising targets and finding weaknesses.
Vulnerability Scanning
This phase includes running vulnerability scanner excluding any dangerous plugins to find weaknesses in the scoped systems. This exercise is scheduled in automated fashion unless explicitly agreed to limited timescales with a customer.
Vulnerability Analysis
The prioritised list of targets is scanned for vulnerabilities. This assessment involves checking both published as well as undocumented vulnerabilities against the target assets. We sift through the scan results for false positives. The manual assessment ensures focus on verified vulnerabilities only.
Reporting
The assessment-execution phase is followed by the analysis & reporting. Cyphere performs analysis on the testing output, evaluates the risk impact and likelihood of exploitation in realistic scenarios before providing action plans to remediate the identified risks. All our reports address business as well as the technical audience with supporting raw data, including mitigation measures at strategic and tactical levels.
Debrief & Support
Cyphere takes customer communication as seriously as reporting or assessment execution. We engage with customers during all stages and ensure that customer contacts are up to date in the language they understand. Post engagement, a free debrief is conducted to help the customers understand the weaknesses and prepare a mitigation plan. Phone and email support is available after the project completion.
Benefits of Vulnerability Assessments
- Identify assets at risk of cyber attacks
- Validate your security controls
- PCI DSS, ISO 27001, GDPR Compliance support
- Gain visibility of your assets across the estate
- Inputs to your security strategy through risk severities and actionable guidance
Our Engagement Approach
Customer Business Insight
Services Proposal
Execution and Delivery
Cyphere’s approach to vulnerability analysis work involves excellent communication before and during the execution phase. Customer communication medium and frequency are mutually agreed, and relevant parties are kept updated throughout the engagement duration.
Data Analysis & Reporting
Execution phase is followed by data analysis and reporting phase. Cyphere performs analysis on the testing output, evaluates the risk impact and likelihood of exploitation in realistic scenarios before providing action plans to remediate the identified risks. All our reports address business as well as the technical audience with supporting raw data, including mitigation measures at strategic and tactical levels
Debrief & Support
Your trusted partner in pen testing
Recent Blog Entries
3 Principles of Information Security (Threats & Policies)
Read about 3 principles of information security and difference between information and cyber security. Further details include basics around security policies and their importance.
Top 7 API Security Risks (including prevention tips)
With APIs meteoric rise, most of our important data is consumed by API endpoints. It is important to ensure security is not an after thought. Read about top API security risks, attack examples and prevention measures.
Brexit and Data Protection | UK GDPR Law
Explaining the differences between DPA vs GDPR, for those wondering the differences between DPA and the newest GDPR legislation.
Top 6 Healthcare Cyber Security Threats and Best Practices (2021)
Healthcare troubles have worsened in 2020, facing two-pronged attack – Pandemic and Cyber Threats. Read our article detailing cyber security threats and best practices to follow in the healthcare sector in 2021. Discover more.
Facts About Computer Viruses & Malware (including 6 Virus Myths)
Read about interesting fun facts about computer viruses, their history and types. A fun read to beat your post lunch blues.
eCommerce Security : Cyber Threats & Best Practices (2021)
eCommerce platforms such as BigCommerce, Magento, Shopify are an attractive target for attackers. Learn what are the cyber threats facing eCommerce sector and best security practices to secure these businesses.
OWASP API Security Top 10 (With examples & fixes)
OWASP API Security Top 10 are the go to standard for API security. This article presents attacks, examples and how to prevent API security attacks. Discover more on thecyphere.com.
OWASP Top 10 Application Security Risks (With Examples & Recommendations)
OWASP Top 10 Web Application Security Risks are the go to benchmark against web application attacks. This article presents attacks, examples and how to prevent these web application attacks. Discover more on thecyphere.com.
Top 7 Office 365 Security Best Practices (includes Actionable Tips)
Office 365 security best practices with actionable tips to improve your organisations’ security posture. We highly believe that with products, it’s more important to get the best out of product features first before investing into high end consultancies or shopping new products. We hope this article offers a useful advice for your organisation.
Red Team vs Penetration Testing – Which one is the right choice for your business?
With cyber threats increasing at exponential rate, defensive techniques must evolve at the same rate. Red Team vs Penetration Testing – Which one is the right choice for your business? Both have pros and cons, but what’s best for your environment. Whether you should do it, when not to do it, benefits, costs and vendor selections.