A vulnerability assessment is the process of identifying and reporting security weaknesses (vulnerabilities) in computers, networked systems and applications. It is important to distinguish a vulnerability assessment from a penetration test. A vulnerability assessment is a form of “non-intrusive” testing: it detects and reports vulnerabilities but does not exploit them (even so, scanning can disturb fragile devices such as embedded or OT systems, so scan windows should still be agreed with the system owners). A penetration test is “intrusive”: it actively exploits the vulnerabilities it finds to demonstrate real impact, and that exploitation can disrupt or damage network systems and applications, so it requires an agreed scope and rules of engagement. Each vulnerability detected in an assessment is assigned a risk ranking and prioritised so that the threats with the highest impact and the highest likelihood are addressed first, reducing the chance of a successful attack and improving the overall security posture.
A vulnerability assessment consists of several phases:
- Information discovery, port scanning and enumeration
- Defining and classifying network or system resources
- Assigning relative levels of importance (criticality) to those resources
- Identifying potential threats to each network resource and device
- Identifying exploitable vulnerabilities (the exploits themselves are run and verified only in a penetration test, not in the assessment)
- Assigning a remediation strategy to reduce the security risks discovered
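The phases above end in a ranked remediation list, and the ranking is where assessments most often go wrong: sorting purely by scanner severity puts a critical-rated finding on a throwaway device ahead of a medium-rated one on the customer database. The script below is an added example, not code from the original page: it takes constructed findings from the enumeration and classification phases, assigns each affected resource a criticality weight, scores every finding as likelihood x impact, buckets the score into a rank and emits the remediation order. The hosts, findings, CVSS values, criticality weights, the 25% boost for a publicly available exploit and the rank thresholds are all assumptions made for illustration.

```python
# Added example (not from the original page): rank vulnerability-assessment
# findings by likelihood x impact so the highest-risk items are fixed first.
# All hosts, findings, scores and weights below are constructed for illustration.
from dataclasses import dataclass

# Phase: assign relative importance to each resource. Weights are assumptions.
ASSET_CRITICALITY = {"critical": 1.0, "high": 0.75, "medium": 0.5, "low": 0.25}


@dataclass(frozen=True)
class Asset:
    host: str
    role: str
    criticality: str  # key into ASSET_CRITICALITY


@dataclass(frozen=True)
class Finding:
    asset: Asset
    port: int
    service: str
    title: str
    cvss: float            # CVSS base score (0-10), used as the severity input
    exploit_public: bool   # a public exploit raises the likelihood of abuse
    remediation: str


def likelihood(f: Finding) -> float:
    """0-1 likelihood: CVSS scaled to 0-1, boosted 25% (assumed factor) when an exploit is public."""
    base = f.cvss / 10.0
    return min(1.0, base * 1.25) if f.exploit_public else base


def impact(f: Finding) -> float:
    """0-1 impact: the relative importance assigned to the affected resource."""
    return ASSET_CRITICALITY[f.asset.criticality]


def risk_score(f: Finding) -> float:
    """Risk = likelihood x impact, scaled to 0-100 and rounded to one decimal."""
    return round(100.0 * likelihood(f) * impact(f), 1)


def risk_rank(score: float) -> str:
    """Bucket a 0-100 score into a ranking label (thresholds are assumptions)."""
    if score >= 70:
        return "Critical"
    if score >= 50:
        return "High"
    if score >= 30:
        return "Medium"
    return "Low"


def prioritise(findings):
    """Order findings so the highest-risk items come first; ties broken by raw CVSS."""
    return sorted(findings, key=lambda f: (risk_score(f), f.cvss), reverse=True)


def remediation_plan(findings):
    """One row per finding, in remediation order, with score, rank and the assigned fix."""
    return [
        {"host": f.asset.host, "port": f.port, "title": f.title,
         "score": risk_score(f), "rank": risk_rank(risk_score(f)),
         "remediation": f.remediation}
        for f in prioritise(findings)
    ]


# Constructed sample data (not real hosts or findings).
DB = Asset("db-01", "customer database", "critical")
WEB = Asset("web-01", "public web server", "high")
PRN = Asset("printer-01", "office printer", "low")

FINDINGS = [
    Finding(DB, 3306, "mysql", "Database listener reachable from user VLAN without TLS",
            6.5, False, "Restrict to application subnet; require TLS"),
    Finding(WEB, 443, "https", "TLS library version past vendor end-of-life",
            7.5, True, "Upgrade the TLS library and re-scan"),
    Finding(WEB, 22, "ssh", "SSH allows password authentication",
            5.4, False, "Enforce key-based authentication"),
    Finding(PRN, 9100, "jetdirect", "Unauthenticated raw print port exposed",
            9.8, True, "Move printer to isolated VLAN; disable port 9100"),
]

if __name__ == "__main__":
    for row in remediation_plan(FINDINGS):
        print(f"{row['rank']:8} {row['score']:5} {row['host']}:{row['port']}  {row['title']}")
```

With these weights the end-of-life TLS library on the public web server ranks first (Critical, 70.3) and the exposed database listener second (High, 65.0), while the printer's 9.8-rated finding lands last (Low, 25.0) because the asset carries little business impact. The criticality weights and the public-exploit factor are the knobs to tune for a real environment; the point is that the ranking is driven by both likelihood and impact, not by scanner severity alone.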