Vulnerability Assessment & Penetration Testing (VAPT)
Reduce Risk by Eliminating Vulnerability Early!

In a recent Ponemon Institute Research Report, 90% of respondents said that their company’s computers were breached at least once over the past 12 months. New network, system, application and database vulnerabilities are emerging every day, compelling security professionals to reassess their approach to protecting networks.

As an important tool for information security management, a vulnerability assessment can spot the weaknesses in your security defenses before an attacker can exploit them. A Vulnerability Assessment identifies, quantifies, and prioritizes the Information Security strengths and weaknesses of your organization’s computing environment from a technical perspective. Vulnerability Assessments should be performed in the following conditions:

  • During the design and development of any new IT system
  • After any upgrades to your organization’s IT infrastructure or applications
  • As part of your ongoing organizational due diligence
  • As part of regular compliance reporting, such as PCI-DSS, ISO 27001 etc.

Vulnerability Assessment by Experts from Trustaira

Trustaira’s Vulnerability Assessment service will identify the key information assets of your organization, determine the vulnerabilities that threaten the security of those assets, and provide recommendations to strengthen your security posture and help mitigate risk, allowing you to focus your IT resources more effectively. Our experienced security experts work with customers to ensure that the scope of work/deliverables exceeds expectations.

The deliverables will do the following:

  • List discovered vulnerabilities and associated risks
  • Identify high risk areas requiring immediate attention
  • Identify requirements for improving security policies and processes
  • Recommend an action plan and remedial measures which may include security best practices and infrastructure re-design

The results of Vulnerability Assessments performed by Trustaira help your organization develop a complete security road map.

A typical Vulnerability Assessment has the following workflow:

  1. Defining Scope – We work closely with the customer during this phase to define the goals, scope, timeline and budget of the engagement. Initially the customer completes a predefined questionnaire, and later scoping meetings are held with the customer to plan and schedule the penetration test properly.
  2. Information Gathering and Analysis – Information on the infrastructure, systems, applications, network, staff, etc. is collected and verified during this phase. Both manual and automated tool-based information collection is performed. This information is plotted and mapped to form a complete picture of the system and to develop a threat model and attack scenarios.
  3. Vulnerability Detection – The information obtained is analyzed to determine any possible vulnerabilities that might exist. This involves using both manual and automated techniques.
  4. Reporting – We prepare a comprehensive, detailed analysis of the vulnerabilities. It also includes recommendations on how to mitigate the discovered vulnerabilities.

The workflow is very similar to that of penetration testing; the major difference lies in how vulnerabilities are handled once discovered. While penetration testing is a real-world attack simulation, during a vulnerability assessment our experts do not exploit any of the vulnerabilities found.

Protect Your Organization with Ethical Hacking!

Threats are constantly evolving and changing in the cyber world. It’s not a question of if you will be attacked, but when!!! You have to know exactly how vulnerable your most critical assets are to cyber-attacks. Ethical hacking today will protect your system from unethical hacking tomorrow by identifying the weak points in your defense mechanism. Find Your Security Weaknesses Before the Hackers Do.

Are You Vulnerable to Attacks?

To answer this question, an organization must perform a Penetration Test (often called a Pen Test). It is a controlled process which simulates a real-world attack by malicious users on an organization’s information security arrangements, often using a combination of methods and tools. A penetration test must be conducted by a certified ethical penetration tester, who will use their expertise to identify specific weaknesses within an organization’s security arrangements. Penetration Testing is normally done when some kind of security is already implemented.

It should be performed in the following conditions:

  • Testing the current intrusion detection and response capabilities
  • During the design and development of any new IT system
  • After any upgrades to your organization’s IT infrastructure or applications
  • As part of your ongoing organizational due diligence
  • As part of regular compliance reporting, such as PCI-DSS, ISO 27001 etc.

A typical penetration test has the following workflow:

  1. Planning and Preparation – We work closely with the customer during this phase to define the goals, scope, timeline and budget of the engagement. Initially the customer completes a predefined questionnaire, and later scoping meetings are held with the customer to plan and schedule the penetration test properly.
  2. Information Gathering and Analysis – Information on the infrastructure, systems, applications, network, staff, etc. is collected and verified during this phase. Both manual and automated tool-based information collection is performed. This information is plotted and mapped to form a complete picture of the system and to develop a threat model and attack scenarios.
  3. Vulnerability Detection – The information obtained is analyzed to determine any possible vulnerabilities that might exist. This involves using both manual and automated techniques. The completion of the vulnerability detection will produce a definite list of targets to investigate in depth.
  4. Exploitation – Penetration is attempted against the targets whose vulnerabilities have been defined, with the intention of gaining access to the system by bypassing its security restrictions. We also try to keep access to the system for as many days as possible for later use, and to remove all access traces and logs from the system so that the exploitation attempt does not come to attention.
  5. Reporting – Finally, we prepare a complete report for your organization. It will contain a summary and details of the vulnerabilities and risks present in the system. Priorities are assigned based on the threat severity level. Successful penetration scenarios are described. A complete recommendation is given for overcoming the vulnerabilities present in the system, with future development in mind.

Penetration Testing Scopes:

  • Internal/External Penetration Testing
  • Intrusion Detection and Incident Response Testing
  • Wi-Fi and Internet Analysis
  • Web Application Testing
  • Social Engineering
  • Mobile Application
  • Code Review

As already mentioned, the workflows of vulnerability assessment and penetration testing have a lot of similarities. The major difference between them is that a vulnerability assessment does not actively exploit the identified problems to determine their full exposure or validate their existence, which can lead to inaccuracies in the report (false positives), whereas penetration testing is a real-world attack simulation.