Assessment & Penetration
Vulnerability Assessment & Penetration Testing
As information security professionals, most of us are familiar with vulnerability assessments and penetration testing. Both are valuable tools that can benefit any information security program, and both are integral components of a Threat and Vulnerability Management process.
A vulnerability assessment is the process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system. Examples of systems for which vulnerability assessments are performed include, but are not limited to, information technology systems, energy supply systems, water supply systems, transportation systems, and communication systems. Such assessments may be conducted on behalf of a range of different organizations, from small businesses up to large regional infrastructures. Vulnerability from the perspective of disaster management means assessing the threats from potential hazards to the population and to infrastructure. It may be conducted in the political, social, economic or environmental fields.
Vulnerability assessment has many things in common with risk assessment. Assessments are typically performed according to the following steps:
1. Cataloguing assets and capabilities (resources) in a system.
2. Assigning quantifiable value (or at least rank order) and importance to those resources.
3. Identifying the vulnerabilities or potential threats to each resource.
4. Mitigating or eliminating the most serious vulnerabilities for the most valuable resources.
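The four steps above as a small prioritisation routine. This is an added example, not part of the original page. The asset names, value ranks, findings and the "value rank times severity" score are assumptions chosen for illustration, and findings on assets missing from the catalogue are reported separately as an inventory gap.

```python
from dataclasses import dataclass

# Constructed sample data: every name and number below is illustrative.
# Steps 1 and 2: catalogue the resources and give each a value rank,
# from 1 (low) to 5 (critical).
ASSETS = {
    "payroll-db": 5,
    "intranet-wiki": 2,
    "build-server": 4,
}

@dataclass(frozen=True)
class Finding:
    """Step 3: one vulnerability identified on one resource."""
    asset: str
    title: str
    severity: float  # 0.0 to 10.0, for example a CVSS base score

FINDINGS = [
    Finding("intranet-wiki", "Outdated CMS plugin", 9.8),
    Finding("payroll-db", "Weak TLS configuration", 5.3),
    Finding("build-server", "Default admin credentials", 8.8),
    Finding("test-vm-07", "Unpatched SSH daemon", 7.5),  # asset not catalogued
]

def prioritise(assets, findings):
    """Step 4: order remediation work by asset value times severity.

    Returns (ranked, uncatalogued). A finding whose asset has no entry in
    the catalogue cannot be scored, so it is returned separately: it means
    step 1 was incomplete and the asset must be valued first.
    """
    ranked, uncatalogued = [], []
    for finding in findings:
        if finding.asset not in assets:
            uncatalogued.append(finding)
            continue
        ranked.append((assets[finding.asset] * finding.severity, finding))
    # Highest score first; ties are broken by asset name for a stable order.
    ranked.sort(key=lambda pair: (-pair[0], pair[1].asset))
    return ranked, uncatalogued

if __name__ == "__main__":
    ranked, uncatalogued = prioritise(ASSETS, FINDINGS)
    for score, finding in ranked:
        print(f"{score:5.1f}  {finding.asset:14} {finding.title}")
    for finding in uncatalogued:
        print(f"  n/a  {finding.asset:14} {finding.title} (value the asset first)")
```

With this sample data, the finding with the highest raw severity lands last among the scored items because it sits on the least valuable resource.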
An Internal Penetration Test differs from a vulnerability assessment in that it exploits the vulnerabilities to determine what information is actually exposed. An Internal Penetration Test mimics the actions of an actual attacker exploiting weaknesses in network security without the usual dangers. This test examines internal IT systems for any weakness that could be used to disrupt the confidentiality, availability or integrity of the network, thereby allowing the organisation to address each weakness.
An External Penetration Test differs from a vulnerability assessment in that it exploits the vulnerabilities to determine what information is actually exposed to the outside world. An External Penetration Test mimics the actions of an actual attacker exploiting weaknesses in network security without the usual dangers. This test examines external IT systems for any weakness that could be used by an external attacker to disrupt the confidentiality, availability or integrity of the network, thereby allowing the organisation to address each weakness.
Web Apps Security
Web applications play a vital role in every modern organization. But if your organization does not properly test and secure its web apps, adversaries can compromise these applications, damage business functionality, and steal data. Web applications have become common targets for attackers, who can leverage relatively simple vulnerabilities to gain access to confidential information, most likely containing personally identifiable information. Best practice suggests that an organisation should perform a web application test in addition to regular security assessments in order to ensure the security of its web applications.
Mobile app penetration
Mobile application penetration testing is an in-depth, manual process that aims to identify and exploit vulnerabilities in the application. Analysing and understanding how the application works, including any security features, is essential to successfully penetrate the application and exploit its vulnerabilities. Performing security assessments of mobile applications poses some unique challenges due to the variety of mobile devices and operating systems. Testing techniques vary based on device type and the nature of the application. We use dedicated physical devices as well as device emulators during the testing process. A code review is recommended to supplement runtime testing and can enable us to perform the most thorough assessment possible in the time allotted.
Generic App penetration
This is the process of identifying security vulnerabilities in an application by evaluating the system or network with various malicious techniques. The purpose of this test is to secure important data from outsiders, such as hackers, who could gain unauthorized access to the system. Once a vulnerability is identified, it is used to exploit the system in order to gain access to sensitive information.