Technical vulnerability assessments

Our risk management methodology may be complemented with a vulnerability assessment, which may also be used as a standalone service. From a professional point of view, all systems, even properly adjusted and functioning ones, have security gaps that the user does not perceive or notice. These are partly caused by default settings that are never changed and may later become vulnerable points of the system. Settings chosen for the user's "convenience" also increase vulnerability. The vulnerabilities detected in a given system are documented and managed by the suppliers themselves, who regularly publish patches or information on how the problem should be handled.

The methodology we are currently using consists of four main elements: rule and documentation analysis, software-based system review, configuration analysis and a questionnaire-based interview. A vulnerability assessment reviews the relevant system according to these aspects. As a result, we identify not only open ports and ill-configured operating systems, but also those deficiencies of individual IT systems that may serve as access points for accidental or malicious attacks. Such reviews may be performed from the network (LAN, WAN, wireless) or by means of internal configuration analysis, using various system audit applications. In addition, detailed analyses are carried out based on a series of questions compiled by the experts of PROTAN and answered by the system administrator; this may reveal vulnerabilities that automated tools cannot detect. As part of the analysis, each configuration item of the relevant tools is also evaluated, which requires the participation of competent experts, since this kind of analysis cannot be automated. The four complementary reviews and the detailed on-site audit ensure that no unexpected problems later appear in the system. We provide the customer with a written report on our findings.

If necessary, further methodological elements can be added to the analysis, such as checking whether the recommendations of a security audit performed upon system introduction/delivery have been implemented. To reach the targeted security level, all information systems used throughout an organization need to be taken into account, and technical vulnerability assessments must be carried out on a cyclical basis. To achieve that goal, the checks to be performed within a cycle must be planned at the beginning of each cycle. An appropriate internal procedure must be established to facilitate the implementation of the recommendations of the technical vulnerability assessments, with special regard to the fact that a higher level of security, or the maintenance of the existing level, often calls for additional financial resources. A properly designed procedure ensures that financial and other resources are available to the appropriate extent and at the appropriate time, which sustains the increase or maintenance of the security level over the medium and long term.
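The configuration-analysis element described above, where each configuration item is compared against a hardening baseline and settings left at their vendor default are reported separately from settings that were explicitly weakened, can be illustrated with a small checker. The following is an added example written for this page; it is not PROTAN's tooling or report format. The baseline, the vendor defaults, the simple "Key value" configuration format and the sample file are all constructed for the illustration.

```python
"""Added illustration: configuration analysis against a hardening baseline.

Not PROTAN's tooling; the baseline, default values, config format and sample
file below are constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed hardening baseline: setting -> (expected value, rationale for the report).
# In a real engagement these come from the supplier's hardening guidance.
BASELINE: Dict[str, Tuple[str, str]] = {
    "PermitRootLogin": ("no", "direct root logins hide which administrator acted"),
    "PasswordAuthentication": ("no", "key-based authentication resists password guessing"),
    "X11Forwarding": ("no", "convenience feature rarely needed on servers"),
    "MaxAuthTries": ("3", "limits authentication attempts per connection"),
}

# Constructed vendor defaults, used to tell "left at default" apart from
# "explicitly set to a weak value": the two call for different remediation advice.
DEFAULTS: Dict[str, str] = {
    "PermitRootLogin": "prohibit-password",
    "PasswordAuthentication": "yes",
    "X11Forwarding": "no",
    "MaxAuthTries": "6",
}


@dataclass
class Finding:
    setting: str
    observed: Optional[str]
    expected: str
    origin: str      # "explicit" (set in the file), "default" (absent, vendor default applies), or "missing"
    rationale: str


def parse_config(text: str) -> Dict[str, str]:
    """Parse a 'Key value' file; '#' starts a comment, the first occurrence of a key wins."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings


def analyse(settings: Dict[str, str]) -> List[Finding]:
    """Compare every baseline item with the effective value (explicit or vendor default)."""
    findings: List[Finding] = []
    for key, (expected, why) in BASELINE.items():
        if key in settings:
            observed, origin = settings[key], "explicit"
        else:
            observed = DEFAULTS.get(key)
            origin = "default" if observed is not None else "missing"
        if observed != expected:
            findings.append(Finding(key, observed, expected, origin, why))
    return findings


def report(findings: List[Finding]) -> str:
    """Render findings as plain lines suitable for the written report."""
    return "\n".join(
        f"{f.setting}: observed {f.observed!r} ({f.origin}), expected {f.expected!r}; {f.rationale}"
        for f in findings
    )


# Constructed sample configuration, not taken from any real host.
SAMPLE_CONFIG = """\
# constructed sample file
Port 22
PasswordAuthentication yes   # left on because it is convenient for administrators
X11Forwarding no
"""

if __name__ == "__main__":
    print(report(analyse(parse_config(SAMPLE_CONFIG))))
```

On the sample file the checker reports three items: `PasswordAuthentication` explicitly set to a weak value, and `PermitRootLogin` and `MaxAuthTries` never set, so the vendor defaults apply. Separating the two origins matters for the recommendations: a default that was never reviewed points to a missing hardening step, whereas an explicit weak setting points to a decision that should be revisited with the system owner.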

Methodology:

  • review and analysis of system documentation,
  • software-based vulnerability scanning,
  • configuration analysis,
  • questionnaire survey based on personal interviews,
  • checking the implementation of the recommendations of security audits performed during the investment (system introduction/delivery),
  • review of the findings of earlier audits,
  • consultancy and cost estimation concerning the management of the identified vulnerabilities,
  • making cyclical plans for technical vulnerability assessments,
  • developing the procedure for technical vulnerability assessments.