VULNERABILITY ASSESSMENT
Know the Threats to Your Information Systems Before the Wrong People Do
What Is a Vulnerability Assessment
A vulnerability assessment is a holistic review of the threats to your information systems. Not only does it look at the vulnerabilities of your networked systems, but also your policies, procedures, physical, and human resources. The vulnerability assessment can explore the possibilities of threats in your environment, communications, and physical location. Most of the time, a vulnerability assessment will uncover many more susceptibilities than a penetration test because a penetration test reports exploited threats and not all of the vulnerabilities of your network, web applications, computer, and network hardware.
Assessments are used to identify, validate, and assess technical vulnerabilities. Assessments are required by NIST compliance requirements such as the DFARS/FAR CUI regulation. They are not meant to take the place of implementing security controls, but rather to help organizations confirm their systems are properly secured and identify any security requirements that are not met or that should be addressed. Without an understanding of your security threats, you are in a dangerous position. Attackers prey on systems that lack proper security controls. Most organizations whose systems are attacked don’t even know it. Most of those attacks also go undetected for months. This could be the difference between being in business and being out of business.
Each of your systems connected to the Internet could be at risk
Vulnerability Testing Benefits
No organization wants to find out where their weaknesses are when they least expect it. Vulnerability assessments give you a holistic view of your information systems, not just the vulnerabilities that are on the network.
Comprehensive and Holistic
It provides peace of mind that the system has been looked at from a physical, technical, environmental, and operational point of view.
Efficiency in ROI
There is a defined path to reduce discovered vulnerabilities in order of best return on investment. For example, if you patch a particular server, that may clear up 40% of the overall threats.
You will be able to spend your remediation time working on the threats that are of most concern, not just those with the highest score on the MITRE CVSS ranking.
Threats change, people change, infrastructure changes. Therefore, you will also understand when to assess the system again (annually, bi-annually, quarterly, monthly) on the schedule that makes the most sense for your environment, saving you money and providing the best balance for your needs.
How we do it
Duffy Compliance Services’ (DCS) enterprise management application ensures compliance
How Service is Conducted
Review of the following areas of the information system:
- Technical (the common, network-based threats such as phishing, misconfigurations, unpatched devices, and malware)
- Operational (procedures, insider threats, rogue devices used to bypass security)
- Physical (lighting, locks & card access, front entry access, escape routes, cameras)
- Environmental (heat, moisture, fire, flood, weather, crime)
Information is collected into a report and the client is debriefed on the results. The report will explain the findings and how they relate to the information system. The final report section will contain a plan of action of remediation steps that the client can use to implement a more robust security posture.
Why Choose Us?
DCS has worked on several large testing efforts for vulnerability assessments. These include DHS and a division of the NFL Players Association. We are equipped to handle security controls from across the different information system areas.