What is a Vulnerability Assessment?

Vulnerability assessments, vulnerability scanning, and even penetration testing (pentest) are terms that are often misunderstood or misused.

The fact is, these are all very different tests, but each plays a part in a larger security plan to reduce the risks facing an organization.

So, what exactly is a vulnerability assessment?

A vulnerability assessment generally starts with a vulnerability scan. A scanning tool like Nessus Professional or OpenVAS can provide a robust analysis of a network’s security posture. These tools work by scanning for and detecting missing security patches or open ports across a network’s IP space, then providing a comprehensive report back to the operator. The vulnerabilities are then ranked by severity, based on the published list of Common Vulnerabilities and Exposures (CVE).

Let’s talk now about the vulnerability assessment itself. An assessment takes into account the vulnerability scan and other factors, including specific threats to your industry or company, and prioritizes the results to protect the data you’re most concerned about.
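To make the difference between a raw scan and an assessment concrete, here is an added example (not code from the original post or from any scanner vendor) that re-ranks constructed scanner findings using business context the scanner cannot know: asset criticality and internet exposure. All hosts, scores, criticality values and the CVE-XXXX placeholders are constructed assumptions.

```python
"""Prioritise raw vulnerability-scan findings by business context.

Added example, not from the original post. Findings, criticality values
and the CVE-XXXX identifiers below are constructed placeholders; the
CVSS-style scores are illustrative, not taken from any real advisory.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    plugin: str   # scanner check name (missing patch, exposed service, ...)
    cve: str      # placeholder identifier, not a real CVE number
    cvss: float   # scanner-reported base score, 0.0 to 10.0


# Constructed scan output, in the shape a scanner such as Nessus or OpenVAS
# would report: host, port, check, CVE reference and severity score.
SCAN_FINDINGS = [
    Finding("10.0.0.5", 445, "Missing SMB patch", "CVE-XXXX-0001", 9.8),
    Finding("10.0.0.9", 3306, "Database reachable from LAN", "CVE-XXXX-0002", 7.5),
    Finding("10.0.0.21", 80, "Outdated web server", "CVE-XXXX-0003", 5.3),
    Finding("10.0.0.5", 22, "Weak SSH cipher offered", "CVE-XXXX-0004", 4.3),
]

# Assessment context the scanner does not have. Criticality reflects which
# data the organisation most wants to protect (constructed values); hosts not
# listed default to 1.0.
ASSET_CRITICALITY = {"10.0.0.9": 3.0, "10.0.0.5": 1.5, "10.0.0.21": 1.0}
# Internet-facing hosts get an exposure multiplier of 2.0, others 1.0.
INTERNET_FACING = {"10.0.0.21"}


def risk_score(f: Finding) -> float:
    """Combine scanner severity with business context into one ranking key."""
    criticality = ASSET_CRITICALITY.get(f.host, 1.0)
    exposure = 2.0 if f.host in INTERNET_FACING else 1.0
    return round(f.cvss * criticality * exposure, 2)


def prioritise(findings):
    """Return findings ordered by contextual risk, highest first."""
    return sorted(findings, key=risk_score, reverse=True)


if __name__ == "__main__":
    for f in prioritise(SCAN_FINDINGS):
        print(f"{risk_score(f):6.2f}  {f.host}:{f.port}  {f.plugin} ({f.cve}, CVSS {f.cvss})")
```

Sorted by CVSS alone the SMB patch (9.8) would come first; once the database host's criticality is applied, the 7.5 finding on it moves to the top, which is the kind of re-prioritisation an assessment adds on top of the scan.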

Limitations of a vulnerability assessment

A vulnerability assessment is passive in nature and exists to educate decision makers about vulnerabilities that may be exploited by an attacker. A vulnerability assessment may note whether a specific vulnerability has been successfully exploited, but it will not demonstrate how a weakness could be used.

This is where a pentest comes in. A pentest will take a company’s vulnerabilities and attempt to expose them through whatever means necessary. With written permission, an ethical hacker can try to gain access through the vulnerabilities by using tools and a hacker’s methodology. This form of testing is the most intrusive but provides an excellent understanding of a company’s current security posture.
