This review composed by minitool.com gives a general introduction to vulnerability assessment of the computing field. It introduces the necessity and types of vulnerability assessment. Also, it compares vulnerability assessment with penetration test for differences.
Vulnerability Assessment Definition
In general, vulnerability assessment can have two kinds of meanings with one involves in the computer field and the other relates to the earth atmosphere system. Here, we will talk about the former.
What Is a Vulnerability Assessment?
Vulnerability assessment is a process of defining, identifying, and classifying the security holes in information technology systems. A hacker can exploit a vulnerability of a system to attack the system and cause damages and loss.
Some well-known vulnerabilities are authorization vulnerability, authentication vulnerability, as well as input validation vulnerability.
Why Need to Perform Security Vulnerability Assessment?
Threat vulnerability assessment will find the vulnerabilities in a target system. The vulnerability assessment report conveys to stakeholders that the system is secured from those vulnerabilities. If an attacker gets access to a network consisting of vulnerable web servers, it also means that the intruder gains access to those systems.
Thanks to the vulnerability assessment report, the security administrator can determine how intrusion happens, identify compromised assets, and carry out proper security actions to prevent great damage to the system.
Before deploying a system, it must go through a set of risk and vulnerability assessments to ensure the build system is secure from all the known security risks. If a new vulnerability is found, the administrator will conduct an assessment again, discover which modules are vulnerable, and start the patch process.
When the fixes finish, another assessment will be performed to verify that the vulnerabilities are completely patched. This cycle of assessing, patching, and re-accessing has become the standard methodology for many organizations to manage their security problems.
Types of Vulnerability Assessment
According to the target systems, there are several kinds of vulnerability assessments.
#1 Host Vulnerability Assessment
A host vulnerability assessment checks for system-level vulnerabilities like insecure file permissions, application-level bugs, backdoors, as well as trojan horse installations.
Host vulnerability assessment needs specialized tools for the system and software packages being used, besides administrative access to each system that should be tested. It is usually costly in terms of time. So, it is only applied to critical systems.
#2 Network Vulnerability Assessment
Within a network vulnerability assessment, one assesses the network for known vulnerabilities. It locates all systems on a network, determines what network services are in use, and then analyzes those services for potential vulnerabilities.
Such a process doesn’t need any configuration on the systems being assessed. Unlike host vulnerability assessment, network vulnerability assessment requires little computational cost and effort.
Vulnerability Assessment Tools
There are many popular vulnerability assessment tools and some of them are listed below.
- Arachni
- Comodo HackerProof
- COPS
- Golismero
- Intruder
- Microsoft Baseline Security Analyzer (MBSA)
- Nikto2
- OpenVAS
- Retina CS Community
- SolarWinds Network Configuration Manager
- Tiger
- W3AF
Vulnerability Assessment vs Penetration Testing
Both vulnerability assessment and penetration test are methodologies for finding threats and risks. Yet, they are different in some aspects.
1. Use Frequency
Usually, vulnerability assessment should run continuously, especially after new equipment is loaded, while penetration test is expected to run once a year.
2. Application
Vulnerability assessment is performed by in-house staff to increase expertise and knowledge of normal security profile. however, penetration exams are carried out on independent outside service.
3. Reports
The vulnerability assessment report has a comprehensive baseline of what vulnerabilities exist and changes from the last report. yet, the report of a penetration test is short and to the point; identifies what data was compromised.
4. Metrics
Vulnerability assessment lists known applications’ exploits that may be taken advantage of. While penetration test finds unknown and exploitable exposures to normal business processes.
5. Cost
Vulnerability assessment’s expense is low to moderate and counts around $1200 per year plus staff time. In contrast, penetration test costs about 10 thousand dollars every year outside consultancy.
6. Value
Vulnerability assessment plays a role in detective control. It detects when equipment is compromised while penetration testing is used to reduce exposures as a preventative control.