Vulnerability Management and Assessment
Vulnerability Assessment Management is an in-depth process aimed at detecting and eliminating potential weak points in the company’s IT infrastructure. With countless interconnected components — servers and user stations to databases or application software — protecting data has never been so complex yet indispensable for businesses. Vulnerability Management is an integral part of ensuring complete security for a company’s IT infrastructure, which can include an array of components that require constant vigilance.
Our team provides an extensive evaluation of the security status surrounding a customer’s infrastructure. We investigate available open sources plus conduct external scans to determine any possible vulnerabilities. After analyzing results and performing risk assessments, we further classify these identified weak points before carrying out tests for validation — ultimately providing clear data-driven evidence as tangible proof of our findings.
Passive identification of known vulnerabilities entails scanning or monitoring an organization’s systems to identify any existing risks before they can be exploited. This process is typically automated and involves regularly analyzing computer logs, network traffic, system configurations, and user accounts for anything that looks suspicious.
Active identification of vulnerabilities in specific, cyclical time windows involves regularly performing scans to check for new threats and identify any new security risks that may have arisen since the previous scan was completed. This helps ensure that all potential weak points within a system are identified and addressed before attackers can exploit them.
Analysis of detected vulnerabilities (confirmation of availability, risk assessment of use) to determine their severity and risk level involves verifying whether any identified threats actually exist and if so, determining the severity and scope of each threat's potential impact on the system or network in question.
Development of recommendations. After completing the initial assessment of the detected vulnerabilities, the RNB Team team develops recommendations for addressing them. The goal is to create an action plan which preserves the integrity and confidentiality of the organization’s data while minimizing disruption resulting from implementing countermeasures against identified threats.
Report for a management team that includes the goal and description of the service offered, the gradation of the level of risks, and all the specific information about the discovered vulnerabilities, threats, and the potential repercussions of their impact on the company's information assets.
A detailed report for IT or IS specialists provides data on vulnerabilities in networks that could allow attackers to breach security and gain leverage. In addition to describing the vulnerabilities found, it contains recommendations for closing valid vulnerabilities found.
An elaborate vision of the state of business security, the effectiveness of protection systems, the level of staff involvement in information security, and a useful tool for enhancing its protection, as well as guidance on addressing the vulnerabilities discovered and enhancing the information security management system.
Extensive evaluation and continuous support. As a result, our clients receive an extensive evaluation of the security status and further security maintenance necessary to protect businesses from cybercrime. This evaluation includes a comprehensive assessment of the system's security measures, a review of the security rules and regulations in place, and regular security maintenance and monitoring.
ISECOM OSSTMM 3 (Open Source Security Testing Methodology Manual) — a high-level methodology for testing security systems developed and supported by the Institute for Security and Open Methodologies.
OWASP (OWASP Testing Guide v3.0) — the industry standard for penetration testing of web applications and related technologies.
Penetration Testing Model (BSI) — research and study of methods and approaches to penetration testing.
ISACA IS auditing procedure P8 Security Assessment — penetration testing and vulnerability analysis procedure description to be followed during penetration testing.
PCI DSS v 3.2 11.3: Penetration Testing Requirements — requirements for conducting a penetration test for compliance with the PCI DSS v 3.2 standards.
ASV Security Scanning Procedure, PCI SSC — requirements for vulnerability scanning in compliance with the PCI DSS v 3.2 standards.
PTES (Penetration Testing Execution Standard) — an innovative methodology developed by a group of specialists in penetration testing, security auditing, and social engineering.
NIST SP800-115 (Technical Guide to Information Security Testing and Assessment) — a method of instrumental testing of the security of IT systems, mandatory for use by US federal agencies.
- Duration:
~ 1-2 days
- Input:
Client's expectations
- Evaluation:
Scope of work, cost, and timeline evaluation
- Outcome:
Signed contract
- Duration:
~ 1-2 days
- Input:
Scope of work
- Evaluation:
List of IPs, web app domains, roles, credentials, accesses, etc.
- Outcome:
Validated and confirmed gathering form
- Duration:
~ 1-2 weeks
- Input:
Validated scope of work and gathering form
- Evaluation:
Attacks execution, as stated by the scope and rules of engagement
- Outcome:
Report delivery meeting
- Duration:
~ up to 1 month
- Input:
Vulnerabilities fixes (client's side)
- Evaluation:
Additional technical consultations (if needed)
- Outcome:
Post-delivery support
Send a message, drop an email at [email protected], or schedule a meeting through Calendly!