Vulnerability Assessment

Ignorance may be bliss, but not in the security arena. You must discover what vulnerabilities exist, where they are, which vulnerabilities pose an actual threat, and determine how much of a threat those vulnerabilities are to your organization's assets and business processes.

Physical Vulnerability Assessment

Physical vulnerability assessments consist of overt physical security inspections and "sanitation reconnaissance" before, during or after organizational business hours.

Work Area: Physical Vulnerability Assessment

Focus: Physical vulnerability assessments help determine whether the physical access controls in place at the organization are sufficient to deter unauthorized access and whether data destruction procedures are sufficient to prevent sensitive and/or non-public data from being discarded as refuse.

Scope: We conduct walk-through inspections of the facility during and after business hours to determine the adequacy of physical security controls, and the availability of sensitive or non-public information if those physical security controls are breached. We also conduct "sanitation reconnaissance", otherwise known as dumpster diving, to retrieve sensitive and non-public information from the organization's refuse containers.

Results: The results of the overt physical security inspection(s) are a prioritized list of missing or inadequate physical security controls within the organization, with appropriate mitigation strategies. The results of sanitation reconnaissance are a report of the amount and type of sensitive information discarded as waste by the organization, with recommendations for additional controls and training to mitigate the physical vulnerability threat.

Logical Vulnerability Assessment

Logical vulnerability assessments consist of discovery and analysis of the vulnerabilities available to an attacker from the Internet and from inside the network itself.

Work Area: Logical Vulnerability Assessment

Focus: Logical vulnerability assessments determine which known vulnerabilities exist in the operating systems, applications and network devices used within the organization's infrastructure.

Scope: We conduct automated and manual vulnerability discovery on all Internet-facing and internal hosts and devices authorized by the organization. Our tests are configured not to cause a Denial of Service condition in a well-maintained network.

Results: Initially, a list of the known vulnerabilities present in the organization's network. This list is then analyzed against the latest vulnerability severity information and the mitigating controls already in operation within the organization. The final result is an ordered list of vulnerabilities that could potentially be used to compromise the organization's infrastructure.
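The prioritization step described above (raw scanner findings, re-scored against severity, exposure, and mitigating controls, then ordered) is illustrated by the following example, which is added here and is not the firm's own tooling. The control weights, hostnames, and VULN-* identifiers are constructed placeholders, not real CVEs or customer data.

```python
from dataclasses import dataclass, field


@dataclass
class Finding:
    host: str
    vuln_id: str          # scanner identifier (constructed placeholder, not a real CVE)
    base_severity: float  # vendor/CVSS-style base score, 0.0 to 10.0
    internet_facing: bool
    controls: list = field(default_factory=list)  # mitigating controls known to be in operation


# Assumed weights: how much each mitigating control reduces the effective severity.
# A weight of 1.0 means the control does not change exploitability.
CONTROL_WEIGHT = {
    "waf": 0.6,            # web application firewall in front of the service
    "network_acl": 0.5,    # source-restricted at the firewall
    "ids_signature": 0.8,  # detection only; still exploitable, but noticed
    "patch_pending": 1.0,  # the vulnerability remains until the patch lands
}


def effective_score(f: Finding) -> float:
    """Adjust the base severity for exposure and for controls already in place."""
    score = f.base_severity
    if not f.internet_facing:
        score *= 0.7  # internal-only hosts are reachable by fewer attackers (assumed discount)
    for control in f.controls:
        score *= CONTROL_WEIGHT.get(control, 1.0)  # unknown controls get no credit
    return round(min(score, 10.0), 2)


def prioritize(findings):
    """Return (effective_score, finding) pairs, most urgent first; ties broken by host/id."""
    scored = [(effective_score(f), f) for f in findings]
    scored.sort(key=lambda t: (-t[0], t[1].host, t[1].vuln_id))
    return scored


def sample_findings():
    """Constructed scan output: two Internet-facing web hosts and two internal systems."""
    return [
        Finding("web01", "VULN-A", 9.8, True, ["waf"]),
        Finding("web01", "VULN-B", 7.5, True, []),
        Finding("db01", "VULN-C", 9.0, False, ["network_acl"]),
        Finding("hr-pc", "VULN-D", 5.0, False, []),
    ]


if __name__ == "__main__":
    for score, f in prioritize(sample_findings()):
        print(f"{score:5.2f}  {f.host:6}  {f.vuln_id}  controls={f.controls}")
```

Note how VULN-A, the highest raw score, drops below an unmitigated medium-severity finding once the WAF is credited, which is the point of the analysis step: the scanner's list is the input, not the answer.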

The mere existence of a vulnerability does not mean that it is a threat to your network. Both physical and logical penetration tests exploit the discovered vulnerabilities to determine which of those present in the organization's network can actually be exploited, and the degree of control or exposure the organization can expect after a successful exploitation.