VULNERABILITY ASSESSMENT

[find your vulnerabilities before hackers do]

DO I NEED A VULNERABILITY ASSESSMENT?

Vulnerability scanning has become a cybersecurity staple. Using one or more scanning tools, you can scan your entire infrastructure for technical vulnerabilities. There are many reasons to do this:

  • Match up critical vulnerabilities with critical assets
  • Generate a list of the patches or other remediation that need to be applied
  • Identify (through the assessment process) all of the false-positives and false-negatives that exist
  • Satisfy PCI, HIPAA and NERC-CIP regulatory requirements

WHAT IF I NEED MORE THAN SCANNING?

We at GreyCastle Security give you the option of taking several additional steps, including:

  • Assessing the risk of individual applications, servers and networks based on standards and recommended practices
  • Defining standard configurations, called "baselines", for applications, servers and networks
  • Comparing standard configurations to what exists today
  • Applying changes to applications, servers and networks

HOW IS THIS DIFFERENT THAN A PENETRATION TEST?

There are important differences between a Penetration Test and a Vulnerability Assessment.


Function

Vulnerability Assessment

Penetration Test

Identification of ALL Technology Vulnerabilities

Analysis of False-Positives and False-Negatives

Vulnerability Scanning

OPTIONAL

Full Interaction with Client Team

Limited or No Interaction with Client Team

Social Engineering (Phishing, Vishing, Smishing)

Targeting of Critical Assets

Exploitation of People, Process, and Technology


Which one should you do? The answer is probably "both", depending on the problem you're trying to solve, the maturity of your cybersecurity controls and your regulatory requirements.