Penetration Testing or Vulnerability Assessment

Penetration Test

A Pen Test review is a survivability and resilience test that may be used in conjunction with any other VA level (see below).

It is intended for systems with specific identified requirements in this area (e.g. web servers having to survive a Denial of Service attack).

This will involve the use of specialist personnel and both manual and automated tools, testing both physical and procedural security measures.

Penetration testing: survivability and resilience test

Vulnerability Assessment

 

A Vulnerability Assessment (VA) is the process of actively testing the defences of networks and systems to see if they are susceptible to any exploitable vulnerability.

 

It can be viewed as a measure of how effectively the electronic security environment (ESE) processes, mitigations and controls have been implemented. A VA is conducted at different levels.

Vulnerability Assessment Levels

Basic Compliance Assessment. This consists of a basic configuration check of the Electronic Security Environment (ESE), processes, mitigations and controls to establish whether a system is correctly configured and supported to meet the security measures specified in its security policy documentation set. It consists of manual and automated tests using review tools and pre-scripted tests.

 

VA 1—Basic Assessment. A VA 1 will identify all system and connected network elements, analyse topology and locate vulnerabilities and/or initial entry points. The assessment consists of a network survey and a basic scan, typically performed with automated tools.

 

VA 2—Intermediate Assessment. A VA 2 demonstrates that the basic vulnerabilities discovered during VA 1 could be used to gain further access within the system, or compromise its integrity or confidentiality. This will typically use manual and automated tools.

 

VA 3—Enhanced Assessment. A VA 3 aims to identify exploits which can be used against those vulnerabilities identified as part of VA 1 and VA 2 in order to gain access, exploit trusted relationships and exploit new vulnerabilities. A VA 3 may involve specialist personnel, automated and pre-scripted tool sets.