Process involved in security assessments:
- Identification. Determine all critical assets of the technology infrastructure. Next, identify the sensitive data that is created, stored, or transmitted by these assets. Create a risk profile for each.
- Assessment. Apply an approach to assess the identified security risks to the critical assets. After careful evaluation, determine how to allocate time and resources to risk mitigation effectively and efficiently. The assessment methodology must analyze the correlation between assets, threats, vulnerabilities, and mitigating controls.
- Mitigation. Define a mitigation approach and enforce security controls for each risk.
- Prevention. Implement tools and processes that minimize threats to, and vulnerabilities in, your firm's resources.
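The four steps above, carried through as a small risk register. This is an added example written for this page, not code from the original article: the assets, threats, vulnerabilities, control names and the 1/3/5 rating scale are all constructed placeholders, and the "fraction of risk removed" attached to each control is an assumed model, not a published one. It also shows the quantitative side of the Risk Assessment type described later: inherent risk is likelihood times impact, mitigating controls reduce it to a residual value, and anything still above the organization's acceptable level is flagged for further work.

```python
from dataclasses import dataclass, field

# Qualitative ratings mapped to numbers so the same register supports both
# qualitative ("high") and quantitative (1-5) reasoning.
SCALE = {"low": 1, "medium": 3, "high": 5}

# Step 1 (identification): the impact of compromising an asset follows from
# the sensitivity of the data it creates, stores or transmits.
IMPACT_BY_CLASSIFICATION = {"public": "low", "internal": "medium", "confidential": "high"}


@dataclass
class Asset:
    name: str
    data_classification: str  # public / internal / confidential


@dataclass
class Risk:
    asset: Asset
    threat: str
    vulnerability: str
    likelihood: str                               # low / medium / high
    controls: list = field(default_factory=list)  # (control name, fraction of risk removed)

    @property
    def impact(self) -> str:
        return IMPACT_BY_CLASSIFICATION[self.asset.data_classification]

    def inherent_score(self) -> int:
        """Step 2 (assessment): likelihood x impact before any controls apply."""
        return SCALE[self.likelihood] * SCALE[self.impact]

    def residual_score(self) -> float:
        """Step 3 (mitigation): each control removes a fraction of what remains (assumed model)."""
        score = float(self.inherent_score())
        for _, reduction in self.controls:
            score *= 1.0 - reduction
        return round(score, 2)


# Constructed sample register: placeholder assets, threats and controls.
CUSTOMER_DB = Asset("customer-db", "confidential")
MARKETING_SITE = Asset("marketing-site", "public")
BUILD_SERVER = Asset("build-server", "internal")

REGISTER = [
    Risk(CUSTOMER_DB, "external attacker", "unpatched database service", "high",
         controls=[("patch management", 0.6)]),
    Risk(CUSTOMER_DB, "malicious insider", "shared admin credentials", "medium",
         controls=[("per-user accounts with MFA", 0.7)]),
    Risk(MARKETING_SITE, "defacement", "outdated CMS plugin", "high"),
    Risk(BUILD_SERVER, "supply-chain compromise", "unpinned dependencies", "medium",
         controls=[("dependency pinning with hash verification", 0.5)]),
]


def prioritize(register):
    """Step 2: rank risks so time and resources go to the largest ones first."""
    ranked = sorted(register, key=lambda r: r.inherent_score(), reverse=True)
    return [(r.asset.name, r.threat, r.inherent_score()) for r in ranked]


def unacceptable(register, acceptable=5.0):
    """Steps 3-4: risks whose residual score still exceeds the level the
    organization accepts; these need additional controls before sign-off."""
    return [(r.asset.name, r.vulnerability, r.residual_score())
            for r in register if r.residual_score() > acceptable]


if __name__ == "__main__":
    for row in prioritize(REGISTER):
        print("inherent:", row)
    for row in unacceptable(REGISTER):
        print("still above acceptable level:", row)
```

Running it ranks the unpatched customer database first (inherent 25) and, after the single patch-management control, leaves it as the only risk still above the acceptable level of 5, which is exactly the kind of result the Mitigation and Prevention steps feed on: the register tells you where the next control has to go.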
The different security assessment types are:
- Vulnerability Assessment: A significant security assessment type, vulnerability assessment involves identifying, quantifying, prioritizing, and classifying vulnerabilities and threats in a system or its environment, and provides the information needed to remediate them.
- Penetration Assessment: A penetration test, or pen test as it is commonly known, is the process of intentionally, yet safely, attacking a system and exploiting its vulnerabilities to identify its weaknesses as well as its strengths. A pen test helps validate the effectiveness of the security measures implemented in the system, as well as its adherence to security policies.
- Red Team Assessment: Though quite similar to a penetration assessment, a red team assessment is more targeted than the former. It identifies vulnerabilities in the system as well as gaps across an organization's infrastructure and defense mechanisms. In short, the objective of this assessment is to test an organization's detection and response capabilities.
- Security Audit: A security audit is an extensive and thorough review of an organization's security systems and processes. It offers in-depth reviews of the system's physical attributes, identifies gaps in the security policies, and includes major vulnerability assessments. This is an extremely important type of assessment, as it validates conformance with standard security policies.
- White/Grey/Black-Box Assessment: Though grouped together, these assessments cater to different attributes of the system and of the organization's infrastructure. They indicate, quantitatively and qualitatively, how much internal information is shared with the tester. In a white-box assessment the tester has full knowledge of the internal workings of the application or system. In a grey-box assessment only limited information is shared with the tester. In a black-box assessment no internal information about the system or its environment is provided; the test is performed from the perspective of the hacker.
- Risk Assessment: During this type of security assessment, potential risks and hazards are objectively evaluated by the team, and uncertainties and concerns are presented for consideration by management. Additionally, it brings the current level of risk present in the system down to a level acceptable to the organization, using quantitative and qualitative models.
- Threat Assessment: Threat assessment is the process of identifying, assessing, and managing potential threats, and determining their credibility as well as their seriousness. It measures the probability of a detected threat becoming a real risk. In short, this assessment type is quite different from the others, as it is more focused on physical attacks than on assumptions.
- Threat Modelling: Threat modelling is the process of understanding and documenting vulnerabilities, risks, and threats by evaluating them from the perspective of the hacker. It helps identify, enumerate, and prioritize issues and risks while assessing their impact on the system's functioning.
- Bug Bounty: A bug bounty is the most effective way of finding security vulnerabilities in a system. It engages many professional testers, who test the system for security breaches and issues through thorough assessment.