
Network Vulnerability Testing

commissum Managed Security services allow us to free up your resources and lighten your workload with our first-class range of management services. These include our outsourced CISO offering, managing your alignment to ISO27001, helping you to manage critical business continuity and, at a more technical level, regular managed testing of your network and applications, and blended code review.

Vulnerability Assessment

commissum's monthly managed vulnerability assessment ensures continued network security.

With about eight thousand vulnerabilities being discovered in commercial software annually, can you really afford to wait twelve months between penetration tests? While most vulnerabilities will not affect your organisation’s infrastructure, even if one percent impacts upon your environment, you could be exposed to twenty a quarter or almost seven per month on average.

Our managed monthly scanning is designed to complement full penetration testing, once this CREST level of detailed testing has established the impact of exploiting a vulnerability and breaching your defences.

By way of analogy

If your son comes in from the pub at two in the morning and leaves his keys in the door, that is a vulnerability. A vulnerability scan will find and report this, and will offer suggestions for mitigation such as "Remove his keys – but you need to get up at two in the morning to let him in", "Install a swipe card system" or even "Kick him out of the house!"

A penetration tester, on the other hand, would go up to the door and turn the keys and handle, only to find your son had been sober enough to bolt the door from the inside; i.e. the "high" risk presented by the vulnerability has been mitigated. The tester would then take the keys and try the back door, and identify that the keys for his car are also on the key-ring, exposing this asset to theft. In other words, the vulnerabilities are assessed for potential exploitation to determine the true business impact and not just the theoretical vulnerabilities.

Our Monthly Managed Service is designed to follow on after the full penetration test has established the impact (the stolen car), and will check that the underlying vulnerability is mitigated. In the analogy above, it would show every month whether the keys were still in the door or had been removed (i.e. mitigated). It would also indicate if they returned after a period of absence. This perhaps corresponds to notification of a server that has been restored from backup and not subsequently patched, which would equate to an episode of binge drinking in the analogy.

Overall, the Managed Scanning Service is the equivalent of a security guard regularly checking that all is well. A recent example of a successful outcome using a managed service provider was the exposure of data records that had not been exposed by the penetration test, but which appeared only after a firewall upgrade. The security scanning service discovered them, and the issue was quickly resolved before the public became aware of it.

Get in touch with one of our security consultants today

  • No obligation
  • Expert advice
  • Tailored solutions

“We have used commissum for several years and their work has always been professional and delivered to a high standard. We appreciate their ability to readily interpret project requirements and to make a valuable contribution even when a project's budget is tight. commissum are easy to deal with and have the flexibility to manage changing time scales and requirements.”

Mr Iain R, Account Director, International Business Systems & Managed Services Company
