Frequently Asked Questions
Here you will find definitions of terms often associated or used with our service offerings.
Terms covered in this FAQ.

What is information security assessment?
An information security assessment (also known as an IT security assessment, security audit or security review) is an explicit study to locate IT security vulnerabilities and weaknesses and to identify the risks they pose. The objective of a security assessment is to verify that the necessary security controls and mechanisms are integrated into the overall framework and implementation of an organisation's IT infrastructure.
Security assessments are typically done with the full cooperation of the organisation being assessed: the organisation grants the assessor (e.g. Mobiliance) access to its facilities, provides access to its networks and systems, and supplies the available information about its IT infrastructure and environment. Both the assessor and the organisation understand that the goal of the assessment is to study the security posture of the organisation's IT environment, identify possible improvements to secure those systems and mitigate any identified risks. In some cases, the assessment can focus on specific projects or departments within an organisation.
The output of a security assessment engagement is documentation (i.e. a report) outlining security weaknesses and gaps between corporate security policies (and/or applicable regulatory standards) and the actual security posture of the organisation's IT environment. Management can then address the findings by accepting the risks on the basis of an informed risk/reward analysis, allocating the resources needed to close the gaps, or decommissioning the vulnerable systems (or projects) altogether.

What is vulnerability assessment?
Most organisations actually want or need a vulnerability assessment (VA), even though many confuse it with another term, namely penetration testing. Vulnerability assessment is the process of identifying and quantifying vulnerabilities in networks and systems, typically without attempting to exploit them. Such vulnerabilities represent potential risks to an organisation's critical IT systems that may be exploited by a variety of threats. Vulnerability assessment is a broad review: the objective is to identify as many issues as possible and rate their severity. This type of service is best suited to organisations that already know they have many issues and need assistance in identifying and prioritising them.

What is penetration testing?
Penetration testing (or simply "pen test") is a method of assessing the security of a network or computer system by simulating an attack by a malicious hacker, within a scope and rules of engagement agreed with the organisation in advance. The process typically involves an active analysis of the system for weaknesses, technical flaws and vulnerabilities. Because it is done from the perspective of a malicious hacker, penetration testing usually involves the active exploitation of the vulnerabilities found, in order to demonstrate their real impact.
Penetration testing focuses on depth rather than breadth. Its goal is to find ways for the security framework to fail, not to discover every possible vulnerability and its associated risk.

What is white box and/or black box testing?
White box testing refers to situations in which the client organisation provides the testers (or assessors) with more or less complete knowledge of its IT infrastructure before the assessment or test begins. The information provided includes network diagrams, IP addressing information, system information, documentation, source code (if applicable), etc. In contrast, black box testing assumes no prior knowledge of the infrastructure or environment to be tested. The testers or assessors must therefore gather whatever information they need themselves before commencing the assessment and analysis.
One supposed advantage of black box testing is that it closely simulates the actions of real attackers. On the other hand, the information gathering stage of black box testing can be time consuming; a more efficient approach is to assume that a potential attacker already knows all of the required information and proceed with a white box approach. In practice, penetration testing is usually conducted as a black box exercise, while vulnerability assessment can be done in either white box or black box mode.

Copyright 2010 Mobiliance Pty. Ltd. All rights reserved.