Almost all ICT systems and applications carry security risks. Security professionals across the globe generally address these security risks by Vulnerability Assessment and Penetration Testing (VAPT). The VAPT is an offensive way of defending the IT assets of an organization. It consists of two major parts, namely Vulnerability Assessment (VA) and Penetration Testing (PT). Vulnerability assessment, includes the use of various automated tools and manual testing techniques to determine the security posture of the target system. In this step all the breach points and loopholes are found. These breach points/loopholes if found by an attacker can lead to heavy data loss and fraudulent intrusion activities. In Penetration testing the tester simulates the activities of a malicious attacker who tries to exploit the vulnerabilities of the target system. In this step the identified set of vulnerabilities in VA is used as input vector. This process of VAPT helps in assessing the effectiveness of the security measures that are present on the target system.
The purpose of the vulnerability assessment is to discover all systems on perimeter network and on the internal network those are exposed to internet and in the internal network and to assess these systems for securities vulnerabilities. Internal/External vulnerability testing and configuration reviews are performed against an appropriately sized sample of system and network devices representative of the environment to understand if platforms and devices are hardened against industry standard security standard. Testing is performed via internet, from an external perspective, and is limited to approved IPs or ranges. It is explicit that penetration tester should conduct vulnerabilities assessment consulting with concerned personnel and proper permission of the Client. Finally, remediation and recommendations must be performed.
The goal of this exercise is to identify vulnerabilities in ICT infrastructure and to recommend changes necessary for mitigating identified vulnerabilities and gaps. Such is to ensure that reasonable protection is in place for general and particular threats that may exist for ICT systems and infrastructure.