Introduction to Vulnerability Assessment

What is Vulnerability Assessment? 
Vulnerability Assessment is the process that identifies and classifies the vulnerability in a system. The vulnerability are performed in various systems such as IT systems,nuclear power plants, water supply system,etc. Vulnerability from the perspective of disaster management means assessing the threats from potential hazards to the population and to infrastructure. It may be conducted in the political, social, economic or environmental fields.

The steps involved in Vulnerability Assessment:

  • Classifying capabilities and assets(resources) in a system.
  • Assigning quantifiable vaule and importance to the above resources.
  • Identifying the vulnerability in each resources.
  • Mitigating or eliminating the most serious vulnerabilities for the most valuable
  • resources

Standard risk analysis is mostly interested in exploring and examining the risks surrounding a given asset or resource (in the IT industry’s case, digital information, the continued smooth operation of a program, or the unimpeded performance of an OS or network) as well as its function and design. Such assessments tend to concentrate on the direct consequences and root causes for the failure of the scrutinized object.

In contrast, vulnerability assessment is more concerned with both the adverse effects on the asset itself and on the principal and secondary consequences for the surrounding system environment. At any rate, this analysis type is mostly focused on the possibilities of mitigating such risks and improving the security capacity and performance rating of a given network or computer system in order to better manage future incidents.

The vulnerability test is performed by an automated tools(Eg: joomla vulnerability scanner). These tools identify the vulnerabilities and give tips for mitigate or patching . But these tools are limited to common and known vulnerabilities. Vulnerability assessment can be done by inside professionals (i.e. network administrators), but is usually outsourced to Managed Security Service Providers (MSSP).