The Assessment Of A Vulnerability Assessment

1432 Words6 Pages
Statement of Work Vulnerability Assessment The objective of a vulnerability assessment is to validate host configurations and produce a list of known vulnerabilities existing on in-scope systems. The testing is limited to relatively safe checks designed to limit any negative impact in risk-averse environments. Pre-Engagement A critical component of this security engagement is to clearly establish and agree to the rules of engagement. During our initial scheduling and kick-off sessions, the rules of engagement for the testing will be established. Topics to be covered will include: • Goals and objectives for the testing • Definition of scope, validation of targets • Testing timelines and schedules • Rules of engagement, levels of effort and…show more content…
This is a safety measure and will ensure the accuracy of subsequent findings. The consultant may perform such activities as: • Ping sweeps, port scans and route tracing • Foot printing of networks and systems • Internet domain name registration searches • Internet registry number searches • Domain name service (DNS) lookups Vulnerability Assessment Step II: Network Discovery The consultant will validate targets in the discovery IP address range listed in the scope. The consultant may perform this step to attempt to identify live hosts for future testing efforts. The consultant may perform such activities as: • Scanning a range of IP addresses to identify top TCP ports in use • Identifying certain applications and potential version information through banner grabbing • Assembling a list of potential targets for further testing After the scan, The consultant will deliver the list of live hosts with the top ports in use, suitable for inclusion into the final report. Vulnerability Assessment Step II: Enumeration and Vulnerability Mapping Enumeration involves actively trying to identify services running, applications used, version numbers, service banners, etc. Testing in this phase generally is at a more noticeable level of activity, which might reveal that the consultant is performing types of
Open Document