When identifying vulnerabilities, one should focus on three areas:
- people,
- technology,
- processes.
The whole game is to define, identify and classify potential points of compromise.
One of the most common ways to validate the results of a Vulnerability Assessment is to run Penetration Tests. The following are the most popular areas where Penetration Testing is conducted:
- network vulnerabilities (misconfiguration or poor architecture)
- physical access
- applications and web-facing services (one of the most common attack vectors)
- utilities (rely on controlled environmental conditions)
- supply chain
- equipment
- cloud computing
- big data
Remember that Penetration Tests may include:
- networks and applications (only 1/3 of the vulnerabilities within an enterprise!)
- people
- processes
- physical access
- wireless
- third parties
The easiest way is to use an automated Vulnerability Assessment, e.g. a software solution. The next level is to run Penetration Testing. Both of them, however, should be accompanied by Root Cause Analysis (e.g. pre-mortem analysis).
M.