Many organizations believe that they are secure because they have a patch management process or have policies that require the application of Minimum Security Baselines on all production servers. It is important to realize that having a process in place does not mean that it is truly effective. Vulnerability Assessments will identify known network, operating system, web application, and web server exploits/vulnerabilities with the use of automated scanning tools. Scans can give you an overall picture of the vulnerabilities present on your network and assist in vulnerability risk management.
SecureState offers three types of Vulnerability Assessment: scans with validation of the findings, scans without validation of the findings, and PCI ASV scans. When validating the vulnerabilities discovered, SecureState manually checks to make sure all discovered vulnerabilities are truly present. This eliminates false positives and provides an actionable list of vulnerabilities to remediate. SecureState recommends all vulnerability scans include validation of the vulnerabilities, making it a true assessment of your network.
SecureState scans your organization’s IP address ranges to identify active devices. If a device is online, the scanner makes note of the IP address and continues to look for other active devices within range. We then perform a port scan to determine what services are running on each active device. This helps the scanner determine what types of vulnerability checks to run against a
Active IP addresses that were identified as part of the Device Discovery phase are scanned with an industry-leading tool to identify vulnerabilities such as missing patches, server misconfigurations, and dangerous services. The tool performs some high-level web application vulnerability scanning, but does not perform an extensive scan on the application layer of any discovered web applications.
If in scope, SecureState manually validates the vulnerabilities identified to remove false positives from the list. This helps the organization focus their efforts on vulnerabilities that are actually present in their environment, instead of wasting time trying to remediate vulnerabilities that do not exist.