Categories of security assessments

Security assessments fall into the following categories:

  1. Vulnerability Assessment
  2. Penetration Test
  3. White/Grey/Black-Box Assessment
  4. Risk Assessment
  5. Threat Assessment

1. Vulnerability Assessment:

  • Vulnerability assessment is also known as vulnerability analysis.
  • It is a process that defines, identifies, and classifies the security holes (vulnerabilities) in a computer, network, or communications infrastructure.
  • It is used by network administrators to evaluate the security architecture and defenses of a network against possible vulnerabilities and threats.
  • The key objective of this assessment is to find any vulnerabilities that could compromise the overall security, privacy, and operations of the network.

2. Penetration Test:

  • Penetration tests attempt to exploit the vulnerabilities in a system to determine whether unauthorized access or other malicious activity is possible, and to identify which flaws pose a threat to the application.
  • Penetration tests find exploitable flaws and measure the severity of each.
  • A penetration test is meant to show how damaging a flaw could be in a real attack, rather than to find every flaw in a system.
  • Together, penetration testing and vulnerability assessment tools provide a detailed picture of the flaws that exist in an application and the risks associated with those flaws.

3. White/Grey/Black-Box Assessment:

  • The white/grey/black-box terminology indicates how much internal information a tester is given, or may use, during a technical assessment.
  • The shades map to the degree of internal transparency: in a white-box assessment the tester has full access to all available internal information, such as network diagrams and source code.
  • A grey-box assessment is the next level of opacity down from white: the tester has some internal information, but not all of it.
  • In a black-box assessment the tester has no internal knowledge of the environment, i.e. it is performed from an attacker's perspective.

4. Risk Assessment:

  • Risk assessment is the determination of a quantitative or qualitative estimate of risk related to a well-defined situation and a recognized threat (also called a hazard).
  • Quantitative risk assessment requires calculating two components of risk (R): the magnitude of the potential loss (L) and the probability (p) that the loss will occur.
  • Risk assessments commonly rate risks along two dimensions, probability and impact; both quantitative and qualitative models are used.
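The two risk models described above, as an added example that is not part of the original notes: the quantitative model combines the loss magnitude L and probability p as the expected loss R = L × p (the standard formulation, assumed here), and the qualitative model places each risk in a probability-by-impact matrix. The three-level scales, the matrix thresholds, and the sample risk register are assumptions constructed for the example.

```python
# Added example (not from the original notes): the two risk models from the
# Risk Assessment section, applied to a constructed risk register.
from dataclasses import dataclass

# Qualitative scales (assumption: three ordinal levels per dimension).
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"minor": 1, "moderate": 2, "severe": 3}


def quantitative_risk(loss_magnitude: float, probability: float) -> float:
    """Quantitative model: R = L * p, the expected loss for the period assessed."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    if loss_magnitude < 0:
        raise ValueError("loss magnitude cannot be negative")
    return loss_magnitude * probability


def qualitative_rating(likelihood: str, impact: str) -> str:
    """Qualitative model: place the (probability, impact) pair in a 3x3 matrix."""
    score = LIKELIHOOD[likelihood.lower()] * IMPACT[impact.lower()]
    if score >= 6:        # high x moderate, medium x severe, high x severe
        return "high"
    if score >= 3:        # e.g. low x severe, medium x moderate, high x minor
        return "medium"
    return "low"


@dataclass
class Risk:
    name: str
    loss: float         # L: magnitude of the potential loss (currency units)
    probability: float  # p: probability the loss occurs in the period assessed
    likelihood: str     # qualitative probability band
    impact: str         # qualitative impact band


def rank_risks(risks):
    """Return (name, expected loss, qualitative rating), highest expected loss first."""
    rows = [(r.name, quantitative_risk(r.loss, r.probability),
             qualitative_rating(r.likelihood, r.impact)) for r in risks]
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed sample register; the figures are illustrative only.
SAMPLE_RISKS = [
    Risk("Unpatched VPN appliance", 500_000, 0.20, "high", "severe"),
    Risk("Lost unencrypted laptop", 50_000, 0.50, "high", "moderate"),
    Risk("Website defacement", 20_000, 0.10, "medium", "minor"),
]
```

Running `rank_risks(SAMPLE_RISKS)` orders the register by expected loss while still carrying the qualitative band, which is useful when the two models disagree about a risk's priority.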

5. Threat Assessment:

  • A threat assessment is a type of security review that is somewhat different from the others mentioned.
  • The primary focus of a threat assessment is to determine whether a threat (think of a bomb threat or a threat of violence) that was made, or that was detected some other way, is credible.