There are following categories of security Assessments:
- Vulnerability Assessment
- Penetration Test
- White/Grey/Black-Box Assessment
- Risk Assessment
- Threat Assessment
- Vulnerability assessment, is also known as Vulnerability analysis.
- It is a process that defines, identifies, and classifies the security holes (vulnerabilities) in a computer, network, or communications infrastructure.
- It is used by network administrators to evaluate the security architecture and defense of a network against possible vulnerabilities and threats.
- The key objective of this assessment is to find any vulnerabilities that can compromise the overall security, privacy and operations of the network.
2. Penetration Test Assessment:
- Penetration tests attempt to exploit the vulnerabilities in a system to determine whether unauthorized access or other malicious activity is possible and identify which flaws pose a threat to the application.
- Penetration tests find exploitable flaws and measure the severity of each.
- A penetration test is meant to show how damaging a flaw could be in a real attack rather than find every flaw in a system.
- Together, penetration testing and vulnerability assessment tools provide a detailed picture of the flaws that exist in an application and the risks associated with those flaws.
- The white/grey/black assessment parlance is used to indicate how much internal information a tester will get to know or use during a given technical assessment.
- The levels map light to internal transparency, so a white-box assessment is where the tester has full access to all internal information available, such as network diagrams, source code, etc.
- A grey-box assessment is the next level of opacity down from white, meaning that the tester has some information but not all.
- In Black box assessment ,the tester has zero internal knowledge about the environment, i.e. it’s performed from the attacker perspective.
- Risk assessment is the determination of quantitative or qualitative estimate of risk related to a well-defined situation and a recognized threat (also called hazard).
- Quantitative risk assessment requires calculations of two components of risk (R): the magnitude of the potential loss (L), and the probability (p) that the loss will occur.
- Risk Assessments commonly involve the rating of risks in two dimensions: probability, and impact, and both quantitative and qualitative models are used.
- A threat assessment is a type of security review that’s somewhat different than the others mentioned.
- The primary focus of a threat assessment is to determine whether a threat (think bomb threat or violence threat) that was made, or that was detected some other way, is credible.