With the Vulnerability Assessment (VA) service we will conduct a security analysis of your IT infrastructure to identify known potential vulnerabilities and provide remedial measures to mitigate the risks arising from them. VA is performed by means of professional automated tools that, through the application of a multitude of controls, detect the type of service, its configuration and therefore the possible vulnerability in the system. This activity will bring to light the problems listed below (by way of non- exhaustive example):
• Unsecurely configured services;
• Obsolete vulnerable applications;
• Obsolete operating systems.
VA is of fundamental importance for the Risk Assessment process as it allows to define the priorities of remedial actions of an intervention plan to enhance and raise the level of security of its IT infrastructure. It is necessary to carry out this activity periodically during the year in order to verify if your IT infrastructure maintains an adequate level of security considering that technologies are constantly evolving. The VA essentially photographs the security status of the infrastructure as it is carried out.
A Penetration Test (PT) consists of simulating a cyber-attack to assess the adequacy of the technical and organizational security measures implemented by your organization. In fact, unlike what happens with a Vulnerability Assessment, the tester not only detects any vulnerabilities present but will continue with the subsequent phases of a real cyber-attack according to the objectives we establish with you. It is possible to perform the test in both the “internal penetration test” and “external penetration test” modes. In an internal penetration test, the tester is given access to the organization’s network and a domain account to simulate an attacker who has managed to breach your perimeter security measures. The goal of this mode is to test the resilience of the IT infrastructure and the ability to escalate privileges within the corporate domain to exfiltrate business-critical data. An external penetration test, instead, simulates a real IT attack as the tester’s goal is to break into your organization’s IT infrastructure from exposed services. It is possible to perform the external penetration test in the white-box, grey-box, and black-box methodologies, which differ in the amount of information provided to the tester and the organization’s staff.
Both activities involve writing and sharing two different reports that will be provided at the end of the activity the:
• Executive Summary: a short report, with non-technical indications useful to understand the risks to which the IT infrastructure is exposed; and the
• Technical Report: an extended report for the organisation’s technical staff. The objective of the report is to express, in a complete and clear way, the criticalities identified as well as to provide information on how to resolve identified problems.