TA vulnerability assessment is the process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system. Examples of systems for which vulnerability assessments are performed include, but are not limited to, information technology systems, energy supply systems, water supply systems, transportation systems, and communication systems. Such assessments may be conducted on behalf of a range of different organizations, from small businesses up to large regional infrastructures. Vulnerability from the perspective of disaster management means assessing the threats from potential hazards to the population and to infrastructure. It may be conducted in the political, social, economic or environmental fields.
Vulnerability assessment has many things in common with risk assessment. Assessments are typically performed according to the following steps:
1. Cataloging assets and capabilities (resources) in a system.
2. Assigning quantifiable value (or at least rank order) and importance to those resources
3. Identifying the vulnerabilities or potential threats to each resource
4. Mitigating or eliminating the most serious vulnerabilities for the most valuable resources
"Classical risk analysis is principally concerned with investigating the risks surrounding a plant (or some other object), its design and operations. Such analysis tend to focus on causes and the direct consequences for the studied object. Vulnerability analysis, on the other hand, focus both on consequences for the object itself and on primary and secondary consequences for the surrounding environment. It also concerns itself with the possibilities of reducing such consequences and of improving the capacity to manage future incidents." (Lövkvist-Andersen, et al., 2004) In general, a vulnerability analysis serves to "categorize key assets and drive the risk management process." (United States Department of Energy, 2002)
The GSA (also known as the General Services Administration) has standardized the “Risk and Vulnerability Assessments (RVA)” service as a pre-vetted support service, to rapidly conduct assessments of threats and vulnerabilities, determine deviations from acceptable configurations, enterprise or local policy, assess the level of risk, and develop and/or recommends appropriate mitigation countermeasures in operational and non-operational situations. This standardized service offers the following pre-vetted support services:
These services are commonly referred to as Highly Adaptive Cybersecurity Services (HACS) and are listed at the US GSA Advantage website
This effort has identified key service providers which have been technically reviewed and vetted to provide these advanced services. This GSA service is intended to improve the rapid ordering and deployment of these services, reduce US government contract duplication, and to protect and support the US infrastructure in a more timely and efficient manner.
132-45D Risk and Vulnerability Assessment identifies, quantifies, and prioritizes the risks and vulnerabilities in a system. A risk assessment identifies recognized threats and threat actors and the probability that these factors will result in an exposure or loss. With a combined assessment, you’ll gain a thorough understanding of the vulnerabilities & threats that exist in your environment and the likelihood that they will be exploited and impact your organization.
This process typically includes:
Predefined tests are designed to illustrate common vulnerability issues that may be encountered in database environments. Because of the highly variable nature of database applications and the differences in what is deemed acceptable in various companies or situations, some of these tests may be suitable for certain databases but totally inappropriate for others (even within the same company). Most of the predefined tests are customizable to meet requirement of your organization. Additionally, to keep your assessments current with industry best practices and protect against newly discovered vulnerabilities, Guardium distributes new assessment tests and updates on a quarterly basis as part of its Database Protection Subscription Service. Please refer to Guardium Administration Guide for more details.
Predefined Tests include:
This set of tests assesses the security health of the database environment by observing database traffic in real-time and discovering vulnerabilities in the way information is being access and manipulated.
As an example, some of the behavioral vulnerability tests included are:
This set of assessments checks security-related configuration settings of target databases, looking for common mistakes or flaws in configuration create vulnerabilities.
As an example, the current categories, with some high-level tests, for configuration vulnerabilities include:
A query based tests is either a pre-defined or user-defined test that can be quickly and easy created by defining or modifying a SQL query, which will be run against database datasource and results compared to a predefined test value. See Define a Query-based Test for additional information on building a user defined query-based test.
A CAS-based test is either a pre-defined or user-defined test that is based on a CAS template item of type OS Script command and uses CAS collected data.
Users can specify which template item and test against the content of the CAS results. See Create a New Template Set Item for assistance on creating an OS Script type CAS template.
Guardium also comes pre-configured with some CAS template items of type OS Script that can be used for creating a CAS-based test. These tests can be see through the CAS Template Set Definition panel and have a name which contains the word 'Assessment'. For instance, the Unix/Oracle set for assessments is named 'Guardium Unix/Oracle Assessment'. Additionally, any template that is added that involves file permissions will also be used for permission and ownership checking. See Modify a Template Set Item for viewing these template sets and seeing those items with type OS Script.
Whether using a Guardium pre-configured or defining your own, once defined, these tests will appear for selection during the creation or modification of CAS-based tests. See Define a CAS-based Test for additional information.
Guardium constantly monitors the common vulnerabilities and exposures (CVE) from the MITRE Corporation and add these tests for the relevant database related vulnerabilities.