External Vulnerability Assessment / Penetration Testing (EVA/PT)


The purpose of this type of assessment is to identify potential network- and host-oriented vulnerabilities that can be exploited externally. Vulnerabilities of this nature typically involve operating systems, services, and applications.

Following the CastleGarde assessment methodology, an External Vulnerability Assessment and Penetration Testing (EVA/PT) is performed in four stages:

1. Passive Information Gathering
2. Active Testing
3. Evaluation, Exploitation, and Validation
4. Reporting

External Vulnerability Assessment Phases

1. Passive Information Gathering

In this portion of the assessment, engineers gather publicly available information about the credit union and use applications that identify all devices within the scope of the IP ranges provided by the client.

2. Active Testing

Engineers perform technical testing using a myriad of industry-proven penetration testing tools to scan every device on the client’s network for known or possible vulnerabilities.

3. Evaluation, Exploitation, and Validation

During this part of the assessment, engineers actively validate each and every tested result discovered in the previous steps of the assessment, per the client’s management approval. Engineers also attempt penetration activities on all network devices with the goal of obtaining unauthorized application, device, and/or network entry, and the unauthorized discovery of Sensitive Member Information.

4. Reporting

In this part of the assessment, engineers gather and organize the testing results, which include assessment findings and recommendations based on regulations, policies, standards, procedures, and industry best practice guidelines. In this final phase, the assessment team is able to determine the organization’s security risk profile. The ensuing report provides management with the tools it needs to make accurate decisions with respect to the acceptance, avoidance, or assignment of risks identified.