Information and Cyber Security Management

Vulnerability Assessment and Penetration Testing Services

Service

Vulnerability assessment (penetration testing) helps organizations assess:

  • Vulnerabilities (security gaps) of the external computer network (perimeter) systems, the possibilities of their exploitation and the risks they pose, assessed according to the black box methodology
  • Vulnerabilities (security gaps) of applications and services and of the service configurations of web applications, the possibilities of their exploitation and the risks they pose
  • Vulnerabilities (security gaps) of the internal computer network, information systems and computerized workplaces, as well as the wireless network, the possibilities of their exploitation and the risks they pose, assessed according to the white box methodology
  • Vulnerabilities (security gaps) of the software code, its architecture and its components, library modules, as well as the authentication control mechanism, access control, harmful input control, cryptography, data protection, possibilities of their exploitation and the risks posed

After vulnerabilities are identified, penetration testing is performed. Vulnerability assessment and penetration testing are performed using the Vulnerability and Penetration Testing methodology.

For the identified vulnerabilities (security gaps), the possibilities of exploiting them are evaluated, the risks they pose are rated according to the CVSSv3.1 methodology, and detailed recommendations for removing the vulnerabilities are provided.

Process

  • We prepare the initial vulnerability assessment and penetration testing plan and schedule
  • We collect publicly available information about the external network and perform automated scanning of ports and services to identify vulnerabilities
  • After identifying vulnerabilities, we perform a manual assessment of these vulnerabilities (penetration testing)
  • We perform automated scanning of web applications and services and of service configurations, and an assessment of the identified vulnerabilities (penetration testing)
  • We perform automated and manual vulnerability assessment and penetration testing of the internal computer network, information systems and computerized workplaces, as well as the wireless network, both with and without user rights
  • If necessary, we perform an audit (security assessment) of the software code, its architecture and its components, library modules, as well as the authentication mechanism, access control, malicious input control, cryptography, data protection
  • We prepare a vulnerability assessment (penetration testing) report, where we describe the identified vulnerabilities (security gaps) in detail, provide evidence confirming their detection, determine the possibilities of their exploitation and assess the level of risk. In this report, for each vulnerability (security gap), we provide detailed recommendations to eliminate them

Results

  • The object(s) and scope of vulnerability assessment (penetration testing) have been determined and agreed upon
  • Prepared plan and schedule. The schedule of external and internal testing is prepared in order not to disrupt the operations of the organization
  • Collected information. Collected information from the organization’s external network and other publicly available sources
  • Scanning and vulnerability assessment of external computer network (perimeter) systems was performed. Automated port scans were performed on the systems under test to determine the services they provide. After vulnerabilities were detected, a manual vulnerability scan was performed according to the OWASP methodology
  • Scanning of web applications and vulnerability assessment was performed. Identified services were evaluated and existing vulnerabilities were identified
  • Vulnerability assessment of the internal computer network, information systems and computerized workplaces and wireless network was performed
  • Vulnerability assessment of the software code was performed
  • Evaluated exploitation of vulnerabilities. Assessed security vulnerabilities that can be used to gain access to systems or data
  • Assessed risks. Vulnerability risk assessment was performed using CVSSv3.1 methodology
  • Prepared recommendations. Prepared detailed recommendations for the elimination of vulnerabilities

Benefits

  • Determined whether the organization’s external computer network (perimeter) is secure
  • Determined whether the organization’s internal computer network, information systems and computerized workplaces and wireless network are secure
  • Determined whether the software code of information systems, web applications and mobile applications is safe and can be deployed in production
  • Identified inefficient and non-compliant IT, information security and cyber security management processes in the organization
  • Prioritized actions to eliminate identified security gaps

Contact person

Ernestas Lipnickas
Mobile: +370 (605) 44 444
Email: ernestas.lipnickas@adwisery.eu