Remote Vulnerability Assessment
Service Description
The MOREnet Remote Vulnerability Assessment Service is a study of your organization's publicly visible Internet presence. The assessment, performed over the Internet, looks for signs of vulnerabilities that could pose a risk if not addressed. Essentially, MOREnet's Security staff provides a "hacker's" view of your public network, allowing you to exercise due diligence in planning and to secure it against current threats.
MOREnet's Remote Vulnerability Assessment staff includes two Certified Information Systems Security Professionals (CISSP). All staff members are veterans of SANS and USENIX Security and are full-time members of MOREnet's event response team. Each staff member is well-seasoned in working with current security tools, attacks, trends and best practices.
Since new vulnerabilities are discovered on a daily basis, MOREnet's Security Team researches and reviews new security tools and methodologies that can be used to collect data on customer networks. The data gathered is used to provide customers with a clear, unbiased view of the current status of the network, upon which to base a risk assessment.
Based on the results of the vulnerability assessment, the MOREnet Security Team creates a report of the findings with recommendations for actions that the site should take to remedy or mitigate vulnerabilities discovered during the review. The tests generally take a week. Testing time may increase if customers have large networks, firewalls, traffic filters or local network conditions that prevent prompt responses to the tests. We typically produce a report within two weeks of test completion. MOREnet Security securely deletes its own copy of any final report, following Department of Defense standards.
This service does not include:
- An exhaustive search for forbidden file types,
- Compliance with the customer's own internal policies,
- Penetration testing (beyond verification of assessment results),
- Web space content issues,
- Password cracking,
- Social engineering,
- Virus risk assessment,
- Private network assessment,
- Patch management or
- Assessment of unavailable devices.
Since the assessment process can only evaluate devices that are currently online, it is important to participate in the process at regular intervals. Your participation will ensure that new devices, including those that were offline previously, are assessed.
CISSP
MOREnet Security includes two Certified Information Systems Security Professionals (CISSP) on staff. As a result, MOREnet vulnerability assessments are conducted in accordance with the ISC2 code of ethics (https://www.isc2.org/cgi/content.cgi?page=31).
Assessment Goals
Within the limitations of remote assessment, MOREnet Security currently works toward the goals of the Open Source Security Testing Methodology Manual (http://www.isecom.org/projects/osstmm.htm), an open source methodology. MOREnet will continue to research, improve and expand its goals and methodology in order to improve the quality of assessments.
Eligibility
All MOREnet customers can obtain this for-fee service.
Limits of Liability
MOREnet accepts no liability or responsibility resulting from the work performed in association with this service. As a part of the request process for this service, customers will be required to sign a contract releasing MOREnet from any and all responsibility and liability that may arise in connection with this service.
Disclaimer
The MOREnet Security Vulnerability Assessment Service is one important component of an organization's overall security program. Use of this service does not guarantee network security or prevent security incidents but provides administrators with a valuable tool in assessing the vulnerability of their networks to common exploits and misconfigurations.