Many AssetSec users ask similar questions. Here we summarize these questions and explain how everything works.
The direct meaning is: "...the point at which something is vulnerable or attackable." In terms of IT, a vulnerability exists when an application can be exploited under certain conditions, e.g. to execute malicious code, to obtain extended rights or to render the application inoperable. During the development of the application, scenarios may occur that have not been considered.
Vulnerability management provides an overview of the security status of your IT systems. It automatically searches for vulnerabilities in the applications used and lists them. The vulnerabilities are evaluated, followed by a recommendation on the order in which, and how, the individual vulnerabilities can be eliminated. Recommendations range from updates to configuration adjustments.
The combination of vulnerability management and patch management has established itself in the IT security market. Patch management can be controlled by vendor-independent vulnerability analysis. Have the updates arrived on all systems? What is the trend of the identified vulnerabilities? In the past, there was already malware that disguised itself as a Windows update.
The main difference between penetration testing and vulnerability management is the area to be analyzed. A penetration test is complete once a vulnerability has been successfully exploited. It is carried out by IT security consultants and aims to find a possible way to compromise a system. In contrast, the goal of vulnerability management is to analyze as many systems as possible. In addition, a vulnerability analysis can be performed automatically, thus optimizing the time required for a continuous security process.
AssetSec uses a commercial feed to obtain the latest vulnerability tests. If new vulnerabilities become known, a test is defined to identify the vulnerability. In the next scan, the test is automatically considered and used to analyze your systems.
The feed is updated daily with new vulnerability tests.
In addition to the personal data for the account, AssetSec stores the vulnerabilities found for each IP address. The relationships between vulnerabilities and IP addresses are encrypted.
AssetSec temporarily stores data in the Level 3 data center in Düsseldorf. In addition, resources are stored in Microsoft Azure (Amsterdam). (From 2020, the German Microsoft data center will be used once it is completed.)
The password for the access data is stored securely according to the latest technical possibilities. In addition, the account can be protected by two-factor authentication. The relationship between vulnerability and IP address is encrypted.
The SIEVERS.io team is also a specialist in data protection for customer data in the cloud: we are certified according to ISO/IEC 27018:2014.
ISO/IEC 27018:2014 is a code of practice for the protection of personal data in the cloud. It is based on the ISO/IEC 27002 standard for information security and provides implementation guidelines for ISO/IEC 27002 controls on Personally Identifiable Information (PII) in a public cloud. The standard provides additional controls and guidelines for the protection requirements of personal information in the public cloud.
Yes, after signing up in the AssetSec app, two-factor authentication can be activated. Currently Google Authenticator and FreeOTP are supported.