A vulnerability analysis is an essential part of the security process. With this analysis, services and technologies can be examined for already known vulnerabilities. The aim is to provide users with a simple user interface to continuously check their systems.
The scope of such an analysis is the security inspection of sensitive systems. Because they are accessible from the Internet, they are the main target of hackers, worms and user errors. The aim is to evaluate the systems, provide a comprehensive overview of the security status and provide recommendations for optimizing security.
Risks are assessed on the basis of CVE valuations. This rating should be seen as a guideline. Whether the impairment is relevant for the company depends on the intended use of the audited system. The scan is never fully aware of the intended use and weighting of a system, so it may be necessary to rate the identified risks differently internally.
For example, Denial-of-Service attacks are generally classified as "medium" risk because the potential business damage is unknown. Denial-of-Service attacks against routers are an exception, as it is assumed that their failure will affect the entire network infrastructure.
Four different risk levels are distinguished. Vulnerabilities that are clearly assigned to a risk level on the basis of their description may nevertheless be classified differently, for instance if the combination of vulnerabilities results in a higher or lower risk, or if a vulnerability needs to be considered more critically for a particular system.
An additional risk class is "information". It shows a way to improve the current configuration of the system in order to prevent possible future attacks.
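
The rating rules described above can be sketched as follows; this is an added example, not code from the original page or from the scanner it describes. It assumes that the CVE valuation is a CVSS v3 base score, that the four levels are named low, medium, high and critical, and that a Denial-of-Service finding on a router is rated high; the hosts, roles and findings are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed: four levels named after the CVSS v3 bands; the page names neither.
BANDS = ((9.0, "critical"), (7.0, "high"), (4.0, "medium"), (0.0, "low"))
LEVELS = {name for _, name in BANDS}

@dataclass(frozen=True)
class Finding:
    host: str
    title: str
    score: Optional[float]   # CVSS v3 base score (assumed); None = configuration hint
    dos_only: bool = False   # impact limited to denial of service

def base_level(score):
    """Map a base score to the first band whose floor it reaches."""
    return next(name for floor, name in BANDS if score >= floor)

def rate(finding, roles, overrides=None):
    """roles: host -> role; overrides: (host, title) -> level from internal review."""
    if finding.score is None:
        return "information"            # the additional, fifth class
    level = base_level(finding.score)
    if finding.dos_only:
        # Business damage unknown: medium. Routers are the exception;
        # "high" for them is an assumption, the page gives no level.
        level = "high" if roles.get(finding.host) == "router" else "medium"
    override = (overrides or {}).get((finding.host, finding.title))
    if override is not None:
        if override not in LEVELS:
            raise ValueError(f"unknown risk level: {override!r}")
        level = override                # intended use outweighs the generic rating
    return level

# Constructed sample data, not output of a real scan.
ROLES = {"gw1": "router", "web1": "server", "test1": "server"}
FINDINGS = [
    Finding("web1", "DoS in HTTP parser", 7.5, dos_only=True),
    Finding("gw1", "DoS in routing daemon", 7.5, dos_only=True),
    Finding("test1", "Remote code execution", 9.8),
    Finding("web1", "Banner discloses version", None),
]
OVERRIDES = {("test1", "Remote code execution"): "medium"}  # isolated lab host

def report():
    return [(f.host, f.title, rate(f, ROLES, OVERRIDES)) for f in FINDINGS]

if __name__ == "__main__":
    for row in report():
        print(*row, sep=" | ")
```

The same 7.5 score ends up as medium on the web server and high on the router, and the internal override is applied last so that it is visible as a deliberate decision rather than a change to the scanner's rating.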