Internal Network Configuration and Vulnerability Assessment (CAVA)

Exposing Weaknesses in Your Environment with Authorized Access

An Internal Configuration and Vulnerability Assessment (CAVA) is a hands-on, privileged security inspection consisting of two components. First, we look at the configuration of systems to evaluate the strengths and weaknesses of your information system’s design and technical/operational controls. Then we run a vulnerability scan on your internal network to identify vulnerabilities that are specific to your system and devices. We use the credentials of domain administrators, which allows us to look at things like domain registries and patches.

Through the Assessment, we will:

  • Document your global network security settings and configurations.
  • Document the relative strengths and weaknesses of your current technical and operational controls.
  • Assign compliance ratings to system configurations and settings in accordance with industry-standard and regulatory best practices, including FFIEC, NCUA, and CMS guidelines, the National Security Agency Gold Standard, National Institute of Standards and Technology guidance, ISO 27002 standards, and relevant vendor recommendations.
  • Identify system/device-specific vulnerabilities using the Department of Homeland Security Common Vulnerabilities and Exposures (CVE) database.
  • Provide specific, detailed remediation recommendations.

The Sage Methodology

Data Collection

A Sage Data Security expert will meet you onsite at your location to perform data collection in person. We conduct the configuration review using automated and manual tools (open-source, commercial, and proprietary), interviews, and observation techniques. Administrative credentials are required to perform the Configuration Assessment.

We conduct the Vulnerability Assessment using a licensed commercial vulnerability scanner that supports a wide range of network devices, operating systems, databases, and applications. While administrative credentials are optional for the vulnerability scans, we encourage using them to scan Microsoft Windows environments because the results will be more accurate and will better expose the system’s vulnerabilities.

Data Analysis

Sage experts perform the Data Analysis Phase of the Assessment offsite by reviewing the data we’ve collected. In the Configuration Assessment Analysis, we compare each system and assign compliance ratings in accordance with industry-standard and regulatory best practices. In the Vulnerability Assessment Analysis, we review the results of the vulnerability scans to ensure that the most relevant information is included in a clear and concise manner.

Reviewing our Findings

Once we have analyzed the data, we will schedule a meeting with you, generally via WebEx, to review the results step by step.

Reports and Recommendations

The Internal Configuration and Vulnerability Assessment (CAVA) report includes:

  • A summary of the findings presented in an executive report in PDF.
  • A corresponding interactive HTML report providing the details for each of the Assessment categories, as well as the device-specific vulnerabilities.
  • An action plan in Microsoft Word detailing our recommended remediation activities.
