
Vulnerability Scanning and Analysis


In this component the auditor discovers possible flaws in the organization's devices, services, application designs, and networks by testing them and comparing the results against a variety of online and offline resources (vulnerability databases, vendor advisories, and the auditor's own investigation) to identify known vulnerabilities. Basic vulnerability analysis should take place alongside the other activities so that evidence can be gathered from the network; deeper research into specific discovered vulnerabilities can happen after the on-site audit, so that the short time the auditor has on site is used to full advantage.


It is not uncommon for a cash-strapped human rights NGO to run critical infrastructure themselves on available equipment. A better-resourced organization may host its critical services at a remote data center, or outsource its IT infrastructure to cloud providers, such as Google Apps, and/or to ad-hoc services (Dropbox, Yahoo! mail, Wordpress, etc.). Regardless, it is rare to have someone designated to update and patch systems as vulnerabilities are released, or to view the services from a security -- as opposed to availability -- standpoint.

Guiding Questions

    • What level of proof do you need to convey the importance (or lack of importance) of a vulnerability to the organization?
    • What would the organization and its IT staff consider an appropriate amount of the IT staff's time for you to request in order to get the information you need?

Operational Security

  • Treat the data and analyses of this step with the utmost security.
  • Use VPNs or Tor to search if scanning remotely.
  • Seek explicit permission for vulnerability scanning - NOTE: The organization might not be in a position to give you meaningful “permission” to carry out an active remote assessment of "cloud services" used within the organization.
  • In situations where the auditor is doing this work remotely it is important to only run "safe" tests that have no possibility of causing damage to the network.


Baseline Skills

    • Vulnerability Scanning: General TCP/IP and networking knowledge; knowledge of ports, protocols, services, and vulnerabilities for a variety of operating systems; ability to use automated vulnerability scanning tools and interpret/analyze the results
    • Penetration Testing: Extensive TCP/IP, networking, and OS knowledge; advanced knowledge of network and system vulnerabilities and exploits; knowledge of techniques to evade security detection


    • Lists of OVAL/CVE identifiers for each possibly vulnerable service/system.
    • Examples of live exploits for vulnerabilities where possible.
    • A short write up of each vulnerability including how it was identified.
    • The cleaned up output from any tests used to identify the vulnerability.
    • Document Vulnerabilities (per vulnerability)

      • Write Up

        • Summary - A short (two to three sentence) basic overview of the vulnerability, including a discussion of potential impacts.
        • Description - An in-depth (one to three paragraph) overview of the vulnerability.
        • Approach - Step-by-step explanation of the methodology used that is tool agnostic.
        • Proof - The cleaned up output from tests run to identify the vulnerability.
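The offline comparison step described above, as an added example that is not part of the SAFETAG methodology: a service inventory recorded on site is matched against an advisory list with affected-version ranges, producing one record per finding in the shape of the Write Up outputs (id, summary, approach, proof). All hosts, products, versions and advisory identifiers are constructed placeholders.

```python
# Added example (not SAFETAG's own code): offline matching of an on-site
# service inventory against an advisory list. Every value below is a
# constructed placeholder, not a real host or advisory.
import re

# Constructed inventory: what the auditor recorded on site from safe,
# passive observation (host, port, product, version string).
INVENTORY = [
    {"host": "10.0.0.5", "port": 22, "product": "sshd", "version": "7.4"},
    {"host": "10.0.0.5", "port": 80, "product": "webserver", "version": "2.4.10"},
    {"host": "10.0.0.9", "port": 443, "product": "webserver", "version": "2.4.60"},
    {"host": "10.0.0.9", "port": 25, "product": "smtpd", "version": "unknown"},
]

# Constructed offline advisory list. "affected" is [first_affected, first_fixed);
# first_fixed of None means no fix has been published. IDs are placeholders.
ADVISORIES = [
    {"id": "CVE-0000-0001 (placeholder)", "product": "webserver",
     "affected": ("2.4.0", "2.4.50"), "summary": "placeholder summary"},
    {"id": "CVE-0000-0002 (placeholder)", "product": "sshd",
     "affected": ("7.0", "7.5"), "summary": "placeholder summary"},
    {"id": "CVE-0000-0003 (placeholder)", "product": "smtpd",
     "affected": ("1.0", None), "summary": "placeholder summary"},
]

def parse_version(v):
    """'2.4.10' -> (2, 4, 10) so comparison is numeric, not lexical
    ('2.4.10' < '2.4.9' as strings, but not as versions). A version with
    no digits ('unknown') becomes (), which never matches a range."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def is_affected(version, first_affected, first_fixed):
    v = parse_version(version)
    if not v or v < parse_version(first_affected):
        return False
    return first_fixed is None or v < parse_version(first_fixed)

def match_inventory(inventory=INVENTORY, advisories=ADVISORIES):
    """One write-up record per (service, advisory) match, carrying the
    observation that produced it so the Proof section can be filled in."""
    findings = []
    for svc in inventory:
        for adv in advisories:
            if svc["product"] == adv["product"] and is_affected(svc["version"], *adv["affected"]):
                findings.append({
                    "id": adv["id"], "summary": adv["summary"],
                    "approach": "version observed on site compared with offline advisory list",
                    "proof": f"{svc['host']}:{svc['port']} {svc['product']} {svc['version']}"})
    return findings

if __name__ == "__main__":
    for f in match_inventory():
        print(f["id"], "-", f["proof"])
```

A service whose version could not be determined on site is reported as no finding rather than a guess, which keeps the Proof section honest; such services are candidates for follow-up with the IT staff.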