If there’s a universal imperative when it comes to solving problems and mitigating vulnerabilities, it’s to analyze them first before you try to fix them. The more complex they are, the more critically important this assessment step becomes.
As defined by the US National Institute of Standards and Technology (NIST), a vulnerability is “a weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source.”
A vulnerability assessment refers to the process of defining, identifying, classifying, and prioritizing vulnerabilities that are specific to computer systems, applications, digital assets, and network infrastructures.
With an effective vulnerability assessment program, the organization has the tools needed to understand its security weaknesses, assess the risks associated with those weaknesses, and put protections in place that reduce the likelihood of a breach. Conducted on a regular basis, vulnerability assessments help ensure the security of networks, particularly when changes have been made such as adding new services, installing new equipment, opening new ports, moving to the cloud. Each vulnerability assessment provides the organization with information about weaknesses in its environment, offers fresh insights into degrees of risk, and suggests ways to best mitigate the risks associated with those weaknesses and evolving threats.
For most organizations, keeping devices, networks, and digital assets safe is all part of a much broader, risk-based vulnerability management strategy – one that includes vulnerability assessment, key processes, and mitigation actions that cover the entire threat landscape. Scanning is an essential part of the vulnerability assessment process.
Types of vulnerability assessments
- Network-based scans, to identify possible network security attacks and vulnerable systems on wired or wireless networks
- Host-based scans, to locate and identify vulnerabilities in servers, workstations, or other network hosts, and provide greater visibility into the configuration settings and patch history of scanned systems
- Wireless scans of an organization’s Wi-Fi network, to identify rogue access points and also validate that a company’s network is securely configured
- Application scans, to test websites in order to detect known software vulnerabilities and erroneous configurations in network or web applications
- Database scans, to identify the weak points in a database so as to prevent malicious attacks
Vulnerability scans vs. penetration tests
A vulnerability scan looks for known vulnerabilities in your systems and reports potential exposures. A penetration test is designed to actually exploit weaknesses in the architecture of your systems. Where a vulnerability scan can be automated, a penetration test requires various levels of expertise, e.g., a system engineer “thinking like a hacker.”
Risk assessment steps
To comprehensively assess your breach risk internally across all attack vectors, and also understand external threat risk, you need to take a proactive approach to breach avoidance by putting the right tools in place. How a risk assessment is conducted varies widely depending on the risks unique to the type of business, the industry that business is in, and the compliance rules applied to a given business or industry. However, there are five general steps that companies can follow:
- Identify the hazards
- Determine what or who could be harmed
- Evaluate the risks and develop control measures
- Record the findings
- Review and update the risk assessment regularly
Focusing on what matters most
Since the endgame is controlling overall risk to the organization, vulnerability assessment cannot be a standalone effort but instead represents that essential cog in what you hope will be a formidable risk-based vulnerability management machine.
Here are some key considerations:
- Instead of just deploying a vulnerability assessment program, think in terms of the overall threat landscape and the ever-evolving risks that could impact your organization.
- Rather than relying solely on severity ratings to prioritize vulnerabilities, use a holistic approach that combines:
- Risk ratings
- Organizational context
- Threat intelligence
- Asset demographics
- Choose assessment tools that help you assess the impact, criticality, and prioritization of vulnerabilities while taking into account your organization and its intersection with the global threat ecosystem
- Aim for cyber-resilience, which is the ability of your enterprise to limit the number security events and lessen their impacts
- Remember that vulnerabilities are just a collection of problems or weaknesses that need to be analyzed and assessed, understood and corrected before they can be exploited by adversaries
Although somewhat challenging, vulnerability assessments are well worth the cost and the effort. When implemented correctly, they inform your overall vulnerability management program, making your organization not only safer, but increasingly cyber-resilient over time.