Vulnerability assessment steps, process explained

July 8, 2020 | Nick Cavalancia

This blog was written by a third party author

What is a vulnerability assessment?

Vulnerability assessment is the process of defining, identifying, classifying, and prioritizing vulnerabilities in systems, applications, and networks. It gives an organization the visibility it needs into the weaknesses that threats, external or internal, are positioned to take advantage of. At a tactical level, the vulnerability assessment process helps identify the paths by which an attacker could gain unauthorized entry to the organization's network. Assessments, and the fixes driven by their results, need to happen before the vulnerabilities they find are exploited.

Every organization faces the risk of cyberattacks—regardless of organization size—so it’s beneficial to perform some form of vulnerability assessment regularly. Larger enterprises and those organizations experiencing ongoing attacks may benefit most. Assessments can be performed by internal IT security teams or outsourced to third parties that focus on security services.

4 steps to a vulnerability assessment

Assessing the current state of vulnerabilities is more involved than installing vulnerability scanner software and hitting the "Scan" button. A vulnerability assessment is a foundational element of putting proper security controls in place, and it requires planning, prioritizing, and reporting. The process of performing a vulnerability assessment can be broken down into the following 4 high-level steps.

Step 1: Initial assessment

The goal here is to understand the importance of devices on your network and the risk associated with each. Risk can be determined using several factors, including but not limited to:

  • Whether a given device is reachable from the internet, either directly on an external IP address or through forwarding to an internal one
  • Whether the device is publicly accessible to anyone (such as a kiosk machine)
  • Whether a device’s users have low-level or elevated permissions (such as administrators)
  • The device’s role in business processes

The determined risk can be used to prioritize the remainder of the assessment and establish the proper order for the vulnerability assessment scans. It can also be used as input for a business impact analysis that is a part of an enterprise risk management initiative.

Step 2: Define a system baseline

For each given device to be assessed for vulnerabilities, it’s necessary to understand whether its configuration meets basic security best practices. Some of the configuration factors that should be a part of a baseline include:

  • Operating system (OS), version, and service pack or build, if applicable
  • Approved software
  • Installed services and required ports
  • Any unnecessary open ports
  • Any special security configuration, if applicable

Approach each device as a malicious actor would: when you perform a scan in the next step, you want to see what an internal or external threat actor can reach, and be able to compare that against known vulnerabilities and insecure configurations so you can interpret the scan results properly. Beyond the configuration factors, gather any additional detail already known about the system (such as log data pushed into a SIEM solution) along with the already-known vulnerabilities for the specific OS and version, the installed applications, and any enabled services; all of it will be useful when reading the results.

Step 3: Perform a vulnerability scan

There are a few options available when it comes to vulnerability scans, and each provides somewhat different context in its results. In general, scans are performed either unauthenticated or authenticated. An unauthenticated scan assesses a system from the network without credentials, the way an outside attacker would: it enumerates open ports and exposed services, fingerprints their versions from banners and protocol responses, and matches those against known vulnerabilities. Because it infers versions rather than reading them from the host, it is prone to false positives (a vendor backports a fix but leaves the banner unchanged) and false negatives (a vulnerable package that is installed but not network-facing). An authenticated scan logs in to the operating system and applications with credentials and inspects them from the inside, looking for missing patches, misconfigurations, weak passwords and account settings, vulnerable installed applications and, in some products, indicators of known malware, all of which a threat actor could take advantage of once on the host. It is far more accurate, but the scanning credentials become a high-value secret: use a dedicated, least-privilege account for the scanner and protect it like any other privileged credential.
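Interpreting an unauthenticated scan means comparing what it saw against the baseline from Step 2. The following is an added example, not code from the original post: it parses a constructed Nmap-style XML result (the shape `nmap -oX` writes; the hosts, ports and versions are made up) against a hypothetical per-host baseline and reports unexpected open ports, version drift, approved services that did not answer, and baselined hosts the scan never reached.

```python
"""Interpret an unauthenticated scan against the Step 2 baseline.

Added example: parses Nmap-style XML (constructed here, not real scan output)
and reports ports, versions and hosts that differ from what was approved."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed scan output for two hosts, in the shape Nmap's -oX produces.
SCAN_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.4"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https" product="nginx" version="1.18.0"/></port>
      <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql" product="MySQL" version="5.7.30"/></port>
    </ports>
  </host>
  <host>
    <address addr="10.0.0.9" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
      <port protocol="tcp" portid="445"><state state="filtered"/><service name="microsoft-ds"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Step 2 baseline (hypothetical): approved (proto, port) -> (product, version) per host.
# None means "approved, but the version is not pinned".
BASELINE = {
    "10.0.0.5": {("tcp", 22): ("OpenSSH", "8.2"), ("tcp", 443): ("nginx", "1.18.0")},
    "10.0.0.9": {("tcp", 3389): (None, None)},
    "10.0.0.12": {("tcp", 22): ("OpenSSH", "8.2")},   # in the baseline but absent from the scan
}


@dataclass(frozen=True)
class Finding:
    host: str
    port: str       # "tcp/3306", or "-" for host-level findings
    kind: str       # unexpected_port | version_drift | missing_service | host_not_scanned | unknown_host
    detail: str


def parse_open_ports(xml_text):
    """Return {host: {(proto, port): (product, version)}} for ports reported open.

    Filtered and closed ports are ignored: they are not exposure. Scan output is
    treated as trusted input here, since it comes from your own scanner."""
    observed = {}
    root = ET.fromstring(xml_text)
    for host in root.findall("host"):
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        services = {}
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            product = svc.get("product") if svc is not None else None
            version = svc.get("version") if svc is not None else None
            services[(port.get("protocol"), int(port.get("portid")))] = (product, version)
        observed[addr] = services
    return observed


def diff_against_baseline(observed, baseline):
    """Flag what an attacker can reach that the baseline does not sanction."""
    findings = []
    for host, approved in baseline.items():
        if host not in observed:
            findings.append(Finding(host, "-", "host_not_scanned",
                                    "no result for a baselined host; do not assume it is clean"))
            continue
        services = observed[host]
        for key, (product, version) in services.items():
            label = f"{key[0]}/{key[1]}"
            if key not in approved:
                findings.append(Finding(host, label, "unexpected_port",
                                        f"{product or 'unknown'} {version or ''}".strip()))
                continue
            exp_product, exp_version = approved[key]
            if exp_version and version and version != exp_version:
                findings.append(Finding(host, label, "version_drift",
                                        f"observed {product} {version}, baseline {exp_product} {exp_version}"))
        for key in approved:
            if key not in services:
                findings.append(Finding(host, f"{key[0]}/{key[1]}", "missing_service",
                                        "approved service not reachable from the scanner"))
    for host in observed:
        if host not in baseline:
            findings.append(Finding(host, "-", "unknown_host", "responded to the scan but has no baseline"))
    return findings


if __name__ == "__main__":
    for f in diff_against_baseline(parse_open_ports(SCAN_XML), BASELINE):
        print(f"{f.host:<10} {f.port:<9} {f.kind:<16} {f.detail}")
```

On the constructed input this reports the MySQL port on 10.0.0.5 as unexpected, the OpenSSH version there as drifted from the baseline, and 10.0.0.12 as never scanned. Treat a version_drift from an unauthenticated scan as a lead rather than a conclusion: the version is inferred from a banner, so confirm it with an authenticated scan before it goes into the report. The host_not_scanned case is the one teams most often miss; a host that is down, firewalled from the scanner, or simply left out of scope produces no findings and can look clean by accident.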

Part of the vulnerability assessment is done purely to maintain a good security posture. But organizations in regulated industries, or those subject to specific compliance requirements, also need scans that demonstrate those mandates are met. For example, businesses accepting credit cards need to confirm they meet the requirements in section 11.2 of the Payment Card Industry Data Security Standard (PCI DSS), which covers internal and external vulnerability scans. Likewise, businesses subject to regulations such as the Health Insurance Portability and Accountability Act (HIPAA), the General Data Protection Regulation (GDPR), and others should perform scans that confirm adherence to those regulations.

Step 4: Vulnerability assessment report creation

Reporting is critical because it outlines the results of the scan, the risk and importance of the devices and systems scanned, and the next steps that should be taken. It’s been said that a report is only as valuable as the actions taken because of it, so it’s important that vulnerability assessment reporting be actionable.

Reporting should include pertinent details that can be used to respond to found vulnerabilities, including:

  • Vulnerability discovered
  • The date of discovery
  • Common Vulnerabilities and Exposures (CVE) identifier and the associated CVSS score; the score alone should not set the order of work, since the same flaw on an internet-facing critical server and on an isolated support machine does not carry the same urgency. Combine it with the device risk determined in Step 1, and address high- and critical-scored vulnerabilities on high-risk devices immediately.
  • A list of systems and devices found vulnerable
  • Detailed steps to correct the vulnerability, which can include patching and/or reconfiguration of operating systems or applications
  • Mitigation steps (like putting automatic OS updates in place) to keep the same type of issue from happening again

Reporting provides an organization with a full understanding of their current security posture and what work is necessary to both fix the potential threat and to mitigate the same source of vulnerabilities in the future.
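The step from raw scanner output to an actionable report is where the Step 1 risk ranking pays off. The following is an added example, not code from the original post: it takes a constructed list of scanner findings (the CVE identifiers are placeholders, not real entries, and the CVSS values and hosts are made up) plus the asset risk factors from Step 1, folds those factors into an illustrative weight, and produces report entries grouped per vulnerability with the fields listed above. The weights and thresholds are assumptions for the example, not a standard.

```python
"""Build a prioritized vulnerability report from scanner findings and the
asset risk factors gathered in Step 1 (added example with constructed data)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Asset:
    host: str
    internet_exposed: bool
    publicly_accessible: bool    # e.g. a kiosk anyone can walk up to
    admin_users: bool            # day-to-day users hold elevated rights
    business_role: str           # "critical" | "important" | "support"


@dataclass(frozen=True)
class RawFinding:
    host: str
    cve: str                     # placeholder IDs below, not real CVE entries
    cvss: float                  # CVSS base score, 0.0 to 10.0
    category: str                # "missing_patch" | "misconfiguration"
    title: str
    fix: str                     # the correction step for this finding
    discovered: date


# Illustrative weights for the example; tune to your own risk model.
ROLE_WEIGHT = {"critical": 1.5, "important": 1.2, "support": 1.0}
PREVENTION = {
    "missing_patch": "Enable automatic updates or a scheduled patch pipeline for this platform.",
    "misconfiguration": "Enforce the Step 2 baseline through configuration management and re-scan on drift.",
}


def asset_weight(asset):
    """Fold the Step 1 risk factors into one multiplier."""
    w = ROLE_WEIGHT[asset.business_role]
    if asset.internet_exposed:
        w *= 1.5
    if asset.publicly_accessible:
        w *= 1.3
    if asset.admin_users:
        w *= 1.2
    return w


def priority_score(finding, asset):
    """CVSS measures the flaw; the asset weight measures what it is sitting on."""
    return round(finding.cvss * asset_weight(asset), 2)


def priority_band(score):
    if score >= 9.0:
        return "immediate"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def build_report(findings, assets):
    """One entry per CVE, carrying every field the report needs, ordered by urgency."""
    by_host = {a.host: a for a in assets}
    grouped = defaultdict(list)
    for f in findings:
        grouped[f.cve].append(f)
    entries = []
    for cve, items in grouped.items():
        affected = sorted(((priority_score(f, by_host[f.host]), f.host) for f in items), reverse=True)
        top = affected[0][0]
        first = items[0]
        entries.append({
            "vulnerability": first.title,
            "cve": cve,
            "cvss": first.cvss,
            "discovered": min(f.discovered for f in items).isoformat(),
            "priority": priority_band(top),
            "priority_score": top,
            "affected": [f"{host} ({score})" for score, host in affected],
            "fix": first.fix,
            "prevent": PREVENTION[first.category],
        })
    entries.sort(key=lambda e: e["priority_score"], reverse=True)
    return entries


# Constructed inventory and findings (not real scan data).
ASSETS = [
    Asset("web-01", True, False, False, "critical"),
    Asset("kiosk-03", False, True, False, "support"),
    Asset("print-02", False, False, False, "support"),
    Asset("db-01", False, False, True, "critical"),
]
TLS_FIX = "Upgrade the TLS package to the vendor-patched build."
FINDINGS = [
    RawFinding("web-01", "CVE-0000-0001", 7.5, "missing_patch", "Outdated TLS library", TLS_FIX, date(2020, 7, 1)),
    RawFinding("kiosk-03", "CVE-0000-0001", 7.5, "missing_patch", "Outdated TLS library", TLS_FIX, date(2020, 7, 2)),
    RawFinding("print-02", "CVE-0000-0001", 7.5, "missing_patch", "Outdated TLS library", TLS_FIX, date(2020, 7, 2)),
    RawFinding("kiosk-03", "CVE-0000-0002", 5.3, "misconfiguration", "Anonymous SMB share readable",
               "Disable guest access and restrict the share ACL.", date(2020, 7, 2)),
    RawFinding("db-01", "CVE-0000-0003", 9.8, "missing_patch", "Remote code execution in database service",
               "Apply the vendor patch and restart the service.", date(2020, 7, 1)),
]

if __name__ == "__main__":
    for entry in build_report(FINDINGS, ASSETS):
        print(entry["priority"].upper(), entry["cve"], entry["affected"])
```

The point the output makes is that the same CVSS 7.5 flaw lands in three different places: immediate on the internet-facing critical web server, immediate on the public kiosk, and merely high on an internal print server with no exposure. A report that sorted by CVSS alone would list those three hosts as equals. Each entry also carries the correction step and the recurrence-prevention step separately, because patching one host and changing the update policy are different pieces of work owned by different people.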

About the Author: Nick Cavalancia

Nick Cavalancia is a Microsoft Cloud and Datacenter MVP, has over 25 years of enterprise IT experience, is an accomplished consultant, speaker, trainer, writer, and columnist, and has achieved industry certifications including MCSE, MCT, Master CNE, Master CNI. Nick regularly speaks, writes and blogs for some of the most recognized tech companies today on topics including cybersecurity, cloud adoption, business continuity, and compliance.
