Vulnerability assessment or analysis (VA) is a way of defining, identifying, and classifying security issues or bugs in a computer system or network. This is typically performed using vulnerability scanners, which are capable of identifying device configurations including the type of OS they are running, open ports, and the applications that are installed on the target system.
With the help of vulnerability scanners, an IT professional can easily identify common misconfiguration flaws, accounts with weak or default passwords, unwanted or unused services, and files or directories with weak permissions.
Vulnerability scanners are also known to report false positives; that is, they may report a vulnerability that does not exist on the system being audited. Thus, the vulnerability assessment report is required to undergo a manual review and verification to remove any such false positives and then present the most accurate report to the stakeholders.
The accuracy and coverage of vulnerability assessment also depend on how the scan was performed, either authenticated or unauthenticated.
Vulnerability assessments are a key aspect of confirming that your vulnerability remediation program is effective or that you are comprehensively patching systems, both for the operating systems and the software that is running on them. It also includes mapping or cataloging the target network, which usually results in some rogue systems being found that are typically not being managed. A penetration test is a step after a vulnerability assessment. Once a network has been mapped and scanned for vulnerabilities, a penetration tester can probe selected vulnerabilities to see if they can be breached and they can gain unauthorized access to show a specific risk does exist.
Vulnerabilities are only one part of the equation in securing systems as part of a cybersecurity program, though. Having other effective controls in place like antivirus software, firewalls, access control lists, and secure coding can reduce the risk that a vulnerability may have on a system and enhance your security posture.
Having an independent third-party like Advanced Training assess your security posture with either of these methods gives you an attacker’s view of your system or network and allows you to see areas that may have been overlooked.
Vulnerability assessments can be very simple and straightforward, especially if they are low-cost. However, that low cost means you’re most likely getting the formatted output of vulnerability scanner software. While this does give you information you need, such as criticality and recommended fix actions, it doesn’t tell the whole story. Effective vulnerability assessments should involve validating the vulnerabilities because many times the scan will return false positives. This should be done during an assessment to make sure you understand the vulnerability and confirm that it does indeed exist. In assessments where there are many thousands of vulnerabilities, the focus should be on confirming the high impact vulnerability—critical and high rated vulnerabilities. During this process, our assessors work with your team to go over the weaknesses, point out those most likely to be exploited by an attacker and confirm that the vulnerability is there on the system.
An accurate inventory of software and hardware assets is a bedrock principal of securing your network. Our team of experienced assessors focus not just on the vulnerabilities, but also on assessing the risk that the vulnerabilities pose. Some vulnerabilities may be mitigated by other controls already in place. Other vulnerabilities, if corrected, may adversely impact a key system. Mitigating the risks vulnerabilities pose must be more involved than just clicking an “update” button. Our risk analysis looks at the balance between security and operability as defined by the owner. Not knowing about the vulnerability means you are accepting unknown risk – with the vulnerability assessment, you have defined your risk and understand what risk you have accepted, which can lead to mitigation through other applied controls. Despite the huge advances taking place in capabilities, especially with the cloud and the Internet of Things, the only real change is the increase in your security responsibilities. With the scrutiny that has been levied on firms like Google and Facebook over user privacy concerns and the handling of user information, these things are going to continue to stand out. Protecting user data, while a primary concern for businesses now, will continue to evolve with the introduction of more comprehensive privacy frameworks like General Data Protection Regulation (GDPR), and legislation aimed at protecting consumers. Organizations, mainly small and mid- sized companies, will have to comply with these frameworks while exercising the due care that is being established by the large companies to avoid legal repercussions.
Vulnerability assessments are just one tool in a comprehensive security program that is focused on risk. Any of the security frameworks that are available prescribe multiple controls to help ease the failure or lack of other controls. Tools are needed for most networks to help manage the workload required for vulnerability assessments. Having employees trained to utilize the tools can be difficult, considering other responsibilities.
It is important to do correct scoping for the penetration test and ensure that important assets are tested. The vulnerability assessor, along with the relevant stakeholders from the target organization, should review the organization’s asset list and categorize and prioritize the assets based on their criticality.
For instance, a public-facing website is a high-value target compared to an internal employee portal.
The assets can also be prioritized based on past security incidents that they might have been subject to.
Taking into consideration all such factors will result in a list not limited to the following:
• Web servers
• FTP servers
• Intrusion Detection Systems (IDS) and Intrusion Protection Systems (IPS) devices
• Remote access appliances like a VPN
• Communication links
• Public-facing websites
• Internal systems storing sensitive data (such as payroll systems)
These systems could be either physical or virtual. The assessment may be external or internal, black-box, grey-box, or white-box, and announced or unannounced.
This offer is ONLY for the IT Vulnerability Assessment (VA) component as described above. i.e. this offer does not include a security audit or penetration testing.
If you feel you require more services, please contact our sales staff.