Vulnerability Assessment


Vulnerability assessment is the process of identifying, quantifying, and prioritizing the vulnerabilities in a system. It is designed to yield a prioritized list of vulnerabilities with remediation strategies which should be further developed in order to address the issues.

Who needs a vulnerability assessment

In most cases we use a vulnerability assessment when we suspect security issues in our systems and need to find the vulnerabilities and address them by priority. In practice, we already suspect that we have issues and need help identifying and prioritizing them. Based on our experience so far, organizations perform this kind of assessment very rarely: once or twice a year.

Sometimes we conduct a vulnerability assessment to forecast the effectiveness of proposed countermeasures and to evaluate their actual effectiveness after they are put into use.

Very rarely do we see vulnerability management systems that work in real time and identify issues (let us idealize it) instantly.

So who needs a vulnerability assessment? I would say everybody, but let’s be more concrete:

– Organizations that use IT to support their core business, or for which IT is the core business;

– Organizations for which a potential security breach could have a significant negative impact;

– Everybody who does not pay day-to-day attention to their security systems, security sites, new vulnerabilities, etc.;

– Everybody who is implementing a security redesign or a new solution and wants to justify it with tangible results.

What exactly is a vulnerability assessment

Depending on the type of vulnerability assessment there are some specifics, but in general a vulnerability assessment is composed of the following steps:

1) Identify systems to be tested;

In most cases we scan all public IP addresses of the client for potential vulnerabilities.

2) Scan systems as thoroughly as possible with a vulnerability scanning tool;

There are many different kinds of vulnerability tools. We have a lot of tools in our toolkit and use the appropriate one depending on the goal, the client, etc. Sometimes we use more than one tool for a better result.

3) Elaborate the report

All scanning tools produce some kind of report with a list of prioritized vulnerabilities. It is very important to analyze the report, the vulnerabilities and especially the priorities. When we use more than one tool, we combine the results as well.

In practice, this is the step where we connect the dots: the report, the know-how we have, knowledge about the customer's system, knowledge about the customer's priorities, and local specifics.

4) Report discussion

We present the report to the client and organize a workshop if needed for further “tuning”.
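
As an added illustration of step 3 (not code from the original page or from any particular scanner), the Python example below combines the findings of two tools and re-ranks them using the customer's priorities. The scanner names, hosts, finding ids, asset weights and the scoring rule (severity multiplied by asset weight) are all assumptions constructed for the example.

```python
# Added example: merge findings from two scanners, then re-rank by asset priority.
# All hosts, finding ids, severities and weights are constructed sample data.

SEVERITY = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed output of two hypothetical scanners, already parsed into dicts.
SCANNER_A = [
    {"host": "192.0.2.10", "port": 443, "id": "VULN-0001", "severity": "high"},
    {"host": "192.0.2.10", "port": 22, "id": "VULN-0002", "severity": "medium"},
    {"host": "192.0.2.20", "port": 80, "id": "VULN-0003", "severity": "critical"},
]
SCANNER_B = [
    {"host": "192.0.2.10", "port": 443, "id": "VULN-0001", "severity": "critical"},
    {"host": "192.0.2.30", "port": 25, "id": "VULN-0004", "severity": "low"},
]

# Constructed customer input: business weight per asset (assumed default is 1).
ASSET_WEIGHT = {"192.0.2.10": 3, "192.0.2.20": 1, "192.0.2.30": 2}


def merge_findings(*reports):
    """Deduplicate on (host, port, id), keep the highest severity any tool
    reported, and record which tools saw the finding."""
    merged = {}
    for tool, report in reports:
        for f in report:
            key = (f["host"], f["port"], f["id"])
            entry = merged.setdefault(key, {**f, "tools": []})
            if SEVERITY[f["severity"]] > SEVERITY[entry["severity"]]:
                entry["severity"] = f["severity"]
            entry["tools"].append(tool)
    return list(merged.values())


def prioritize(findings, asset_weight):
    """Rank by scanner severity multiplied by the asset's business weight."""
    def score(f):
        return SEVERITY[f["severity"]] * asset_weight.get(f["host"], 1)
    return sorted(findings, key=lambda f: (-score(f), f["host"], f["port"]))


def build_report():
    merged = merge_findings(("scanner_a", SCANNER_A), ("scanner_b", SCANNER_B))
    return prioritize(merged, ASSET_WEIGHT)


if __name__ == "__main__":
    for f in build_report():
        print(f["host"], f["port"], f["id"], f["severity"], ",".join(f["tools"]))
```

With this sample data, the medium finding on the high-weight asset ranks above the critical finding on the low-weight one, which is the kind of adjustment a raw scanner report cannot make on its own.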

What are the deliverables

A very detailed report, tailor-made for the specific client and their needs, with a list of all vulnerabilities found, their priorities and general guidelines for remediation.

What kinds of vulnerability assessments are there

There are a few different types of vulnerability assessments.

Internal / External

Most assessments are done from the internet (outside the organization); however, most security breaches are caused by those with access to internal networks, including staff, former employees, consultants, vendors and customers.

With Knowledge / Without Knowledge

We could have used the terms white-box/black-box, but this would not be completely accurate because they refer to penetration testing; nevertheless, we will use them as well-known terms, with the clarification we have made.

When we know the infrastructure, the design and the code of the application (white-box), we can focus our assessment better and in most cases achieve better results.

When we are working blind (black-box), we scan and try to understand the system without knowing anything about it. In vulnerability analysis, black-box is not a very common approach, because our goal is to find as many vulnerabilities as we can.

With Remediation / Without Remediation

In addition, vulnerability analysis can forecast the effectiveness of proposed countermeasures and evaluate their actual effectiveness after they are put into use.

How often should a vulnerability assessment be executed?

Fortunately or not, the answer is trivial: as often as possible. There are systems that aim to perform real-time vulnerability assessment, apply virtual patches, etc.

We advise our clients to do a vulnerability assessment twice per year.