The Vulnerability Assessment Process and How To Perform It

No system, process, infrastructure or environment is 100% free from vulnerabilities. Those vulnerabilities usually come from design flaws, bugs, poor implementation, missing updates and many other causes, and attackers or malicious users can leverage them to gain access to your systems or cause disruption. As a result, it is crucial to perform vulnerability assessments on a regular basis to keep your infrastructure secure.

What is a vulnerability assessment?

A vulnerability assessment is an analysis of the vulnerabilities present in an IT system at a certain point in time, with the aim of identifying the system's weaknesses before attackers can exploit them.

There are two main ways to do it. The first uses offensive techniques (such as penetration testing), in which a tester actively tries to exploit weaknesses. The second is more defensive and relies on identifying known vulnerabilities in your infrastructure with vulnerability scanners such as Qualys, Tenable and similar products.

Steps to conduct a vulnerability assessment

Each company performs vulnerability assessments in its own way; however, most approaches are built on the following stages.

1. Asset discovery

First, you need to decide what you want to scan, and you cannot scan an asset you do not know exists. One of the most common cyber security challenges facing organizations is a lack of visibility into their digital infrastructure and its connected devices. Some reasons for this include:

  • Mobile devices: Smartphones, laptops and similar devices connect to and disconnect from the office network frequently, so a scan run at a fixed time can easily miss them.

  • IoT devices: IoT devices are part of the corporate infrastructure but may connect primarily over mobile networks rather than the corporate LAN, so they never show up on an internal network scan.

  • Cloud-based infrastructure: Cloud service providers make it easy to spin up new servers as needed without IT involvement, so assets appear without the security team being aware of them.

2. Prioritization

Once you know which assets you have, the next question is whether you can afford to run a vulnerability assessment on all of them. In a perfect world you would scan all of your systems regularly. However, vendors often charge per asset, so prioritization helps where the budget cannot cover every asset the company owns. Qualys, for example, charges a $500 per month subscription for its vulnerability scanners.

Some examples of where you may wish to prioritize are:

  • Internet-facing servers

  • Customer-facing applications

  • Databases containing sensitive information

3. Vulnerability scanning

Vulnerability scanners are designed to identify known security weaknesses and provide guidance on how to fix them. Because vulnerabilities are commonly reported publicly, there is a lot of information available about which software and versions are affected. Vulnerability scanners use this information to identify vulnerable devices and software in an organization's infrastructure. The scanner first sends probes to systems to identify:

  • Open ports & running services

  • Software versions

  • Configuration settings

Based on this information, the scanner can often identify many known vulnerabilities in the system being tested. Be aware that version-based detection (matching a service banner against a list of affected versions) can produce false positives, for example when a Linux distribution backports a fix without changing the version the service reports; an authenticated (credentialed) scan, where the scanner logs in and inspects the installed packages and configuration, is more accurate than an unauthenticated probe.

4. Result analysis & remediation

After the vulnerability scan is complete, the scanner produces an assessment report. When reading it and developing remediation plans based on it, you should consider the following:

Severity: A vulnerability scanner should label each potential vulnerability with a severity rating (typically a CVSS score). When planning remediation, focus on the most severe vulnerabilities first, but do not ignore the rest indefinitely: it is not uncommon for attackers to chain several mild vulnerabilities into a working exploit. A good vulnerability scanner will suggest timelines for fixing each issue.

Vulnerability exposure: Remembering the prioritization above, not all vulnerabilities are on public-facing systems. Internet-facing systems are more likely to be exploited by any random attacker scanning the internet, which makes them a higher priority for remediation. After that, prioritize any employee laptops with vulnerable software installed, since they are exposed to phishing and to untrusted networks. Additionally, any systems that host particularly sensitive data, or whose compromise could seriously affect your business, may need to be prioritized ahead of others.
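The following is an added example, not code from the original article or from any scanner vendor, that ties steps 3 and 4 together: it takes the kind of banner a probe returns for each open port, matches the detected product and version against a vulnerability table, and then ranks the results by severity weighted with exposure and data sensitivity, assigning a remediation deadline per tier. The hosts, banners, vulnerability entries (the EXAMPLE-* identifiers and version ranges), the weighting factors and the SLA windows are all constructed placeholders; a real assessment would draw the version ranges from a vendor or NVD feed and the exposure flags from the asset inventory built in step 1.

```python
"""Added example (not part of the original article): a toy version of steps 3
and 4. It parses service banners a probe would return, matches them against a
vulnerability table and produces a prioritised remediation list. All hosts,
banners, version ranges, identifiers and SLA windows are constructed placeholders."""
import re
from datetime import date, timedelta

# Constructed probe output: one row per open port, plus context the scanner
# alone cannot know (exposure and data sensitivity come from the asset inventory).
PROBE_RESULTS = [
    {"host": "web-1", "port": 22, "banner": "SSH-2.0-OpenSSH_7.4",
     "internet_facing": True, "sensitive_data": False},
    {"host": "db-1", "port": 22, "banner": "SSH-2.0-OpenSSH_9.6",
     "internet_facing": False, "sensitive_data": True},
    {"host": "db-1", "port": 8080, "banner": "Server: Apache/2.4.49",
     "internet_facing": False, "sensitive_data": True},
    {"host": "app-1", "port": 443, "banner": "Server: nginx/1.25.3",
     "internet_facing": True, "sensitive_data": False},
    {"host": "mail-1", "port": 25, "banner": "220 mail-1 ESMTP ready",
     "internet_facing": True, "sensitive_data": False},
]

# Constructed vulnerability feed: product -> list of (first affected version,
# last affected version, finding id, CVSS). The ids and ranges are invented
# placeholders, not real advisories; a real scanner uses vendor/NVD data.
VULN_TABLE = {
    "openssh": [((7, 0), (7, 9), "EXAMPLE-SSH-001", 7.5)],
    "apache":  [((2, 4, 0), (2, 4, 49), "EXAMPLE-HTTPD-001", 9.8)],
}

BANNER_RE = re.compile(r"(OpenSSH|Apache|nginx)[_/](\d+(?:\.\d+)*)", re.IGNORECASE)

# Priority tiers: (minimum weighted score, tier name, days allowed to fix).
# These windows are a policy choice for the example, not an industry standard.
SLA_DAYS = [(14.0, "P1", 7), (9.0, "P2", 30), (4.0, "P3", 90), (0.0, "P4", 180)]


def parse_banner(banner):
    """Return (product, version tuple) from a banner, or None if unrecognised."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    return m.group(1).lower(), tuple(int(x) for x in m.group(2).split("."))


def match_vulns(product, version):
    """Known issues whose affected range contains this version (inclusive)."""
    return [(vid, cvss) for lo, hi, vid, cvss in VULN_TABLE.get(product, [])
            if lo <= version <= hi]


def priority(cvss, internet_facing, sensitive_data):
    """Weight base severity by exposure: internet-facing doubles the score and
    sensitive data adds 25%. Returns (score, tier, days to fix)."""
    score = cvss * (2.0 if internet_facing else 1.0) * (1.25 if sensitive_data else 1.0)
    for threshold, tier, days in SLA_DAYS:
        if score >= threshold:
            return round(score, 2), tier, days


def assess(probe_results, scan_date):
    """Steps 3 and 4 together: identify versions, look up known issues, rank them."""
    day = date.fromisoformat(scan_date)
    findings = []
    for r in probe_results:
        parsed = parse_banner(r["banner"])
        if parsed is None:
            continue  # unrecognised service: worth a manual look, not a finding yet
        product, version = parsed
        for vid, cvss in match_vulns(product, version):
            score, tier, days = priority(cvss, r["internet_facing"], r["sensitive_data"])
            findings.append({
                "host": r["host"], "port": r["port"], "product": product,
                "version": ".".join(map(str, version)), "id": vid, "cvss": cvss,
                "score": score, "tier": tier,
                "due": (day + timedelta(days=days)).isoformat(),
            })
    return sorted(findings, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for f in assess(PROBE_RESULTS, "2024-01-01"):
        print(f"{f['tier']} {f['host']}:{f['port']} {f['product']} {f['version']} "
              f"{f['id']} cvss={f['cvss']} score={f['score']} due={f['due']}")
```

Running it lists two findings: the internet-facing OpenSSH 7.4 on web-1 lands in P1 ahead of the internal Apache 2.4.49 on db-1, even though the latter has the higher CVSS score, because exposure is weighted into the ranking as described above. The patched OpenSSH 9.6, the nginx version not in the table, and the unrecognised SMTP banner produce no findings, which is exactly the blind spot the caveat about version-based detection warns about.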

5. Continuous cyber security

A vulnerability scan provides a point-in-time snapshot of the vulnerabilities present in an organization’s digital infrastructure. However, new deployments, configuration changes, newly discovered vulnerabilities, and other factors can quickly make the organization vulnerable again. For this reason, you must make vulnerability management a continuous process rather than a one-time exercise.

Since many vulnerabilities are introduced when software is developed, mature software development organizations integrate automated vulnerability assessments (dependency, container image and static analysis scans) into their continuous integration and deployment (CI/CD) pipelines. This lets them find and fix vulnerabilities before the software is released, avoiding the potential for exploitation and the need to develop and ship patches for vulnerable code.
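As an added example of the CI/CD gate described above (not code from the original article or from any scanner), the script below reads a scanner's findings report and fails the pipeline when any finding at or above a chosen severity is still unresolved. Waivers for accepted risks must carry an owner, a reason and an expiry date, so a temporary exception cannot quietly become permanent. The report layout, the severity names, the EXAMPLE-* finding identifiers and the accepted-risk register are invented for illustration; adapt the loader to whatever format your scanner actually emits.

```python
"""Added example (not from the original article): a CI/CD gate that reads a
scanner's findings and fails the pipeline on unresolved high-severity results.
The report format, severity names, finding ids and the accepted-risk register
are constructed for illustration."""
import json
import sys
from datetime import date

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed scanner output, the kind of artifact a dependency or image
# scanner would write during a pipeline run.
SAMPLE_REPORT = json.dumps({"findings": [
    {"id": "EXAMPLE-DEP-001", "package": "examplelib", "version": "1.2.0",
     "severity": "critical", "fixed_in": "1.2.1"},
    {"id": "EXAMPLE-DEP-002", "package": "otherlib", "version": "3.0.0",
     "severity": "high", "fixed_in": None},
    {"id": "EXAMPLE-DEP-003", "package": "minorlib", "version": "0.9.0",
     "severity": "low", "fixed_in": "0.9.1"},
]})

# Constructed accepted-risk register: a finding may be waived only with an
# owner, a reason and an expiry, so waivers cannot silently become permanent.
ACCEPTED_RISKS = [
    {"id": "EXAMPLE-DEP-002", "owner": "platform-team",
     "reason": "no fix available; service not reachable from the internet",
     "expires": "2024-03-01"},
]


def evaluate(report_json, accepted_risks, today, fail_on="high"):
    """Return (passed, blocking ids, waived ids). A finding blocks the build
    when its severity is at or above `fail_on` and no unexpired waiver covers it."""
    threshold = SEVERITY_RANK[fail_on]
    today = date.fromisoformat(today)
    waivers = {w["id"] for w in accepted_risks
               if date.fromisoformat(w["expires"]) >= today}
    blocking, waived = [], []
    for f in json.loads(report_json)["findings"]:
        if SEVERITY_RANK.get(f["severity"].lower(), 0) < threshold:
            continue  # below threshold: still reported, but does not block
        if f["id"] in waivers:
            waived.append(f["id"])
        else:
            blocking.append(f["id"])
    return (len(blocking) == 0), blocking, waived


def main(argv):
    """Exit 1 so the CI runner marks the job failed; date may be passed for testing."""
    today = argv[1] if len(argv) > 1 else date.today().isoformat()
    passed, blocking, waived = evaluate(SAMPLE_REPORT, ACCEPTED_RISKS, today)
    for fid in waived:
        print(f"waived (accepted risk): {fid}")
    for fid in blocking:
        print(f"BLOCKING: {fid}")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The non-zero exit code is what makes the scan a gate rather than a report: the CI job fails until the critical finding is fixed, while the waived high-severity finding is allowed through only until its expiry date, after which it starts blocking builds again. Lowering `fail_on` to "medium" once the backlog is under control is the usual way to tighten the policy over time.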

To conclude

Regular vulnerability assessments are critical to a strong cyber security posture. The sheer number of vulnerabilities that exist and the complexity of the average company's digital infrastructure mean an organization is almost guaranteed to have at least one unpatched vulnerability that places it at risk. Finding these vulnerabilities before an attacker does can mean the difference between a failed attack and a costly and embarrassing data breach or ransomware infection.