By Mary Grlic
Do you fully understand the system vulnerabilities within your business? How do you find ways to mitigate such risks/threats and improve internet safety? What would you do if you found out that a company device or server has been compromised? What steps would you take to prevent it? Perhaps you’ve heard of a vulnerability assessment, which could be one step in your data security routine to help with any threats.
The risk of falling victim to a cyber attack is only increasing, and if your organization doesn’t properly protect itself, you or your business could be at risk for such a threat. So what can be done to prevent a cyber attack? A routine vulnerability assessment is a necessity for all organizations to mitigate risk.
So What is a Vulnerability Assessment?
A vulnerability assessment is a review of security weaknesses (“vulnerabilities”) in an information system. NIST (The National Institute of Standards and Technology) defines a vulnerability assessment as a, “systematic examination of an information system or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation.”
A vulnerability can refer to any software flaw that could be harmful to a system’s security. Some examples of a system vulnerability include malware, outdated operating systems, or bad backups. Organizations must do their best to identify, mitigate, and respond to any and all vulnerabilities within their systems.
A vulnerability assessment – simply called a “VA” – includes different tasks, such as:
- Security control checks
- Analyzing routers and Wi-Fi networks
- Reviewing network security and strength
- Scanning network ports
- Assessing applications or downloads
Risk Assessment vs. Vulnerability Assessment
These two assessments may seem similar but have key differences. If your organization is looking for either of these tests, it’s important to understand the variations to decide what’s best for you. A risk assessment may be part of a vulnerability assessment. Risk assessments identify possible threats related to technology use and are commonly performed during new projects or undertakings. Vulnerability assessments, on the other hand, focus on weaknesses within a system that attackers can exploit or corrupt. A risk assessment looks outside of an organization for possible threats, whereas a vulnerability assessment identifies any structural problems within an organization.
The Steps of a Vulnerability Assessment
1. Identify Risks and Assets
Similar to a risk assessment, a vulnerability assessment starts with finding any potential threats to a system. However, a vulnerability assessment looks one step further by looking within the current system – the IT “assets” – to better understand the vulnerabilities an organization may face.
2. Analyze the Vulnerabilities
Known as the analysis process, this step allows your organization to better understand why you are experiencing certain weaknesses. During this phase, possible threats are found and the source and root cause of each vulnerability are identified.
3. Perform a Vulnerability Scan
The next step is a vulnerability scan. This is meant to identify any security weakness within an information system. A network administrator and/or your IT staff will likely perform these scans. There are several types of vulnerability scans (as explained below). These scans differ based on the type of assets they scan, the origin of the scan, and the security posture of the network. Your organization may choose one over another depending on what particular vulnerability you’re facing.
4. Create a Vulnerability Report
A vulnerability report will include a summary of each weakness, its impact, and mitigation strategies. To be most useful, these reports should be detailed and delivered as soon as possible. Some things you’ll want to include in your VA report are the following: vulnerability name, discovery date, description of the vulnerability and its affected systems, correction process, and proof of concept (POC) of the vulnerability for the system.
Types of Vulnerability Scans
A vulnerability scan is one of the steps of a vulnerability assessment to find any threats in the system. There are several types of scans, each assessing different weaknesses that may be in your system.
1. Host Scan
A host scan looks at vulnerabilities related to the hosts on a network, like servers and laptops. This type of scan will investigate host configuration, file system, memory settings, and other host-based information.
2. Network Scan
Sometimes confused with a host scan, a network scan analyzes communication channels and networking equipment. However, these scans do not look at the host system like a host scan would. Instead, network scans identify weaknesses in software and hardware devices like firewalls and servers.
3. Wireless Based Scan
Wireless scans look at all of the wireless devices within a network, like WiFi (wireless internet connection) equipment and access points. These devices can allow unauthorized access to private or public networks, which is a serious threat.
4. Database Assessment
A database assessment will identify weaknesses within an organization’s database and information system. This may include exposed sensitive data or rogue databases. For example, SQL injection attacks allow attackers to inject malicious SQL into the queries an application sends to its database. These sorts of cyber attacks can be very harmful to your network.
5. Application Scans
These scans identify any security vulnerabilities in web applications or downloads. For example, someone in your organization may download an application from the web that has faulty source code and makes your system vulnerable to threats. Since apps are so easy to download, it makes it even easier for them to weaken your device. Therefore, an application scan should not be overlooked.
Assessing your Vulnerabilities
How can you understand the results of your vulnerability assessment on a standard scale? There is a way to measure the severity of each finding so that you can compare and prioritize the threats. The Common Vulnerability Scoring System (CVSS) provides an open framework for vulnerability metrics. This system is based on three metric groups: Base, Temporal, and Environmental. The National Vulnerability Database (NVD) supports two types of CVSS scores, v2.0 and v3.0. Each provides a numeric score along with a qualitative severity range. For example, your organization may receive a 4.5 base score, which is a “medium” severity ranking as per CVSS v2.0 rankings. Overall, CVSS is a great standard method to better understand and assess vulnerabilities within your organization.
The importance of a vulnerability assessment
Vulnerability assessments are especially important in today’s world, which is full of constantly changing technology and cyber threats on the rise. Simply put, they give an organization the details of any security weaknesses within its system. Organizations can then assess those threats and take action to keep their systems safe. Vulnerability assessments cover many bases to ensure thorough protection for your organization.
Some organizations require vulnerability assessments for compliance. For example, those who follow HIPAA (Health Insurance Portability and Accountability Act), PCI DSS (Payment Card Industry Data Security Standard), and GDPR (General Data Protection Regulation) must undertake regular VAs in order to remain compliant.
Regardless of whether your organization technically needs a vulnerability assessment, it’s highly advised that every business completes a VA. These assessments will allow your organization to:
- Detect weaknesses before it is too late
- Keep an organized list of all devices
- List potential vulnerabilities and monitor them
- Define a mitigation plan
- Understand the risks you face
- Make sure your network is as safe as possible
- Keep your organization working with effective measures
Vulnerability Assessments and Keeping your Business Safe and Sound
As the world becomes more intertwined with the internet, vulnerability assessments are critical. Unfortunately, data breaches have become an unwelcome reality for many organizations. Industries like healthcare, manufacturing, and finance are some of the biggest targets for ransomware. Companies also often face phishing scams, which are capable of damaging entire systems. Malware attacks are becoming more common and more dangerous as well, with new viruses that can take control of the most basic and essential parts of a device (take the CosmicStrand rootkit, for example). Additionally, malware is becoming even more sophisticated as modern-day AI threatens organizations. These are just some of the threats that organizations face, and it’s only getting worse. Therefore, every business should do its best to prevent them. Frequent VAs are a necessary step toward protecting your organization, because they look within a network for any weaknesses.
At Computero, we help our customers all across the New York area protect their organizations with vulnerability scans. We know that VAs are essential for all small and medium sized businesses. Contact us if your organization is ready to benefit from a vulnerability assessment.