What is Vulnerability Management?
What is the benefit of vulnerability assessments?
Vulnerability management is a process that aims to make the company or organisation less vulnerable to attacks and to minimise business-critical security incidents.
Vulnerability assessment is a systematic review of the security vulnerabilities in an information system. It assesses whether the system is vulnerable to known vulnerabilities. Severity levels are assigned to the vulnerabilities found and remedial action or mitigation is recommended if and when necessary.
By means of the analysis, a snapshot of the infrastructure is created and checked for deficiencies in its configuration. This enables an assessment of the state of the security controls implemented on networks, clients and servers (hosts) or applications.
Examples of threats that can be prevented by this are:
- SQL injection, XSS and other code injection attacks.
- Escalation of privileges due to faulty authentication mechanisms.
- Insecure default settings – software shipped with insecure settings, such as an easy-to-guess admin password.
What are the different types of vulnerability assessments?
The different types of vulnerability assessments include the following:
Host Assessment
The assessment of critical servers that may be vulnerable to attack if they have not been adequately tested or have not been built from a tested host image.
Network and Wireless Assessment
The assessment of policies and practices to prevent unauthorised access to private or public networks and network-accessible resources.
Database Assessment
The assessment of databases or Big Data systems for vulnerabilities and misconfigurations, the identification of rogue databases or insecure development/test environments, and the classification of sensitive data in a company’s infrastructure.
Application Scans (Web Application Scans)
The identification of security vulnerabilities in web applications and their source code through automated scans at the frontend or static/dynamic analysis of the source code.
What are the goals of a vulnerability assessment?
- Risk reduction of the exposure of the infrastructure
- Identification of active servers in the network and visualisation of related services
- Rapid identification of the most critical attack surfaces
- Detection of security misconfigurations
- Checking software update status
- Verification of system hardening
- Standard credential usage report
How does a vulnerability assessment work?
The process consists of four steps: testing, analysing, evaluating and remediating.
- Identification of the vulnerability (testing)
The goal of this step is to create a comprehensive list of an application’s vulnerabilities. Security analysts test the security state of applications, servers or other systems by scanning them with automated tools or by testing and assessing them manually.
Analysts also rely on vulnerability databases, vendor vulnerability reports, asset management systems and threat intelligence feeds to identify security vulnerabilities.
- Vulnerability analysis
The aim of this step is to determine the source and cause of the vulnerabilities identified in the first step.
This involves identifying the system components responsible for each vulnerability and the main cause of the vulnerability.
- Risk assessment
The goal of this step is to prioritise the vulnerabilities. In doing so, security analysts assign a rank or severity to each vulnerability based on factors such as:
- Which systems are affected?
- What data is at risk?
- Which business functions are at risk?
- How easy is the vulnerability to attack or exploit?
- How severe would a successful attack be?
- What damage could result from the vulnerability?
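To show how the factors above turn into a ranked remediation list, here is an added example that is not part of the original article: each finding is rated 0 (none) to 3 (high) on the six factors, combined by a weighted sum and sorted. The weights, the 0..3 scale, the priority thresholds and the three sample findings are all assumptions constructed for the example.

```python
from dataclasses import dataclass

# Weights and the 0..3 rating scale are assumptions; a real programme sets them from its risk appetite.
WEIGHTS = {
    "system_criticality": 2,  # which systems are affected?
    "data_sensitivity": 3,    # what data is at risk?
    "business_impact": 2,     # which business functions are at risk?
    "ease_of_attack": 2,      # how easy is it to exploit?
    "attack_severity": 1,     # how severe would an attack be?
    "potential_damage": 2,    # what damage could result?
}
MAX_RAW = 3 * sum(WEIGHTS.values())  # every factor rated 3 (high)

@dataclass
class Finding:
    title: str
    factors: dict  # factor name -> rating 0 (none) .. 3 (high)

def risk_score(finding):
    """Weighted sum of the factor ratings, normalised to 0..100."""
    for name, value in finding.factors.items():
        if name not in WEIGHTS or not 0 <= value <= 3:
            raise ValueError(f"bad factor {name}={value!r} in {finding.title!r}")
    raw = sum(WEIGHTS[n] * finding.factors.get(n, 0) for n in WEIGHTS)
    return round(100 * raw / MAX_RAW)

def severity_band(score):
    """Map a 0..100 score to a remediation priority (thresholds assumed)."""
    return "critical" if score >= 75 else "high" if score >= 50 \
        else "medium" if score >= 25 else "low"

def prioritise(findings):
    """Return (title, score, band) tuples, highest risk first."""
    scored = [(f.title, s, severity_band(s)) for f in findings for s in [risk_score(f)]]
    return sorted(scored, key=lambda t: t[1], reverse=True)

def finding(title, *ratings):
    """Build a Finding from ratings given in WEIGHTS key order."""
    return Finding(title, dict(zip(WEIGHTS, ratings)))

# Constructed sample findings; the systems and ratings are invented.
SAMPLE = [
    finding("SQL injection in customer portal search", 3, 3, 3, 3, 3, 3),
    finding("Default admin password on test build server", 1, 1, 1, 3, 2, 1),
    finding("Outdated TLS library on internal wiki", 1, 2, 1, 1, 2, 1),
]

if __name__ == "__main__":
    for title, score, band in prioritise(SAMPLE):
        print(f"{band:8} {score:3}  {title}")
```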
- Remediation
The goal of this step is to remediate the security vulnerabilities. It is usually a joint effort between security staff, development and operations teams to determine the most effective way to fix or mitigate each vulnerability.
Specific steps to remediation may include:
- The introduction of new security procedures, measures or tools.
- The implementation of operational or configuration changes.
- The development and implementation of a vulnerability patch.
How often do vulnerability assessments need to be carried out?
Vulnerability assessment cannot be a one-off activity. To be effective, organisations need to operationalise this process and repeat it at regular intervals.
It is a best practice to schedule regular, automated scans of all critical IT systems. The results of these scans should be incorporated into the organisation’s ongoing vulnerability assessment process.
Since vulnerability assessments are not a one-time thing, it is essential that management is involved in the security analysis process from the beginning. This is the only way to ensure that the human and financial resources are made available within an organisation to establish an ongoing process.