What Is A Vulnerability Assessment?

An underlying cause of breaches and exploits is improper or lack of vulnerability testing. A vulnerability can be broadly described as a weakness in a system, operational process, or design that a threat can exploit. Testing for vulnerabilities is an important component of proactive cybersecurity and system hardening. A vulnerability assessment is a review and evaluation that tests a system to identify potential flaws that can be exploited. This is done to mitigate any potential system compromise. The identified vulnerabilities can be patched, reducing the attack surface.

Vulnerability assessments test SQL and command injections, buffer overflow, cross-site scripting, software implementation, open ports, etc. Improper or lack of authentication is one of the most common weaknesses found in information systems. Each weakness is assigned a value of criticality that determines how urgently it needs to be addressed. An organization will greatly determine its risk management plan based on the results of a vulnerability assessment. Therefore, vulnerability assessments are great tools in determining overall security posture.

It can be difficult to determine the best way to conduct a vulnerability assessment, especially on large networks. Therefore, it is imperative to be aware of and identify everything on the network. This is the first step of a vulnerability assessment. Afterward, scans of the target system will be carried out. While scans are valuable tools in conducting vulnerability assessments, it is vital to review and analyze scan results for anything that may have been missed. Lastly, vulnerability assessment results are applied to the risk management and patching of the tested system.

Vulnerability Assessment Components

Scope Identification - The scope of a vulnerability assessment is the extent to which the assessment will reach. In other words, identifying the scope is the process of determining what specifically is to be tested for potential exploits. This could be one or more networks, supply chains, applications, databases, etc. Moreover, the assessment subjects need to be assigned a level of importance or security level. The scope for a vulnerability assessment of an organization should be all-encompassing to avoid security gaps.

Scanning - A vulnerability scanner is a tool used to get a detailed picture of the system. This is done by checking open ports, software being run, improper configurations, lack of security controls, etc. Vulnerability scanners can be active or passive. A passive scanner, such as Shodan.io, does not interact with the target network. Conversely, an active scanner interacts directly with the target network. This includes tools such as Nessus and OWASP ZAP.

Analysis - Based on the criteria defined in the scope and the results of an in-depth scan, the root causes for the vulnerabilities need to be addressed. A thorough review of the vulnerability scan should categorize vulnerabilities from critical to low priority. Prioritization is done through analysis of scans; low priority vulnerabilities are still exploitable. Correct prioritization of found weaknesses will determine the course of action for the assessed organization or system. Prioritization will be unique and differ with each organization.

A proper analysis needs to take into consideration the tools and methodology used to assess the target system. Some scanners might not check for the newest types of exploits. An analyst should use a diversity of scanners and open source tools to obtain the most accurate and exploitable weaknesses. This is the best way to understand how to mitigate the found vulnerabilities fully. The obtained scan results should be correlated with known system vulnerabilities, especially newer exploits. The analysis is the key takeaway from a vulnerability assessment because it conveys the information needed to strengthen the overall security posture.

Vulnerability scanning analysis takes into consideration the following:

• Affected Systems
• Sensitive Information at Risk
• Affected Business Operations
• Impact of Potential Attack
• Difficulty of Exploitation

Several of the listed factors determine the criticality of a vulnerability and its contribution to the risk management of an organization. The goal of vulnerability analysis is to describe each vulnerability’s root cause accurately and the impact it could have if left unchecked. This is a required step towards the broader goal of vulnerability management.

Why are Vulnerability Assessments Important?

Vulnerability assessments are essential to system hardening. Regular checks for system weaknesses should be routine. Regular assessments ensure that the target system will remain protected from newer threats. When done properly, the process should reduce the chances of a system being breached or compromised. Proper vulnerability assessments provide the data needed to help mitigate any holes in the tested system. Vulnerability assessments should include the target system in its entirety and utilize a combination of scanners to conduct a proper analysis of specified vulnerabilities. Also, frequent assessments are crucial to vulnerability management plans. Cybersecurity posture is greatly determined by attack surface - vulnerability assessments determine how large this surface is. Ultimately, vulnerability assessments achieve the goal of identifying exploitable weaknesses, prioritizing risks, and deciding on a mitigation approach.

References

Dunn, S. (2017, January 26). NIST 800-53: Vulnerability Management. Retrieved from https://www.tenable.com/sc-dashboards/nist-800-53-vulnerability-management
Saydjari, O.S. (2018).Engineering Trustworthy Systems: Get Cybersecurity Design Right the First Time. McGraw-Hill Education.