Vulnerability Assessment

Cybersecurity is a constant race between attackers searching for weaknesses to exploit and defenders working to secure them. New vulnerabilities – weaknesses that may be exploited by an attacker – are discovered every day. As many as 15,000 new vulnerabilities are discovered each year, with many affecting major software systems including web browsers, operating systems, and other applications. Vulnerabilities, including missing patches and misconfigured applications, expose weaknesses to attackers and open organizations to costly cyber-attacks.

A vulnerability assessment informs organizations on the weaknesses present in their environment and provides direction on how to reduce the risk those weaknesses cause. The vulnerability assessment process helps to reduce the chances an attacker is able to breach an organization’s IT systems – yielding a better understanding of assets, their vulnerabilities, and the overall security risk to an organization

What is Vulnerability

A weakness of an asset or group of assets that can be exploited by one or more threats.  A vulnerability is more than just a technical issue, it can be a weakness in ANY asset, process, or a policy violation which can be exploited to compromise security.

Vulnerability Assessment Process

  • Determine the hardware and software assets in an environment

  • Determine the quantifiable value (criticality) of these assets

  • Identify the security vulnerabilities impacting the assets

  • Determine a quantifiable threat or risk score for each vulnerability

  • Mitigate the highest risk vulnerabilities from the most valuable assets

How We Help

  • Assessing the environment by collecting information through interviews, scanning, diagrams and documentation. Determine what regulatory, compliance and industry requirements are involved with managing vulnerabilities

  • Determining if assets have been classified for business criticality and are tracked through an asset management database. Discover rogue systems and devices and begin efforts to identify owners for the business need for unmanaged technologies.

  • Assessing the existing infrastructure to identify security policies and risk management models. Translate policies to technical checks such as the enforcement of an 8 character password or the use of default system passwords.

  • Understanding the resources that belong to your organization and which do not. A reliable asset management process is necessary for the success of any vulnerability management program. The asset management solution should be able to tie into the help desk and trouble ticket system for centralized tracking.

  • Identify and understand current business and technology objectives that require security involvement. Identify business drivers and how IT and security can drive the results.

  • Security Intelligence information can significantly decrease the time required to apply and deploy patches in the organization. A database is maintained with your technologies and Alerts will only be sent when you are affected.

  • Analyzing existing audit and security reports to identify existing security weaknesses.

  • Vulnerability scan output should be analyzed to remove false positives and insignificant findings. Track the new, reoccurring and corrected vulnerabilities.

  • Identify change control windows allowed for scanning across the organization. Work with IT management to obtained an agreed upon time and intensity of scanning. Regardless to the tool or methodology, a risk exists to crash the server.

  • Analyze the identified vulnerabilities to make sense of the information. Combine or remove vulnerabilities and identify root causes.

  • Addressing strategy to evaluate identified vulnerabilities and determine false positives, criticality and feasibility.

  • Determine the acceptable limit of false positives allowed in each report. Work with the vulnerability assessment tool vendor to reduce the number of false positives.

  • Developing an effective risk weighting system for vulnerabilities which takes business processes, asset value and likelihood to determine risk ratings.

  • Focusing on the high risk areas for the company first to protect perimeters and critical business applications. All of the identified vulnerabilities (potentially 10,000+) do not need to be corrected immediately.

  • Prioritization and validation of vulnerabilities is one of the most time consuming but important steps. Work within configuration baselines for each technology to identify and document the remediation steps required.

  • Combine reports from various tools and processes to obtain a holistic understanding of the risk to the applicable applications, technology, processes and personnel.

  • Align priority vulnerabilities with asset classification to remediate the highest risk systems first. Leverage deployment and configuration management technology for speedy remediation.

  • Perform compliance monitoring through continued scans to verify the vulnerability is corrected. System restores and new patches may reintroduce the vulnerability.

  • Reporting the current status of the vulnerability management program to management periodically. Define the key issues and challenges for your organizations security program and the progress you have made to achieve the goals. Integrate the vulnerability management progress with your other security initiatives.

  • Map protection efforts against business applications and not just physical servers.

  • Reporting also created based on the existing organizational chart, usually by business unit or geographic region.