One way to secure IT assets, maintain an awareness of the vulnerabilities in an environment and respond quickly to mitigate potential threats is through regular vulnerability assessment (VA). A VA is a process to identify and quantify the security vulnerabilities in an organization’s environment. A comprehensive vulnerability assessment program provides organizations with the knowledge, awareness, and risk background necessary to understand threats to their environment and react accordingly.
The best way to take this first step in improving your IT security is to find a partner who can guide you through the process and the steps that – ideally – will follow.
To fully capture these benefits, you should view the VA as your initial or ongoing measurement in an ongoing process geared to improve organizational security posture.
The two key elements of reducing security risk are understanding the vulnerabilities present in the environment and responding to them accordingly.
At a technical level, vulnerability assessments involve three phases. In the first phase, organizations conduct an information gathering and discovery effort in order to better understand the hardware and software present in their environment. This frequently involves network scanning to discover hosts, port scanning to discover the services and protocols that might be vulnerable, and a review of directory service and DNS information to understand which hosts might be targeted by attackers.
Once the assessor has completed a full discovery effort to understand the hosts present in the environment, a more thorough review and enumeration of operating systems, applications, ports, protocols and services determines the full extent of the attack surface vulnerable to attackers. Especially important in this phase is to determine the version information of organization assets (for example, Windows 10 vs. Windows XP, SMB 3.1.1 vs. SMB 2.0) as subsequent versions frequently patch old vulnerabilities and introduce new ones.
A final phase of the assessment includes the actual detection of vulnerabilities, utilizing a detection tool or vulnerability repository like the National Vulnerability Database to identify the vulnerabilities on the assets enumerated earlier. This process generates reports, complete with scores and risk information. The final step of the phase is to use remediation tools to patch, configure, or debug assets as necessary to reduce or eliminate the security risks present due to the vulnerabilities detected.
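As an added example (not code from the original article), a minimal version of the third phase in Python: it takes an asset inventory in the form the discovery and enumeration phases would produce and matches each service version against a small NVD-style repository, returning a scored findings list ordered by risk. The inventory, repository entries, CVE ids and CVSS scores are all constructed placeholders.

```python
from collections import namedtuple

# Inventory entries are the output of the discovery and enumeration phases.
Asset = namedtuple("Asset", "host product version")
# Repository entries mimic an NVD-style record: affected range plus a CVSS base score.
# introduced_in is inclusive, fixed_in is exclusive (the first patched version).
VulnRecord = namedtuple("VulnRecord", "cve_id product introduced_in fixed_in cvss")
Finding = namedtuple("Finding", "host product version cve_id cvss severity")

def parse_version(v):
    """'2.4.10' -> (2, 4, 10); tuples compare component by component."""
    return tuple(int(p) for p in v.split("."))

def severity(cvss):
    """Map a CVSS v3 base score onto its qualitative rating band."""
    for floor, label in ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low")):
        if cvss >= floor:
            return label
    return "None"

def is_affected(asset, rec):
    """True when the asset runs a version inside the record's affected range."""
    if asset.product != rec.product:
        return False
    v = parse_version(asset.version)
    return parse_version(rec.introduced_in) <= v < parse_version(rec.fixed_in)

def assess(inventory, repository):
    """Phase 3: match every asset against every record, highest risk first."""
    findings = [Finding(a.host, a.product, a.version, r.cve_id, r.cvss, severity(r.cvss))
                for a in inventory for r in repository if is_affected(a, r)]
    return sorted(findings, key=lambda f: f.cvss, reverse=True)

# Constructed sample data; the CVE ids are placeholders, not real identifiers.
INVENTORY = [Asset("fileserver01", "smb", "2.0"), Asset("fileserver02", "smb", "3.1.1"),
             Asset("web01", "httpd", "2.4.10"), Asset("web02", "httpd", "2.4.41")]
REPOSITORY = [VulnRecord("CVE-0000-0001", "smb", "1.0", "3.0", 9.3),
              VulnRecord("CVE-0000-0002", "httpd", "2.4.0", "2.4.30", 5.3),
              VulnRecord("CVE-0000-0003", "httpd", "2.4.0", "2.4.45", 7.5)]

if __name__ == "__main__":
    for f in assess(INVENTORY, REPOSITORY):
        print(f"{f.severity:<8} {f.cvss:>4} {f.cve_id}  {f.host} {f.product} {f.version}")
```

A real program would replace the constructed repository with NVD feed data and the version matcher with CPE matching, but the prioritisation step is the same.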
Your VA reports, like the measurements taken during a physical exam, often need the interpretation and insight of a security veteran. This is why it’s crucial to work with an expert to determine which vulnerabilities require a simple patch and which demand more in-depth remediation. In many respects, it’s like getting an MRI scan of all your systems: are they healthy or not, and which treatments will be most effective in bringing your customer databases, servers and other IT assets back to good health?
Vulnerabilities: Threats on the Rise
Security researchers, bug bounty programs, and product vendors are discovering and reporting new vulnerabilities daily. These vulnerabilities are frequently caused by either coding errors or security misconfigurations. Coding errors, including the failure to check user input, allow attackers to improperly access system memory or data, or to execute commands (as in buffer overflow and injection attacks). Of the vulnerabilities reported in Q1 2017, 68.1% are due to insufficient or improper input validation, often allowing attackers to steal company data. The failure to detect and mitigate vulnerabilities often makes front page news: there were 1,254 publicly reported data breaches in Q1 2017 alone.
WannaCry, a massive ransomware attack affecting organizations around the world, targeted the EternalBlue vulnerability, first reported on April 14, 2017 before being used in the WannaCry attack on May 12, 2017. EternalBlue exploited a vulnerability in the Windows SMB protocol that allowed remote attackers to execute arbitrary code via crafted packets. Although Microsoft released a patch for the vulnerability on March 14, 2017, many organizations had not applied the patch in time and fell victim to WannaCry.
Organizations with strong vulnerability assessment programs were able to detect the vulnerability involved in WannaCry – CVE-2017-0144 – and apply the necessary patch, preventing disaster.
A vulnerability assessment informs organizations on the weaknesses present in their environment and provides direction on how to reduce the risk those weaknesses cause. The vulnerability assessment process helps to reduce the chances an attacker is able to breach an organization’s IT systems – yielding a better understanding of assets, their vulnerabilities, and the overall risk to an organization.
For organizations seeking to reduce their security risk, a vulnerability assessment is a good place to start. It provides a thorough, inclusive assessment of hardware and software assets, identifying vulnerabilities and providing an intuitive risk score. A regular assessment program assists organizations with managing their risk in the face of an ever-evolving threat environment, identifying and scoring vulnerabilities so that attackers do not catch organizations unprepared.