A vulnerability assessment is a process of defining, identifying, classifying and prioritizing vulnerabilities in computer systems, applications, and network infrastructures. These assessments provide the organization doing the assessment with the necessary knowledge, awareness, and risk background to understand the threats to its environment and react appropriately.
A vulnerability assessment process that is intended to identify threats and the risks they pose typically involves the use of automated testing tools, such as network security scanners.
This process is of great value to any organization, provided the security professional or auditor has a clear understanding of vulnerability assessment. The results of these assessments are listed in a vulnerability assessment report prepared by the auditor. This process may involve automated and manual techniques with varying degrees of rigor and an emphasis on comprehensive coverage. Using a risk-based approach, different layers of technology may be targeted, the most common being host-layer, network-layer, and application-layer assessments.
Four basic checkpoints can be used to structure a vulnerability assessment, as defined below:
Asset and Risk Identification
Identifying the economic cost of every asset and recording it in a permanent inventory is the most basic step towards vulnerability assessment. An asset is not only hardware or infrastructure; it also includes the organization's people. This inventory makes it possible to prioritize all the assets.
The analysis of strategic factors includes:
- Risk appetite
- Risk tolerance level
- Risk mitigation practices and policies for each device
- Residual risk treatment
- Countermeasures for each device or service (if the service is correlated with the device)
- Business impact analysis
Threat evaluation and vulnerability appraisal
Researchers have found threats increasingly difficult to evaluate as attacks increase. Threat evaluation is a difficult process because of the many other dependencies attached to it. It covers natural disasters as well as human attacks, whether physical or software-based. Most attacks found in any system come from insiders.
After identifying the threats, analyzing their impact is equally important. Vulnerability appraisal is the process of identifying the severity and priority of a threat in relation to your organization. For example, if you live in an area where cyclones are frequent, you should evaluate that threat to your organization at various levels.
Selecting an Assessment Technique
Various manual and automated techniques are used for vulnerability assessment.
1- Baseline reporting: establishes the basic process that every running model should follow. If something goes wrong, this baseline serves as the reference. The baseline should be updated at regular intervals to keep security current.
2- Assessment tools:
- Port scanner: scans all TCP/IP ports to find open or exploited ports, so that any breached port can be analyzed and data security maintained.
- Sniffers: also known as protocol viewers, these capture and display network traffic; filters can be set to look only at the selected network or traffic.
- Vulnerability scanner: identifies vulnerabilities in the system.
- Honeypot: sits on the system and records the attacks made against it.
- Firewall: hardening your system with strict firewall settings also guards against attacks on the system.
- Employee training trackers: mandatory security training for every employee ensures a correct understanding of the organization's security.
Vulnerability Assessment Report
Creating a vulnerability assessment report not only serves to understand the organization's current security system but also baselines the definitions. The report defines all the loopholes in the system that could pose a risk from any attack, natural or man-made. A finding is added for every gap between the results and the system's baseline definition (deviations caused by misconfiguration, and new discoveries made).
The report also defines a risk mitigation plan for each finding. Medium- and high-risk vulnerabilities must include the following detailed data:
- Vulnerability name
- The date of discovery
- The score, based on Common Vulnerabilities and Exposures (CVE) databases
- Description of the vulnerability
- Affected systems details
- Details on process correction
- A proof of concept (PoC) of the vulnerability for the system (if possible)
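An added Python example (not from the article) that ties the baseline reporting step to the report rules above: it turns every deviation between a constructed host baseline and a constructed scan into a finding, ranks findings by score, and checks that medium- and high-risk findings carry the required details. Host names, ports, and the per-port scores are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed sample data (not from the page): expected open ports per host
# (the baseline) and the ports a scan actually observed.
BASELINE = {"web01": {22, 443}, "db01": {22, 5432}}
SCAN = {"web01": {22, 80, 443, 8080}, "db01": {5432, 3306}}
PORT_SCORE = {3306: 8.1, 8080: 7.5, 80: 5.0}  # constructed 0-10 risk scores
# Detail fields that medium- and high-risk findings must carry.
REQUIRED_DETAILS = ("description", "affected_systems", "correction")


@dataclass
class Finding:
    name: str
    discovered: date
    score: float                   # 0-10, CVSS-style scale (assumption)
    description: str = ""
    affected_systems: list = field(default_factory=list)
    correction: str = ""
    poc: str = ""                  # proof of concept, optional

    @property
    def severity(self):
        return "high" if self.score >= 7.0 else "medium" if self.score >= 4.0 else "low"

    def missing_details(self):
        """Return required fields that a medium/high finding has left empty."""
        if self.severity == "low":
            return []
        return [f for f in REQUIRED_DETAILS if not getattr(self, f)]


def baseline_deviations(baseline, scan, today=date(2024, 1, 1)):
    """Turn every gap between the scan and the baseline into a finding."""
    findings = []
    for host, expected in baseline.items():
        observed = scan.get(host, set())
        for port in sorted(observed - expected):      # open but not sanctioned
            findings.append(Finding(
                name=f"unexpected open port {port}", discovered=today,
                score=PORT_SCORE.get(port, 4.0), affected_systems=[host],
                description=f"Port {port} open on {host} but absent from baseline",
                correction=f"Close port {port} on {host} or update the baseline"))
        for port in sorted(expected - observed):      # sanctioned but missing
            findings.append(Finding(
                name=f"expected service missing on port {port}", discovered=today,
                score=3.0, affected_systems=[host]))
    # Highest risk first, so the report leads with what must be fixed first.
    return sorted(findings, key=lambda f: f.score, reverse=True)
```

Running `baseline_deviations(BASELINE, SCAN)` yields four findings, two high, one medium and one low; calling `missing_details()` on each shows which ones still lack the data the report requires.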
Considering the above factors, it is evident how vulnerability assessment can be used to improve the security posture of an organization.