Vulnerability Assessment 101
Best Practices & Solutions for Assessing Vulnerabilities.
A vulnerability assessment is a systematic study of security flaws in an information system. This endeavor examines whether the system is vulnerable to any known vulnerabilities, gives severity ratings to those vulnerabilities, and offers remedy or mitigation, if and whenever required.
What Are Vulnerabilities?
A vulnerability is a flaw in computer security, that leaves the system open to damages caused by cyber attackers. Vulnerabilities have to be solved as soon as they are discovered before a cybercriminal takes advantage and exploits them.
Here is a list of some of the most often seen kinds of security vulnerabilities:
Vulnerabilities found in software
A software vulnerability is often detected in the code or design of the program in question. These vulnerabilities may enable attackers to gain remote control of computers without the user’s permission, execute illegal operations, or get access to sensitive information such as passwords and credit card information.
Vulnerabilities found in hardware
Attackers may overcome security protections and get access to sensitive data or resources on devices such as smartphones or laptops because of hardware vulnerabilities, which are often defects in the design of the device’s hardware.
Network vulnerabilities include weaknesses in network protocols that allow attackers to intercept data as it is sent over the internet, or eavesdrop on conversations between people using email.
Vulnerability Assessment Stages
The preparation stage is where you define the purpose of the assessment. When performing an external scan, you assume the mantle of the attacker, trying to gain access to the company network.
This type of cybersecurity posture allows you to probe perimeter-based defenses such as firewalls, IDSs and IPSs (Intrusion Detection Systems and Intrusion Prevention Systems), host-based security controls, and web application firewalls. As far as internal scans are concerned, the purpose is to test the system’s architecture and ascertain the security of each layer. In ethical hacking, this is referred to as a defense-in-depth analysis.
Another aspect you should be familiar with is the difference between authenticated and unauthenticated scans. In the case of the former, running the vulnerability scan while logged in gives you access to system functions that would otherwise be hidden, which helps you stress-test the system more thoroughly. Keep this in mind when preparing any vulnerability risk assessment.
Scanning for vulnerabilities.
During the scanning phase, a tool or a set of tools is used to narrow down vulnerabilities. Some of the vulnerability assessment tools utilized in this endeavor are:
1. Nikto v.2.0
A nifty open-source web server scanner that allows you to perform various tests on your public-facing web servers. Though it’s free, Nikto 2.0 can pick up close to 7,000 malicious files and/or programs, check app versioning, do some logging, and of course, help you draft VRS reports. Really great if all you’re looking for is how to do a vulnerability scan.
2. Intruder
Not exactly open-source, but the 30-day trial is more than enough to help you secure your systems – and to decide if it’s worth the long-term commitment or not. Intruder performs over 9,000 tests and checks, and helps you identify missing patches, CMS issues, application bugs, and configuration issues.
3. NSP (Node Security Project)
Based on NPM dependencies and Node.js modules, Node Security Project’s open-source scanning tool will help you identify common and uncommon vulnerabilities. Its database is powered by NIST’s National Vulnerability Database.
4. Retina CS Community
Community-based VRS tool that can aid you in identifying unpatched applications, configuration mishaps, and more. Available on all major platforms.
5. Nexpose Community
Similar to Retina CS, Nexpose is also powered by the community – GitHub this time. Nexpose Community is a go-to solution for a lot of people looking to research system vulnerabilities without the need to purchase these solutions.
Remediation, Implementation, and Evaluation
After completing the preparation and scanning phases, you move on to the remediation phase, in which you document all your findings and formulate solutions for the discovered vulnerabilities. The implementation and re-evaluation phases usually go hand in hand: fixes are applied, and a follow-up scan confirms that they worked.
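To show how the remediation and re-evaluation stages fit together, here is an added example (not code from the original article or from any of the tools above) that takes constructed findings from a baseline scan and a post-remediation rescan, ranks them by severity for the remediation report, and reports which findings were fixed, which remain open, and which are new. Host names, check identifiers and severity labels are all constructed sample values.

```python
"""Track vulnerability assessment findings across the scanning and
re-evaluation stages (constructed example; not output of any real scanner)."""
from dataclasses import dataclass

# Severity scale used to order the remediation report (constructed mapping).
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Finding:
    host: str        # asset on which the flaw was observed
    plugin: str      # scanner check identifier (constructed values below)
    severity: str    # one of SEVERITY_RANK's keys

    @property
    def key(self):
        return (self.host, self.plugin)


def prioritise(findings):
    """Order findings for the remediation stage: highest severity first,
    then by host and check so the report is stable across runs."""
    return sorted(findings, key=lambda f: (-SEVERITY_RANK[f.severity], f.host, f.plugin))


def reevaluate(baseline, rescan):
    """Compare the baseline scan with the post-remediation rescan.
    Returns what was remediated, what is still open, and what is new
    (a regression the re-evaluation stage exists to catch)."""
    before = {f.key: f for f in baseline}
    after = {f.key: f for f in rescan}
    return {
        "remediated": prioritise(before[k] for k in before.keys() - after.keys()),
        "open": prioritise(after[k] for k in before.keys() & after.keys()),
        "new": prioritise(after[k] for k in after.keys() - before.keys()),
    }


# Constructed sample results of two scan runs (not real scanner data).
BASELINE = [
    Finding("web01", "outdated-tls-config", "high"),
    Finding("web01", "dir-listing-enabled", "medium"),
    Finding("db01", "missing-os-patch", "critical"),
]
RESCAN = [
    Finding("web01", "dir-listing-enabled", "medium"),   # still open
    Finding("web02", "missing-os-patch", "critical"),    # new host, new gap
]

if __name__ == "__main__":
    for status, items in reevaluate(BASELINE, RESCAN).items():
        print(status, [(f.host, f.plugin, f.severity) for f in items])
```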
Why Is It Important To Regularly Assess Possible Vulnerabilities in Your Organization?
Your business partners could become a liability
Cybersecurity isn’t just about securing your company’s assets. It should extend to your business partners as well. Upon drafting a new commercial partnership contract, include one or more security provisions. Why is this essential? Because what might be construed as a golden ticket for business growth can easily transform into a liability. With the onboarding process over, your partner will obtain access to your company’s virtual and physical assets. Basically, you will have inherited the security vulnerabilities of your partner. Now, to safeguard your assets and avoid future litigation, make it your point to talk to your business partner about their security issues. You can even enforce a contractual clause to avoid future mishaps.
Cost cuts may harm your company’s cybersecurity
There comes a time when you have to face the fact that your company’s not on the right track. Action must be taken and, in most cases, this translates into cuts and the dreaded outsourcing. Re-thinking departments, reallocating resources, and outsourcing services are necessary, but not sound from a cybersecurity standpoint.
Budget cuts and other measures may prove harmful to your security. So is outsourcing for that matter; entrusting your precious assets to a third party is, if you will, an act of extreme courage. GDPR aside, keep in mind that the company you’re so willing to entrust your sensitive data to may use different security standards, standards that may or may not be compatible with the ones you utilize.
Outdated emergency plans and the lack of threat vulnerability management basics.
Vulnerability risk assessment isn’t limited to your virtual assets. Better said, VRS applies to all the aspects of your business continuity plan. In case of any emergency, the results of your vulnerability risk assessment sessions will help you define actionable plans. What’s this about VRS encompassing extra-virtual assets? Fire is a risk and a very big one. Of course, it has nothing to do with malware or hackers or cybersecurity – unless the building’s on fire and the hacker taps into your system and disables the sprinklers. And yes, your vulnerability risk assessment should include fire and other types of hazards, including cybersecurity. The emergency procedures based on the results of the VRS should be kept fresh and include newer threats.
Employee cyber-awareness, the Least Privilege and Zero Trust models.
When everything else fails, blame the human. According to a study by NMS Consulting, over 95% of successful data breaches can be traced back to human error.
And how do we prevent that?
With continuous education, of course. Periodical cybersecurity drills conducted by your CTO or security officer will undoubtedly curb your employees’ itchy trigger finger, significantly decreasing the risk associated with human error. If all else fails, check out the Principle of Least Privilege and the Zero Trust Model.
We know that it’s always better to prevent than to fix, therefore you might employ continuous patching and updating in order to keep your digital assets safe.
Heimdal™ Threat Prevention might be the right choice for your business. Heimdal™ Patch & Asset Management, as our auto-patching engine, will ensure that your favorite apps (i.e. Windows, 3rd party, and proprietary) are up-to-date and risk-free. Heimdal™ Threat Prevention also packs the most advanced DNS traffic-filtering technology on the market. No malware escapes Foresight’s watchful gaze.
This article was originally written by Vladimir Unterfingher in September 2020, and was updated by Dora Tudor in February 2022.