What You Need to Know About Vulnerability Assessments
by Robert Bond
How Vulnerability Assessments Differ Across Providers
In our Vulnerability Management – A Best Practice blog post, we suggested vulnerability assessments were the process of scanning for and identifying possible vulnerabilities and risks within an organization’s systems. We further suggested that vulnerability management exists for the purpose of identifying and remediating vulnerabilities in systems quickly before they are exploited. Vulnerabilities, which are essentially flaws or weaknesses within the software can lead to a system or network that can be exploited by attackers.
These vulnerabilities must be identified, assessed, and patched regularly to ensure that they are not uncovered and exploited by attackers. To create and maintain a strong security posture, business owners and security staff must be aware of the vulnerabilities or flaws on their systems and create a process by which they can be quickly patched. It has been made clear through countless attacks across small and large businesses as well as government entities that If vulnerabilities are not identified or remediated, companies leave themselves open to an attack.
An effective vulnerability assessment can dramatically decrease an organization’s cybersecurity risk. In this blog post, we will describe what to look for when evaluating potential vulnerability assessment services.
Vulnerability Assessments Are Not the Same as Penetration Tests
First, let’s clear up some inevitable confusion that often leaks into any vulnerability assessment discussion. Vulnerability assessments and penetration tests are both designed to identify vulnerabilities within an organization’s cybersecurity defenses. However, they have different purposes and carry out the vulnerability discovery process in different ways.
We spent considerable time discussing the difference between vulnerability assessments and penetration tests in the following blog posts:
A vulnerability assessment is designed to provide a surface-level assessment of the vulnerabilities that exist within an organization’s software or applications. This type of assessment is usually automated and designed to identify unpatched systems and software containing exploitable vulnerabilities.
A penetration test, on the other hand, is largely a manual process. A skilled ethical hacker will use the same tools, techniques, and procedures that a cybercriminal would while attacking an organization’s network. This provides a much deeper view of potential attack vectors and can include non-technical security assessments, such as checking for physical security issues or using social engineering.
Should I Start with a Vulnerability Assessment or Penetration Test?
Ideally, an organization should undergo both vulnerability assessment and penetration tests regularly. However, if a choice needs to be made between them, then the right choice depends on the organization’s current level of security maturity and the goal of the assessment.
A vulnerability assessment is designed to identify “low hanging fruit” and the types of vulnerabilities that can be easily exploited by automated tools. If an organization does not have a robust vulnerability management program in place, undergoing a vulnerability assessment can dramatically decrease the organization’s cybersecurity risk.
A penetration test builds upon the results of a successful vulnerability assessment by identifying the vulnerabilities and attack vectors used by more sophisticated threats. If an organization’s public-facing applications are relatively secure or the goal is to address the risk of a specific threat, then a penetration test is the right choice.
As we suggested in previous blog posts, we recommend starting with a vulnerability assessment to identify the critical patches that need to be applied in order to eliminate the “low hanging fruit.” Or to be crystal clear, to eliminate the 80% of vulnerabilities as quickly as possible before focusing on the 20% that will likely be uncovered during a penetration test.
How a Vulnerability Assessment is Performed
Vulnerability assessments are performed by using one or more automated vulnerability scanning tools. An assessment is performed using a three-step process.
First, the vulnerability scanner needs to identify the attack surface that it will be scanning for vulnerabilities. At the beginning of an assessment, the customer will give the service provider a list or range of IP addresses to scan. The vulnerability scanner takes this list and scans the target IP addresses to determine ports are open. Each of these open ports has an application listening to it that must be scanned for exploitable vulnerabilities.
Next is the vulnerability discovery phase; the scanner attempts to identify known vulnerabilities in applications based upon certain features. For example, a certain version of an application may be known to have a certain vulnerability, so the scanner may determine the application’s version number to see if it is a match. Alternatively, a vulnerability scanner may send malformed input (such as an SQL injection attack or a cross-site scripting exploit) to an application and see how it responds.
Finally, a quality vulnerability assessment provider generates a report for the client. This report should detail the vulnerabilities identified and their relative severities and provide some guidance for remediation. Based on this, an organization should be able to identify and fix the issues within their applications.
Types of Vulnerability Assessments
Most vulnerability assessments use the same tools and automated scanners. However, the method in which the assessment is performed can impact its results and the number and types of vulnerabilities that it detects:
- Internal vs. External: Typically, an attacker starts from outside the organization’s network; however, this is not always the case. Performing an internal vulnerability scan means running it from a device within the enterprise network (i.e. behind the firewall). This assesses the organization’s vulnerability to insider threats or to an attacker that is looking to expand the access gained by stealing employee login credentials or exploiting some other vulnerability.
- Authenticated vs. Unauthenticated: Most attacks against an organization’s public-facing applications are unauthenticated; with the attacker only having access to the applications and functionality that are publicly visible. However, an attacker that has compromised some user or employee credentials can use them to gain access to additional, potentially critical functionality within an application that will allow the attacker to access sensitive information or damage data. An authenticated scan uses valid credentials as part of the scanning process to enable it to identify vulnerabilities accessible only to authenticated users.
Ideally, an organization should perform a vulnerability assessment in as many of these combinations as possible. This provides a comprehensive view of its current attack surface and enables it to effectively decrease its cybersecurity risk exposure.
How to Choose a Vulnerability Assessment Provider
A number of different automated vulnerability scanners are available for purchase, meaning that anyone could theoretically perform their own vulnerability scanning. If you are working with a service provider for vulnerability scanning it is important to ensure that you are getting some benefit beyond what a standalone scanner can provide, such as:
- Demonstrated Expertise: While anyone can run a vulnerability scanner, it takes a certain amount of knowledge to design and configure a test to achieve a certain purpose. Since the Equifax breach may have been made possible by a misconfigured vulnerability scanner, it is important to ensure that a vulnerability scan actually is doing what it should and does not create a false sense of security.
- Sample Reports: A vulnerability assessment should produce a report detailing the vulnerabilities discovered, the severity of the vulnerability, and guidance on eliminating or remediating the flaws. Before selecting a vendor, request sample vulnerability scan reports to ensure that they provide adequate information to enable the vulnerability to be successfully identified and remediated.
This is critical! Many MSSP’s and other security providers that deliver vulnerability assessments only provide scanner reports; make sure your provider delivers clear, actionable recommendations.
- Vulnerability Management Support: Vulnerability scanning is not a full vulnerability management program; after identifying a vulnerability, it is also clearly necessary to fix it. Since this can require in-depth technical and cybersecurity knowledge, choose a vulnerability assessment provider that also offers vulnerability management consultation. Implementing a vulnerability management program will help ensure that the organization does not continuously find itself chasing vulnerabilities and can effectively act upon the information provided in the vulnerability scanner report.
Not all cybersecurity assessment services are created equal, and a bad assessment can be worse than no assessment at all as a bad assessment may provide a false sense of security. Take the time to carefully consider the services that a vendor offers and ensure that they meet the organization’s security needs.
Ultimately, the overall security posture of your company is comprised of the ongoing plan you have in place for identifying vulnerabilities as well as how quickly your security team can patch the flaws and respond to threats as they arise. Simply having an expensive vulnerability scanner or security partner to handle the scans and provide line item vulnerabilities is not enough to ensure that vulnerabilities are remediated in a timely manner.
Further, proper configuration of the increasingly technical scanners is essential to eliminating vulnerabilities. In addition, while a one-time assessment often meets a short-term objective concerning insurance or compliance obligations it does not offer sufficient protection against new threats and certainly not to future vulnerabilities that will inevitably arise.
To ensure your security dollars are not wasted when new vulnerabilities are exploited, run scans consistently, and dedicate part of your team to remediate vulnerabilities. If you do not have a dedicated security team, consider hiring a trusted, outside source to not only assess the security posture of your company at this time but also to recommend ongoing measures to actively protect the information and systems for your organization.
A vulnerability management process consists of five phases:
- Vulnerability scan
- Define remediating actions
- Implement remediating actions
SecureOps experts are available to provide additional vulnerability assessment and management consultation at your convenience.
To Learn More About Vulnerability Assessments and Management or If You Have Been Attacked Please Call Us – as Always, We Are Happy to Help – 1 (888) 982-0678.
You Can Also Fill Out Our Contact Us Form Here to Talk with a Security Specialist – https://www.secureops.com/contact-us/
October 15, 2020