source : att.com
Vulnerability Assessments: Steps, Methodology Explained
This blog was written by a third party author.
What is a vulnerability assessment?
Vulnerability assessment is the process of defining, identifying, classifying, and prioritizing vulnerabilities in systems, applications, and networks. It provides an organization with the needed visibility into the risks that exist concerning external threats designed to take advantage of vulnerabilities. At a tactical level, the vulnerability assessment process can help organizations identify potential methods of unauthorized access by which threats can gain entry to the organization’s network. Assessments (and fixes based on the results) need to be performed before the vulnerabilities found can be exploited.
Every organization faces the risk of cyberattacks—regardless of organization size—so it’s beneficial to perform some form of vulnerability assessment regularly. Larger enterprises and those organizations experiencing ongoing attacks may benefit most. Assessments can be performed by internal IT security teams or outsourced to third parties that focus on security services.
4 steps to a vulnerability assessment
Assessing the current state of vulnerabilities is a bit more involved than installing vulnerability scanner software and hitting the “Scan” button. Vulnerability assessments are the foundational element your organization relies on when putting proper security controls in place, and they require proper planning, prioritization, and reporting. The process of performing a vulnerability assessment can be broken down into the following 4 high-level steps.
Step 1: Initial assessment
The goal here is to understand the importance of devices on your network and the risk associated with each. Risk can be determined using several factors, including but not limited to:
Whether a given device is accessible to the internet (whether via internal or external IP addresses)
Whether the device is publicly accessible to anyone (such as a kiosk machine)
Whether a device’s users have low-level or elevated permissions (such as administrators)
The device’s role in business processes
The determined risk can be used to prioritize the remainder of the assessment and establish the proper order for the vulnerability assessment scans. It can also be used as input for a business impact analysis that is a part of an enterprise risk management initiative.
Step 2: Define a system baseline
For each given device to be assessed for vulnerabilities, it’s necessary to understand whether its configuration meets basic security best practices. Some of the configuration factors that should be a part of a baseline include:
Operating system (OS), version, and service pack or build, if applicable
Installed services and required ports
Any unnecessary open ports
Any special security configuration, if applicable
Approach each device as if you were a malicious actor: when you perform a scan in the next step, you want to see what an internal or external threat actor can access, and you want to be able to compare that against known vulnerabilities and insecure configurations so you can interpret the results of the scan properly. In addition to the configuration factors, it is useful to gather any additional detail known about the system (such as log data pushed into a SIEM solution) and any already-known vulnerabilities for the specific OS and version, installed applications, or enabled services.
Step 3: Perform a vulnerability scan
There are a few options available when it comes to vulnerability scans, and each provides somewhat different context in its results. In general, vulnerability scans are performed either via unauthenticated or authenticated means. In an unauthenticated scan, a system is assessed from the network perimeter, looking for open ports and testing whether known exploits and attacks would succeed against it. An authenticated scan uses credentials to examine the operating system and applications from the inside, looking for misconfigurations and missing patches that threat actors can take advantage of, such as weak passwords, application vulnerabilities, and malware.
Part of the vulnerability assessment is done purely from the perspective of maintaining a good security posture. But organizations in regulated industries, or those subject to specific compliance laws, also need to consider scanning to confirm that security-specific mandates are met. For example, businesses accepting credit cards need to confirm that they meet the requirements found in section 11.2 of the Payment Card Industry Data Security Standard (PCI DSS). Likewise, businesses subject to regulations like the Health Insurance Portability and Accountability Act (HIPAA), the General Data Protection Regulation (GDPR), and others should perform scans that confirm adherence to those regulations.
Step 4: Vulnerability assessment report creation
Reporting is critical because it outlines the results of the scan, the risk and importance of the devices and systems scanned, and the next steps that should be taken. It’s been said that a report is only as valuable as the actions taken because of it, so it’s important that vulnerability assessment reporting be actionable.
Reporting should include pertinent details that can be used to respond to found vulnerabilities, including:
The date of discovery
Common Vulnerabilities and Exposures (CVE) database reference and score; vulnerabilities found with a medium or high score should be addressed immediately
A list of systems and devices found vulnerable
Detailed steps to correct the vulnerability, which can include patching and/or reconfiguration of operating systems or applications
Mitigation steps (like putting automatic OS updates in place) to keep the same type of issue from happening again
Reporting provides an organization with a full understanding of its current security posture and of the work necessary both to fix the potential threat and to mitigate the same source of vulnerabilities in the future.
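The four steps above fit together as one pipeline: rank assets by risk, define a baseline per asset, compare scan output against it, and turn the findings into an actionable, prioritized report. The following Python example is added here to show that pipeline end to end; it is not code from the article or from AT&T, and everything in it is an assumption: the risk weighting (business-role weight plus one point per exposure factor), the CVSS v3 severity bands, the device inventory, the scan output, and the `CVE-0000-000x` identifiers, which are constructed placeholders rather than real CVEs.

```python
"""Vulnerability assessment pipeline: constructed example, not the article's code."""
from dataclasses import dataclass

# ---- Step 1: initial assessment, rank assets by the article's risk factors ----
@dataclass
class Asset:
    name: str
    internet_facing: bool       # reachable from the internet (internal or external IP)
    public_access: bool         # physically usable by anyone, e.g. a kiosk
    elevated_users: bool        # its users hold administrator-level permissions
    business_role: str          # "critical", "important" or "support" (assumed scale)
    baseline_ports: frozenset   # ports the system baseline allows (Step 2)

ROLE_WEIGHT = {"critical": 3, "important": 2, "support": 1}   # assumed weights

def asset_risk(asset):
    """Risk score 1..6: business-role weight plus one point per exposure factor."""
    exposure = sum([asset.internet_facing, asset.public_access, asset.elevated_users])
    return ROLE_WEIGHT[asset.business_role] + exposure

def scan_order(assets):
    """Step 1 output: highest-risk assets are scanned first."""
    return [a.name for a in sorted(assets, key=asset_risk, reverse=True)]

# ---- Steps 2 and 3: compare what the scan saw with the baseline ----
def baseline_deviations(asset, observed_ports):
    """Open ports the scan found that this device's baseline does not allow."""
    return sorted(set(observed_ports) - set(asset.baseline_ports))

# ---- Step 4: actionable report entries ----
@dataclass
class Finding:
    cve: str            # CVE reference from the scanner (placeholder values below)
    cvss: float         # CVSS base score taken from the CVE record
    affected: list      # names of assets where the finding was observed
    fix: str            # patch / reconfiguration steps
    mitigation: str     # how to stop the same class of issue recurring

def severity(cvss):
    """CVSS v3.x qualitative rating bands."""
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    return "Low" if cvss > 0 else "None"

def build_report(assets, findings, scan_results, discovered):
    """Return report entries with the most urgent work first.

    scan_results maps asset name -> ports the scan saw open.
    Ordering: medium-or-higher findings first (the article's "address
    immediately" rule), then highest risk score among affected assets, then CVSS.
    """
    by_name = {a.name: a for a in assets}
    entries = []
    for f in findings:
        top_risk = max(asset_risk(by_name[n]) for n in f.affected)
        entries.append({
            "discovered": discovered,
            "cve": f.cve,
            "cvss": f.cvss,
            "severity": severity(f.cvss),
            "immediate": f.cvss >= 4.0,
            "systems": sorted(f.affected),
            "deviations": {n: baseline_deviations(by_name[n], scan_results.get(n, ()))
                           for n in f.affected},
            "fix": f.fix,
            "mitigation": f.mitigation,
            "_rank": (f.cvss >= 4.0, top_risk, f.cvss),
        })
    entries.sort(key=lambda e: e["_rank"], reverse=True)
    for e in entries:
        del e["_rank"]
    return entries

# ---- Constructed sample inventory, scan output and findings (not real data) ----
ASSETS = [
    Asset("web-01", True, False, False, "critical", frozenset({443})),
    Asset("kiosk-07", False, True, False, "support", frozenset({443})),
    Asset("fileserver-02", False, False, True, "important", frozenset({445, 3389})),
]
SCAN_RESULTS = {"web-01": [443, 22], "kiosk-07": [443], "fileserver-02": [445, 3389, 5985]}
FINDINGS = [
    Finding("CVE-0000-0001", 7.5, ["web-01"], "Apply vendor patch to the TLS library",
            "Enable automatic OS updates"),
    Finding("CVE-0000-0002", 3.1, ["kiosk-07"], "Remove the unused browser plugin",
            "Add plugin allow-list to the kiosk baseline"),
    Finding("CVE-0000-0003", 5.3, ["fileserver-02", "kiosk-07"], "Disable SMBv1",
            "Enforce the SMB baseline through group policy"),
]

if __name__ == "__main__":
    print("scan order:", scan_order(ASSETS))
    for entry in build_report(ASSETS, FINDINGS, SCAN_RESULTS, "2024-01-15"):
        print(entry["severity"], entry["cve"], entry["systems"], entry["deviations"])
```

Running it prints the scan order `web-01, fileserver-02, kiosk-07` and then the report entries, with the high-scoring finding on the internet-facing critical server first and the low-scoring kiosk finding last. The `deviations` field is where the Step 2 baseline pays off: a port such as 5985 or 22 that the baseline never allowed shows up next to the finding, so the reader of the report can see a configuration drift alongside the CVE rather than having to re-derive it from raw scanner output.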
About the Author: Nick Cavalancia
Nick Cavalancia is a Microsoft Cloud and Datacenter MVP, has over 25 years of enterprise IT experience, is an accomplished consultant, speaker, trainer, writer, and columnist, and has achieved industry certifications including MCSE, MCT, Master CNE, Master CNI. Nick regularly speaks, writes and blogs for some of the most recognized tech companies today on topics including cybersecurity, cloud adoption, business continuity, and compliance.