What is a Vulnerability Assessment?
by Dwayne Williams, Associate Director – Technology, Research & Cyber Competitions
Browse any news site today and you’ll likely see an article about a recent ransomware attack. Pipelines, hospitals, schools and meat packing plants have all fallen victim to these attacks in recent times. The sad reality is ransomware attacks are not a “new thing” – they’ve been around since 1989. So, why haven’t we gotten better at fighting off and preventing these attacks? One possible reason is the “bad guys” are simply better at finding gaps than the average IT person. It’s what the bad guys do all day – look for ways to get into and exploit your organization’s network.
So how do you level the playing field? You need to find those holes in your network, policies, procedures and training before the bad guys do and a vulnerability assessment can help you do that. What is a vulnerability assessment? In the simplest terms, it’s a sanctioned effort to try and find your problems before the bad guys do.
Examining everything for your entire organization can be time consuming and expensive, but vulnerability assessments can be divided into categories or phases to make them more manageable:
- External: An examination of your organization’s perimeter from the outside. This is the view an attacker will see when they first target your organization. You want to examine anything that’s visible from the Internet – public services like websites, VPN servers, firewalls, systems in the DMZ and so on.
- Internal: An examination of your organization from the inside to simulate what might happen if an attacker penetrated your organization or if one of your current employees “went rogue”.
- Application: Tests that focus on specific, critical applications, such as a customer website for a bank or online store for an e-commerce site.
- SCADA/IoT: Tests that focus on the “non-traditional”, such as HVAC systems, pipeline controls, manufacturing controls and so on.
- Cloud: An examination of your organization’s cloud-based systems and assets. This type of assessment is often tricky to do as you have to get permission and cooperation from the cloud provider.
Regardless of which type of vulnerability assessment is being performed, those performing the assessment have to be careful not to damage or disrupt the systems they are examining. It takes a fair amount of skill and knowledge to conduct a thorough vulnerability assessment without breaking things and for that reason many organizations hire someone else to do it.
There is no shortage of consulting firms that would be happy to conduct a vulnerability assessment for your organization, and there are five distinct advantages to hiring an outside company:
- They can provide a “fresh look” at your organization with no assumptions or pre-conceived notions about the way things are supposed to work.
- They will likely find things no one in your organization considered or thought about.
- You get access to highly trained and skilled expertise without carrying them on your payroll full time.
- If anything unfortunate does happen, a professional consulting firm will have insurance to protect you from loss or damages (but make sure coverage is spelled out in the contract).
- You get a nice report outlining what they found and what you need to fix/implement/address to secure your organization.
While there are advantages to hiring out a vulnerability assessment, the reality is most small businesses simply don’t have the cash to do that. Your organization and your network change over time, which means assessments can’t be a “one and done” type activity. If you can’t afford a professional vulnerability assessment on a quarterly basis, the next best thing is to have your own personnel run vulnerability assessment software such as Nessus Professional, Acunetix, Qualys or Nexpose. There’s a learning curve associated with any assessment software package, but once your own personnel are up to speed, you’ll be able to run your own vulnerability assessments on a regular basis. New vulnerabilities are discovered every day, so the more often you can scan your organization the better.
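Once a scanner is running on a schedule, the question becomes what to do with the pile of output each quarter. The script below is an added example, not code from the article or from any scanner vendor: it reads two scanner exports in the `.nessus` v2 XML layout (`NessusClientData_v2` > `Report` > `ReportHost` > `ReportItem`, which is how Nessus exports are commonly structured; treated here as an assumption), summarises findings by severity, ranks hosts by their worst finding, and diffs the new scan against the previous one so that newly appeared and fixed findings stand out. The two embedded scan documents, the hosts, plugin IDs (`9000xx`) and the CVE value are all constructed placeholders.

```python
"""Summarise and diff .nessus-style vulnerability scan exports.

Added example (not from the article). Element and attribute names follow
the .nessus v2 export layout as an assumption; all sample data is constructed.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Nessus-style severity codes carried in ReportItem/@severity.
SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

# Constructed "last quarter" export: one host, one critical, one medium, one info.
PREVIOUS_SCAN = """<NessusClientData_v2>
 <Report name="Q1 internal scan (constructed)">
  <ReportHost name="10.0.0.5">
   <ReportItem port="443" svc_name="https" protocol="tcp" severity="4"
               pluginID="900001" pluginName="Web server end-of-life (constructed)" pluginFamily="Web Servers">
    <solution>Upgrade to a supported release.</solution>
    <cve>CVE-0000-0000</cve>
   </ReportItem>
   <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="2"
               pluginID="900002" pluginName="SSH weak MAC algorithms (constructed)" pluginFamily="Misc.">
    <solution>Disable weak MAC algorithms.</solution>
   </ReportItem>
   <ReportItem port="443" svc_name="https" protocol="tcp" severity="0"
               pluginID="900003" pluginName="TLS certificate details (constructed)" pluginFamily="General"/>
  </ReportHost>
 </Report>
</NessusClientData_v2>"""

# Constructed "this quarter" export: the critical is gone, a high and a new host appeared.
CURRENT_SCAN = """<NessusClientData_v2>
 <Report name="Q2 internal scan (constructed)">
  <ReportHost name="10.0.0.5">
   <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="2"
               pluginID="900002" pluginName="SSH weak MAC algorithms (constructed)" pluginFamily="Misc.">
    <solution>Disable weak MAC algorithms.</solution>
   </ReportItem>
   <ReportItem port="443" svc_name="https" protocol="tcp" severity="0"
               pluginID="900003" pluginName="TLS certificate details (constructed)" pluginFamily="General"/>
   <ReportItem port="3389" svc_name="msrdp" protocol="tcp" severity="3"
               pluginID="900004" pluginName="Remote desktop without NLA (constructed)" pluginFamily="Windows">
    <solution>Require Network Level Authentication or restrict access.</solution>
   </ReportItem>
  </ReportHost>
  <ReportHost name="10.0.0.7">
   <ReportItem port="80" svc_name="http" protocol="tcp" severity="1"
               pluginID="900005" pluginName="HTTP banner discloses version (constructed)" pluginFamily="Web Servers"/>
  </ReportHost>
 </Report>
</NessusClientData_v2>"""


def parse_findings(xml_text):
    """Map (host, port, protocol, pluginID) -> finding details for every ReportItem.

    Informational (severity 0) items are kept; callers filter with min_severity.
    """
    root = ET.fromstring(xml_text)
    findings = {}
    for host in root.iter("ReportHost"):
        hostname = host.get("name")
        for item in host.iter("ReportItem"):
            key = (hostname, item.get("port"), item.get("protocol"), item.get("pluginID"))
            findings[key] = {
                "plugin": item.get("pluginName"),
                "severity": int(item.get("severity", "0")),
                "cve": [c.text for c in item.findall("cve")],
                "solution": (item.findtext("solution") or "").strip(),
            }
    return findings


def severity_summary(findings, min_severity=1):
    """Count findings per severity name, dropping anything below min_severity."""
    counts = Counter()
    for f in findings.values():
        if f["severity"] >= min_severity:
            counts[SEVERITY_NAMES[f["severity"]]] += 1
    return dict(counts)


def hosts_by_worst_severity(findings, min_severity=1):
    """Rank hosts by their single worst finding (worst first, then by name)."""
    worst = {}
    for (host, _port, _proto, _plugin), f in findings.items():
        if f["severity"] >= min_severity:
            worst[host] = max(worst.get(host, 0), f["severity"])
    ranked = sorted(worst.items(), key=lambda hs: (-hs[1], hs[0]))
    return [(host, SEVERITY_NAMES[sev]) for host, sev in ranked]


def diff_scans(previous, current):
    """Return (new, fixed): findings only in the current scan, and only in the previous."""
    new = {k: v for k, v in current.items() if k not in previous}
    fixed = {k: v for k, v in previous.items() if k not in current}
    return new, fixed


if __name__ == "__main__":
    prev, cur = parse_findings(PREVIOUS_SCAN), parse_findings(CURRENT_SCAN)
    print("This quarter by severity:", severity_summary(cur))
    print("Hosts, worst first:", hosts_by_worst_severity(cur))
    new, fixed = diff_scans(prev, cur)
    for key, f in new.items():
        print("NEW  ", key[0], key[1] + "/" + key[2], SEVERITY_NAMES[f["severity"]], f["plugin"])
    for key, f in fixed.items():
        print("FIXED", key[0], key[1] + "/" + key[2], SEVERITY_NAMES[f["severity"]], f["plugin"])
```

The diff key deliberately includes host, port and protocol, so the same plugin firing on a second port shows up as a separate new finding rather than being hidden behind an earlier one. If the exports you feed in come from a system you do not fully control, parse them with `defusedxml` instead of the standard-library parser; the logic is unchanged.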
You may be thinking “nobody would ever attack us, we’re too small” but the reality is no matter how large or small your organization is, bots, worms and attackers are constantly looking for a way into your systems. To keep your organization secure, you really need to find and plug those holes before the bad guys do. A vulnerability assessment will help you do that.