Get to Know Vulnerability Assessment
Learning Objectives
After completing this unit, you’ll be able to:
- Define common vulnerability assessment terms.
- Describe the goals of vulnerability assessment.
- Explain vulnerability assessment methodologies.
Vulnerability Assessment Lingo
Whether your organization builds custom applications, provides cloud communications platforms, specializes in network security, or more, it’s important to verify that your systems are secure. One of the most important ways to do so is to assess and analyze vulnerabilities.
A vulnerability is a weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source. Examples include:
- Missing operating system and application patches
- Inappropriately installed or active applications and services
- Software flaws and exploits
- Misconfigurations in systems
In addition to vulnerabilities, it’s also important to understand cybersecurity risks. These risks represent the likelihood that an attacker could use a vulnerability to attack your networks or data, and the impact this would have on your technology and business.
Cybersecurity threats can take many forms. These include a malicious actor delivering a phishing campaign to your employees, a state-sponsored attacker targeting vulnerabilities on a server to steal confidential information, or a hacktivist disrupting electronic services in support of political causes. There are also threats of nature such as hurricanes, floods, and tornadoes that can disrupt your network infrastructure.
Goals of Vulnerability Assessment
As a vulnerability assessment analyst, you manage the process of assessing and remediating threats and vulnerabilities to your organization’s systems in order to minimize cyber risks. You do your homework on your systems and their associated technologies, and help the organization identify its vulnerability footprint: the technologies that might expose vulnerabilities. You then work with application, system, and business owners to verify vulnerability remediation is performed properly.
As a vulnerability assessment analyst, you work collaboratively with those accountable for mitigating vulnerabilities in a timely manner. You verify your vulnerability management program is documented with proper policies, standards, and procedures. You also identify vulnerabilities in your environment with automated and manual techniques, while collaborating with your organization's penetration testing team for more detailed detection.
You advocate for proper funding of your vulnerability management program, and check that system owners, business and technology leaders, and executive leadership have visibility into the pervasiveness and severity of your organization’s vulnerabilities across your entire technology ecosystem.
Steps to Vulnerability Assessment
Although each organization runs their vulnerability assessment program slightly differently, there are standardized procedures you should follow in general. Let’s take a closer look.
The names of these steps can vary. In some cases, they may be listed as Discover, Assess, Report, and Remediate.
Step |
What You Do |
|---|---|
Planning |
Document vulnerability management policies and procedures, decide what methods of scanning and testing to use, identify the assets in scope, verify you know your vulnerability footprint, and think about how to integrate your vulnerability data into a reporting system. |
Scanning |
Configure your scans and scan in-scope assets for known and common vulnerabilities and exposures. |
Analysis |
Take into account your organization’s risk management posture and prioritize security flaws for actionable remediation. Identify and validate through repeat scanning any false-positives. |
Remediation |
Prioritize vulnerabilities for remediation based on your organization's vulnerability management policy, and work with remediation owners to fix and track vulnerabilities while documenting exceptions. |
The Importance of Vulnerability Assessment
To better understand the importance of vulnerability assessment and analysis, let’s follow along with Jass, a vulnerability assessment analyst at a software company. Jass plays a critical role in early and consistent identification of threats and weaknesses, which is key in IT security.
One of Jass’s responsibilities is to understand the vulnerability footprint at her organization. Through her conversations with different business analysts, she discovers that some of the software development teams use a software tool that is not officially supported by the company. Jass realizes this means that the organization's vulnerability footprint is larger than she originally thought, and she makes the security team aware of this software tool so that they can assess any related vulnerabilities.
As a vulnerability assessment analyst, it’s also Jass’s responsibility to manage vulnerability remediation efforts for her organization’s applications and systems. She works with remediation owners across the organization to track fixes. Doing so helps her address cybersecurity compliance with both internal vulnerability management policies and with relevant industry standards like the General Data Protection Regulation (GDPR) and the Payment Card Industry Data Security Standard (PCI DSS). It also helps protect her organization against data breaches and other unauthorized access.
Jass knows that vulnerability management is a continuous cycle. It involves multiple stages and spans the entire organization’s technology footprint. Often these stages overlap or run in parallel.
Types of Cybersecurity Assessment and Testing
Vulnerability assessment is just one type of cybersecurity assessment that your organization may use to secure your systems. As a vulnerability assessment analyst, it's key to understand the scope of the type of assessment that you perform. This training is focused on vulnerability assessment but contains aspects of other types of testing. Let's take a closer look.
Vulnerability Assessment
This is nonintrusive testing that focuses on analyzing an information system or product to determine the adequacy of security and privacy measures, identify security and privacy deficiencies, provide data from which to predict the effectiveness of proposed security and privacy measures, and confirm the adequacy of such measures after implementation.
Security Testing and Evaluation (ST&E)
This is a nonintrusive, formalized set of tests that evaluate a system’s security requirements to see if they have been implemented as designed and whether any of the system functionality can be used as unintended to compromise information. To learn more, check out the Security and Testing Evaluation module.
Penetration Testing
This is an intrusive or nonintrusive assessment that gauges what an attacker can access. Organizations use it to understand weaknesses in certain technologies. The penetration test can harm a system if not conducted properly or if testing parameters go outside of what has been agreed upon by all parties. Because penetration testing can harm a system, it is recommended for your legal department to sign rules of engagement before you perform the test.
Compliance Testing
This is an evaluation of a system’s compliance to regulatory standards. It is often less hands-on and usually takes the form of documentation reviews with interviews or questionnaires. To learn more, check out the Cybersecurity Compliance Analysis module.
Sum It Up
Now you understand more about vulnerability assessment and analysis. In the next unit, you learn more about the duties and qualifications of a vulnerability assessment analyst, and discover the skills that help vulnerability assessment analysts succeed.
Resources
-
External Site: World Economic Forum (WEF): Cyber-Risk Assessments
-
External Site: Fortinet: Vulnerability Assessment
-
Trailhead: Cybersecurity Compliance Analysis
-
Trailhead: Security Testing and Evaluation
