Skip to main content

Know Your Vulnerability Footprint

Learning Objectives

After completing this unit, you’ll be able to:

  • Describe how to gather information on targeted systems for vulnerability assessments.
  • Explain how vulnerability assessment analysts identify risks and threats from an attacker’s perspective.
  • Define key vulnerability management terms.

Gather Information on Systems

Have you ever wondered why some organizations appear to be so much more secure than others? To help you answer this question we are going to examine the growing importance of vulnerability assessments in a robust cybersecurity program. This will help you understand the first phase of vulnerability assessment, which is to know your vulnerability footprint. 

A vulnerability footprint is a compilation of all the technologies that might expose vulnerabilities. The goal of knowing your vulnerability footprint is to have complete visibility of your technology environment, which allows you to discover hidden risks and threats that seek to exploit unnoticed gaps and weak dependencies between systems and with third parties.

It also helps you gain an attacker’s-eye view of your external-facing infrastructure so that you can proactively mitigate threats. Threats are any circumstance or event with the potential to cause harm to an information system in the form of destruction, adverse modification of data, or denial of service. They take the form of someone that can intentionally or accidentally exploit a vulnerability. 

Footprints winding their way through computer assets.

To understand your vulnerability landscape, you first identify and understand your organization’s business processes, and you focus on those that are critical and sensitive in terms of compliance, customer privacy, and competitive position. This requires you to collaborate with IT representatives of the business units, the finance department, legal counsel, and other parts of your organization. Once you identify and rank business processes in terms of mission criticality and sensitivity, the next step is to identify the applications and data on which those mission-critical processes depend. These include organization-owned assets, dependent third-party systems or services, supply chain systems, components, and code.

Since your organization’s technology environment can change rapidly, it is recommended to use automated tools to help you discover assets, their configuration, and any changes that may occur. You use this information to understand and map out your system or application data flows, as well as their underlying hardware, software, and network infrastructures, including the protections around them.

Identify Risks and Threats

In today’s world, cybersecurity is not a problem to solve but a risk to manage. In order to manage cyber risks, once you’ve identified what assets you have, you need to analyze each one for any associated risks, vulnerabilities, and threats. Many cyberattacks take advantage of basic, often ignored security vulnerabilities, such as poor patch management, weak passwords, or lack of end-user education around security policies. Conducting risk identification and analysis allows you to prioritize the vulnerabilities that pose the biggest threats to your organization for proactive mitigation.

Keep in mind that while vulnerabilities are weaknesses in your systems, to be truly dangerous they must be accessible to an attacker, relatively easy to exploit, and have a negative impact on the business. For example, a vulnerability that requires additional components to exploit, like secure access to network services, is less of a potential risk than a vulnerability on a public-facing system that has no access controls in place. 

Knowing what is truly dangerous is important so that you can prioritize what to fix immediately, and what requires more planning for mitigation later. With potentially thousands of vulnerabilities hiding in a large organization's networks, it’s crucial to prioritize fixes based on risks and exposures to the business. 

Some questions to ask when prioritizing vulnerabilities include: 

  • What are the business and technology impacts?
  • What damage could occur if the vulnerability is exploited by an attacker?
  • How likely is it that an attacker will exploit the vulnerability?
  • How common is the finding (is it prevalent throughout your network/system)?
  • Is the vulnerability on a critical asset, and is it internet-facing?
  • How long has your network/system been exposed to the vulnerability (the longer, the higher risk)?
  • Will mitigating the issue have an impact on the immediate business need?
  • Is a mitigation available?

Vulnerability Assessment Terms

Before we move on, let’s explore some common terminology that you should be familiar with as you map your vulnerability footprint.

Common Vulnerabilities and Exposures (CVEs)

CVEs are publicly disclosed vulnerabilities identified in software and firmware. Vulnerability assessors can use scanning tools to detect vulnerabilities on systems.

Due to the pace with which new vulnerabilities are identified, the CVE database is updated regularly. Despite this, however, the speed at which new publicly identified vulnerabilities are identified is outpacing researchers’ ability to spot, tag, and categorize them.

Common Configurations and Enumerations (CCEs)

CCEs uniquely identify system configuration to create configuration guidance statements specifying a preferred or required setting or policy. Using CCEs improves configuration management work processes, allowing you to quickly and accurately correlate configuration data across multiple information sources and tools. Examples include National Institute of Standards and Technology (NIST)’s Security Content Automation Protocol (SCAP), which helps automate vulnerability management.

Security Architecture

Your security architecture provides the infrastructure for protecting your organization and its systems from a cyber attack. It should be adaptable to the evolving cyber threat landscape. Security architecture incorporates secure by design concepts like zero trust. Zero trust is a security architecture in which an organization no longer assumes that their network or systems are free of compromises.

In the past, traditional security architectures relied primarily on network boundary protections like firewalls, and anyone accessing information from inside the network was viewed as a trusted entity with limited controls at other layers of the technology stack to verify system access. This meant that if an attacker could breach the network, they could compromise internal resources with relative ease. 

With the move to zero trust, many organizations now enforce the principle of “verify before trust” to grant access to a system. This means there are additional controls within your internal technology stack to prevent unauthorized access to system resources. As you can see, your security architecture has a big impact on how you implement controls in your environment to mitigate different security vulnerabilities. 

You now have a better understanding of some of the key terms involved in identifying your vulnerability footprint. Next let’s turn to how you perform vulnerability scans of the systems you’ve identified in your technology landscape.

Resources

Keep learning for
free!
Sign up for an account to continue.
Sign Up Login
What’s in it for you?
  • Get personalized recommendations for your career goals
  • Practice your skills with hands-on challenges and quizzes
  • Track and share your progress with employers
  • Connect to mentorship and career opportunities
Skip for now