A Vulnerability Assessment can be defined as the process of
identifying, quantifying, and prioritizing
(or ranking) the vulnerabilities in an IT system. Before we take a look at a modern and complete approach organizations should adopt for assessments, let’s define some key terms:
- Vulnerability - A flaw or weakness in system security procedures, design, implementation, or internal controls
- Threat - The potential for a specific vulnerability to be exercised either intentionally or accidentally
- Control - Measures taken to prevent, detect, minimize, or eliminate risk to protect the integrity, confidentiality, and availability of information
- IP Address - A numerical label assigned to each device participating in a computer network that uses the Internet Protocol for communication
For years, the traditional Vulnerability Assessment model consisted of the following:
- Defining Scope – What IPs (internal/external) are to be scanned
- Data Collection – Scan these IPs
- Vulnerability Analysis
- Remediation Recommendations
Vulnerability Assessments can prove extremely valuable to an organization; non-intrusive scans can uncover valuable information regarding the current infrastructure. They have traditionally been conducted as part of an organization’s compliance maintenance such as PCI/HIPAA requirements. The issue with this approach is that many organizations are not required to adhere to these standards. With growing cyber security threats, all organizations should adopt Vulnerability Assessments as an active part of their organization’s risk management framework. This allows the organization to look beyond their IT infrastructure when conducting these assessments and take into account areas such as policy, procedures, and platform configuration review.
As news headlines consistently show, social engineering is a significant method of attack utilized by malicious outsiders. End users are the highest vulnerability in any organization and they should be incorporated into this assessment when possible with phishing/vishing simulation.
Another important factor in conducting a proper Vulnerability Assessment is ensuring the assessor truly understands the business overall. This can be a major factor in evaluating the risk, determining recommendations, and generating an actionable report that helps guide the organization further.
Far too often, companies believe that they’re immune to hacks, scams, and other IT data breaches. However, as the news headlines show us on an almost daily basis, it’s a matter of when your company will be attacked, not if. Therefore, it’s smart business to conduct a Vulnerability Assessment now, and to make it part of your ongoing risk management program.
To discuss this topic, contact Sassan Hejazi at Email or 215.441.4600.
You may also like: