Photo by Fancycrave on Unsplash

Photo by Fancycrave on Unsplash

Vulnerability assessment best practices for enterprises

Measure Twice, Cut Once

Article from ADMIN 46/2018
By
A vulnerability assessment is an important step toward protecting an organization's critical IT assets.

To understand how you can protect an organization's information technology properly through the use of a vulnerability assessment (VA), it is important to frame how you define a VA. For the context of this discussion, a VA is the process of identifying and quantifying vulnerabilities within a system. It can be used against many different types of systems, such as a home security alarm, a nuclear power plant, a military outpost, and a corporate computer environment. A VA is different from a risk assessment, even though they sometimes share some of the same commonalities.

VAs are concerned with the identification of vulnerabilities, the possibilities of reducing those vulnerabilities, and the improvement of the capacity to manage future incidents. In this article, I focus primarily on VA as it pertains to information technology infrastructures. Many times, an information technology VA can be conducted in conjunction with or overlapping a physical security VA. For the discussion here, I deal with information technology VAs only.

Preparation and Execution

A VA is a critical process that should be followed in any organization as a way to identify, assess, and respond to new vulnerabilities before they can be exploited by an external or internal threat. Generally, the assessing organization will perform a few common steps – outlined here and discussed in this article – when conducting a VA project for another organization:

  1. Obtain written approval from the organization for which you are conducting the VA.
  2. Find and document which information systems within the organization will be part of the VA and, just as importantly, which information systems will not be included.
  3. Define what tools, processes, and steps will take place before, during, and after the VA is conducted.
  4. Determine when the VA will occur (accurate date and time).
  5. Conduct the VA.
  6. Compile reports based on your findings from the VA.
  7. Brief the organization in person and in writing of your findings from the VA.
  8. If requested by the organization, put a plan in place to remediate the vulnerabilities found.

To understand how to frame a successful VA, a brief discussion of assets, threats, and vulnerability is useful.

Assets

An asset in the general sense is an organization's property or information that is of significant value (i.e., a critical asset). In risk management, an asset refers to the amount of damage losing an asset will cause if something bad occurs. Given that most enterprise networks have hundreds or thousands of networked information systems, vulnerability analysis and assessment by manual methods are virtually impossible. Additionally, it is impossible to ensure completely that all assets are secure. Therefore, it is imperative that information security managers and system owners focus on identifying only their critical assets – that is, those assets without which the organization's key missions would be significantly degraded or cease to function. This is a key part of the risk assessment process.

Threats

Risks to critical assets can come from a variety of threats that can be considered possible hazards and usually fall into three categories: man-made (intentional), natural disaster, and accidental (unintentional) disruptions. Therefore, an effective approach to threats will consider the full spectrum of threats and hazards, including natural disasters (e.g., floods, fires, hurricanes), domestic or international criminal activity, construction mishaps (e.g., cut fiber optic lines), and other types of incidents.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy ADMIN Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Tested – Tenable Nessus v6
    To ensure your servers and workstations are well protected against attacks on your network, you need a professional security scanner. In version 6, Tenable has substantially expanded its Nessus vulnerability scanner. We pointed the software at a number of test computers.
  • Open Source Security Information and Event Management system
    Systems, network, and security professionals face a big problem managing disparate security data from a variety of sources. OSSIM gives IT security professionals the capacity to cut through the noise and gain wisdom and foresight in defending and managing their networks.
  • Security issues when dealing with Docker images
    Although developers appreciate Docker's ease of use and flexibility, many admins are worried about vulnerabilities. We look at various approaches to securing container images and the price to be paid.
  • Managing Port Scan Results with Dr. Portscan

    Regularly scanning the ports on your own network prevents intruders from sneaking in, but if you have dozens or hundreds of servers, you’ll need professional help: Dr. Portscan to the rescue.

  • BackTrack Linux: The Ultimate Hacker's Arsenal

    Penetration Testing and security auditing are now part of every system administrator's "other duties as assigned." BackTrack Linux is a custom distribution designed for security testing for all skill levels from novice to expert.

comments powered by Disqus