Vulnerability assessment best practices for enterprises
Measure Twice, Cut Once
False Positives
A false positive is an alert for a problem that does not actually exist. Handling false positives is yet another important step in a VA. No VA software or scanner can completely eliminate false positives, and your team should be prepared to deal with these events when they are identified.
Vulnerability scanners use several methods to determine whether a system is susceptible to a known weakness. At times during the VA, the assessment team will have to do on-the-ground detective work to determine whether a reported vulnerability is real or a false positive. Misdiagnosing a false positive could skew your report results and degrade your credibility with the organization that entrusted you to conduct the VA.
Reporting the Results
Generating reports against your collected assessment data is critical to the VA program. Providing the right data to the right people is the key to a successful effort.
Some of the important details that should be contained within the assessment reports you generate include:
- Definition of VA and the goals for utilizing the applied technology.
- The specified time frame of the VA.
- The top 10 vulnerabilities found during the VA and an explanation of the found vulnerabilities.
- Categorization of the data in the report (i.e., by host, vulnerability, OS, asset, service, network mapping, and accessible ports).
- Detailed information pertaining to the identified vulnerabilities. (This will help the team that will be responsible for patching the system.)
- Report displayed by severity (each system affected by the vulnerability).
- Report displayed by system (each vulnerability on the device listed).
- Areas of the infrastructure that were part of the assessment (scope) and what was left out.
- An explanation of how the VA scanning appliances operated.
- An explanation of how the generated reports can be used to show details about the vulnerabilities and where the patches can be found.
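As an added illustration of the "by severity" and "by system" views and of keeping unconfirmed findings out of the report (example code written for this article, not a tool from the original text; the findings, host names and severity scale are constructed):

```python
"""Build the two report views from analyst-verified scan findings (constructed example)."""
from collections import defaultdict

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed sample findings. 'verified' records the analyst's on-the-ground check:
# True = confirmed real, False = confirmed false positive, None = not yet checked.
FINDINGS = [
    {"host": "db01", "vuln": "Outdated OpenSSH", "severity": "high", "verified": True},
    {"host": "web01", "vuln": "Outdated OpenSSH", "severity": "high", "verified": True},
    {"host": "web01", "vuln": "Weak TLS cipher", "severity": "medium", "verified": True},
    {"host": "web02", "vuln": "Weak TLS cipher", "severity": "medium", "verified": False},
    {"host": "web02", "vuln": "Missing HSTS", "severity": "low", "verified": None},
]

def confirmed(findings):
    """Keep only findings an analyst confirmed; false positives are dropped."""
    return [f for f in findings if f["verified"] is True]

def pending(findings):
    """Findings still awaiting verification, listed so they never silently enter the report."""
    return [f for f in findings if f["verified"] is None]

def by_severity(findings):
    """Severity view: each vulnerability with every affected system, worst first."""
    groups = defaultdict(set)
    for f in findings:
        groups[(f["severity"], f["vuln"])].add(f["host"])
    ordered = sorted(groups.items(), key=lambda kv: (SEVERITY_ORDER[kv[0][0]], kv[0][1]))
    return [{"severity": sev, "vuln": vuln, "hosts": sorted(hosts)} for (sev, vuln), hosts in ordered]

def by_system(findings):
    """System view: each device with the vulnerabilities found on it."""
    groups = defaultdict(list)
    for f in findings:
        groups[f["host"]].append(f["vuln"])
    return {host: sorted(vulns) for host, vulns in sorted(groups.items())}

def top_n(findings, n=10):
    """Top-N list: ranked by severity, then by how many systems are affected."""
    rows = by_severity(findings)
    rows.sort(key=lambda r: (SEVERITY_ORDER[r["severity"]], -len(r["hosts"]), r["vuln"]))
    return rows[:n]

if __name__ == "__main__":
    real = confirmed(FINDINGS)
    print("By severity:", by_severity(real))
    print("By system:", by_system(real))
    print("Awaiting verification:", pending(FINDINGS))
```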
Handling Scan Results
Leaks of the scanning results, which contain system vulnerability information, could facilitate attackers in exploiting the loopholes identified. Therefore, it is important to safeguard this information by keeping it in a safe place or keeping it encrypted to prevent unauthorized access. If an external party is employed for the assessment process, the organization should ensure that any party involved is trustworthy and that both findings and proprietary information will be kept secure.
Irrelevant data, giant reports, and reports filled with false positives are the easiest ways to get people to take your vulnerability reporting less seriously and can jeopardize the credibility of your VA. The goal is to create high-quality, relevant, and filtered reports for the teams that will be conducting the remediation. Your VA will give the remediation team a path forward.
After a VA, the assessed organization should institute (if not already in place) an organization-wide Cyber Security Awareness Training Program. The awareness training should include details about the completed VA. The level of detail provided during training regarding the completed VA might have to be scaled according to the audience. The possibility of an insider threat could reduce the amount of detail the senior management in the organization may be willing to provide.
Depending on the scope of the VA and the support requested after it has taken place, the awareness training should include, but is not limited to, several of the items listed under the "Reporting the Results" section, plus a couple of other items:
- A definition of VA and the goals for the technology used.
- An explanation of how the VA scanning appliances operated.
- The areas of infrastructure that were part of the assessment (scope) and that were left out.
- How the generated reports can be used to show details about the vulnerabilities and where the patches can be found.
- How the additional technology used during assessment can be used to benefit the various departments in the future.
- Details about the severity levels of a threat to an organization and at what level the organization deems something mission critical.