A vulnerability assessment is the process of defining, identifying, classifying and prioritizing vulnerabilities in computer systems, applications and network infrastructures. Vulnerability assessments give organizations the knowledge, awareness and risk context they need to understand and react to threats to their environment. A vulnerability assessment aims to identify threats and the risks they pose. It typically involves automated testing tools, such as network security scanners, whose results are collected in a vulnerability assessment report.
Organizations of any size, or even individuals who face an increased risk of cyberattacks, can benefit from some form of vulnerability assessment, but large enterprises and organizations subject to ongoing attacks will benefit most from vulnerability analysis.
Because security vulnerabilities enable hackers to access IT systems and applications, it is essential for enterprises to identify and remediate weaknesses before they can be exploited. A comprehensive vulnerability assessment, along with a vulnerability management program, can help companies improve the security of their systems.
A vulnerability can be defined in two ways:
- A bug in code or a flaw in software design that can be exploited to cause harm. Exploitation may occur via an authenticated or unauthenticated attacker.
- A gap in security procedures or a weakness in internal controls that when exploited results in a security breach.
The Importance of Vulnerability Assessments
The most common security vulnerabilities are rooted either in technology issues or user behaviour:
- Breaches can occur if insiders accidentally expose information to an external source or leak information intentionally (i.e., malicious insiders).
- Lost and stolen devices that contain unencrypted data are also a major vector for infiltration into a company’s network.
- Cybercriminals can install malware on target systems to exfiltrate data or gain control over computing systems.
Vulnerability management helps companies prevent data breaches and leaks, but it requires continuous vigilance. The process is ongoing and involves conducting periodic vulnerability assessments – when one assessment completes, another must begin.
Vulnerability assessments allow security teams to identify, analyze, categorize, report, and remediate security vulnerabilities in operating systems, business applications, endpoint devices, and browsers.
Organizations discover thousands of new vulnerabilities each year, requiring constant patching and reconfiguration to protect their networks, applications, and operating systems. However, many companies lack an effective patch management strategy and don’t apply the necessary patches in time to prevent a breach.
It is impractical to patch all vulnerabilities immediately. A vulnerability management system helps prioritize vulnerabilities and ensure the security team addresses high-risk vulnerabilities first. Vulnerability management encompasses the tooling and processes needed to find and remediate the most critical vulnerabilities regularly.
How Vulnerability Assessments Relate to IT Risk and Vulnerability Management
A vulnerability assessment explores a wide range of potential issues across multiple networks, systems, and other parts of your IT ecosystem, on-prem and cloud. It identifies weaknesses that need correction, including misconfigurations and policy non-compliance vulnerabilities that patching and maintenance alone may not address.
Most vulnerability assessments assign a risk to each threat. These risks can have a priority, urgency, and impact assigned to them, which makes it easier to focus on those that could create the most issues for an organization. This is an important part of vulnerability management, as your IT security team will have limited time and resources, and must concentrate on the areas that could cause the most damage to your business.
The information provided by a vulnerability assessment helps IT teams, as well as automated third-party tools (e.g., patch management), to prioritize vulnerabilities and chart the path for action, which usually means remediation. Sometimes, however, organizations choose to accept the risk. For instance, if the uncovered vulnerability has low potential impact and low likelihood, but fixing it would require downtime or could break other systems, IT may decide that the risk posed by the vulnerability is smaller than the risk to ongoing IT operations. This is how vulnerability assessments fit into an overarching IT risk management framework.
How does a vulnerability assessment work?
There are three primary objectives of a vulnerability assessment.
- Identify vulnerabilities ranging from critical design flaws to simple misconfigurations.
- Document the vulnerabilities so that developers can easily identify and reproduce the findings.
- Create guidance to assist developers with remediating the identified vulnerabilities.
Vulnerability testing can take various forms. One method is Dynamic Application Security Testing (DAST), a dynamic analysis technique that executes the application (most commonly a Web application) and feeds it inputs or other failure conditions in order to surface security defects at run time. Conversely, Static Application Security Testing (SAST) analyzes an application's source code or object code to identify vulnerabilities without running the program.
The two methodologies approach applications very differently. They are most effective at different phases of the software development life cycle (SDLC) and find different types of vulnerabilities. For example, SAST detects critical vulnerabilities such as cross-site scripting (XSS) and SQL injection earlier in the SDLC. DAST, on the other hand, uses an outside-in penetration testing approach to identify security vulnerabilities while Web applications are running.
Penetration testing is another method of vulnerability assessment in its own right: goal-oriented security testing that takes an adversarial approach (simulating an attacker's methods) and pursues one or more specific objectives (e.g., capture the flag).
Vulnerability Assessment Types
Several types of vulnerability assessments can be conducted, including:
1. Network-Based Vulnerability Assessment
A network-based vulnerability assessment identifies vulnerabilities in network devices such as routers, switches, firewalls, and other network infrastructure components. The primary goal of a network-based vulnerability assessment is to identify weaknesses in the network that attackers could exploit to gain unauthorized access, steal data, or launch attacks.
Network-based vulnerability assessments typically involve specialized software tools and techniques that scan the network for vulnerabilities. These tools may use various methods to identify vulnerabilities, such as port scanning, vulnerability scanning, password cracking, and network mapping.
2. Application-Based Vulnerability Assessment
An application vulnerability assessment is the process of reviewing security weaknesses in software applications (Layer 7), including websites, mobile apps and APIs. It examines whether the applications are susceptible to known vulnerabilities, assigns severity/criticality levels to those vulnerabilities, and recommends remediation or mitigation where needed.
These assessments typically involve testing the application for common vulnerabilities, such as SQL injection, cross-site scripting (XSS), and other OWASP Top 10 vulnerabilities. Application vulnerability assessments can be performed using both automated and manual methods.
OWASP compiles a periodically updated list of the most critical application vulnerabilities. In its OWASP Top 10 2021 ranking, the following risks demand attention:
- A01:2021-Broken Access Control
- A02:2021-Cryptographic Failures
- A03:2021-Injection
- A04:2021-Insecure Design
- A05:2021-Security Misconfiguration
- A06:2021-Vulnerable and Outdated Components
- A07:2021-Identification and Authentication Failures
- A08:2021-Software and Data Integrity Failures
- A09:2021-Security Logging and Monitoring Failures
- A10:2021-Server-Side Request Forgery
3. API-Based Vulnerability Assessment
API vulnerability assessment is conducted to identify and mitigate potential security risks in APIs. This process identifies vulnerabilities and weaknesses in the API’s design, implementation, and deployment. The goal is to ensure that the API is secure, reliable, and resilient to attacks.
The following OWASP API Top 10 vulnerabilities require specific attention in the vulnerability assessment process to ensure the security and integrity of API interactions:
- API1:2023 Broken Object Level Authorization
- API2:2023 Broken Authentication
- API3:2023 Broken Object Property Level Authorization
- API4:2023 Unrestricted Resource Consumption
- API5:2023 Broken Function Level Authorization (BFLA)
- API6:2023 Unrestricted Access to Sensitive Business Flows
- API7:2023 Server-Side Request Forgery (SSRF)
- API8:2023 Security Misconfiguration
- API9:2023 Improper Inventory Management
- API10:2023 Unsafe Consumption of APIs
4. Host-Based Vulnerability Assessment
A host-based vulnerability assessment identifies vulnerabilities in individual host systems, including servers, workstations, and laptops.
These assessments typically involve scanning the host system for known vulnerabilities, such as missing security patches or outdated software. Host-based vulnerability assessments can be performed using both automated and manual methods.
5. Wireless Network Vulnerability Assessment
A wireless network vulnerability assessment focuses on identifying vulnerabilities in wireless networks, including Wi-Fi networks. These assessments typically involve testing the wireless network for common vulnerabilities, such as weak encryption, default passwords, and rogue access points.
Wireless network vulnerability assessments can be performed using specialized software tools and techniques.
6. Physical Vulnerability Assessment
A physical vulnerability assessment identifies vulnerabilities in physical security measures, such as locks, surveillance cameras, and access control systems. These assessments typically involve physical inspections of the facility and its security measures.
7. Social Engineering Vulnerability Assessment
A social engineering vulnerability assessment identifies vulnerabilities in human behaviour, such as phishing attacks and other social engineering techniques.
This vulnerability assessment type typically involves simulated attacks against employees to test their awareness of security threats and their ability to identify and respond to them.
8. Cloud-Based Vulnerability Assessment
A cloud-based vulnerability assessment identifies vulnerabilities in cloud infrastructure and services, such as Amazon Web Services (AWS) and Microsoft Azure.
What Types of Threats Does Vulnerability Assessment Find?
Here are some of the most common types of threats that can be prevented through vulnerability assessment methods:
1. Malware Infections
Malware infections are among the most common cyber threats and can devastate organizations. Malware is typically delivered through attack vectors such as phishing emails, malicious websites, and software vulnerabilities.
2. Denial of Service (DoS) Attacks
DoS attacks are a type of cyberattack that aims to overwhelm a targeted system or network with traffic or other resources, causing it to crash or become unavailable to legitimate users. Vulnerability assessment can identify vulnerabilities in the network or systems that attackers could exploit to launch DoS attacks.
3. Data Breaches
Data breaches occur when attackers gain unauthorized access to sensitive data, such as personal information, financial data, or intellectual property.
4. Insider Threats
Insider threats are threats that originate from within an organization. These threats could come from current or former employees, contractors, or business partners who can access an organization’s IT resources.
Vulnerability assessment can identify vulnerabilities in applications, systems, and network devices that insiders could exploit to steal data or cause damage to an organization’s IT infrastructure.
5. Phishing Attacks
Phishing attacks are a type of cyberattack that uses social engineering techniques to trick users into sharing sensitive information, such as login credentials or financial data.
6. Web Application Attacks
Web application attacks are a type of cyberattack that targets web application vulnerabilities, such as SQL injection or cross-site scripting (XSS). Application vulnerability assessment can identify vulnerabilities in web applications and help organizations prioritize patching them.
Types of Vulnerability Assessment Tools
Modern vulnerability assessments rely on automated scanning tools. Here are the main categories of tools used to scan an environment for vulnerabilities:
- Network-based scanning—used to identify potential network security attacks. This type of scan can also detect vulnerable systems on wired or wireless networks.
- Host-based scanning—used to identify vulnerabilities on servers, workstations, or other network hosts. This type of scan looks for vulnerable open ports and services, providing insights about the configuration settings and patch history of scanned systems.
- Wireless network scans—used to scan an organization’s Wi-Fi network to identify security weaknesses. These scans can identify malicious access points and ensure that wireless networks are configured securely.
- Application scans—used to test websites and mobile applications for known software vulnerabilities and misconfigurations.
- Database scans—used to identify vulnerabilities that might allow database-specific attacks like SQL and NoSQL injection, as well as general vulnerabilities and misconfigurations in a database server.
5-Step Vulnerability Assessment Process
1. Initial Preparation
In this stage, the team decides the scope and goals of vulnerability testing. This involves:
- Identifying protected assets and equipment and mapping out all endpoints.
- Determining the business value of each asset and the impact if it is attacked.
- Identifying access controls and other security requirements of each system.
- Determining if systems hold sensitive data, and how sensitive data is transferred between systems.
- Recording a baseline of services, processes, and open ports on protected assets.
- Determining operating systems and software deployed on assets.
This information can help security teams understand the attack surfaces and the most severe threat scenarios, and develop a remediation strategy.
2. Vulnerability Assessment Testing
In this stage, the team runs automated vulnerability scans on target devices and environments. If necessary, they use manual tools to investigate the security posture of a system.
To automate this stage and make it more efficient, teams typically rely on one or more vulnerability databases, vendor security advisories, and threat intelligence feeds.
A single test can take anywhere from a minute to several hours, depending on the size of the target system and the type of scan.
3. Prioritize Vulnerabilities
At this stage, the team removes false positives from the vulnerability scanning results and prioritizes vulnerabilities according to several factors. These can include:
- Severity score provided by a vulnerability database
- The business impact if a vulnerability is exploited
- Sensitive data that might be at risk
- The ease of exploiting the vulnerability
- How long the vulnerability has been in place
- The ability to perform lateral movement from this system to other sensitive systems
- The availability of a patch and the effort needed to deploy it
4. Create a Vulnerability Assessment Report
At this stage, the team creates a unified report showing vulnerabilities found in all protected assets, with a plan for remediating them.
For medium- to high-risk vulnerabilities, the report should provide information about the vulnerability, when it was discovered, which systems it affects, the potential damage if attackers exploit it, and the plan and effort required to remediate it.
Where possible, the team should also provide a proof of concept (PoC) demonstrating how each critical vulnerability could be exploited.
5. Continuous Vulnerability Assessment
Vulnerability scans provide a point-in-time snapshot of vulnerabilities that exist in an organization’s digital infrastructure. However, new deployments, configuration changes, newly discovered vulnerabilities, and other factors can result in new vulnerabilities. Because vulnerabilities are not static, vulnerability management should also be a continuous process.
Software development teams should incorporate automated vulnerability assessment into their continuous integration and deployment (CI/CD) pipeline. This allows vulnerabilities to be identified and fixed as early as possible in the software development lifecycle (SDLC), eliminating the need to develop and release patches for vulnerable code.
However, because this process cannot catch all vulnerabilities, and many vulnerabilities occur in legacy or third-party systems, it must be complemented by continuous vulnerability scans of production systems.
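Steps 3 and 4 of the process above as an added worked example in Python (not code from the original article): verified false positives are dropped, the remaining findings are ranked on the factors step 3 lists, and one report row is emitted per medium-or-higher finding with the fields step 4 calls for. The findings, the field names and the scoring weights are constructed for this illustration and are not a standard.

```python
"""Steps 3 and 4 above: drop false positives, rank findings, emit report rows.

Findings mimic a normalised scanner export. All values are constructed for
this example, and the weights in risk_score() are this example's own choice.
"""

# patch_effort: 1 (trivial) to 5 (major change); 0 means no fix is available yet.
FINDINGS = [
    {"id": "F-1", "host": "db01", "title": "Unpatched database service", "cvss": 9.8,
     "asset_value": 5, "sensitive_data": True, "exploit_public": True, "age_days": 120,
     "lateral": True, "patch_effort": 2, "false_positive": False},
    {"id": "F-2", "host": "kiosk03", "title": "Outdated browser plugin", "cvss": 7.5,
     "asset_value": 1, "sensitive_data": False, "exploit_public": False, "age_days": 10,
     "lateral": False, "patch_effort": 1, "false_positive": False},
    {"id": "F-3", "host": "web02", "title": "Reflected XSS in search form", "cvss": 6.1,
     "asset_value": 4, "sensitive_data": True, "exploit_public": True, "age_days": 45,
     "lateral": False, "patch_effort": 0, "false_positive": False},
    {"id": "F-4", "host": "web02", "title": "Version match on banner only", "cvss": 9.1,
     "asset_value": 4, "sensitive_data": True, "exploit_public": True, "age_days": 3,
     "lateral": False, "patch_effort": 1, "false_positive": True},  # verified FP
]

def risk_score(f):
    """Combine the step-3 factors into one number (roughly 0..90)."""
    score = f["cvss"] * f["asset_value"]        # severity x business impact, 0..50
    score += 10 if f["sensitive_data"] else 0   # sensitive data at risk
    score += 10 if f["exploit_public"] else 0   # ease of exploitation
    score += 10 if f["lateral"] else 0          # path to other sensitive systems
    score += min(f["age_days"] // 30, 6)        # up to 6 points for time exposed
    if f["patch_effort"]:
        score += 5 - f["patch_effort"]          # cheap, available fixes float up
    return round(score, 1)

def tier(score):
    return "critical" if score >= 60 else "high" if score >= 30 else "medium" if score >= 15 else "low"

def prioritize(findings):
    """Drop verified false positives, then rank the rest by descending risk."""
    live = [f for f in findings if not f["false_positive"]]
    return sorted(((risk_score(f), f) for f in live), key=lambda p: p[0], reverse=True)

def report_entries(findings):
    """Step 4: one row per medium-or-higher finding with the fields the text calls for."""
    rows = []
    for score, f in prioritize(findings):
        t = tier(score)
        if t == "low":
            continue
        plan = f"patch, effort {f['patch_effort']}/5" if f["patch_effort"] else "no fix yet: mitigate and track"
        rows.append(f"{f['id']} [{t} {score}] {f['host']}: {f['title']}; exposed {f['age_days']}d; plan: {plan}")
    return rows

if __name__ == "__main__":
    print("\n".join(report_entries(FINDINGS)))
```

Re-running the same scoring after each scan (step 5) turns the point-in-time snapshot into a trend: a finding whose age keeps climbing without a plan is the one to escalate.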
Conclusion
In this article, we explained the basics of vulnerability assessment, covered the main tools that can be used to identify vulnerabilities, including network scanning, host scanning, and application scanning, and presented a 5-step process for managing vulnerability assessments in your organization: