Vulnerability assessment is the process of identifying, classifying, and prioritizing security vulnerabilities in IT infrastructure. A comprehensive vulnerability assessment evaluates whether an IT system is exposed to known vulnerabilities, assigns severity levels to identified vulnerabilities, and recommends remediation or mitigation steps where required.
Vulnerability assessments are a common security procedure as they provide a detailed view of the security risks an organization may face, enabling them to better protect their information technology and sensitive data from cyber threats.
Why is vulnerability assessment important?
Vulnerability assessment is important because it provides you with information about the security weaknesses in your environment and provides direction on how to remediate or mitigate the issues before they can be exploited.
This process provides you with a better understanding of your IT infrastructure, security flaws and overall risk, which greatly improves information security and application security standards while reducing the likelihood that a cybercriminal will gain unauthorized access to your organization.
What are the different types of vulnerability assessment?
There are several types of vulnerability assessment:
- Network-based assessment: Used to identify possible network security issues and can detect vulnerable systems on wired and wireless networks.
- Host-based assessment: Used to locate and identify vulnerabilities in servers, workstations, and other network hosts. This scan typically examines open ports and services and can offer visibility into the configuration settings and patch management of scanned systems.
- Wireless network assessment: Used to scan Wi-Fi networks and attack vectors in the wireless network infrastructure. It can validate your company's network is securely configured to prevent unauthorized access and can also identify rogue access points.
- Application assessment: The identification of security vulnerabilities in web applications and their source code by using automated vulnerability scanning tools on the front-end or static/dynamic analysis of source code.
- Database assessment: The assessment of databases or big data systems for vulnerabilities and misconfiguration, identifying rogue databases or insecure dev/test environments, and classifying sensitive data to improve data security.
What is the security vulnerability assessment process?
The security vulnerability process consists of five steps:
- Vulnerability identification: Analyzing network scans, pen test results, firewall logs, and vulnerability scan results to find anomalies that suggest a cyber attack could take advantage of a vulnerability.
- Vulnerability analysis: Decide whether the identified vulnerability could be exploited and classify the severity of the exploit to understand the level of security risk.
- Risk assessment: Assess which vulnerabilities will be mitigated or remediated first based on their wormability and other risks.
- Remediation: Update affected software or hardware where possible.
- Mitigation: Decide on countermeasures and how to measure their effectiveness in the event that a patch is not available.
The vulnerability assessment process is a critical component of vulnerability management and IT risk management lifecycles and must be done on a regular basis to be effective.
For more information, see our guide on vulnerability management.
1. Vulnerability identification
Vulnerability identification is the process of discovering and making a complete list of vulnerabilities in your IT infrastructure.
This is generally achieved through a combination of automated vulnerability scanning and manual penetration testing.
A vulnerability scanner can assess computers, networks or web applications for known vulnerabilities like those listed on the Common Vulnerabilities and Exposures (CVE).
Vulnerability testing can be run via authenticated or unauthenticated scans:
- Authenticated scans: Allow vulnerability scanners access networked resources using remote administrative protocols and authenticate using provided system credentials. The benefit of authenticated scans is that they provide access to low-level data such as specific services, configuration details and accurate information about operating systems, installed software, configuration issues, access control, security controls and patch management.
- Unauthenticated scans: Don't provide access to networked resources, which can result in false positives and unreliable information about operating systems and installed software. This type of scan is generally used by cyber attackers and IT security analysts to try and determine the security posture of externally facing assets, third-party vendors and to find possible data leaks.
Like any security testing, vulnerability scanning isn't perfect which is why other techniques like penetration testing are used. Penetration testing is the practice of testing an information technology asset to find exploitable vulnerabilities and can be automated with software or performed manually.
Whether run automatically or performed manually by a security team, pen testing can find security flaws and possible attack vectors that are missed by vulnerability scanning tools. It can also be used to test on-premise security controls, adherence to information security policies, employees susceptibility to social engineering attacks like phishing or spear phishing, as well as to test incident response plans.
2. Vulnerability analysis
After vulnerabilities are identified, you need to identify which components are responsible for each vulnerability, and the root cause of the security weaknesses. For example, the root cause of the vulnerability could be an outdated version of an open-source library.
In this situation, there is a clear path to remediation, upgrading the library. However, there isn't always a simple solution, which is why organizations often need to run each vulnerability through a security assessment process that classifies the severity of the vulnerability, identifies possible solutions, and decides whether to accept, remediate or mitigate the identified risk based on the organization's risk management strategy.
3. Risk assessment
The objective of this step is to prioritize vulnerabilities. This often involves using a vulnerability assessment tool that assigns a rank or severity to each vulnerability.
For example, UpGuard BreachSight, an attack surface management tool, uses the Common Vulnerability Scoring System (CVSS) scores to assign a numerical score from 0 to 10 based on the principal characteristics and severity of the vulnerability.
With that said, any good vulnerability assessment report will take in additional factors such as:
- What system is affected
- What sensitive data is stored on the system, e.g. personally identifiable information (PII) or protected health information (PHI)
- What business functions rely on the system
- The ease of attack or compromise
- The business impact of a successful exploit
- Whether the vulnerability is accessible from the Internet or requires physical access
- How old the vulnerability is
- Any regulatory requirement your organization has, e.g. CCPA, FISMA, GLBA, PIPEDA, LGPD, 23 NYCRR 500, FIPA, PCI DSS, HIPAA, or the SHIELD Act
- The cost of a data breach in your industry
Remediation involves fixing any security issues that were deemed unacceptable in the risk assessment process. This is typically a joint effort between development, operations, compliance, risk management, and security teams, who decide on a cost-effective path to remediate each vulnerability.
Many vulnerability management systems will provide recommended remediation techniques for common vulnerabilities, which can be as simple as installing readily-available security patches or as complex as replacing hardware.
Specific remediation steps will vary on the vulnerability but often include:
- Updating operational procedures
- Developing a robust configuration management process
- Patching software
Not every vulnerability can be remediated, which is where mitigation comes in. Mitigation is focused on reducing the likelihood that a vulnerability can be exploited or reducing the impact of the exploit.
Specific mitigation steps will vary greatly, depending on your risk tolerance and budget but often include:
- Introducing new security controls
- Replacing hardware or software
- Vendor risk management
- Attack surface management
- Continuous security monitoring
What potential threats can be prevented by vulnerability assessment?
Examples of cyber attacks that can be prevented by vulnerability assessment include:
- Privilege escalation attacks: Privilege escalation is the exploitation of a programming error, vulnerability, design flaw, configuration oversight or access control in an operating system or application to gain unauthorized access to resources that are usually restricted from the application or user. Read more about privilege escalation here.
- SQL injections: SQL injection attacks happen when invalidated or untrusted data is sent to a code interpreter through form input or another data submission field in a web application. Successful injection attacks can result in data leaks, data corruption, data breaches, loss of accountability, and denial of access.
- XSS attacks: Cross-site scripting (XSS) is a type of security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users and may be used to bypass access control, such as the same-origin policy. The impact of XSS can range from a small nuisance to significant cybersecurity risk, depending on the sensitivity of data handled by the vulnerable website, and the nature of any mitigations implemented. Read more about cross-site scripting here.
- Insecure defaults: It's common for software and hardware to ship with insecure settings, such as easily guessable passwords, to make onboarding easier. While this is good from a usability perspective, many people leave these default configurations intact which can leave them exposed.
What are the different types of vulnerability assessment tools?
Vulnerability assessment tools are designed to automatically scan for new and existing threats in your IT infrastructure. Types of tools include:
- Web application scanners that map out the attack surface and simulate know attack vectors
- Protocol scanners that search for vulnerable protocols, ports, and other services
- Network scanners that help visualize networks and discover network vulnerabilities like stray IP addresses, spoofed packets, and suspicious packet generation
It's best practice to schedule regular, automated scans of all infrastructure and use the results as part of your ongoing vulnerability assessment process.
UpGuard BreachSight will automatically scan your attack surface daily for vulnerabilities.
What's the difference between vulnerability assessment and penetration testing?
As noted above, a vulnerability assessment often includes penetration testing to identify vulnerabilities that might not be detected by automated scanning. This process is commonly referred to as vulnerability assessment/penetration testing (VAPT).
With that said, penetration testing alone isn't sufficient as a complete vulnerability assessment. Vulnerability assessment aims to uncover vulnerabilities and recommend the appropriate mitigation or remediation steps to reduce or remove the identified risk.
In contrast, penetration testing involves identifying vulnerabilities and attempting to exploit them to attack a system, cause a data breach, or expose sensitive data. While this can be carried out as part of a vulnerability assessment, the primary aim of penetration testing is to check whether a vulnerability exists that is exploitable.
How UpGuard can help with vulnerability assessment
Companies like Intercontinental Exchange, Taylor Fry, The New York Stock Exchange, IAG, First State Super, Akamai, Morningstar, and NASA use UpGuard's security ratings to protect their data, prevent data breaches and assess their security operations.
For the assessment of your information security controls, UpGuard BreachSight can monitor your organization for 70+ security controls providing a simple, easy-to-understand cyber security rating and automatically detect leaked credentials and data exposures in S3 buckets, Rsync servers, GitHub repos, and more.
The Vulnerabilities module of UpGuard BreachSight lists published vulnerabilities that may be exploitable in the software that is running on your IT infrastructure. These vulnerabilities are automatically identified through information exposed in HTTP headers and website content.
Each identified vulnerability is given a CVSS, a published standard developed to capture the principal characteristics of a vulnerability, that produces a numerical score between 0 and 10 reflecting its severity.
UpGuard Vendor Risk can minimize the amount of time your organization spends assessing related and third-party information security controls by automating vendor questionnaires and providing vendor questionnaire templates.
We can also help you instantly benchmark your current and potential vendors against their industry, so you can see how they stack up.
You can read more about what our customers are saying on Gartner reviews.
If you'd like to see your organization's security rating, click here to request your free Cyber Security Rating.