pixel_dreams - Fotolia

Vulnerability assessment done. Now what?

Vulnerability assessment establishes the current state of an organisation’s cyber security, but to meet industry best practices, companies should go beyond that to achieve continuous improvement

For modern companies, a small website outage or data breach can spell huge disaster to the organisation’s profits and reputation. This is what makes the job of information technology security officers such a challenge – they are responsible for protecting all digital systems from external attacks, even though they can’t predict how, when or where they will occur.

That makes cyber security, as a practice, essentially impossible to perfect. Companies must accept the fact that vulnerabilities exist in their current infrastructure and software and are likely to continue to appear as they expand. But that doesn’t mean you can take a hands-off approach. The opposite is the case, because IT security officers must be as proactive as possible in locating and patching found vulnerabilities.

It is imperative for IT departments to become familiar with an activity known as a vulnerability assessment (VA), which helps to assess the current state of your organisation’s cyber security efforts. But to meet industry best practices, you should go beyond a simple VA and turn that activity into a continuous improvement strategy.

What is a vulnerability assessment?

Every organisation that has an online presence must treat all cyber security threats with utmost seriousness, regardless of their size or type of industry. Digital systems typically house the data that is most critical to business operations. Failing to protect them is a disaster waiting to happen.

The responsibility for running a VA should fall under the domain of the local IT security group. In some cases, if in-house resources are limited, a company may choose to outsource the activity to a third party that has expertise in risk management.

A complete VA will typically focus on three layers of technology – network, applications and databases. During the network phase, scanning tools are run across all Ethernet and wireless equipment to check how ports and services are configured. These scans can identify any security holes within a network that could allow an intruder to access internal resources.

For the applications part of a VA, security experts will carry out what is known as penetration testing. This involves simulating the actions of hackers by attempting to execute common attacks through web or native applications. The VA final report will indicate which parts of the applications are most likely to be targeted.

Lastly, a comprehensive VA must look at the database layer to understand the risks of a full-scale data breach, where an intruder is able to steal information directly from a back-end system. This assessment will check all access privileges as well as configuration settings made at the server level.

What is a vulnerability management programme?

After a VA has been completed, the IT security team delivers a final report to all major stakeholders in the organisation. This is an important start to meeting best practices of cyber security, but alone, it does not guarantee protection.

Proactive measures are the key to strong IT security and that is where the concept of a vulnerability management programme (VMP) comes into play. A VMP treats the assessment as an input to a continuous approach to cyber security and system reliability. This is critical because as technology continues to change and evolve, so must the approach to safeguarding it.

The final report from a VA should indicate where potential security gaps exist. The next step in the VMP process is to verify the realistic risk of each one and then prioritise them based on severity. After that, the team running the VMP must determine a mitigation tactic for each identified vulnerability. The proper solution depends on whether it is a supplier product, in-house tool or a network-based issue.

Lastly, the VMP should dictate when patches (security updates) for supplier products are installed and automated.

Read more about vulnerability management

The processes within the VMP must continue to loop. Once all system risks have been addressed, a new VA should be scheduled to start the activities again. The team maintaining the VMP must constantly be accounting for new devices, networks and users who have entered the organisation.

This is especially true with the movement towards the internet of things (IoT), where every type of machine, from light bulbs to coffee makers, comes with Wi-Fi connectivity installed. Because these types of device have historically had little built-in security, they are highly vulnerable to all sorts of damaging network-based hacks.

What is the tangible benefit of VAs and VMPs? These activities may require a significant amount of time and human resources, so an IT team is likely to be asked to justify the effort. Fortunately, the right approach to vulnerability management has proven, in many case studies, to be a critical form of protection for organisations of all sizes. Yet a recent survey revealed that less than half of companies actively follow a VMP.

The worst-case scenario for a company is that a hacker manages to infiltrate its network and is not identified until a larger attack is executed. This includes exploits ranging from an old standby like ransomware to newer types such as cryptojacking and everything in between.

Tools + tactics = good VMP

A successful VMP strategy involves the tactics discussed above, as well as a couple of tools. The first tool to deploy is a virtual private network (VPN) in conjunction with your regular ISP (internet service provider).

Although the technology is still evolving, VPNs not only anonymise your geographical location by routing traffic through the server of your choice, but also encrypt all session-related data, so even if a hacker managed to access your data (called “packets”), they wouldn’t know what it contained, and the information would remain secure. VPNs are a subset of proxy servers, which, as the name implies, are intermediary proxies between your computer and the rest of the internet.

In addition to using a proxy server to encrypt your network, your company should install a firewall to monitor incoming web traffic and block anything that looks suspicious. Firewalls are a great tool for managing cyber security, but it is important to pair it with a VPN and larger VMP effort to ensure that your network is updated regularly to handle new threats as they emerge.

A vulnerability assessment is designed to scan all technology resources within an organisation and pinpoint areas of major risk. Using that information to drive a vulnerability management programme is the next step in cyber security maturity, but it is still not a foolproof endeavour.

When a single suspicious email can lead to a major intrusion of a network and large-scale attack, it is essential never to let security efforts find an equilibrium. In this area, a company must always be moving forward just to stay even.

Read more on IT risk management

Data Center
Data Management