Vulnerability assessments are very important tools for upper management and their organization. A vulnerability assessment takes a look at the current security status of a business's network and systems with regard to the data being protected and the effectiveness of the protections against an expected level of attack; the assessment aids in preventing unauthorized access to the network and systems by providing a high-level overview of security that allows management to fix the issues before they are exploited. The most effective assessment looks at more than just closing ports on the network. Rather, it requires a comprehensive understanding of the most tantalizing targets for invaders, the impact of loss upon the network's company or organization, and recognition of the true business risks.
Once the assessment has been performed, the business can use the information gathered to reallocate resources towards the improvement of the systems and network. Therefore, the vulnerability assessment is rarely performed in isolation, but rather as part of a review series that includes penetration testing, system hardening and defense-in-depth strategies that cover all aspects of the business, including operations.
The vulnerability assessment begins with a cataloging of all resources currently in the system. This includes software, hardware, objects that allow access or administrative capabilities, the maximum capability of each item and the extent to which it is currently used.
Step 1. Identify the data and critical functions of the business. Take note of the most likely targets for attackers. This knowledge allows you to focus security measures where they are most needed and also to analyze more accurately the impact of loss in case of an attack or other issue that can cause a detrimental impact. This may already have been accomplished in your organization's business impact analysis, so check there first to start with a baseline and save yourself some time.
Step 2. Identify the contributing applications and data that support the business operations and key processes identified in step 1. Again, take note of these essential applications. These contributing applications and resources may also have been tracked in your business impact analysis.
Step 3. Identify your hidden data sources. These are typically mobile devices and laptops that sometimes get overlooked. Many times these devices sit outside the other security controls implemented at the organization and often hold sensitive data with minimal protection. They always present a high security risk, so if you haven't already, first evaluate what may be on these mobile devices and then encrypt them as soon as you can. This can be done pretty cheaply these days and will save you a headache later on, as it is only a matter of time until a laptop is stolen.
Step 4. Identify the hardware that runs or supports those mission-critical applications and sensitive data. These are your routers and anything on the perimeter of your network controlling security. It is always a good idea to have your Access Control Lists thoroughly reviewed by someone other than the person who manages them. Many times these lists become so complicated that it is hard to understand what is actually going on. This is usually the main reason that openings to the network are overlooked, allowing attackers access they normally wouldn't get.
Step 5. Run vulnerability scans both internally and externally to establish all available services, shares, software, and user accounts within the environment. This will help you identify current measures and controls, examine how they are used, and determine the extent of their capabilities. Map the network to ensure an understanding of all information flow through the systems and network. Visio is perfect for that task.
Step 6. A trained professional should conduct a review of patches on the machines, assessing their exposure factor and looking for external vulnerabilities as an attacker would. This includes enumerating all possible ports, entry points, and gates that permit access into the system/network from an attacker's point of view. Identify all open services and processes. These are the points of vulnerability that attackers can use to access the system. An outsider usually does this as well, as it is very easy to overlook issues when you are looking at your own network.
Step 7. Document all your findings and present them to upper management. The report should list the vulnerabilities discovered, rank the risks (from the most critical to the lowest risk) and quantify the impact of loss. Suggestions to mitigate risk should be included along with your calculations of annual loss expectancy (ALE) and single loss expectancy (SLE).
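As an added illustration of the Step 7 risk ranking (example code, not part of the original article), the script below computes single loss expectancy (SLE = asset value × exposure factor) and annual loss expectancy (ALE = SLE × annual rate of occurrence) for a constructed set of findings, orders them from most to least critical, and flags whether each proposed mitigation costs less per year than the loss it removes. The asset names, dollar figures, rates and mitigation costs are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    asset: str
    vulnerability: str
    asset_value: float       # AV: business value of the asset, dollars (constructed)
    exposure_factor: float   # EF: fraction of AV lost in one incident, 0.0 to 1.0
    annual_rate: float       # ARO: expected incidents per year
    mitigation: str
    mitigation_cost: float   # annualized cost of the proposed fix, dollars

    def sle(self) -> float:
        """Single loss expectancy: SLE = AV * EF."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.asset}: exposure factor must be between 0 and 1")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual loss expectancy: ALE = SLE * ARO."""
        if self.annual_rate < 0:
            raise ValueError(f"{self.asset}: annual rate of occurrence cannot be negative")
        return self.sle() * self.annual_rate

    def fix_is_justified(self) -> bool:
        """A fix pays for itself when its yearly cost is no more than the ALE it removes."""
        return self.mitigation_cost <= self.ale()

def rank_findings(findings: list[Finding]) -> list[Finding]:
    """Order findings from most to least critical by annualized loss."""
    return sorted(findings, key=lambda f: f.ale(), reverse=True)

def risk_report(findings: list[Finding]) -> list[str]:
    """One line per finding, highest ALE first, for the management summary."""
    lines = []
    for f in rank_findings(findings):
        flag = "JUSTIFIED" if f.fix_is_justified() else "REVIEW"
        lines.append(f"{f.asset}: {f.vulnerability} | SLE ${f.sle():,.0f} | ALE ${f.ale():,.0f}"
                     f" | fix: {f.mitigation} (${f.mitigation_cost:,.0f}/yr, {flag})")
    return lines

# Constructed sample findings; the figures are illustrative, not measured.
SAMPLE_FINDINGS = [
    Finding("Customer database server", "Unpatched database service on internal VLAN",
            500_000, 0.40, 0.5, "Apply vendor patches; restrict service to app tier", 8_000),
    Finding("Sales laptops", "Sensitive customer data on unencrypted mobile devices",
            80_000, 0.75, 2.0, "Full-disk encryption with central key escrow", 20_000),
    Finding("Perimeter router", "Overly permissive ACL entry exposing management port",
            300_000, 0.20, 0.25, "Independent ACL review; remove stale rule", 30_000),
]
```

Calling `risk_report(SAMPLE_FINDINGS)` ranks the unencrypted laptops above the database server: their per-incident loss is smaller, but the higher expected frequency of loss makes them the larger annual risk, which is the ordering management needs to see.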
Assessments should be run regularly to maintain the security of your network. Any time hardware, software, or firmware is altered, a new assessment should be conducted to account for the change. Up-to-date assessments mitigate the possible effects and success of malicious activity on the network. Regular vulnerability assessments are required for compliance with several business and industry standards such as NCUA, PCI DSS, the Gramm-Leach-Bliley Act, and FFIEC. While 100 percent security is impossible to guarantee, regular performance of these assessments, testing, and the implementation of the security measures they identify minimizes security breaches and damages in a maintainable fashion.