In order to best protect your business, you need to know where you are most vulnerable. Spending time to understand where a hacker might try to infiltrate your system allows you to be proactive in shoring up any weak spots. That's where vulnerability assessments come into play. To get the most out of these internal examinations, you must understand what a vulnerability assessment is and entails.
What is a vulnerability assessment?
A vulnerability assessment is a process of examining a business's information security practices and protections. It's something all businesses, large and small, should undertake regularly.
Would you go on vacation without checking that the stove was off, no faucets were dripping and the door was locked? Of course not. Nor would you assume that once working, everything in a home would continue to operate normally, no matter how much time had passed or how many conditions had changed. You always need to keep an eye on your home's general operation. The way you monitor your home is a form of vulnerability assessment, looking for potential malfunctions to prevent future problems.
The concept is the same for computer systems, networks, and all the hardware and software attached to them. You want to be sure that no one can get unauthorized access, break in, cause damage, shut down or alter your website; push through phony orders or charges; or otherwise hurt your business.
People protect their homes – and cars, bicycles or other property – because they're vulnerable to outside threats. The protection process is routine. Likewise, business owners lock up their facilities, run criminal background checks on new hires, track inventory and stay vigilant to prevent obvious problems.
When it comes to their digital existence, though, many business owners are far less thorough. That's a shame, because there's a world of threats out there, and a vulnerability assessment can reveal where systems are weak and identify issues before they lead to devastating problems.
Editor's note: Looking for the right access control system for your business? Fill out the below questionnaire to have our vendor partners contact you about your needs.
What does a vulnerability assessment entail?
A vulnerability assessment is a detailed and systematic examination of a company's computing infrastructure to determine any weaknesses in design, implementation or practices that could lead to a successful attack.
Security professionals typically perform the assessment. Few companies have the internal resources to do an adequate job, and an outside perspective is essential. There's also the need for specialized software and hardware, information resources, and other tools to conduct the testing correctly.
Why should you conduct a vulnerability assessment?
Before considering a vulnerability assessment's elements, you must understand why you need one. The reason for any business, regardless of size, to conduct a vulnerability assessment is simple: Not doing so could cost you dearly and potentially put you out of business.
Think you're too small for cybercriminals to target? That would be a flawed assumption. On average, 43% of online attacks have targeted small businesses, according to data from Accenture. However, a Verizon report shows that only 14% of businesses have sufficient measures in place to defend themselves.
It gets worse. According to Verizon's latest annual analysis, when it comes to the number of data breaches, the gap between small and large organizations has been shrinking. Professional criminal gangs are attacking businesses of all sizes to make money using a wide array of activities, from basic website attacks to complex and multilayered actions.
They also employ social engineering, which means using employees' good natures to trick them into revealing confidential information, potentially bypassing even the best access control systems. Companies based in North America have been hit particularly hard.
Even if criminals don't get confidential customer data or transfer money from a company's account to their own – a practice more widespread than people realize – the cost of dealing with and recovering from an attack runs $200,000 on average, according to research from Hiscox.
This is where large and small companies diverge. For a big corporation, $200,000 is likely insignificant. But for a small company, a $200,000 loss could easily put it out of business.
How can vulnerability assessments protect your company?
Many vulnerabilities might affect a company: software and hardware misconfigurations, a lack of critical operating system and application security updates, poor security practices, a previously unknown zero-day exploit that business security systems might face, and even lax processes that might trick employees into providing access.
A vulnerability assessment can identify issues with all aspects of a company's infrastructure. This includes networks, individual workstations, mobile devices, cloud storage and services, all equipment attached to the network, applications, databases, websites, and all configurations.
Each vulnerability is cataloged and tagged with the potential risk severity. The professionals running the vulnerability assessment may also recommend steps to eliminate problems and create safer practices.
What are the types of vulnerability assessments?
There are four major types of vulnerability assessments. Some may be more critical to certain types of businesses, but the assessor will carefully examine each category for an organization.
This type of vulnerability assessment examines the hosts – servers that run websites, databases, applications and anything else in the company's digital infrastructure. Are your configurations correct? Have you correctly applied all the necessary security patches to both the operating system and applications? Is patch management in place to keep your company abreast of critical security updates?
A network assessment looks at the infrastructure's backbone, both wired and wireless. The intent is to ensure that unauthorized people can't get access to public or private networks. Once they're on a network, the likelihood that attackers can compromise systems attached to that network increases significantly.
An application assessment recognizes that software running on a server, workstation or mobile device attached to the network will have privileges and access to resources. A vulnerability in an application, including those that run automatically and not at a user's request, can provide an entryway to the infrastructure.
Although databases are technically software, they get their own assessments because of the number of attacker exploits that target database weaknesses. Assessors examine misconfigurations, unauthorized installations, development, and test environments with higher authorization and access levels than usual. They also examine and classify data that could be subject to various security, legal and regulatory requirements.
What are the steps involved in a vulnerability assessment?
Security experts might explain a vulnerability assessment's specific steps in various ways, possibly regrouping certain elements, but here are the basics:
- Understand the company. Security doesn't exist in a vacuum. Perfect security is not possible, and trying to cover the most remote threat possibilities could be far more costly than a potential loss. Assessors will need to understand an organization's risk appetite and tolerance as well as business models and weaknesses. While the assessors can ask the questions, the business must think deeply to give the right answers.
- Profile the system. Gather all the information about components, software, configurations, processes and services as they currently run through the entire infrastructure. In the process, the assessors begin to look for fundamental weaknesses down to device, application and configuration levels. They also consider information flows and where data travels, internally and externally.
- Test the system. The assessors run a large number and variety of tests to probe the entire system, considering days and times that might make a difference in results. Testing may happen at one time, or, given logistics and operational needs, the process may proceed in segments.
- Create a report. After the testing is done, professionals must analyze the results, determining not only which weaknesses exist, but also exactly which data and systems are most vulnerable, the severity of likely attacks, and potential damage. Then the assessors must transform the raw information into reports that company management can effectively use to make decisions.
- Devise a remediation plan. In consultation with management, the professionals then create a plan to address the weaknesses. Such a plan would include immediate actions as well as longer-range changes to processes, procedures, configurations and infrastructure design necessary to reduce ongoing risks.
Vulnerability assessments aren't a one-and-done endeavor
One of the more difficult realities for a business to accept is that security is an ongoing and constantly changing concern, and that there are never permanent solutions to problems.
You would never think that locking your front door one time would be sufficient to prevent break-ins, damage or other problems indefinitely. Computer security is the same. Criminals are always looking for new ways to break into systems. There is a constant stream of security patches to apply, new data to protect, new employees who need system access and former employees who need to have their access revoked.
Vulnerability assessments are part of an ongoing intelligent approach to systems and data. They're critical for a business and should become routine so that it can periodically check for vulnerabilities and weaknesses and then fix them before the unthinkable happens.