How To Perform A Vulnerability Assessment: A Step-by-Step Guide
In 2020 alone, over 23,000 new software vulnerabilities were discovered and publicly reported. As staggering as this figure might sound to the uninitiated, numbers like this no longer raise eyebrows to those in the cyber security world. Admittedly, no organisation is likely to fall foul of all 23,000, but one is all it takes to cause untold damage.
And if you’re wondering about the chances of being hit through one of these vulnerabilities, analysis by IBM identified scanning for and exploiting vulnerabilities as the leading attack vector in 2020 (35% of attacks), even surpassing phishing attacks.
Hackers are scanning the internet for weaknesses all the time, and if you don’t want your organisation to fall victim, you need to be the first to find these weak spots. In other words, you have to adopt a proactive approach to managing your vulnerabilities, and a crucial first step in achieving this is performing a vulnerability assessment.
We have created this guide to help you understand what vulnerability assessment is, why it’s important and how to perform it in your organisation.
What is a Vulnerability Assessment?
As humans, we all make mistakes, and because software is written by humans, it inevitably contains bugs. While many bugs are harmless in nature, some turn out to be exploitable vulnerabilities placing the usability and security of the system at risk. This is where a vulnerability assessment comes in. A vulnerability assessment is an analysis of vulnerabilities in IT systems at a certain point in time, with the aim of identifying the system’s weaknesses before hackers can get hold of them.
Vulnerability Assessment and Penetration Testing (VAPT)
It’s easy to confuse vulnerability assessments and penetration testing. Many security companies offer both, and the lines between them can be easily blurred.
The best way to tell the difference between these two offerings is to look at how the heavy lifting in the test is done. A vulnerability assessment is an automated test, meaning a tool does all of the work and generates the report at the end. Penetration testing, on the other hand, is a manual process relying on the knowledge and experience of a penetration tester to identify vulnerabilities within an organization’s systems.
It’s best practice to combine automated vulnerability assessments with regular manual penetration testing for greater system protection. However, not every company is the same, and naturally, when it comes to security testing their needs are different. So if you’re just getting started and not sure whether you should perform a vulnerability assessment or a penetration test, we’ve written a helpful guide addressing this question.
What is the purpose of a vulnerability assessment?
There is a big difference between assuming you’re vulnerable to a cyberattack and knowing exactly how you’re vulnerable, because unless you know how you’re vulnerable, you can’t prevent an attack. The goal of a vulnerability assessment is to close this gap. A vulnerability assessment tests some or all of your systems and generates a detailed vulnerability report. This report can then be used to fix the problems uncovered and so avoid security breaches.
In addition, an ever-increasing number of companies depend on technology to carry out their daily operations, but cyber threats, like ransomware, can halt your business in an instant. Widespread appreciation that prevention is better than a cure has led to the growing importance of cyber security and to demand for solutions that ensure business resilience. For example, more SaaS customers now require regular vulnerability assessments, and having proof of security testing can also help you to generate more business.
Vulnerability Assessment Tools
Vulnerability assessments are automated processes performed by scanners. This makes them accessible to a wide audience. Many of the scanners are geared towards cyber security experts, but there are solutions tailored for IT managers and developers in organisations without dedicated security teams.
Vulnerability scanners come in various types: some excel at network scanning, others at web applications, IoT devices or container security. If you’re a small business, you’re likely to find a single scanner covering all or most of your systems. However, larger companies with complex networks may prefer to combine multiple scanners to achieve the desired level of security. Read our guide to vulnerability scanning to learn more about the vulnerability scanning process and how to choose the right scanner for your business.
Steps To Conduct A Vulnerability Assessment
With the right tools in hand, you can perform a vulnerability assessment by working through the following steps:
1. Asset discovery
First, you need to decide what you want to scan, which isn’t always as simple as it sounds. One of the most common cyber security challenges facing organizations is a lack of visibility into their digital infrastructure and its connected devices. Some reasons for this include:
- Mobile Devices: Smartphones, laptops, and similar devices are designed to connect and disconnect frequently, from the office network, from employees’ homes and often from other remote locations.
- IoT Devices: IoT devices are part of the corporate infrastructure but may be connected primarily to mobile networks.
- Cloud-Based Infrastructure: Cloud services providers make it easy to spin up new servers as needed without IT involvement.
We’d all love to work in an organisation that was perfectly organised, but the reality is often messier. It can be hard simply to keep track of what different teams are putting online, or changing, at any given point. This lack of visibility is problematic because it’s difficult to secure what you can’t see. Luckily, the discovery aspect of this process can be largely automated. For example, some modern vulnerability assessment tools can perform discovery on public-facing systems and connect directly to cloud providers to identify cloud-based infrastructure.
2. Prioritisation
Once you know what you’ve got, the next question is whether you can afford to run a vulnerability assessment on all of it. In a perfect world, you would be running a vulnerability assessment regularly on all of your systems. However, vendors often charge per-asset, so prioritisation can help where budgets can’t cover every asset the company owns.
Some examples of where you may wish to prioritise are:
- Internet-facing servers
- Customer-facing applications
- Databases containing sensitive information
It’s worth noting that two of the most common vectors for untargeted or mass attacks are:
- Internet-facing systems
- Employee laptops (via phishing attacks)
So if you can’t afford anything else, at least try to get these covered, in that order.
3. Vulnerability scanning
Vulnerability scanners are designed to identify known security weaknesses and provide guidance on how to fix them. Because these vulnerabilities are commonly publicly reported, there is a lot of information available about vulnerable software. Vulnerability scanners use this information to identify vulnerable devices and software in an organization’s infrastructure. The scanner initially sends probes to systems to identify:
- Open ports & running services
- Software versions
- Configuration settings
Based on this information, the scanner can often identify many known vulnerabilities in the system being tested.
In addition, the scanner sends specific probes to identify individual vulnerabilities which can only be tested by sending a safe exploit that proves the weakness is present. These types of probes may identify common vulnerabilities such as ‘command injection’ or ‘cross-site scripting (XSS)’, or the use of default usernames and passwords for a system.
Depending on the infrastructure that you’re scanning (and particularly how expansive any websites are), the vulnerability scan may take anywhere from a few minutes to a few hours.
4. Result analysis & remediation
After the vulnerability scan is complete, the scanner provides an assessment report. When reading and developing remediation plans based on this report, you should consider the following:
- Severity: A vulnerability scanner should label a potential vulnerability based upon its severity. When planning for remediation, focus on the most severe vulnerabilities first, but avoid ignoring the rest forever. It’s not uncommon for hackers to chain several mild vulnerabilities to create an exploit. A good vulnerability scanner will suggest timelines for when to fix each issue.
- Vulnerability Exposure: Remembering the prioritisation above, not all vulnerabilities are on public-facing systems. Internet-facing systems are more likely to be exploited by any random attacker scanning the internet, making them a higher priority for remediation. After that, you’ll want to prioritise any employee laptops with vulnerable software installed. Additionally, any systems that host particularly sensitive data, or whose compromise could adversely affect your business, may need to be prioritised ahead of others.
You can read the NCSC guide for more details on triaging and prioritising vulnerabilities for fixing.
In most cases, there is a publicly released patch to correct a detected vulnerability, but a fix can often require a configuration change or other workaround too. After applying a fix, it’s also a good idea to rescan the system to ensure the fix was applied correctly. If it wasn’t, the system may still be vulnerable to exploitation. Also, if the patch introduces any new security issues, such as security misconfigurations (although rare), this rescan may uncover them and allow them to be corrected as well.
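To make steps 3 and 4 concrete, the following added example (not Intruder’s code, nor any real scanner’s) shows the core of what a version-based scanner does: match discovered service versions against a table of known weaknesses, then order the findings by exposure and severity as described above. All hosts, products, versions and weakness IDs are constructed placeholders.

```python
# Added illustration, not Intruder's code: match discovered service versions
# to known weaknesses, then order findings for remediation by exposure and
# severity. All hosts, products, versions and IDs below are constructed.
from dataclasses import dataclass


@dataclass
class Service:
    host: str
    port: int
    product: str
    version: str
    internet_facing: bool


# Constructed weakness table: (product, first affected, first fixed, CVSS-style
# severity, placeholder ID). A real scanner builds this from public advisories.
KNOWN_WEAKNESSES = [
    ("examplehttpd", (2, 4, 0), (2, 4, 50), 9.8, "VULN-EXAMPLE-001"),
    ("examplehttpd", (2, 4, 0), (2, 4, 52), 5.3, "VULN-EXAMPLE-002"),
    ("exampledb", (13, 0, 0), (13, 4, 0), 7.5, "VULN-EXAMPLE-003"),
]


def parse_version(text):
    """'13.2' -> (13, 2, 0): numeric dotted parts, zero-padded to three."""
    parts = [int(p) for p in text.split(".") if p.isdigit()]
    return tuple((parts + [0, 0, 0])[:3])


def match_weaknesses(svc):
    """IDs and severities whose affected range [first, fixed) covers svc."""
    v = parse_version(svc.version)
    return [(vid, sev) for prod, first, fixed, sev, vid in KNOWN_WEAKNESSES
            if prod == svc.product and first <= v < fixed]


def findings(inventory):
    """One finding per (service, weakness) pair, as a scan report lists them."""
    return [{"host": s.host, "port": s.port, "id": vid, "severity": sev,
             "internet_facing": s.internet_facing}
            for s in inventory for vid, sev in match_weaknesses(s)]


def remediation_order(found):
    """Internet-facing systems first, then highest severity (step 4 criteria)."""
    return sorted(found, key=lambda f: (not f["internet_facing"], -f["severity"]))


INVENTORY = [  # constructed output of the asset discovery step
    Service("www.example.internal", 443, "examplehttpd", "2.4.49", True),
    Service("build01.example.internal", 8080, "examplehttpd", "2.4.51", False),
    Service("db01.example.internal", 5432, "exampledb", "13.2", False),
    Service("db02.example.internal", 5432, "exampledb", "13.4", False),
]
```

Running `remediation_order(findings(INVENTORY))` lists the internet-facing web server’s two findings first, then the internal database, then the build server; the patched database (13.4) produces no finding, which is what a post-fix rescan should confirm.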
5. Continuous cyber security
A vulnerability scan provides a point-in-time snapshot of the vulnerabilities present in an organization’s digital infrastructure. However, new deployments, configuration changes, newly discovered vulnerabilities, and other factors can quickly make the organization vulnerable again. For this reason, you must make vulnerability management a continuous process rather than a one-time exercise.
Since many vulnerabilities are introduced when software is developed, the most progressive software development companies integrate automated vulnerability assessments into their continuous integration and deployment (CI/CD) pipelines. This allows them to identify and fix vulnerabilities before software is released, avoiding the potential for exploitation and the need to develop and ship patches for vulnerable code.
Regular vulnerability assessments are critical to a strong cyber security posture. The sheer number of vulnerabilities that exist and the complexity of the average company’s digital infrastructure mean an organization is almost guaranteed to have at least one unpatched vulnerability that places it at risk. Finding these vulnerabilities before an attacker does can mean the difference between a failed attack and a costly and embarrassing data breach or ransomware infection.
One of the great things about vulnerability assessments is that you can do them yourself and even automate the process. By getting the right tools and performing regular vulnerability scans, you can dramatically decrease your cyber security risk.
The Intruder vulnerability assessment tool
Intruder is a fully automated vulnerability assessment tool designed to check your infrastructure for upwards of 10,000 known weaknesses. It’s designed to save you time by proactively running security scans, monitoring network changes, synchronizing cloud systems and more. Intruder generates a report outlining the issues and offering actionable remediation advice – so you can find and fix your vulnerabilities before hackers reach them.