What is a Vulnerability Assessment?

Hitachi Systems Security

6m 0s, 704 words, ~4 min read
This transcript was extracted from YouTube's auto-generated caption track.


[0:00] When securing your organization's assets, knowledge is power. As businesses today increase their dependence on information technology, including the cloud, IoT devices, mobile and social, their cyber risk continues to rise. However, just like an annual or periodic physical, a vulnerability management program can help to identify weaknesses before they become problems. 95% of cyber attacks exploit known vulnerabilities, and with 15,000 new vulnerabilities discovered each year, constant vigilance is necessary to evaluate IT security posture, discover weaknesses and respond appropriately. The key to responding to this more dangerous threat environment is a robust vulnerability assessment program. A formal process that identifies and quantifies the security weaknesses, including your application software, hardware and network. Just like any good physical, vulnerability assessments should provide you with a clean, clear report of what in your environment needs attention and where on the list of priorities it lies. Organizations are constantly patching and adding software fixes to critical systems. However, because patches cause disruption to other software and because systems needing patches cannot be taken offline, IT has a difficult time managing the unwieldy challenge of keeping software up to date. Exceptional vulnerability assessments provide a list of prioritized vulnerabilities by system, software, and other important details. This report serves as a to-do list for IT security to improve its security posture, by closing gaps attackers could exploit one by one systematically in order to reduce downtime or system issues. Identifying vulnerabilities is important because, unlike the targeted attacks which dominated the landscape previously, today's advanced attacks are programmed to search for vulnerabilities in systems and automatically start their attack process. Therefore, it is critical to defend even if your organization is not a high priority target.
Equally important to note is vulnerability assessments are not created equal. Scanning for vulnerabilities is one thing, prioritizing vulnerabilities and making it a part of an overall risk management program is another. Organizations must evaluate their assets by creating an inventory of all the devices on the network, including business purpose and system information, including vulnerabilities associated with specific devices. After identifying vulnerabilities, understanding their business impact and the purpose of the associated assets, organizations can score vulnerabilities by risk, using the likelihood and impact of any potential exploitation of the weakness. This thorough understanding of the environment and context of vulnerabilities helps guide organizations to ready themselves for the appropriate response, and more importantly, to respond to the most serious vulnerabilities for the most critical assets in priority order. Vulnerability scans are a part of a vulnerability assessment, and vulnerability assessments are a part of a risk management strategy, just like lab tests are a part of a physical, and a physical is part of an overall health program. The negative impact of a cyber intrusion, including reputation damage, financial losses, and loss of confidential information, can constantly be seen in the news today. In the most recent quarter, 1,254 data breaches have been publicly reported, a record, just like almost every previous quarter for the past six years. For the vast majority of these attacks, the vulnerability involved was known, but a failure to identify and respond effectively ultimately led to an intrusion and damage. Ransomware attacks, for example, leveraged known vulnerabilities. WannaCry and Petya used a known vulnerability that Microsoft had identified and patched months before the attacks began. Yet, the malware spread across the globe and to hundreds of thousands of critical systems, literally shutting down companies.
New malicious scripts are being created for known vulnerabilities daily, and unfortunately, are widely available. Like a good health regimen, including diet, exercise and sleep, a good defense is taking systematic preventative measures. According to the Data Breach Investigation Report, 60% of all small to medium-sized businesses have experienced a breach. In addition, 58% of surveyed customers would stop doing business with an organization that suffered a breach. A thorough vulnerability assessment will provide a blueprint for you to improve your security defenses. By understanding the environment, including the assets and vulnerabilities they contain, organizations can assign risk scores, prioritize response activity, and address any and all weaknesses effectively. Vulnerability assessments are a key element to a healthy, successful security program. For more information about vulnerability assessments, visit www.hitachi-systems-security.com.
