Why a Vulnerability Assessment Is Critical to Establishing a Cybersecurity Defence

Daniel Tobok
E: dtobok@cytelligence.com
Posted on: March 20, 2019

Just as you safeguard your home and business from unwanted visitors, you need to go the extra mile to protect your business’ digital systems from invasion. Enter the modern era of cybersecurity, which expands on the basics of virus protection to higher-tools designed to limit the likelihood of an attack against your company’s valuable data (including customer data) and IT assets.

In today’s business environment, a robust cyber defence is essential. News of a fresh attack take over headlines on what seems like a daily basis, and the victims aren’t only small businesses without the resources to build a robust defence, but huge organizations that have fallen victim to a vulnerability in their cybersecurity protocols. These attacks affect millions of people and cost millions of dollars, not to mention the potential impact to a company’s reputation. The unfortunate reality is that cyber attacks are becoming more frequent and more sophisticated.

Key to establishing a successful cybersecurity program is knowing where any digital vulnerabilities exist within your systems.
Vulnerability assessments help businesses pinpoint any weaknesses (such as coding bugs, security holes, etc.) before they have the chance to be compromised. Penetration testing, or pen testing, is a great way to do this by simulating an attack on your company’s IT systems and digital assets. This is an advanced strategy that builds upon the information derived from a vulnerability assessment, which is used to detect and report specific and possible vulnerabilities within your systems.

Why You Should Perform a Vulnerability Assessment

The goal of a vulnerability assessment is to discover any flaws that may compromise your company’s cyber defences, document them, report them to the organization, and provide details on how to resolve them. Doing so allows IT experts to work to address any issues before they develop further and possibly harm the integrity of your company’s cyber assets. Vulnerability assessments are a great place to start a cybersecurity defence strategy, but they are most useful when coupled with other tools, such as pen testing.

Performing a vulnerability assessment involves a number of steps:

  • Define and classify network and system resources
  • Assign relative levels of importance to those resources
  • Identify any potential resources
  • Establish a strategy that resolves the most serious threats first
  • Define and implement policies that minimize consequences if an attack does happen

What Kind of Information Will a Vulnerability Assessment Reveal?

Outside of misconfigurations within existing IT systems, a vulnerability assessment may also uncover issues with software and hardware, such as:

  • Default passwords on certain devices
  • Devices running unnecessary services
  • Web services that contain unknown vulnerabilities
  • Unnecessary services running on some devices
  • Harmful applications, such as those of the peer-to-peer variety
  • Third-party applications

Many vulnerability scanners will also keep an eye out for signs of malware based on a computer’s behaviour instead of scanning its files for known malware signatures. Doing so can help to uncover issues that anti-virus tools might miss.

Eight Steps to an Effective Vulnerability Assessment

  1. Identify and understand business process. Focus on the processes most critical and sensitive in relation to compliance, customer privacy and your competitive position. This exercise will require a collaborative effort between IT and representatives across various business units, financial leadership and legal counsel.
  2. Identify applications and data that bolster business processes. Rank each process in terms of mission criticality and sensitivity, then highlight applications and data on which those processes depend (Example: one department might absolutely need email access to do their job, while another department might not).
  3. Uncover hidden sources of data. Don’t forget to account for mobile devices and even desktop PCs, as these devices will most likely contain your organization’s most recent and most sensitive data. Identify who is using these devices to access and share corporate applications and data. Understand how data flows between them.
  4. What hardware underlies applications and data? Work down layers of infrastructure to identify which servers run mission critical applications. Identify data storage devices that house the sensitive data used by those applications.
  5. Map out the network infrastructure that connects hardware. Understand routers and network devices that your hardware uses to produce fast and secure performance.
  6. Do you have any controls in place already? If so, what are they? Existing controls could include policies, firewalls, intrusion detection and virtual private networks. It’s essential that you understand the capabilities of these controls and the vulnerabilities they address directly.
  7. Run a vulnerability scan. Now that your team understands and has mapped out application and data flows, network infrastructure and protection, determine whether it’s time to run any vulnerability scans.
  8. A scan could produce a number of vulnerabilities with varying levels of severity. Because the results of the test are based on objective measures, you must determine the organization’s business and infrastructure risk. Extracting useful and actionable data related to business risk and vulnerabilities can be a complex task.

Dive Deeper With Penetration Testing

Penetration testing dives deeper into your business’ digital environment to provide as vivid an image possible of its cyber assets. Performing a penetration test by conducting a false attack on your systems, you can best determine the steps you need to take to eliminate any vulnerabilities and decide whether your existing security measures stand up to the challenge of current threats. It also tests the most troubling weaknesses within the system.

The goal is to discover whether established defence mechanisms work. Skilled
penetration testers use a wide range of tools to effectively break into your company’s system. They may even create their own tools, which are free of harmful malware or other malicious code. When the test is completed, a detailed report that outlines any findings is produced and presented to the company.

The key to successful penetration testing, however, isn’t so much the technology employed, but the people conducting the work. In most cases, the sophistication of the entire process goes well beyond the scope of the technology and is instead combined with analytical thought processes that produce more in-depth insights into what provides the hacker with unauthorized access and the strategies that can more effectively thwart the possibility of an attack.

Given the sophisticated scope of testing, there is much that companies can learn from the report. Proper investigations include the full extent of the research, from the asset that’s been breached and the method the hacker has used to commit the breach.

Vulnerability assessments and penetration testing, also known as VAPT, work together to:

  • Prevent information loss
  • Prevent financial loss
  • Protect your brand reputation in the marketplace
  • Establish compliance with specific standard or certifications your business needs to operate

When executed correctly, vulnerability assessments are an invaluable tool to provide your business with insights into the strength of its cyber defence. When paired with penetration tests, you can uncover
actionable strategies that will minimize the impact of a cyber attack if or when an attack happens.