A Primer on Vulnerability Management

Suppose you are a business that stores data on your organization’s network and wants to keep that network as secure as possible. Protecting your business assets has become a complex challenge: it means keeping up with cybercriminals, meeting all regulatory compliance requirements, and keeping a watchful eye on every user and device on your network from a security perspective.

Over the last few years, the volume and evolution of cyber-attacks have become overwhelming for even the most security-conscious organizations. Defending against them requires a comprehensive understanding of organizational risks and vulnerabilities, current threats, and the most effective policies and technical solutions for addressing them. Once organizations understand their risk, they can direct their security budget towards the technologies and strategies that best reduce or eliminate that risk.

One of the critical processes in securing any business is testing it for vulnerabilities. Cyber attacks can be prevented with proper vulnerability management strategies, primarily vulnerability assessments and penetration testing. These two strategies are not mutually exclusive but complementary to each other.

The two tests are different, and each has its own purpose. Together they provide a comprehensive cyber-attack prevention plan for your business.

Vulnerability Assessments

A vulnerability is an inadvertent flaw in software, an operating system, or a device that cybercriminals can exploit. These flaws are primarily the result of software programming errors or incorrect computer or security configurations. If left unaddressed, vulnerabilities become easy fodder for cybercriminals.

The first step in the vulnerability management process is to run a vulnerability scan. This automated process of identifying security vulnerabilities within the network, application, and devices is a powerful tool for better understanding your business’s state of security.

Essentially, this is a security audit of your network and the underlying infrastructure, which indicates how well your network’s confidentiality, integrity, and availability are protected. The scan is conducted using a software application targeted at an IP address (or a subnet) and works its way through your entire network.

The scanning process includes detecting and classifying vulnerabilities in devices, computer systems, applications, and third-party software, looking for security holes such as open ports, outdated software, or accounts with default passwords. The scan also estimates how effective existing countermeasures would be in case of a threat or attack, and produces a report of all vulnerabilities identified. These findings can then be assessed, analyzed, and interpreted to identify opportunities for the organization to improve its security posture.

Vulnerability scans look for vulnerabilities already known to the security community, hackers, and software vendors. As technology is constantly evolving, there are always newer vulnerabilities that are not yet known, and the scan will not find them. That said, modern vulnerability scanners are updated continuously to reduce these blind spots.

Penetration Testing

Another aspect of a vulnerability management program is penetration testing. Penetration tests are often confused with vulnerability assessments; however, they are two very different processes, each of which proactively defends your organization against cybersecurity threats.

Just as organizations conduct periodic vulnerability scans, so do hackers and cybercriminals, scanning your network to find a hole or a weakness through which to break in. Penetration testing takes the vulnerability scan to the next level, to understand how a cybercriminal could exploit a vulnerability and complete an attack.

Penetration testing is in high demand. Many testers will run a vulnerability scan, generate a report for executive consumption, and call it a penetration test. This, however, is only the first step of a two-step process. The scan reveals the existence of a vulnerability; an actual penetration test verifies that the vulnerability is exploitable and under what circumstances it can be exploited.

A penetration tester will exercise the vulnerability and explore the depth of the problem to determine the extent of damage that could be caused if it were exploited. This is the crucial difference between a vulnerability assessment and a penetration test: the output of the vulnerability assessment is probed further, in the same way a cybercriminal would.

The results of a penetration test are also ranked by severity and exploitability, and steps to remediate each finding are provided.

Vulnerability Management at Afinety

Vulnerability management is an ongoing process. Vulnerability scans and assessments should be run frequently (monthly or quarterly), whereas penetration testing can be done on an annual basis or after a significant change to the environment. A single vulnerability scan only reflects your organization’s security posture at that point in time.

Afinety conducts vulnerability scans on all its client-hosted environments and its backend infrastructure. These scans identify the risk impact of each vulnerability, providing a severity score (Critical, High, Medium, or Low). An Afinety Security Analyst then assesses the severity of each vulnerability in the context of the target environment, considering factors such as exposure to the public internet or remote exposure potential, network topology and depth of exposure, sensitivity and value of the data, regulatory compliance and breach potential, and any compensating controls or mitigating factors. Based on this threat assessment, a decision is made about which vulnerabilities should be addressed first and most aggressively.
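As an added illustration (example code, not Afinety’s own scoring method), here is one way to combine a scanner’s severity rating with the contextual factors listed above into a prioritized remediation list; the weights, the field names and the sample findings are constructed assumptions.

```python
# Context-based vulnerability prioritization: scanner severity adjusted by
# environmental factors (internet exposure, network depth, data sensitivity,
# compensating controls). Example code with assumed weights, not a vendor's method.
from dataclasses import dataclass, field

SEVERITY_BASE = {"Critical": 9.0, "High": 7.0, "Medium": 4.0, "Low": 1.0}


@dataclass
class Finding:
    host: str
    title: str
    severity: str               # scanner severity: Critical/High/Medium/Low
    internet_exposed: bool      # reachable from the public internet
    network_depth: int          # 0 = edge/DMZ, higher = deeper internal segment
    data_sensitivity: int       # 1 (public) .. 3 (regulated / personal data)
    compensating_controls: list = field(default_factory=list)  # e.g. MFA, segmentation


def contextual_score(f: Finding) -> float:
    """Combine scanner severity with environment context into a 0-10 score."""
    score = SEVERITY_BASE[f.severity]
    if f.internet_exposed:
        score += 1.5                                # remote exposure raises urgency
    score -= 0.5 * min(f.network_depth, 3)          # deeper segments are harder to reach
    score += 0.5 * (f.data_sensitivity - 1)         # sensitive data raises breach impact
    score -= 1.0 * len(f.compensating_controls)     # each mitigating control lowers risk
    return round(max(0.0, min(10.0, score)), 2)


def prioritize(findings):
    """Return findings ordered by contextual score, highest first."""
    return sorted(findings, key=contextual_score, reverse=True)


# Constructed sample findings (not real scan output).
SAMPLE = [
    Finding("web-01", "Outdated TLS library", "High", True, 0, 2),
    Finding("db-01", "Default admin password", "Critical", False, 2, 3,
            ["network segmentation", "MFA"]),
    Finding("file-02", "Open SMB port", "Medium", True, 0, 3),
    Finding("dev-03", "Missing OS patch", "Low", False, 3, 1),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{contextual_score(f):5.2f}  {f.host:8}  {f.title}")
```

Note how the internally segmented, MFA-protected Critical finding ranks below the internet-facing High one once context is applied, which is exactly the kind of judgement the analyst review is meant to capture.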

Afinety also conducts penetration testing on its entire backend infrastructure annually. While this does not include each client’s hosted environment, we offer penetration testing to our clients as a part of our Security Services portfolio.

Performing these two types of tests helps Afinety find and remove vulnerabilities and act proactively against cybersecurity threats. It also demonstrates to our clients and regulators that we are taking measures to identify vulnerabilities and apply the appropriate defenses to mitigate the potential risk of an attack.