Peter Chan, cyber security operations manager, BlueVision ITM.
Vulnerability assessments offer a great deal more than a checklist of potential cyber risks − they inform the organisation’s broader risk exposure, support continuous improvement, and simplify compliance and audit processes.
In short − vulnerability assessments serve as the first line of defence for business in an ever-evolving threat environment.
Ideally carried out every quarter, a thorough vulnerability assessment will assess internal and external vulnerabilities, common vulnerabilities and exposures, misconfigurations and potential human errors that could put the organisation, its systems and data at risk of attack.
For in-house development teams that roll out new features quite often, it’s recommended that vulnerability assessments are done based on the release cycle, rather than quarterly.
Backed by penetration testing, the assessment may also explore the potential impacts of vulnerabilities, looking into how hackers could exploit them within the organisation. It will also prioritise remediation based on the context and criticality of the vulnerabilities and provide guidelines on continuous improvement.
The findings of a thorough vulnerability assessment are invaluable for IT security teams, risk departments and the organisation as a whole.
In many cases, I find that IT teams have been aware of certain risks but having them confirmed by an independent third-party supports their budget motivation to mitigate the risk. In other cases, the discovery process uncovers legacy and decommissioned infrastructure that still presents a risk.
Proactive threat management
As an integral component of the threat management arsenal, vulnerability assessments are the foundation of proactive threat management − from the network all the way up to web apps and everything in between.
Carried out regularly, it enhances the organisation’s cyber security posture by allowing it to stay ahead of vulnerabilities that are researched and discovered at an alarming rate.
As part of the broader arsenal, the assessment provides visibility, but this visibility must be acted on.
Every time there’s a new release of a version of the technology the company is using, it can enhance its security posture in accordance with whatever new features are available, or whatever patches have been made available between the last known visible state to the current state.
It is particularly important for heavily regulated sectors, such as the health or financial sectors. For example, managing card payments requires PCI DSS security measures, which include regular vulnerability assessments. In the healthcare industry, standards like HIPAA require regular vulnerability assessments too.
Around the world, industries recognise the importance of regular vulnerability assessments for business resilience, compliance and regulatory requirements.
Despite their best intentions, many organisations overlook common vulnerabilities, such as decommissioned hardware and default passwords. On occasion, I’ve discovered Windows Server 2003 and 2008 that have long deprecated and yet are still connected to the internet.
Default passwords and weak credentials are still key to many breaches. That said, user password vulnerabilities are being addressed by greater uptake of privilege management models, multi-factor authentication and stronger enforcement of password policies.
However, default vendor passwords are still being used on systems like firewalls and IP camera systems.
While the benefits of proactive vulnerability assessments and penetration are clear, some organisations delay these important measures due to cost concerns.
It should be noted that the cost extends beyond the assessment itself. There are costs associated with remediating the vulnerability as well.
As part of the broader arsenal, the assessment provides visibility, but this visibility must be acted on and the risks that have been identified must be managed.
This means that the company may need to spend the resources to either upgrade outdated operating systems, which would have dependencies on applications, or any other user dependencies could require a network upgrade.
Additional layers of defence may be required. And if there are any human issues or human misconfigurations, then the necessary training and awareness programmes need to be put in place to improve the situation.
The continuous cycle of improvement that emerges from the vulnerability assessment may incur additional costs that are not often talked about, and often difficult to predict.
With cyber risk proliferating, it is crucial to remember that if a company isn’t scanning its environment itself, someone else is − and they’re not divulging the results.
By continuously or regularly carrying out assessments, the company is making sure what it sees is at an acceptable level of risk, and it’s gaining an understanding of how it could be seen and exploited by somebody else. That visibility provides that first line of defence.
