Understanding Vulnerability Assessment

Vulnerability assessment is one of the easiest, most impactful, and proactive steps you can do for the cybersecurity of your organization. Unfortunately, many organizations just don’t know enough about the process, what’s involved, how much it costs, and so on… We’re going to discuss that a little today.

Complexity Kills

As networks and computing systems have grown over the years, we as IT professionals, have lost track of the basics. Deploying a new machine on a network used to be an easy and self-contained process; that’s not really the case anymore. Deploying a new machine often includes (whether you know it or not), cloud services being automatically provisioned, wireless networking enabled, Bluetooth enabled, or – in the case of many server platforms – remote baseboard management services enabled by default (with default credentials).

It might be easy to analyze a small group of systems manually, but what about the vulnerabilities you don’t know about?

Vulnerability Scanners

Vulnerability scanners (like Nessus, Qualys, and many more) are critical to understanding your own networks. These scanners look for known vulnerabilities on your network and return results indicating the criticality of the findings. These tools require a little training to use them properly. For example: It’s pretty easy to take older VOIP hardware offline with a simple scan!

Vulnerability Analysis

When we do a vulnerability scan for the first time on a network, we expect to see a LOT of results. In a recent case, a single scan of a 46 machine network yielded over 1000 vulnerabilities, over 400 of which were listed as “Critical”. So, where do you even begin with that!?

A knowledgeable analyst should take that data and look for patterns! Do the same vulnerabilities exist across multiple machines? Would a simple “update” close the majority of the Critical findings? Do we start with the Critical findings on the external network, or the internal network? And so on…

Vulnerability Management

Like everything else in security, you don’t just run a scanner and call-it-a-day. You need to actually FIX the issues you’ve discovered. That seems obvious, but so few organizations ACTUALLY do that! For some, they hit vulnerability overload and just fail to fix anything out of denial. For others, they fix the critical vulnerabilities once, and forget to run the scans again. Vulnerability management should be part of your IT operations processes, and ALL critical findings should be addressed within 30 days (hopefully sooner).

Like I stated in the beginning: vulnerability assessment is one of the easiest, most impactful, and proactive steps you can do for the cybersecurity of your organization. Whether or not GoldSky manages your vulnerability assessments for you (we hope we do!), I hope you begin to seriously look into routine vulnerability management practices.