Figure 2. Cybersecurity Incident Highlight in 2017 (source: Ponemon Institute and IBM)
First, we need to define what a “vulnerability” is. As documented by SANS (Escal Institute of Advanced Technologies), “Vulnerabilities are the gateways by which threats are manifested”. In other words, they are weaknesses found in a system which, when exploited, can allow attackers non-permissible access to the system.
A Vulnerability Assessment is a systematic approach
So, where do these weaknesses occur? There are two points to consider:
Many systems are shipped with known and unknown security holes and bugs (in the software itself, or introduced by vendors…) and with insecure default configurations (weak passwords, lax account policies…).
Vulnerabilities as a result of misconfigurations by
The main reason why we should maintain security awareness of vulnerabilities in an organization’s environment is to quickly mitigate potential risks. A Vulnerability Assessment can be done before or after product deployment (the earlier, the better) to identify security holes in the system and fix them before attackers have any opportunity to exploit or damage the system. Additionally, ensuring a high level of cybersecurity is often part of strict requirements in large companies or government agencies, which a Vulnerability Assessment can help to achieve and evaluate, for example, for the following security requirement:
Figure 3. Example of a security requirement of a government system
Through a thorough Vulnerability Assessment, we can evaluate whether the system has been set up to comply with the aforementioned requirements and, if not, take immediate action to apply remediation.
Last but not least, a Vulnerability Assessment is done to make sure the system is compliant with the new data security and data privacy laws across the world such as the Cybersecurity Law in Vietnam that will take effect on 01/01/2019.
Our method of conducting Vulnerability Assessment consists of 4 steps, which can effectively identify vulnerabilities most organizations have:
1. Reconnaissance
We will identify, analyse and map out the assets of the organization, including devices, their placement, network topology, and the importance of the devices to the IT infrastructure and network. This will provide a comprehensive overview of the IT assets in the organization.
2. System Information Gathering
Second, we will gather information about the systems before starting the Vulnerability Scanning. We will review the ports, processes, services, and policies in the system to check for any misconfiguration that needs to be fixed. We will also require credentials for those devices to ensure the optimal performance of the Vulnerability Scanning.
3. Perform Vulnerability Scanning
In this step, we will use the information acquired from the previous steps to configure our proprietary scanner and then proceed to scan the system. The scan is divided into two types: external and internal.
External Scan will simulate how an attacker from outside your organization sees and attempts to exploit the system.
Internal Scan, also known as scanning with credentials, will attempt to log on to each host on your network and collect additional detailed information about the host while it performs comprehensive vulnerability checks inside your network. Common checks include security updates, policy check, encryption
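To make the internal (credentialed) scan step and the earlier point about insecure default configurations concrete, here is an added example in Python. It is not the article's proprietary scanner nor any code from its authors: it takes a constructed host record of the kind steps 1 and 2 produce (asset importance assigned during reconnaissance, plus ports, account policy, patch state and service settings gathered with credentials) and runs the four kinds of check the article names for an internal scan: security updates, policy, cleartext services and encryption settings. The host name, patch identifiers, baseline thresholds, port list and risk weights are all constructed assumptions.

```python
# Added example: a toy credentialed (internal) assessment pass over a constructed host
# snapshot. Host, baseline, patch IDs, ports and weights are constructed placeholders.
from dataclasses import dataclass
from typing import Dict, List

# Output of steps 1 and 2: an asset record from reconnaissance plus configuration
# gathered with credentials. Every value here is constructed for the example.
HOST_SNAPSHOT = {
    "hostname": "fileserver-01",
    "role": "critical",  # importance assigned during reconnaissance
    "open_ports": {21: "ftp", 22: "ssh", 445: "smb", 3389: "rdp"},
    "password_policy": {"min_length": 6, "max_age_days": 0, "lockout_threshold": 0},
    "installed_patches": {"PATCH-EXAMPLE-001"},
    "service_crypto": {"smb": {"signing_required": False}, "rdp": {"nla_required": False}},
}

# The organisation's security requirement, expressed as a machine-checkable baseline.
BASELINE = {
    "required_patches": {"PATCH-EXAMPLE-001", "PATCH-EXAMPLE-002"},
    "password_policy": {"min_length": 12, "max_age_days": 90, "lockout_threshold": 5},
    "cleartext_ports": {21: "FTP", 23: "Telnet"},  # send credentials unencrypted
}

SEVERITY_WEIGHT = {"high": 3, "medium": 2, "low": 1}
ASSET_WEIGHT = {"critical": 3, "important": 2, "standard": 1}


@dataclass
class Finding:
    check: str
    severity: str
    detail: str
    risk: int = 0  # severity weight x asset weight, filled in by assess_host


def check_security_updates(snapshot: Dict, baseline: Dict) -> List[Finding]:
    """Flag every baseline-required patch the host does not report as installed."""
    missing = baseline["required_patches"] - snapshot["installed_patches"]
    return [Finding("security-update", "high", f"missing {p}") for p in sorted(missing)]


def check_password_policy(snapshot: Dict, baseline: Dict) -> List[Finding]:
    """Compare the host's account policy against the baseline; 0 means 'disabled'."""
    have, want = snapshot["password_policy"], baseline["password_policy"]
    findings = []
    if have["min_length"] < want["min_length"]:
        findings.append(Finding("policy", "medium", f"min_length {have['min_length']} < {want['min_length']}"))
    if have["max_age_days"] == 0 or have["max_age_days"] > want["max_age_days"]:
        findings.append(Finding("policy", "medium", "passwords never expire or expire too late"))
    if have["lockout_threshold"] == 0 or have["lockout_threshold"] > want["lockout_threshold"]:
        findings.append(Finding("policy", "medium", "account lockout disabled or too lenient"))
    return findings


def check_cleartext_services(snapshot: Dict, baseline: Dict) -> List[Finding]:
    """Flag listening services the baseline forbids because they are unencrypted."""
    return [Finding("cleartext-service", "high", f"{name} listening on port {port}")
            for port, name in baseline["cleartext_ports"].items()
            if port in snapshot["open_ports"]]


def check_encryption_settings(snapshot: Dict) -> List[Finding]:
    """Flag services whose transport-protection option is turned off."""
    findings = []
    crypto = snapshot["service_crypto"]
    if not crypto.get("smb", {}).get("signing_required", True):
        findings.append(Finding("encryption", "medium", "SMB signing not required"))
    if not crypto.get("rdp", {}).get("nla_required", True):
        findings.append(Finding("encryption", "medium", "RDP network level authentication not required"))
    return findings


def assess_host(snapshot: Dict, baseline: Dict) -> List[Finding]:
    """Run all checks, weight each finding by asset importance, highest risk first."""
    findings = (check_security_updates(snapshot, baseline)
                + check_password_policy(snapshot, baseline)
                + check_cleartext_services(snapshot, baseline)
                + check_encryption_settings(snapshot))
    asset_weight = ASSET_WEIGHT.get(snapshot.get("role", "standard"), 1)
    for f in findings:
        f.risk = SEVERITY_WEIGHT[f.severity] * asset_weight
    return sorted(findings, key=lambda f: f.risk, reverse=True)


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity for the remediation report."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = assess_host(HOST_SNAPSHOT, BASELINE)
    for f in results:
        print(f"[risk {f.risk}] {f.severity:6} {f.check:17} {f.detail}")
    print(summarize(results))
```

The asset importance recorded in step 1 is what turns a flat list of findings into a remediation order: the same missing patch scores higher on a critical file server than on a standard workstation, which is why the reconnaissance inventory feeds the scanner rather than being a separate deliverable.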