5 Tips on How to Conduct a Vulnerability Assessment
So, your boss asked you to do a vulnerability assessment. You hardly remember anything about the topic from your security classes. Since it is about finding vulnerabilities in your infrastructure, it must be something like penetration testing…or is it?
Formally, vulnerability assessment is the process of identifying, classifying and prioritizing vulnerabilities in computer systems, applications and network infrastructures. It helps the organization doing the assessment understand the threats to its environment and react appropriately.
But, where do you start the vulnerability assessment process? Here are five tips on how to conduct a successful vulnerability assessment – as well as pitfalls and how to avoid them.
1. Learn the difference between vulnerability assessment and penetration testing
Penetration testing is usually something that happens once a year and results in a nice report showing weaknesses in your infrastructure. Vulnerability scanning is an essential part of penetration testing. Unfortunately, for this very reason, many people are focused only on vulnerability scanning when asked to do a vulnerability assessment.
Ideally, vulnerability assessment goes beyond a single scan. It is a continuous process, which provides you with the knowledge about vulnerabilities and the associated risk to your organization at any given time. In other words, think of having a database containing all your assets and their vulnerabilities that is always up-to-date. If a new vulnerability makes the front page of The New York Times, you know the data you need is already there. No need to do ad hoc vulnerability scanning under extreme time pressure.
Besides regular vulnerability scans, technologies like real-time vulnerability monitoring and Nessus Live Results can help you get an always up-to-date view of your infrastructure.
2. Think from a business perspective when defining the scope of your vulnerability assessment
If you’re reading this blog post, there is a good chance that you are a security engineer and security engineers, of course, deal with technical matters. However, for a successful vulnerability assessment, you need to take a step back and look at the company’s assets from a business perspective. Which assets does the company rely on for revenue? Where is critical data, such as customer or personally identifiable information (PII), stored? Which systems are publicly available (e.g., web apps)? These are important assets when defining the scope of your assessment.
Also, be sure to consider:
- Desktops and laptops: Even if you have a golden image, you will be surprised how diverse your clients are and what you will find on them.
- Assets like test systems, connected devices (TV screens, projectors, IoT, etc.) or cloud assets: They might not be the actual target of an attack, but could be the weakest link, allowing an attacker to break into your network.
In practice, it will not be enough to have a single vulnerability scanner to cover all these assets. You will need sensors in many parts of the network to cover the entire attack surface. All these sensors will then send their data to a central instance, where the data is aggregated, deduplicated and prioritized.
3. Master asset management
Technically speaking, a vulnerability assessment delivers vulnerabilities against a list of IP addresses or host names. We all tend to jump to the actual vulnerabilities as fast as possible. After all, it is a vulnerability assessment. But it is worth taking the time to first turn these anonymous IP addresses into assets by adding context. This context will vary, but here are a couple of guidelines:
- Divide IP addresses into meaningful groups, such as: workstations, web servers, business-critical systems, hosts in the DMZ, Windows or Linux machines, etc.
- Add information, such as stakeholders, system owners, geographical location, etc.
- Consider business criticality. Add information mentioned in the previous section to organize the priority with which the assets should be assessed and fixed.
This context will help you make sense of the wealth of information delivered after an assessment – and save you a lot of time. You will be able to see immediately what a system is, how important it is and who is responsible for it (i.e., who will mitigate the vulnerabilities).
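The following is an added example, not code from the original post or from Nessus, showing the central instance described in tips two and three: findings from several sensors are merged and deduplicated, each IP is enriched from an asset inventory (group, owner, site, business criticality), and the result is ranked so the most important systems surface first. The inventory, findings and the simple severity-times-criticality score are all constructed assumptions for the illustration.

```python
# Constructed asset inventory: the context that turns a bare IP into an asset.
# criticality: 1 = low, 2 = medium, 3 = high business impact if compromised.
ASSETS = {
    "10.0.1.10": {"name": "www-1", "group": "web servers (DMZ)", "owner": "web-team",
                  "site": "Berlin", "criticality": 3},
    "10.0.2.25": {"name": "ws-025", "group": "workstations", "owner": "it-desktop",
                  "site": "Berlin", "criticality": 1},
    "10.0.3.5": {"name": "erp-db", "group": "business-critical", "owner": "erp-ops",
                 "site": "Munich", "criticality": 3},
}
# Constructed raw output from two sensors. The DMZ host is reachable from both,
# so the same finding arrives twice and must be deduplicated.
FINDINGS = [
    {"sensor": "scanner-dmz", "ip": "10.0.1.10", "vuln": "VULN-A", "severity": 4},
    {"sensor": "scanner-core", "ip": "10.0.1.10", "vuln": "VULN-A", "severity": 4},
    {"sensor": "scanner-core", "ip": "10.0.2.25", "vuln": "VULN-B", "severity": 4},
    {"sensor": "scanner-core", "ip": "10.0.3.5", "vuln": "VULN-C", "severity": 2},
    {"sensor": "scanner-core", "ip": "10.0.9.9", "vuln": "VULN-D", "severity": 3},
]
# Hosts missing from the inventory get medium criticality and a loud label, so the gap is visible.
UNKNOWN = {"group": "UNINVENTORIED", "owner": "unassigned", "site": "?", "criticality": 2}


def aggregate(findings, assets):
    """Merge sensor output, drop duplicates, attach asset context, rank by risk."""
    merged = {}
    for f in findings:
        entry = merged.setdefault((f["ip"], f["vuln"]), {"severity": 0, "sensors": set()})
        entry["severity"] = max(entry["severity"], f["severity"])  # keep the worst rating
        entry["sensors"].add(f["sensor"])
    rows = []
    for (ip, vuln), entry in merged.items():
        asset = assets.get(ip, {"name": ip, **UNKNOWN})
        rows.append({
            "ip": ip, "name": asset["name"], "group": asset["group"], "owner": asset["owner"],
            "site": asset["site"], "vuln": vuln, "severity": entry["severity"],
            "sensors": sorted(entry["sensors"]),
            # Simple risk score (an assumption): scanner severity weighted by business criticality.
            "risk": entry["severity"] * asset["criticality"],
        })
    # Highest risk first; tie-break on IP keeps the order deterministic.
    return sorted(rows, key=lambda r: (-r["risk"], r["ip"]))


if __name__ == "__main__":
    for r in aggregate(FINDINGS, ASSETS):
        print(f'{r["risk"]:>3} {r["name"]:<10} {r["owner"]:<11} {r["vuln"]} via {",".join(r["sensors"])}')
```

Note how the workstation finding with the same scanner severity as the DMZ finding drops to the bottom once business criticality is applied, while the uninventoried host stays visible as an inventory gap.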
4. Plan when to use credentialed versus non-credentialed scans
There are two kinds of vulnerability scans: credentialed and non-credentialed. In the first case, the vulnerability scanner has credentials for the system to be scanned and thus gets an inside view of it. In the latter case, the scanner has an outside view of it, which is the same view a potential attacker would have. While both scan types have their merits, credentialed scans are more accurate and complete.
Think about this: A scanner which has access to a system can see what system it is, what software is installed, what processes are running, which ports are open and much more. A scanner that sees the system only from the outside has to work with the limited information available. If the system in question has many open ports and many services running, the resulting information may be quite accurate. But, if this is not the case, the scanner may have to guess (e.g., what kind of system it could be). By taking the guesswork out of scanning, you get more accurate information in every respect, and your asset classification (see tip number three) will be complete and precise.
If credentialed scans are not an option, agents are an alternative that delivers the same information. Unlike an antivirus scanner, an agent generates hardly any system load at all, and normally does so only for a couple of minutes per day.
5. Develop a smart scanning strategy
Vulnerability scans can’t be both fast and comprehensive at the same time. You either do a fast scan, which delivers less data (e.g., the system is up and its operating system) or an in-depth scan, which takes some time, but delivers all the information you ever wanted to know. However, by defining a good scanning strategy, you get the best of both worlds.
A useful starting point is to define daily discovery scans, which show – as the name suggests – which devices on the network are up and running. The best practice is to do this scan against all IP address ranges in your network, but leave out all the hosts known from previous scans.
Second, define a weekly full vulnerability scan against all systems found by the discovery scan, plus all previously known systems. This scan produces the actual system information and vulnerability data. Because it runs against known targets rather than entire IP address ranges, time-consuming port scanning is done only for hosts that are up and running. This massively reduces the time required for the scan while delivering complete and precise results.
Using a passive vulnerability monitor in addition to active scanning can further help to fill in the gaps between the scans with real-time vulnerability information.
If scans take too long, consider adding more scanners to load-balance the scans between them.
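The two-tier strategy above, as an added example that is not part of the original post or of any Nessus feature: daily discovery sweeps the configured ranges minus already-known hosts, hosts that answer are fed into the asset database, the weekly full scan targets only that host list, and the list is split round-robin across several scanners. The ranges, the known-host set and the per-day discovery results are constructed stand-ins for what a real scanner would return.

```python
import ipaddress

# Constructed address ranges the daily discovery scan sweeps.
RANGES = ["10.0.1.0/29", "10.0.2.0/30"]
# Constructed asset database: hosts that earlier scans already found.
KNOWN = {"10.0.1.1", "10.0.1.2", "10.0.2.1"}
# Constructed stand-in for discovery results: which addresses answered on each day.
# A real run would get this from the scanner; here it is fixed so the plan is checkable.
UP_BY_DAY = [{"10.0.1.4"}, set(), {"10.0.2.2", "10.0.1.4"}]


def discovery_targets(ranges, known):
    """Daily discovery scan: every address in the ranges except already-known hosts."""
    return [str(ip) for net in ranges for ip in ipaddress.ip_network(net).hosts()
            if str(ip) not in known]


def run_week(ranges, known, up_by_day):
    """Simulate the daily discovery loop and build the weekly full-scan target list.
    Returns (full_scan_targets, addresses_swept) so the saving is visible."""
    known = set(known)
    swept = 0
    for up in up_by_day:
        targets = discovery_targets(ranges, known)
        swept += len(targets)
        # Only hosts that actually answered enter the asset database.
        known |= set(targets) & up
    # The full scan goes against known hosts, never against whole ranges.
    return sorted(known, key=ipaddress.ip_address), swept


def split_across_scanners(targets, scanner_count):
    """Round-robin the target list over several scanners to cut wall-clock time."""
    return [targets[i::scanner_count] for i in range(scanner_count)]


if __name__ == "__main__":
    full, swept = run_week(RANGES, KNOWN, UP_BY_DAY)
    print(f"addresses swept by discovery: {swept}")
    print(f"hosts for weekly full scan: {full}")
    for n, chunk in enumerate(split_across_scanners(full, 2), 1):
        print(f"scanner {n}: {chunk}")
```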
Keeping these steps in mind will ensure that the result will be an effective and successful vulnerability assessment process.