In today's threat environment, it's not just a good idea to conduct a cybersecurity vulnerability assessment, and to do so on a regular basis – it's a core requirement for any organization that wants to protect critical data and ensure that its networks and systems aren't exposed to cyberattacks.
Failing to do so can, simply put, spell the end of your company. According to IBM's 2018 Cost of a Data Breach study, the average total cost of a data breach is now $3.86 million (an increase of 6.4 percent over the 2017 study), with an average cost of $148 per lost or stolen record (up 4.8 percent over the previous year's study).
Get a free trial of Qualys' top-rated cloud security platform for finding and patching vulnerabilities across the cloud, on premises and mobile devices.
And companies are taking note. Renub Research expects the global vulnerability assessment market to reach $15 billion by 2024, attributing the expected growth to several factors, including increased cloud adoption, the growing threat of data theft, and a surge in the number of systems affected by regulatory requirements.
What is a vulnerability assessment?
Put simply, a vulnerability assessment is the process of identifying the vulnerabilities in your network, systems and hardware, and taking active steps toward remediation. The information gathered via vulnerability testing can be leveraged by IT and security teams to assess and improve your threat mitigation and prevention processes.
It involves identifying the systems on your network (including assessing which are most valuable and critical), identifying and scoring any vulnerabilities found on those systems, and prioritizing the remediation process to focus on the higher risk vulnerabilities that affect your most critical systems.
Ultimately, a vulnerability assessment helps you shift from a reactive cybersecurity approach to a proactive one, with an increased awareness of the cyber risks your organization faces and an ability to prioritize the flaws that most need attention.
Vulnerability assessment benefits
You can't fix the flaws you can't see – and the clearer your sense of your overall security posture, the better situated you are to improve it.
Conducting vulnerability assessments on a regular basis can put you one step ahead of the bad guys, identify holes in your security defenses yourself rather than waiting for them to be exposed by a breach, and can help you plug holes in your own security before threat actors discover them.
Beyond penetration testing or a simple vulnerability scan, a vulnerability assessment or vulnerability analysis doesn't just assess what gaps there may be in your security defenses or how easy it may be to breach your network – it provides an overall picture of your security posture, including what data may be particularly vulnerable, and helps you prioritize the risks that need immediate attention.
A vulnerability assessment can also provide more detailed and actionable information than may be available from a breach and attack simulation (BAS) tool, which automates the process of running simulated attacks on your systems to test your security posture. In many ways, BAS tools serve a different purpose from vulnerability assessments, and the two can work well in tandem to enhance your overall security.
In-house vs. outsourced
While the cost savings of conducting your own cybersecurity vulnerability assessment in-house may be attractive for many companies, it's hard to beat the expertise of a specialized provider.
For a larger company, particularly one with significant compliance requirements for data privacy and protection, it can make an enormous amount of sense to keep all testing in house, since an in-house team will come to the process with a detailed understanding of the systems being assessed, is available on the company's own schedule, and is able to conduct the assessment with an inherent understanding of the sensitivity of the data being protected.
On the other hand, most smaller companies can't maintain the level of expertise in-house that many third-party providers can offer. And regardless of company size, there are inherent benefits to getting a fresh perspective on your systems, sidestepping the familiarity that any in-house team will already have with the systems they're testing. A new set of eyes will almost always spot something new that your in-house team might not otherwise uncover.
The process: vulnerability assessment step by step
There are five steps to a good vulnerability assessment that will help you allocate your security resources as efficiently as possible.
You need to start by determining which systems and networks will be assessed (including mobile and cloud), identifying where any sensitive data resides, and which data and systems are most critical. Ensure that everyone involved has the same expectations for what the assessment will provide, and make sure that lines of communication will remain open throughout the process.
Next, actively scan the system or network, either manually or via automated tools, and use threat intelligence and vulnerability databases to identify security flaws and weaknesses and filter out false positives. Particularly with a first assessment, the number of vulnerabilities found can be overwhelming – which is where step three comes in.
A more detailed analysis then follows, providing a clear sense of the causes of the vulnerabilities, their potential impact, and the suggested methods of remediation. Each vulnerability is then ranked or rated based on the data at risk, the severity of the flaw, and the damage that could be caused by a breach of the affected system. The idea is to quantify the threat, giving a clear sense of the level of urgency or risk behind each flaw and its potential impact.
Finally, the vulnerability assessment results in an effort to patch key flaws, whether simply via a product update or through something more involved, from the installation of new security tools to an enhancement of security procedures. The ranking in step three will help prioritize this process, ensuring that the most urgent flaws are handled first. It's also worth noting that some flaws may have so little impact that they may not be worth the cost and downtime required for remediation.
Vulnerability assessments need to be conducted on a regularly scheduled basis, quarterly at least (ideally monthly or weekly), as any single assessment is only a snapshot of that moment in time. Having those snapshots or reports to refer to over a period of time will also give you a strong sense of how your security posture has developed, for better or for worse. And if major changes are made to your network or systems at any time, an additional vulnerability assessment is advisable.
Vulnerability assessment software
If you're conducting at least an initial vulnerability assessment in-house, which can be a logical first step even if you're planning to turn to a third-party vendor in the future, you have a wide range of software to choose from – eSecurity Planet's list of 10 open source vulnerability assessment tools is a good place to start, looking at popular options such as the following:
- OpenVAS, maintained by Greenbone Networks
- Nexpose or InsightVM (cloud-based), from Rapid7
- Retina CS Community, from BeyondTrust
- Burp Suite Community Edition, from PortSwigger
- Nikto, sponsored by Netsparker
- OWASP Zed Attack Proxy (ZAP)
Beyond open source, other leading security testing tools include the following:
- beSecure (AVDS)
- Comodo HackerProof
- Tenable Nessus Professional
- Tripwire IP360
Selecting a security service provider
If you're turning to a third-party vendor, an ever-growing range of providers and services are now offering vulnerability assessments. In choosing a provider, as with any vendor selection process, it's critical to take a proactive approach in screening potential vendors. Start by getting a sense of the depth of their experience (particularly with companies of your size and in your industry) and ensure that their service and reporting fully match your needs – including any regulatory compliance you require.
Regardless of whether you handle the assessment in-house or turn to an outside provider for guidance, the visibility into your security posture it can provide is invaluable.