Many cyber attacks take advantage of basic, often unnoticed security vulnerabilities, such as poor patch management procedures, weak passwords, Web-based personal email services, and the lack of end-user education and sound security policies. This makes an effective vulnerability assessment a critical first step in the effort to protect data.
Even the most secure network is likely to have some unknown vulnerabilities. Vulnerability scanners are useful tools for identifying hidden network and host vulnerabilities. However, for many organizations, vulnerability assessments are highly technical and are carried out mostly for compliance purposes, with little connection to the organization’s business risks and executive security budget decisions.
Vulnerability assessments typically identify thousands of granular vulnerabilities and rate them according to technical severity, rather than taking into account the affected business and its mission-critical processes. They can also report the same underlying weakness several times, once per host or per detection plugin, recommending separate patches and upgrades when a single fix (for example, updating one shared library or component) would resolve all of them.
Ideally, a sound security strategy should tie business impact and an organization’s overall security strategy to the results of a vulnerability assessment, enabling an understanding not only of where true business risks lie, but also of which vulnerabilities should be addressed first and how to address them effectively.
A vulnerability assessment is the process of running automated scanning tools against defined IP addresses or IP ranges to identify known vulnerabilities in the environment. The vulnerabilities found typically include unpatched or misconfigured systems. Note that an unauthenticated scan sees only what is exposed on the network, while a credentialed scan can also check installed software versions and local configuration, so the two produce different pictures of the same host.
A penetration test goes further: with the organization's authorization, the tester attempts to exploit the vulnerabilities identified to escalate privileges, gain control of the network, or reach sensitive data, demonstrating what an attacker could actually achieve rather than what a scanner reports as possible. Experienced penetration testers also exploit systems' vulnerabilities manually, including ones that automated tools miss or cannot chain together.
The first step to providing business context is to identify and understand your organization’s business processes, focusing on those that are critical and sensitive in terms of compliance, customer privacy, and competitive position. There is no way for IT to do this in a vacuum. In many organizations, it requires collaboration between IT and representatives of the business units, the finance department and legal counsel. Many organizations put together security strategy task forces with representatives from each department, who work together for several weeks to analyze business processes and the information and infrastructure they depend on.
Once the business processes are identified and ranked in terms of mission criticality and sensitivity, the next step is to identify the applications and data on which those mission-critical processes depend. Again, this can be accomplished only through collaboration between IT and other business players. From extensive collaborative discussions, you may discover applications that are much more critical than expected. For example, email may be an absolutely critical application for one department, but not critical at all for many others.
When searching out applications and data sources, make sure you take into account mobile devices such as smartphones and tablets, as well as desktop PCs. Collectively, these devices often contain the most recent, sensitive data your organization possesses. Work with the business units to understand who is using mobile devices for accessing and sharing corporate applications and data. Understand the data flows between these devices and data center applications and storage. Find out if your business users are sending business emails over public email services such as Gmail or Yahoo mail. Another often hidden category to investigate is your software development and test environment, which is typically less tightly controlled than production. Software developers and testers often use current, sometimes mission-critical data to test new and upgraded applications, so a development server can hold production-grade data behind development-grade protections.
Continue working down the layers of infrastructure to identify the servers, both virtual and physical, that run your mission-critical applications. For Web/database applications, you may be talking about three or more sets of servers—Web, application and database—per application. Identify the data storage devices that hold the mission-critical and sensitive data used by those applications.
Develop an understanding of the routers and other network devices that your applications and hardware depend on for fast, secure performance.
Note the security and business continuity measures you have already put in place—including policies, firewalls, application firewalls, intrusion detection and prevention systems (IDPS), virtual private networks (VPNs), data loss prevention (DLP) and encryption—to protect each set of servers and storage devices hosting mission-critical applications and data. Understand the key capabilities of these protections, which vulnerabilities they address most effectively, and which they do not: a web application firewall in front of a web tier, for example, does nothing for an unpatched database service listening on the internal network. This may require some fairly extensive research, including reading vendor documentation and independent product reviews, and speaking with security company representatives.
Only when you’ve understood and mapped out your application and data flows and the underlying hardware, network infrastructure, and protections does it actually make sense to run your vulnerability scans.
Your scanner will produce long lists of host and application vulnerabilities with severity ratings, but those ratings (CVSS base scores, for example) measure the technical characteristics of a flaw in isolation. They know nothing about which business process the affected host supports, whether it is reachable from the internet, or what protections already sit in front of it, so it is up to you to supply your organization's business and infrastructure context. Deriving meaningful and actionable information about business risk from vulnerability data is a complex and difficult task. After evaluating your staff's level of knowledge and workload, you may determine that it would be helpful to partner with a company that is well-versed in all aspects of security and threat assessment. Whether undertaking this task internally or getting outside assistance, your results need to be analyzed to determine which infrastructure vulnerabilities should be targeted first and most aggressively.
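The two problems described above, duplicate findings that share one root cause and severity ratings that ignore business context, can be handled in a short post-processing step once the asset map from the business-process review exists. The script below is an added example, not code from the original article or from any scanner vendor. It assumes a scanner export has already been reduced to flat finding records, and that the review produced a table mapping each host to the business process it supports, a criticality rating, its internet exposure, and the existing controls in front of it. All finding IDs, hosts, package names and weighting factors are constructed placeholders.

```python
"""Rank scanner findings by business context, grouping by root cause.

Added example; not part of the original article. Scoring weights and all
sample data are assumptions chosen for illustration.
"""
from collections import defaultdict

# Constructed scanner output. IDs and causes are placeholders, not real
# plugin IDs or advisories. Note the same root cause (an outdated OpenSSL
# build) reported three times, once per host.
FINDINGS = [
    {"id": "F-1", "host": "web-01", "cvss": 9.8, "cause": "openssl-outdated", "layer": "network"},
    {"id": "F-2", "host": "web-02", "cvss": 9.8, "cause": "openssl-outdated", "layer": "network"},
    {"id": "F-3", "host": "dev-03", "cvss": 9.8, "cause": "openssl-outdated", "layer": "network"},
    {"id": "F-4", "host": "web-01", "cvss": 7.5, "cause": "sqli-orders-app", "layer": "web"},
    {"id": "F-5", "host": "db-01", "cvss": 6.5, "cause": "db-default-creds", "layer": "network"},
    {"id": "F-6", "host": "kiosk-09", "cvss": 9.1, "cause": "smb-unpatched", "layer": "network"},
]

# Constructed asset map from the business-process review:
# host -> (business process, criticality 1..5, internet exposed?).
ASSETS = {
    "web-01": ("order-processing", 5, True),
    "web-02": ("order-processing", 5, True),
    "db-01": ("order-processing", 5, False),
    "dev-03": ("order-processing", 4, False),  # dev box holding copied production data
    "kiosk-09": ("lobby-signage", 1, False),
}

# Existing protections per host: control name -> (finding layer it covers,
# fraction of risk it is credited with removing). Assumed values.
CONTROLS = {
    "web-01": {"waf": ("web", 0.6)},
    "web-02": {"waf": ("web", 0.6)},
}


def business_score(finding):
    """Scale the raw CVSS by criticality, exposure and matching controls."""
    _process, criticality, exposed = ASSETS[finding["host"]]
    score = finding["cvss"] * (criticality / 5)
    if exposed:
        score *= 1.5  # assumed uplift for internet-reachable hosts
    for _name, (layer, credit) in CONTROLS.get(finding["host"], {}).items():
        if layer == finding["layer"]:  # a WAF only helps web-layer findings
            score *= 1 - credit
    return round(score, 2)


def prioritise(findings):
    """Collapse findings by root cause and rank by the worst business score."""
    groups = defaultdict(list)
    for f in findings:
        groups[f["cause"]].append(f)
    items = []
    for cause, group in groups.items():
        items.append({
            "cause": cause,
            "priority": max(business_score(f) for f in group),
            "hosts": sorted(f["host"] for f in group),
            "processes": sorted({ASSETS[f["host"]][0] for f in group}),
            "findings": len(group),
        })
    items.sort(key=lambda i: (-i["priority"], i["cause"]))
    return items


if __name__ == "__main__":
    for item in prioritise(FINDINGS):
        print(f'{item["priority"]:6.2f}  {item["cause"]:18s} '
              f'{item["findings"]} finding(s) on {", ".join(item["hosts"])} '
              f'[{", ".join(item["processes"])}]')
```

Run as written, the three OpenSSL findings become one remediation item at the top of the list, while the CVSS 9.1 finding on the lobby kiosk drops to the bottom because nothing critical depends on that host. The weights are deliberately simple; the point is that criticality, exposure and existing controls come from the review described in the preceding steps, not from the scanner.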