Blog home

4 steps to conducting a proper vulnerability assessment

By Samuel Bocetta
November 20, 2020

Two computer screens, headphones, and a cellphone
Photo by Farzad Nazifi on Unsplash

A vulnerability assessment is one of the most effective techniques for identifying possible security holes in your organization’s cybersecurity design.

Failing to conduct vulnerability assessments regularly can cause you to lose vital and sensitive information to cybercriminals, who have been targeting nonprofit organizations in greater numbers since the pandemic hit. This in turn can lead to catastrophic repercussions, such as loss of donors’ trust and negative brand publicity.

Sadly, most nonprofit organizations have never run even a single vulnerability assessment to identify and reduce their potential risk exposure. This is part of the reason why nonprofit websites have become such an appealing target for hackers.

In this article, we’ll cover what a vulnerability assessment is and the steps you’ll need to take to conduct a proper one.

What is a vulnerability assessment?

A vulnerability assessment (or vulnerability testing) is the systematic evaluation of potential and existing threats and flaws in your organization’s systems, networks, applications, hardware, and other parts of the IT ecosystem.

A comprehensive vulnerability test identifies, prioritizes, and assigns severity levels to the identified weaknesses, and then recommends whether to mitigate or remediate them.

Most vulnerability assessments are common in IT systems; they are not industry specific. For example, they can be conducted in energy supply, water supply, transportation, and communication systems, among others.

There are many tools used to conduct vulnerability assessments as well. One example is dynamic application security testing (DAST) tools, which will assess your applications while they are running to locate vulnerabilities that could be exploited. Another is static application security testing (SAST), which analyzes the source code of software and applications to detect security flaws.

The difference between vulnerability assessments and penetration testing

You cannot talk about vulnerability assessments without also mentioning penetration testing. Although both processes serve to protect a networked environment, they are not the same thing. The two terms are sometimes incorrectly used interchangeably.

In a vulnerability assessment, an exploitable flaw is identified and alleviated. The process is mostly automated to cover a wide variety of unpatched vulnerabilities.

Penetration testing, on the other hand, is a goal-oriented approach focused on simulating a real-life cyberattack to see how a hacker can breach defenses. This testing involves both automated tools and a human to mimic an attacker.

Penetration testing can help identify even the most minute security problem, such as unencrypted passwords and inadequate security settings. And because penetration testing is also a vulnerability test, it should be conducted regularly to ensure consistent IT and network security management.

The different types of vulnerability assessments

Vulnerability assessments can help you find potential exploits before hackers start snooping, ensure your systems remain up to date and patched, create a proactive focus on information security, and ultimately help your organization maintain its reputation.

There are various types of vulnerability assessments. They include:

Network-based assessment

As the name suggests, this scan helps pinpoint possible flaws on wired and wireless networks.

Database assessment

This assessment involves locating security loopholes in a database to prevent malicious attacks, such as distributed denial-of-service (DDoS), SQL injection, brute force attacks, and other network vulnerabilities.

Web application assessment

This scan involves a careful evaluation of web applications and their source code to find any security holes. The process can be done manually or automated.

Host-based assessment

This type of assessment examines any possible weaknesses or threats in server workstations and other network hosts. It also involves a meticulous examination of ports and services.

Wireless network assessment

This scan validates whether an organization’s wireless infrastructure is securely configured to prevent unauthorized access.

Steps to conducting a proper vulnerability assessment

1. Defining and planning the scope of testing

Before you begin conducting a vulnerability assessment, you need to establish a methodology:

  • Identify where your most sensitive data is stored.
  • Uncover hidden sources of data.
  • Identify which servers run mission-critical applications.
  • Identify which systems and networks to access.
  • Review all ports and processes and check for misconfigurations.
  • Map out the entire IT infrastructure, digital assets, and any devices used.

The idea here is to streamline the entire process.

2. Vulnerability identification

Conduct a vulnerability scan of your IT infrastructure and make a complete list of the underlying security threats. To achieve this step you’ll need to do an automated vulnerability scan as well as a manual penetration test to validate findings and reduce false positives.

3. Analysis

A scanning tool will provide you with a detailed report containing different risk ratings and scores for vulnerabilities.

Most tools use a CVSS (common vulnerability scoring system) to assign a numerical score. A careful analysis of these scores will tell you which vulnerabilities you’ll need to  deal with first. You can prioritize them based on factors such as severity, urgency, potential damage, and risk.

4. Treating the vulnerabilities

With the vulnerabilities identified and analyzed, the next step is to decide how you want to fix them. There are two ways to do this: remediation and mediation.

Remediation involves fixing a vulnerability fully to prevent any exploitation. You can achieve it through the fresh installation of security tools, a product update, or something more involved.

The vulnerability remediation process is based on the priorities set during the analysis phase and requires the participation of all stakeholders.

When there’s no proper fix or patch for an identified vulnerability, mitigation helps reduce the prospect of an attack. The option is used to buy time until remediation is possible.

Part of the mitigation process should include deploying additional tools to help reduce cybersecurity risks. For example, antivirus software can be used to identify and remove malware and other threats within your network. Reputable tools can accomplish this through a variety of measures, including real-time antivirus scanners, remote firewalls, and predictive artificial intelligence threat detection.

Conclusion

In an era when nearly all organizations are moving their most critical services online, effective cybersecurity approach is paramount. As part of this approach, your nonprofit organization should carry out vulnerability assessments consistently to ensure that any external threats are identified and dealt with earlier rather than later.

Tags: Technology