If you wanted to discover where the security vulnerabilities in your systems are, there’s one powerful way to find out – experience an actual cyber attack with all the disruption and costs that come with it.
It’s far safer to have a proactive cyber attack resilience strategy – in which a vulnerability assessment has an effective role to play. If performed regularly, assessments provide knowledge of where security weaknesses may exist and will give you (and your customers) assurance that preventative action is being taken to help prevent an attack.
In this blog we look at why you need to carry out vulnerability assessments and why they are so important to your customers. We’ll also contrast a vulnerability assessment with a penetration test and discuss whether you should run them in-house – or engage with a provider.
What is a cyber security vulnerability assessment?
A vulnerability assessment is a technical scanning process to establish if there are potential ‘ways in’ to your network, systems, folders and files. It identifies the potential entry points to your business-critical information that often go unnoticed – but which a threat actor (or hacker) may use to compromise your security.
In the context of a computer network vulnerability assessment, it is a check of all the services operating on that network. It confirms whether there are any outstanding software patches which need to be installed or if there are any services which have known issues for which software updates have yet to be produced.
The assessment can also be useful in identifying what services are running and whether there are any you do not actually need, which can be turned off. The vulnerability assessment tool (itself a piece of software) will produce a report detailing its findings; the level of detail and the amount of useful (human readable) information provided will depend on the tool used.
In summary, a vulnerability assessment typically looks at computer systems, applications and network infrastructures. An assessment advises on the degree of vulnerability severity, and what steps must be taken to correct these in priority order.
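The three outcomes described above (an outstanding patch to install, a known issue with no vendor fix yet, and a service that is not needed and can be turned off) can be turned into a priority-ordered remediation list. The following is an added example, not Ascentor’s tooling or any real scanner’s output format: the findings, field names and severity scale are constructed for illustration.

```python
"""
Added example (not Ascentor's tooling): turn a vulnerability scan report
into a prioritised remediation list. The findings below are constructed
sample data; the field names are assumptions, not any real scanner's format.
"""
from dataclasses import dataclass

# Severity ranking: higher number = fix first.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}


@dataclass
class Finding:
    host: str
    service: str           # software name and version as reported by the scanner
    port: int
    severity: str          # one of SEVERITY_RANK
    patch_available: bool  # a vendor fix exists and is still outstanding
    required: bool         # the business needs this service (asset owner's answer)
    title: str


# Constructed sample report, in the shape an assessment tool might emit.
SAMPLE_REPORT = [
    Finding("fileserver01", "SMBv1", 445, "critical", False, False, "Legacy SMBv1 enabled"),
    Finding("web01", "Apache httpd 2.4.x", 443, "high", True, True, "Outdated web server build"),
    Finding("web01", "Telnet", 23, "high", False, False, "Cleartext remote administration service"),
    Finding("hr-db", "PostgreSQL 13.x", 5432, "medium", True, True, "Database patch outstanding"),
    Finding("printer07", "HTTP admin page", 80, "low", False, True, "Default banner discloses firmware version"),
]


def recommended_action(f: Finding) -> str:
    """Map a finding onto the three situations the assessment reports:
    a service that is not needed, an outstanding patch, or a known issue
    for which no vendor fix exists yet."""
    if not f.required:
        return "disable service (not needed)"
    if f.patch_available:
        return "install outstanding patch"
    return "no vendor fix yet: restrict access and monitor"


def prioritise(findings):
    """Order findings so the most severe come first; within one severity,
    unneeded services first (switching them off removes the exposure
    outright), then patchable issues, then issues awaiting a vendor fix."""
    def key(f):
        return (-SEVERITY_RANK[f.severity.lower()],
                0 if not f.required else 1 if f.patch_available else 2,
                f.host)
    return [(f.host, f.port, f.severity, f.title, recommended_action(f))
            for f in sorted(findings, key=key)]


def summary(findings):
    """Counts per severity level: the headline figure a report usually leads with."""
    counts = {}
    for f in findings:
        counts[f.severity.lower()] = counts.get(f.severity.lower(), 0) + 1
    return counts


if __name__ == "__main__":
    for row in prioritise(SAMPLE_REPORT):
        print(row)
    print(summary(SAMPLE_REPORT))
```

The `required` flag is the piece of information a scanner cannot supply on its own; it comes from the asset owner, which is why interpreting a report needs someone who knows which services the business actually depends on.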
And why do you need one?
Because you can’t rectify problems you aren’t aware of, and you cannot protect that which you do not know about. A vulnerability assessment will help you to identify and rectify weaknesses before they can be exploited. This is the key – to be informed, forewarned and prepared. Besides which, many organisations don’t have the time or the in-house knowledge to know what to check themselves or interpret the results with confidence.
A vulnerability assessment can reduce the likelihood of a cyber attack, which can be devastating and potentially close a business. To illustrate this, 23% of SMEs say they couldn’t survive for more than a month if unable to trade following a cyber attack (Gallagher Insurance cyber report). And a new global survey of Chief Information Security Officers (CISOs) by Proofpoint found that 64% feel at risk of suffering a material cyber attack in the next 12 months – from a number of threats. Both stats serve to highlight the impact and likelihood of an attack.
It’s what your customers expect
There is also more to it than ticking all the prevention boxes. Increasingly, customers expect to see vulnerability assessments or scans as a demonstration of cyber security best practice. In particular, members of the UK or US Government supply chains are coming under increasing pressure to prove they are taking appropriate, consistent and responsible cyber security action. They are well aware that a weak link can affect the security of the whole chain. Indeed, the supply chain security guidance issued by the National Cyber Security Centre (NCSC) starts with understanding the risks within the supply chain.
Therefore, a regular, independent vulnerability assessment will improve your cyber security standing and resilience as well as add to your ‘evidence bank’ to show you are a responsible supply chain member.
What do typical vulnerabilities look like?
If you are in IT, you’ll already be aware of this. For the benefit of concerned business owners who might be researching this topic, we’ll take a quick tour through network security and vulnerabilities.
Network security: Understanding what should be on your networks (i.e., having valid authorised access) is a key part of protecting your business. A network scan will identify potential network security risks – for example, open ports and poorly configured servers. A network scan may also identify incidents of ‘Shadow IT’ – where your people may have decided to create their own IT workarounds using IT and software you may not be aware of and don’t support.
Software vulnerabilities: Web and mobile apps account for the majority of risks to enterprise applications and are easy to exploit – but also to detect by way of an appropriate vulnerability scan. Software vulnerabilities can also exist through incorrect configurations in network or web applications.
How a vulnerability assessment differs from penetration testing
A vulnerability assessment and a penetration test (also known as a ‘pentest’) both have their uses. Both can be used by an organisation to check their security exposure is as intended or expected. If not, steps can be taken to resolve any identified issues. The essential differences between the two approaches are:
Vulnerability assessments: Use automated network security scanning tools to identify potential weaknesses and vulnerabilities. A vulnerability assessment can be quick to commission, relatively straightforward to manage and a cost-effective way to keep the most common cyber security threats at bay.
Penetration tests: Are a human-led activity, replicating the activities of a real-world hacker/threat actor. For this reason, a penetration test is often described as ‘ethical hacking’ – it demonstrates whether a vulnerability can indeed do the damage the identified weak spot suggests it can. Although a penetration test is thorough and ‘manual’ in its operation, it can be complicated to manage and is suited to the more security-aware and technically mature customer.
A vulnerability assessment and a penetration test are not either/or solutions. Both approaches have their value, depending on what the desired outcome is. Both approaches are critical aspects of making your business a difficult nut to crack and persuading a threat actor to move on to another, less resilient target.
How often should you have a vulnerability assessment?
Vulnerability assessments should be scheduled as part of an ongoing security management process – but any single assessment is only a snapshot of that moment in time. The more often they take place, the more likely you’ll be to maintain a high-level security posture for the devices and services that make up your network.
Ascentor suggest an assessment on a monthly basis – or more frequently, weekly if need be, depending on the needs of your business, your policies and budget. We also recommend additional vulnerability assessments whenever major changes are made to your network or systems, or when you are made aware of a major software vulnerability (these events are widely published in the media nowadays), to establish your potential exposure to newly identified threats.
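Because each assessment is only a snapshot, much of its value comes from comparing it with the previous one and with the list of assets you have authorised: that is how a network scan surfaces new open ports, ‘Shadow IT’ and unrecorded hosts (as described under network security above), and also confirms that earlier fixes actually landed. The following is an added example, not Ascentor’s tooling; the inventory and both scan snapshots are constructed sample data in an assumed `{host: {port: service}}` shape, not any real scanner’s output.

```python
"""
Added example (not Ascentor's tooling): compare two network-scan snapshots
with each other and with an asset inventory to show what a repeat
assessment reveals. All data below is constructed sample data in an
assumed {host: {port: service}} shape.
"""

# Authorised assets and the services each is expected to expose (constructed).
INVENTORY = {
    "web01": {443: "https"},
    "fileserver01": {445: "smb"},
    "hr-db": {5432: "postgresql"},
}

# Last month's scan snapshot (constructed).
SNAPSHOT_PREVIOUS = {
    "web01": {443: "https", 22: "ssh"},
    "fileserver01": {445: "smb", 23: "telnet"},
    "hr-db": {5432: "postgresql"},
}

# This month's scan snapshot (constructed): telnet has been closed, an
# unrecorded host has appeared, and a database port is now reachable on
# a web server.
SNAPSHOT_CURRENT = {
    "web01": {443: "https", 22: "ssh", 3306: "mysql"},
    "fileserver01": {445: "smb"},
    "hr-db": {5432: "postgresql"},
    "nas-marketing": {80: "http", 445: "smb"},
}


def exposures(snapshot):
    """Flatten a snapshot into a set of (host, port, service) tuples."""
    return {(h, p, s) for h, ports in snapshot.items() for p, s in ports.items()}


def compare_snapshots(previous, current, inventory):
    """Return what changed between two assessments and what is unauthorised."""
    before, after = exposures(previous), exposures(current)
    authorised = exposures(inventory)
    return {
        # Newly reachable since the last scan: configuration drift or new kit.
        "new_exposures": sorted(after - before),
        # Closed since the last scan: confirms remediation actually happened.
        "resolved": sorted(before - after),
        # Reachable but not in the inventory: shadow IT or undocumented services.
        "unauthorised": sorted(after - authorised),
        # Hosts the scan found that nobody has recorded as an asset.
        "unknown_hosts": sorted(set(current) - set(inventory)),
    }


if __name__ == "__main__":
    import json
    report = compare_snapshots(SNAPSHOT_PREVIOUS, SNAPSHOT_CURRENT, INVENTORY)
    print(json.dumps(report, indent=2))
```

The `unauthorised` list is the one that needs a human decision for every entry: either the inventory is out of date and should be corrected, or the service should not be there, which is exactly the judgement the in-house versus outsourced question below turns on.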
In-house vs outsourced
It is entirely possible to run a vulnerability assessment in-house, using software that’s available. However, the success of any vulnerability assessment is based on knowing which business critical assets to include – or exclude – and how to interpret the data and what to do, in order to address detected weaknesses.
For this reason, a managed process, with an experienced provider such as Ascentor, will remove any uncertainty and give you the confidence to satisfy yourselves, and your stakeholders, that you take cyber security seriously and are a responsible, reliable and effective member of their supply chains.
How Ascentor can help
Ascentor’s Managed Vulnerability Assessment is driven by your requirement to demonstrate regulatory/legislative compliance to your customers and partners or, alternatively, your need for peace of mind your exposure to risk is at an acceptable level, for you.
We can work as a part of your extended, independent team – managing the technical process and interpreting the results across your business. Find out more: Managed Vulnerability Assessment.