Most often, cybersecurity professionals don’t know how to approach a vulnerability assessment, particularly when it comes to handling the results from automated vulnerability assessment report. This process can be of immense value to an organisation.

Aside from the information discovered from the vulnerability assessment results, the process itself is an excellent opportunity for the organisation to get a strategic view regarding possible cybersecurity threats. To get real business value from vulnerability assessment, the organisation need to understand how to fit the right pieces together.

The Four-Step Guide to Vulnerability Assessment

To start an effective vulnerability assessment, here is a proposed four-step method to consider, whether you are using an automated or manual tool.

1. Initial Assessment

Business, Technology, Internet and network concept. Young busine

At this first stage, the organisation need to identify the business assets within scope for assessment and define the risk for each asset (based on business criticality ranking of each asset), such as a security assessment vulnerability scanner. To derive any business value from the assessment, it’s important to identify at least the importance of the assets that the business has their network or at the least a drawn-up list of assets that the company will want to test.

Furthermore, the organisation should have an understanding of the strategic factors, and have a clear understanding of details, including:

  • Senior Management Risk appetite
  • Risk tolerance level
  • Risk mitigation practices and policies for each asset
  • Residual risk treatment approach
  • Countermeasures for each asset or service (if the function is correlated with the asset)
  • Business impact analysis

2. Define System Baseline

In the second stage, you should gather information about the systems within scope before the vulnerability assessment commences. Additionally, you should review if the device has open ports, processes and services that shouldn’t be opened. Likewise, understand the approved drivers and software (that should be installed on the device) and the baseline configuration of each device (if the device is a network perimeter device, it shouldn’t have a default administrator username configured, and all unused services should be disabled).

To understand what sort of public information should be accessible based on the configuration baseline, you should perform “banner grabbing” of the asset in question for further analysis. Does the device send logs into a security information and event management (SIEM) platform? Are the logs at least stored in a central log repository? Perform public information gathering and vulnerabilities status regarding the device platform, version, vendor and other relevant details.

3. Perform the Vulnerability Scan

Scam Virus Spyware Malware Antivirus Concept

Thirdly, after defining your system baseline, you should use the right policy on your vulnerability scanner to achieve the desired results. Before starting the vulnerability scan, you should look for any compliance requirements based on your organisation’s security posture and business security strategy, and know the best time and day to perform the scan. It’s important to recognise your industry context and determine if the scan can be performed all at once or if segmentation is required. One crucial step is to re-define the goals and get the approval of the policy for the vulnerability scan to be accomplished organisation wide.

For the best results that fit the desired outcome, use interrelated tools and plug-ins on the vulnerability assessment platform, such as:

  • Best scan type (i.e., popular open ports)
  • CMS web scan (Joomla, WordPress, Drupal, general CMS, etc.)
  • Quick Scan
  • Most common ports best scan (i.e., 65,535 available ports)
  • Firewall scan
  • Stealth scan
  • Aggressive scan
  • Full scan, exploits and distributed denial-of-service (DDoS) attacks
  • Open Web Application Security Project (OWASP) Top 10 Scan, OWASP Checks
  • Payment Card Industry Data Security Standard (PCI DSS) preparation for web applications

In the event that you need to perform a manual scan for the critical assets to ensure the best results, be sure to configure the credentials on the scanner configuration to deliver a better and more in-depth vulnerability assessment (if the credentials are shared with the team).

4. Vulnerability Assessment Report
A woman use a digital tabler, PDA, to check folders

The fourth and most crucial step in this process is the final vulnerability assessment report creation. Pay attention to the details of weaknesses identified and try to add extra emphasis to any remediation recommendations part of the report. To get real value from the final report, add recommendations based on the initial assessment goals.

Also, add risk mitigation techniques based on the criticality of the assets and scan results. Add any findings related to the possible gap between the results and the system baseline definition (deviations in any misconfiguration and discoveries made in the scan), and recommendations to correct the aberrations and mitigate possible vulnerabilities. Findings of the vulnerability assessment usually are beneficial to the organisation and are ordered in a way to ensure the understanding of the scan outcome.

However, it’s vital to keep the following details in mind and realise that high and medium vulnerabilities should have a detailed report that include:

  • The name of weakness
  • The date of discovery
  • The score, based on Common Vulnerabilities and Exposures (CVE) databases
  • A detailed description of the vulnerability
  • Details regarding the affected systems
  • Details regarding the process to correct the weakness
  • A proof of concept (PoC) of the vulnerability for the system (if possible)
  •  A blank field for the owner of the vulnerability, the time it took to correct, the next revision and countermeasures between the final solution.

At the end of step 4, you are equipped with this basic list when performing a vulnerability assessment, the recommendations phase will reflect a complete understanding of the security posture in all the different aspects of the process. It will also deliver a better business outcome for something that, in most cases, is a just a compliance tool.

Posted by Dan K Jatau Sr. MSc, PhD, MBCS, MInstLM

Dan K Jatau is a Nottingham, UK-based Information security and technology infrastructure expert and researcher who likes to write about technology subjects from both a business and technical perspective. His current interests are business-driven security architectures, identity and access, the Cloud, virtualization security and all aspects of security. He currently works in security program development and architecture and develops enterprise security programs for SMEs.