The term vulnerability assessment applies to a broad range of systems. For example, in the context of a disaster recovery plan, the vulnerability assessment would include the likelihood of flooding, earthquakes, and other potential disasters.
In the digital sphere, a vulnerability assessment is an evaluation of an organization’s cybersecurity weaknesses. This process includes identifying and prioritizing specific computer configuration issues that represent vulnerable aspects of an organization’s computing platforms.
The Institute for Security and Open Methodologies (ISECOM) http://www.isecom.org/research/) publishes the Open-Source Security Testing Methodology Manual that documents the components of a vendor neutral approach to a wide range of assessment methods and techniques. A vulnerability assessment project typically includes the following:
- Inventory of computing assets and networked devices
- Ranking those resources in order of importance
- Identification of vulnerabilities and potential threats
- Risk assessment
Prioritized remediation plan vulnerability assessment starts with an inventory of computer systems and other devices connected to the network. Once the items on the network have been enumerated, the network is scanned using an automated tool to look for vulnerabilities. There are two types of scans: credentialed and non-credentialed. A credentialed scan uses domain admin credentials to obtain detailed inventories of software applications on each of the computers. This method provides the security team with the information necessary to identify operating system versions and required patches.Often overlooked, a company’s website should be part of a comprehensive vulnerability assessment.
The Open Web Application Security Project (OWASP) maintains a list of the top-10 vulnerabilities most commonly found on websites. Surprisingly, many websites fail to properly implement user authentication and data input checking. These types of vulnerabilities have the potential to expose corporate data to anyone with internet access. Performing a vulnerability assessment exposes these issues so they may be resolved.
The final output of a vulnerability assessment project is the prioritized remediation plan. This plan uses the results of the risk assessment to determine which vulnerabilities represent the greatest risk to the organization. The total list of vulnerabilities is often numbered in the hundreds, if not thousands. However, not all of the vulnerabilities are big problems requiring immediate attention. The prioritized remediation plan allows IT administrators to reduce corporate risk quickly by focusing on the most important weaknesses first.