Author: Realize Security
Why Run a Vulnerability Assessment?
Why run a Vulnerability Assessment?
- What is a vulnerability assessment?
- How do vulnerability assessments compare to a penetration test?
- What are the benefits of vulnerability assessments?
- What are the risks of vulnerability assessments?
- Who conducts a vulnerability assessment?
- How often should a vulnerability assessment be run?
- What is continuous vulnerability management?
- What is the difference between a vulnerability assessment and a penetration test?
- How do you prepare for a vulnerability assessment?
It is pretty common in security to hear recommendations to run vulnerability assessments, but what are they? In this post, we will discuss what a vulnerability assessment is, what is involved, why you might run them, and how to go about arranging an assessment.
As with our blog on Penetration Testing, this is not intended to be an exhaustive or complete blog that goes over every aspect of a vulnerability assessment! However it should give a good introduction if you’re not familiar with the concept, if you don’t quite get why they are so often recommended, or if you are wondering what you need to do to implement an assessment within your organisation.
What is a vulnerability assessment?A vulnerability assessment is a way of reviewing devices and networks for known weaknesses (vulnerabilities). These vulnerabilities range from known security bugs within outdated versions of software to flaws in a device’s configuration. Vulnerability assessments can be unauthenticated or authenticated; an unauthenticated assessment will generally find less and have a higher quantity of false positive detections whereas an authenticated assessment can do more to validate suspected findings as well as explore more of a device and/or network. Furthermore, some vulnerability scanners used in assessments can be augmented by agents that run on devices, which can help gather more accurate data and report findings continually.
Vulnerability assessments can be run as a single activity, identifying key areas for the business to focus on and potentially highlighting gaps or corner cases in an organisations existing security management approach and process. However, vulnerability assessment can be most useful when run as a continuous activity, serving to constantly check the status of an organisations network, discover new devices, and help ensure continual security and conformity by identifying unaddressed vulnerabilities and misconfigurations as and when they occur. This continual awareness, alongside specific tests such as penetration testing and configuration reviews, aim to support the organisation and enable its continued operation.
How do vulnerability assessments compare to a penetration test?Vulnerability assessments generally rely on a high degree of automation through the use of vulnerability scanners. While this means that they can work faster and potentially cover more of an estate than a similarly scoped penetration test, it also means that the assessment does not practically attempt to fully validate or exploit its findings, nor does it try to chain exploits together or add organisational context to its actions.
In comparison, a penetration test will also attempt to link vulnerabilities together to prove risks to a device or network as an attack, with an awareness of what the implications of this attack are for the business. Penetration tests rely more heavily on the knowledge and guidance of a manual tester - our blog on "What is Penetration Testing" goes in to this in more detail - and can provide greater assurance that the whole system and its security controls are effective.
What are the benefits of vulnerability assessments?Where penetration testing takes a deeper view, identifying the paths an attacker might take through an organisation, a vulnerability assessment offers a broader view, looking at all of the devices within an organisation, checking their installed programs for known vulnerabilities, and identifying known errors in how they have been set up. While these checks may not go as deep as a penetration test or a configuration review might, the high degree of automation means that this activity is far cheaper, covers more ground, and ensures that the basics are addressed.
The outcome of a vulnerability assessment is normally a comprehensive report of all of the vulnerabilities that were found, detailing what and where each vulnerability was, their individual estimated severity, and suggestions on how the vulnerability should be addressed accounting for the advice of the vendor as well as industry best-practice. by For an organisation, a vulnerability assessment enables the Chief Information Security Officer and the security team to gauge how effective their process and controls are, and implement the fixes suggested within the report.
What are the risks of vulnerability assessments?Vulnerability assessments generally pose a low risk to the environment. While in some cases scanners do require configuration changes on devices in order to run, these changes are well understood and documented. When scanners are deployed on a permanent basis, these changes can be automated, scheduled to run either as part of an assessment or scanner, or ahead of them with the changes reverted once the assessment is completed.
Vulnerability scanners can generate a lot of traffic when running, as they attempt to list all of the installed programs and services on every computer within the scope of the assessment. However, this traffic is well within the ability of most networks - for instance, the typical bandwidth used by a scanner can be far less than streaming video. If your network doesn’t crash when watching YouTube, it should have more than enough capacity for a vulnerability assessment; and that’s before making any changes to reduce the scanners speed and rate of requests.
Most commercially available scanners allow for the detailed configuration of their networking, including limiting the amount of traffic generated, excluding potentially weaker devices such as SCADA, and even halting scanning if congestion or problems are detected. However this does not mean that they are risk free; older systems, legacy devices, or devices with bespoke networking configurations can sometimes suffer from issues such as network disconnections, degraded performance, and potentially downtime.
For these reasons, when commissioning a vulnerability assessment or implementing a continuous vulnerability assessment process, it is worth testing the scope and configuration of the scanners and specifically excluding known legacy or delicate devices. When scoped and implemented with the guidance of a consultant who is familiar with the scanner, the potential risks of a vulnerability assessment can be reduced or mitigated.
Who conducts a vulnerability assessment?A singular vulnerability assessment would be conducted by a security specialist who has experience in using the vulnerability scanner. This aims to ensure that the scanning process is appropriate for the environment - not just from the perspective of minimising or mitigating the potential risks to the organisation, but also to ensure that the scanner provides appropriate coverage and detail.
However, when implemented in a more continuous role, after an initial run of testing the implementation within the pre-existing estate, the process of vulnerability scanning can be left as a wholly automated activity. From here, the organisation would need only to update the scanner when new devices are added or the network configuration is changed, and monitor the reports generated to ensure that devices are authenticating as expected without connectivity failure which may indicate stability issues.
How often should a vulnerability assessment be run?As with any other security activity, vulnerability assessments can be run as a standalone project, with a set scope that is acted on once. This can be useful, especially in organisations who have a large quantity of legacy devices and/or organisations who have not yet conducted many security activities.
Vulnerability assessments complement an existing security program, including penetration testing. Even when this is a one-off, ensuring that a broad vulnerability assessment has highlighted the low hanging fruit within an environment can ensure that a penetration test is able to focus on potentially more severe issues which pose a specific risk to the business, rather than getting bogged down in more generic issues which can be quickly identified and actioned.
Running a vulnerability assessment on a regular basis with a similar cadence to penetration testing is a good approach; it provides year on year metrics to demonstrate the organisations security approach, and allows senior leadership to decide on an appropriate strategy. However, due to the high speed and low cost of vulnerability assessment, it can be worth consider a far quicker cadence - either quarterly (as required by PCI DSS), or even continuous.
What is continuous vulnerability management?
Continuous vulnerability management is where an organisation runs vulnerability scanners constantly, continuously assessing and tracking their devices and networks for vulnerabilities as and when they occur.
Vulnerabilities do not appear on a set schedule - they occur as vendors and organisations learn of exploits, as researchers uncover new methods of breaking in to systems, and as individuals work to fix and patch bugs. As such, scanning on a set cadence such as quarterly or annually can delay an organisations response, in turn increasing the organisation’s attack surface CIS-7 and the window of opportunity for attackers.
Most scanners are updated as soon as their vendor is made aware of a new vulnerability, meaning that even before an official fix is made available, the organisation is able to respond. For instance, while it may take Microsoft time to write, test, and release a fix for a local privileged escalation vulnerability in Exchange Server, as soon as the scanner reports the presence of it within the organisation, the security team can immediately work to restrict direct access to the host and knows to specifically monitor or increase the alerting and logging. This results in a more proactive organisation stance, where the security team and leadership are able to anticipate and act to reduce the attack surface of the network before attackers can test it.
In addition, the process of regular vulnerability assessments, whether annual or continuous, means that an organisations leadership and security team can track performance and begin to use the output of the vulnerability assessments as a key performance indicator. Reports can be used to identify and drive process improvements, whether it’s encouraging the use of automated patch management, helping to ensure that the build process for gold images is free from misconfigurations, or highlighting training opportunities and cultural improvements for users.
What is the difference between a vulnerability assessment and a penetration test?To benefit from the speed and low cost of a vulnerability assessment, it is worth including as much of the organisation as possible. Typical vulnerability assessments include the whole internal network of an organisation, both on-premise and cloud, as well as external services such as websites, VPN endpoints, and APIs.
It can be worth engaging with a specialist when determining the scope, in order to reduce the risk of issues arising from the assessment process itself, and to ensure that the scope can be appropriately assessed by the tooling.
How do you prepare for a vulnerability assessment?As with every security assessment, it is important that the organisation has a clear, written document which specifies the scope of the test, as well as the objectives of the assessment. This ensures that there is sufficient legal cover to differentiate the assessment from just criminal hacking, but also serves to direct the activities within the assessment.
Whether the vulnerability assessment is a one-off or the first of a continuous assessment process, the same broad questions should be answered:
- What is the ultimate goal of the process?
- What does this in turn require from our team?
- What devices, networks, and applications should be thus included?
- What, if any, devices, networks and/or applications should not be included?
- Will the intended objectives and scope require authentication?
- Will this require additional configuration changes to the devices or networks?
- How will the organisation process the subsequent reports?
Hopefully this blog has answered why you might run a vulnerability assessment, what you should consider when you run one, how they differ from other security activities, and how they might fit in as part of your organisation’s wider security process.
If you are interested in a vulnerability assessment, in implementing a system of continuous vulnerability assessment within your own organisation, have any further questions, or would like to enquire about Realise Security’s other services, please contact us to see how we can best support your organisation.
Thanks for reading.
The Realize Security Team.