Vulnerability Assessments: Why Every Size Organization Needs Them
The complexity of modern enterprises and the increased interconnectivity among organizations create widespread opportunities for theft, fraud, and other forms of exploitation by offenders scanning your network for vulnerabilities to exploit.
Timely identification and remediation of network vulnerabilities is something every organization requires before outside attackers or disgruntled insiders exploit these weaknesses. The process of identifying vulnerabilities, evaluating the risk, remediation, and reporting is called vulnerability management. By using a formal vulnerability management process organizations are able to more efficiently find and fix security vulnerabilities within their networks.
Many organizations, however, resist undergoing regular vulnerability assessments. These resistors fall back on a false sense of security based on one or two fallacies:
- They’re a small company and/or they have nothing of value within their networks to hack into.
- They have installed appropriate firewalls, anti-virus software, intrusion detection systems and software patches.
Hackers are not much different than regular thieves: they want as little resistance as possible. Therefore, they seldom target a specific location or business. Instead they randomly search until they find vulnerabilities they can exploit. Just as the common burglar will scour a neighborhood until he finds a home with an open garage door, a hacker will send viruses and malware out into the cyber world until they find a hole in a network.
Hackers often exploit known vulnerabilities in network software that companies have neglected to patch. Some hackers will exploit SCADA holes in thousands of locations to infect critical infrastructure. Others have targeted the growing popularity of WordPress as a website platform, while the increasing use of cloud systems caused a 45 percent jump in cyberattacks two years ago.
The point is, you can no longer think hackers won’t breach your company’s network because of your size or perceived lack of valuable information. If there’s a way into your network, hackers will find you.
In fact, a survey done last year found that 31 percent of responding small businesses had suffered a breach, yet only 42 percent of respondents had invested resources in cybersecurity in the last year.
Even if your network is protected by firewalls, anti-virus software and intrusion-detection systems (IDS), your IT assets are still at risk of being attacked by network security threats that can enter through undetected or uncorrected vulnerabilities.
Firewalls only protect you from outside threats; they’re nearly powerless to stop malicious internal activity or rogue assets inside the firewall. Also, they are not designed to protect networks from vulnerabilities and improper system configurations.
An IDS is also limited in the fight against cyber threats. An IDS relies on signature files of known attacks, and sophisticated attacks can easily trick the system and penetrate networks. An IDS also will not protect against vulnerabilities exploited by remotely executed code.
A vulnerability assessment, on the other hand, goes much deeper into an organization’s specified hosts, network security and web applications. For example, IT Training Solutions has identified eight categories of vulnerabilities with multiple subcategories just for its web application assessment framework.
Depending on the scope, a comprehensive vulnerability assessment may test:
- Access control parameters
- The proper enforcement of an application workflow sequence
- Whether an authentication process can be bypassed
- To ensure somebody other than a user cannot intercept a password during reset
- Session management
- Web server configuration
- To ensure an application does not present error messages that could be used in an attack
- SSL versions, key exchange methods, algorithms, and key lengths
- Script, SQL, OS Command, and LDAP injections
Assessments also typically involve a complete sweep for active devices using ICMP and TCP ping sweeps; scanning for IP addresses with active device for open TCP and UDP ports; and scanning for common misconfigurations and implementation errors.
Constant changes in technology and business processes have reduced the effectiveness of automated vulnerability assessment. Deeper penetration testing is needed to augment existing vulnerability management processes, especially in light of the rising level of targeted attacks.