The vulnerability assessment process

The number of vulnerabilities has skyrocketed in recent years, and organizations around the globe are still puzzled over how to conduct a successful vulnerability assessment. To answer this, you need to understand what you are aspiring to achieve with a vulnerability assessment so you can shape your vulnerability assessment process to fulfill that need.


What is the vulnerability assessment process, and what is its purpose?

It's apparent that the objective of vulnerability management is to keep the risks to your IT infrastructure under control at all times. As a crucial part of the vulnerability management life cycle, a vulnerability assessment helps you qualify the risks vulnerabilities present to your ecosystem so you can prioritize issues that are of serious consequence and need immediate attention at any given point of time.

Let's get into the specifics of the why and how of the vulnerability assessment process.

Why do you need a vulnerability assessment process?

A whopping 22,316 new vulnerabilities were disclosed in 2019, and exploits were revealed for over one-third of them. With attackers developing exploits within a week or so of public disclosures, organizations need to be swift in their remediation efforts.

However, every organization has its own patching limitations. With limited resources and not enough time on hand, it's impractical to have every Windows machine up to date with all the newly released patches the day after Patch Tuesday. Also, vulnerabilities don't pose equal risk. Some vulnerabilities are imminently exploitable and are even wormable without a hacker's instigation. Therefore, organizations should perform a risk-based vulnerability assessment to predict what in their infrastructure is likely to be exploited and what consequences might result.

For instance, assume your vulnerability scan identifies 1,000 vulnerabilities in your network at one time; patching them all at once is impractical, and patching randomly could leave highly critical flaws overlooked. But if you can cherry-pick those 100 serious vulnerabilities and patch them promptly, we’ll go out on a limb and say you'll stand a fair chance against cyberattacks.

Key risk factors to consider when conducting a vulnerability assessment process

The goal of a vulnerability assessment is to prioritize high-profile vulnerabilities. The risk of a vulnerability generally corresponds to how exploitable it is and how big an impact it would have if exploited. While severity ratings and Common Vulnerability Scoring System (CVSS) ratings give you a superficial assessment of risk, there are a few key factors you need to investigate to truly understand the risks posed by a vulnerability:

  • Ease of exploit or compromise of the vulnerability (exploitability)
  • Type of actions an attacker can perpetrate upon exploiting the vulnerability (threat impact)
  • Number of assets affected and their criticality
  • Number of days a vulnerability has remained unpatched
  • Whether the vulnerability has been disclosed or exploited in the wild without a patch in place

How to conduct the vulnerability assessment process effectively, explained in 5 simple steps

Now that we've extracted the variables essential to rigorously assess your risk, let's discuss how they help you not just in directing your attention to the most alarming areas, but also in adopting the best possible course of action.

Understanding the exploitability of a vulnerability.

Knowing whether an exploit is publicly available for a vulnerability is pivotal to vulnerability prioritization. These are the vulnerabilities that need immediate attention, since the exploit is out in the wild and anyone could leverage it to break into your network and steal sensitive data. If you only patch vulnerabilities based on severity, you might miss out on other threatening vulnerabilities that are easily exploitable. Nine out of 12 publicly exploited vulnerabilities resolved by Microsoft last year were not rated Important. It's essential to regard exploit availability as the top priority in your vulnerability assessment process.

Determine how long a vulnerability has been lurking in your endpoint.

Once the vulnerability information is out, the clock starts ticking and the game is on between your security teams and threat actors. It's essential to keep track of how long severe vulnerabilities have been lurking within your endpoints. Also, a vulnerability that may seem less critical initially might prove to be fatal over time, since attackers eventually develop programs that can take maximum advantage of these flaws in ways you could never imagine. The best practice is to immediately resolve vulnerabilities that have an exploit available, as well as Critical ones. Vulnerabilities categorized as Important are more difficult to exploit but should nevertheless be remediated within 30 days. Any vulnerability considered lower priority than Critical or Important should be remediated within 90 days.

Implement work-arounds to mitigate vulnerabilities that don’t have a patch available.

If a patch is available for a vulnerability, you can immediately apply the patch to fix the flaw, but make sure to test the patch before deployment to ensure it doesn't introduce unexpected issues. But there are instances when a patch isn't available for a highly critical vulnerability. It's important to stay vigilant about these vulnerabilities and take the appropriate measures to safeguard your assets. Let's discuss a couple of such cases that need to be attended to as early as possible.

Case 1: Zero day vulnerabilities

There are instances where a vulnerability gets exploited in the wild even before the vendor gets to know about it. What's worse is that an exploit is out while a patch to fix the flaw isn't available. In such scenarios, your best bet is to harden the security of your IT ecosystem or isolate the affected system/application until a patch or workaround is available. Learn the best practices you can implement now to harden your environment against zero-day vulnerabilities.

Case 2: Vulnerabilities publicly disclosed by a security researcher

Sometimes, a disgruntled security researcher might post a vulnerability's details in a public forum to teach a lesson to a vendor who keeps ignoring their reports of a flaw in its products. There are also cases where the vendor might accidentally reveal the details of a flaw in its security bulletins without a patch in place. A good example of this is the recently leaked details of the EternalDarkness flaw in Microsoft SMB v3. Usually, in such cases, vendors are quick to come up with a workaround to mitigate exploitation of the flaw. Learn how you can deploy mitigation scripts to your environment to ensure your systems stay protected while waiting for a patch.

Include asset criticality in your vulnerability assessment process.

Some assets are more important than others. Since web servers are on the frontier of your network and exposed to the internet, they're low-hanging fruit for hackers. Database servers—which record a wealth of information, like your customers' personal information and payment details—should also be prioritized over other assets when defining the scope of your assessment.

Be cognizant of the impact of vulnerabilities.

Attackers can carry out a denial of service attack, remote code execution, memory corruption, privilege elevation, cross-site scripting, or sensitive data disclosure based on the type of impact a vulnerability has. Solutions that provide filters to view vulnerabilities based on impact type help with identifying which infrastructure components or systems are most vulnerable so you can adopt appropriate security changes in addition to patching the vulnerabilities.

If you're trusting your organization's security to vulnerability assessment software, make it a rule to check that it classifies and presents the discovered vulnerabilities in a meaningful way, i.e., in the context of the above risk factors, and also provides actionable insights to mend the loopholes, so that you can consistently keep your network secure.
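The five steps above folded into one triage routine, as an added example that is not code from this page or from Vulnerability Manager Plus: the finding ids, the 1-to-3 asset criticality scale and the sample scan results are constructed, and the remediation windows are the ones stated in the steps (immediate for exploit-available or Critical, 30 days for Important, 90 days otherwise).

```python
from dataclasses import dataclass

# Remediation windows in days from the page's guidance: Critical and anything with
# a public exploit are immediate (0), Important within 30, everything else 90.
SLA_DAYS = {"critical": 0, "important": 30}
DEFAULT_SLA = 90

@dataclass
class Vuln:
    vuln_id: str             # constructed placeholder, not a real CVE id
    severity: str            # vendor rating: critical / important / moderate / low
    exploit_available: bool  # public exploit or exploited in the wild
    patch_available: bool
    days_unpatched: int      # days since disclosure with no fix applied
    asset_criticality: int   # constructed scale: 3 = internet-facing web/database server, 1 = low value
    impact: str              # e.g. "remote code execution", "denial of service"

def sla_days(v: Vuln) -> int:
    """Remediation window for this finding: exploit availability overrides severity."""
    if v.exploit_available:
        return 0
    return SLA_DAYS.get(v.severity.lower(), DEFAULT_SLA)

def is_overdue(v: Vuln) -> bool:
    return v.days_unpatched > sla_days(v)

def recommended_action(v: Vuln) -> str:
    """Patch if a patch exists; otherwise mitigate, or isolate when already exploited."""
    if v.patch_available:
        return "patch (test before deployment)"
    if v.exploit_available:
        return "zero-day: isolate or harden affected systems until a fix exists"
    return "deploy vendor workaround; track for a patch"

def triage_key(v: Vuln):
    # Exploit availability first, then overdue findings, then asset criticality,
    # then the tightest remediation window, then how long the finding has been open.
    return (not v.exploit_available, not is_overdue(v),
            -v.asset_criticality, sla_days(v), -v.days_unpatched)

def prioritize(vulns: list) -> list:
    """Return scan findings in the order they should be worked."""
    return sorted(vulns, key=triage_key)

# Constructed sample scan results, not real findings.
SAMPLE = [
    Vuln("VULN-A", "critical", False, True, 2, 1, "memory corruption"),
    Vuln("VULN-B", "moderate", True, False, 5, 3, "remote code execution"),
    Vuln("VULN-C", "important", False, True, 45, 3, "privilege elevation"),
    Vuln("VULN-D", "low", False, True, 10, 2, "cross-site scripting"),
]
```

Run `prioritize(SAMPLE)` to see why a Moderate flaw with a public exploit on a critical server outranks an unexploited Critical one, exactly the point the exploitability step makes.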

Perform a successful vulnerability assessment with Vulnerability Manager Plus

Vulnerability Manager Plus, an end-to-end vulnerability management solution, uses a continuously updated database of vulnerability information to help you detect vulnerabilities across your global hybrid IT, assess them based on the risk factors discussed above, and take the appropriate course of action to bring closure to them.

It features an interactive dashboard that provides all the intelligence you need regarding vulnerabilities in the form of infographics, trends, and filters to help you make informed decisions. Dive right in to learn in detail how the dashboard infographics can be used to conduct a successful vulnerability assessment.

Furthermore, it offers a detailed resource view that puts vulnerabilities in context, such as the asset type, so that you can focus your attention on critical assets like database servers and web servers when prioritizing patching.

Also, it offers a dedicated view for zero-day and publicly disclosed vulnerabilities, so that what needs immediate attention doesn't get mixed up with less critical flaws.

Once prioritized, you can proceed with the suggested course of action: patching when a patch is available, or a mitigation workaround when it isn't.

To get started with Vulnerability Manager Plus, start a free, 30-day trial now.