Companies often commission a security vulnerability assessment once they realize that their network and technology resources are not as well protected as they need to be. Typically, the assessment produces a prioritized list of the vulnerabilities found and the steps the business needs to take to remediate them. But how do you go about producing that list?
Start with your business processes
Before you start looking for vulnerabilities, you need to know what matters most to your business. An effective assessment starts by understanding your organization's business processes and then focusing on the ones the company relies on to keep operating, along with those required by compliance and regulatory obligations. This does not mean that everything else should be ignored; the other business processes simply do not get the same priority.
Once you understand your business processes, identify the applications and data that each of them relies on. Again, every application and data store is worth identifying, but those that support business-critical processes should get the highest priority. Record that mapping (process, application, data store, criticality) as you go; it is what the later scanning and remediation steps are ranked against.
Understand the network and supporting hardware
The next phase is to look at the infrastructure your business runs on. Identify all of your servers, physical and virtual, noting which ones support your most critical applications and data. Once the servers are identified, map out the rest of the network to understand the networking hardware that supports the organization and all of the endpoints that connect to your resources. Note which systems are reachable from the internet; exposure matters as much as criticality when ranking what to fix first.
Find out what security is in place
Now you need to identify what technical controls you currently have in place. This includes firewalls, intrusion detection/prevention systems, virtual private networks, endpoint security, anti-virus software, backup and recovery solutions, and anything else deployed to protect your network and resources. Alongside the technical controls, record the administrative controls: the policies that govern acceptable use, passwords, access provisioning, and so on. For each control, check what it is actually configured to do rather than what it was bought to do; a firewall with an "allow any" rule or a backup that has never been test-restored is itself a finding.
Scan based on priority
Starting with the systems that support the most critical applications and data, you can now begin scanning for vulnerabilities. Some companies run these scans with an automated tool that checks for known vulnerabilities, while others have a team look for vulnerabilities manually, which is better at finding logic, configuration and access-control flaws that a signature-based scanner will not flag. Another approach is a hybrid of the two in order to provide greater coverage. Whichever approach you take, verify automated findings before they go on the list: scanners produce false positives, and a remediation list padded with them loses credibility quickly.
While it may be tempting to focus only on the highest-priority items on your list, don't ignore those at the bottom. Attackers look for the weakest link and need only that one entry point to begin moving laterally through your network until they find what they are looking for. That weakest link may be something low on your list, and ignoring it could eventually lead to the exposure of sensitive data.
Once you have identified where your organization is vulnerable, it's time to start fixing things. Some fixes may be as simple as applying the latest security patches to your software or systems, while others may require technical knowledge and configuration experience that your team may not have. After each fix, re-scan the affected system to confirm that the finding is actually closed rather than assuming it is.
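One way to turn raw scan output into the prioritized list the article opens with, as an added example that is not part of the original article: the script below combines each finding's CVSS base score with the criticality tier and network exposure recorded for its asset during the mapping steps, and sorts the result. The asset inventory, the finding identifiers and their CVSS scores are constructed sample data, and the tier and exposure weights are an assumed scheme for illustration, not a standard. Note that the kiosk, a "standard" tier asset, still lands in the top three because it is internet-facing with a trivially exploitable finding, which is the weakest-link point above.

```python
"""Rank scan findings into a prioritized remediation list.

Added example, not code from the original article. The inventory, findings and
CVSS scores below are constructed sample data; the tier and exposure weights
are an assumed scheme, to be adjusted to your own business-process mapping.
"""
from dataclasses import dataclass

# Criticality tier assigned to each asset during business-process mapping
# (assumed weights).
TIER_WEIGHT = {"critical": 3.0, "important": 2.0, "standard": 1.0}

# Internet-facing assets are reachable by any attacker, so their findings are
# weighted up regardless of the asset's tier (assumed weights).
EXPOSURE_WEIGHT = {"internet": 1.5, "internal": 1.0}


@dataclass(frozen=True)
class Asset:
    name: str
    tier: str                   # key of TIER_WEIGHT
    exposure: str               # key of EXPOSURE_WEIGHT
    processes: tuple[str, ...]  # business processes the asset supports


@dataclass(frozen=True)
class Finding:
    finding_id: str  # scanner's own identifier (constructed here)
    asset: str       # Asset.name the finding was observed on
    title: str
    cvss: float      # CVSS base score, 0.0 to 10.0
    fix: str         # remediation step to record in the plan


def risk_score(finding: Finding, asset: Asset) -> float:
    """Combine technical severity with business context into one number."""
    if not 0.0 <= finding.cvss <= 10.0:
        raise ValueError(f"{finding.finding_id}: CVSS {finding.cvss} out of range")
    if asset.tier not in TIER_WEIGHT:
        raise ValueError(f"{asset.name}: unknown tier {asset.tier!r}")
    if asset.exposure not in EXPOSURE_WEIGHT:
        raise ValueError(f"{asset.name}: unknown exposure {asset.exposure!r}")
    return round(finding.cvss * TIER_WEIGHT[asset.tier]
                 * EXPOSURE_WEIGHT[asset.exposure], 1)


def remediation_plan(assets: list[Asset], findings: list[Finding]) -> list[dict]:
    """Return every finding, highest risk first; nothing is dropped."""
    by_name = {a.name: a for a in assets}
    rows = []
    for f in findings:
        if f.asset not in by_name:
            # A finding on an unmapped host means the inventory is incomplete;
            # surface that instead of silently scoring it as "standard".
            raise ValueError(f"{f.finding_id}: asset {f.asset!r} not in inventory")
        asset = by_name[f.asset]
        rows.append({
            "finding_id": f.finding_id,
            "asset": asset.name,
            "tier": asset.tier,
            "exposure": asset.exposure,
            "processes": list(asset.processes),
            "cvss": f.cvss,
            "score": risk_score(f, asset),
            "title": f.title,
            "fix": f.fix,
        })
    # Ties are broken by finding id so the plan is stable between runs.
    rows.sort(key=lambda r: (-r["score"], r["finding_id"]))
    return rows


# Constructed sample inventory, as it would come out of the mapping steps.
SAMPLE_ASSETS = [
    Asset("erp-db-01", "critical", "internal", ("order processing", "financial reporting")),
    Asset("vpn-gw-01", "important", "internet", ("remote access",)),
    Asset("kiosk-web-01", "standard", "internet", ("visitor sign-in",)),
    Asset("hr-app-01", "important", "internal", ("payroll",)),
]

# Constructed sample findings; identifiers and scores are illustrative only.
SAMPLE_FINDINGS = [
    Finding("F-001", "erp-db-01", "Database missing vendor security patches", 7.5,
            "Apply the vendor patch set in the next maintenance window"),
    Finding("F-002", "vpn-gw-01", "VPN gateway still accepts TLS 1.0", 5.9,
            "Disable TLS 1.0/1.1 and re-test the gateway"),
    Finding("F-003", "kiosk-web-01", "Default administrator credentials", 9.8,
            "Change the credential and restrict the admin interface to the management VLAN"),
    Finding("F-004", "hr-app-01", "Verbose error pages leak stack traces", 4.3,
            "Turn off debug error pages in the production configuration"),
    Finding("F-005", "erp-db-01", "Backup agent is two major versions behind", 3.1,
            "Upgrade the backup agent and verify a restore"),
]


if __name__ == "__main__":
    for row in remediation_plan(SAMPLE_ASSETS, SAMPLE_FINDINGS):
        print(f'{row["score"]:5.1f}  {row["finding_id"]}  {row["asset"]:<13}'
              f'{row["tier"]:<10}{row["title"]}')
```

The multiplicative scheme is deliberately simple so that the ranking is explainable to the business owners who supplied the criticality tiers; if you later add factors such as exploit availability or compensating controls, keep them as named weights so a reader of the list can see why an item sits where it does.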
Organizations often bring in outside help to run a security vulnerability assessment. An external team tends to give a more unbiased view of where the organization is most susceptible, and brings experience with what to look for and how best to remediate what they find. Even so, the business-process mapping and the asset inventory from the earlier steps have to come from inside the organization; an outside team can only prioritize against what you have told them matters.