June 29, 2020
Network vulnerability assessments are a means of protecting an organization from cyber security threats. These routine assessments will identify potential weaknesses in network security throughout an organization.
Keep in mind that there are physical (e.g. people, devices) and nonphysical (e.g. software) vulnerabilities, and a network vulnerability assessment is designed to help find and protect against both.
What exactly is a "vulnerability" though?
The International Organization for Standardization (ISO) defines a vulnerability as, "a weakness of an asset or group of assets that can be exploited by one or more threats, where an asset is anything that has value to the organization, its business operations and their continuity, including information resources that support the organization's mission."
Why Is A Vulnerability Assessment Important?
When left unchecked, vulnerabilities can and will be exploited by a threat. In order to understand why a network vulnerability assessment is important, let's first look at the classes of vulnerabilities in assets outlined by the ISO, so that there's context and perspective.
There are hardware susceptibilities like sensitivity to humidity, dust, and soiling, and (notably) unprotected storage, which malicious actors can access and exploit.
There are software susceptibilities like insufficient testing, lack of audit trails, and design flaws.
There are network susceptibilities like unprotected communication lines and insecure network architecture.
There are personnel susceptibilities that stem from inadequate recruiting processes and inadequate security awareness.
There are physical site vulnerabilities like flooding susceptibility and unreliable power sources.
Finally, there are organizational vulnerabilities like lack of audits, continuity plans, and security.
A network vulnerability assessment will gauge all the possible weaknesses in cyber security systems, ranging from access to server rooms to installation of software to remote devices accessing and interfacing with a network. The specifics will depend on the organization's individual footprint, ecosystem, and workflow, but there are common themes that shed light on overlooked problems that can be addressed.
How Can A Proper Vulnerability Assessment Help Your Company?
Consider the process of a vulnerability assessment.
Generally speaking, you gather an understanding of what needs to be examined, analyzed, vetted, or otherwise combed through manually or automatically. There will be systems, networks, and devices that should be listed out, with their respective sensitive data.
Applications, mobile devices, PCs, whatever it may be that has access to data, add it to that list. Think about servers. Think about network infrastructure. Think about how your data gets from here to there, so to speak, and where it's accessed along the way.
All those assets will then need to be categorized into groups or business units and assigned value based on how critical they are to the organization. After all assets are identified and categorized, a baseline risk profile is developed to ensure that you can eliminate risks that meet a certain threshold.
Then, you move into a phase of scanning. This could be quite literally alarming if it's the first assessment. Risks are always present. None of us is as safe as we think we are. There are holes in our armor just outside our visibility. An assessment will find those holes. Those who are responsible for the assessment will do what's necessary to search through every nook and cranny to determine how to protect the organization.
The assessment will involve either manual scanning of the system or network by trained professionals or automated scanning by software with access to a database of known security flaws and weaknesses. Notably, the scan will be carried out in compliance with the requirements of the company's industry and applicable laws (e.g. healthcare regulation).
What's The Next Step After A Network Assessment?
After the assessment, there will be findings to consider. Reporting is a critical aspect of any network vulnerability assessment because it'll determine the course of action, remediation, and training required to ensure all access points, staff, and other forms of vulnerabilities are appropriately aligned with proper security protocol.
The assessment, essentially, will result in a list of recommendations to ensure the longevity and security of business functions and workflows as they relate to data management and access.
The report will identify possible vulnerabilities, their level of risk, and the potential threat they pose to the organization and its various internal and external stakeholders. According to the CDC, it'll document a security plan, monitor suspicious activity, and describe all known vulnerabilities.
From there, things are repaired and addressed, but once a remediation phase is complete, it's critical that follow-up audits verify that vulnerabilities have been adequately addressed.
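The workflow described above, from inventory and categorization through the risk threshold, the report, and the follow-up audit, can be expressed as a small risk register. The following is an added illustration written for this article, not code from the article's author or from any scanner product. The asset names, check identifiers, severities and criticality weights are constructed sample values; in practice the severities come from the scanner and the criticality tiers from the business-unit owners.

```python
"""Added illustration of the assessment workflow described in the article."""
from __future__ import annotations

from dataclasses import dataclass

# Weight applied to a finding's severity according to how critical the affected
# asset is to the business. Constructed values for this illustration, not taken
# from ISO or any scanner vendor.
CRITICALITY_WEIGHT = {"critical": 3.0, "high": 2.0, "low": 1.0}


@dataclass(frozen=True)
class Asset:
    """One entry in the asset inventory (step 1: list what must be examined)."""
    name: str
    group: str         # business unit the asset belongs to (step 2: categorize)
    criticality: str   # "critical", "high" or "low" (step 2: assign value)


@dataclass(frozen=True)
class Finding:
    """One scanner result (step 3: scan). The check_id values are placeholders."""
    asset: str
    check_id: str
    severity: float    # 0.0-10.0, CVSS-like base score as a scanner would report it


# Constructed inventory and scan output for the example.
ASSETS = [
    Asset("db-01", "finance", "critical"),
    Asset("web-01", "marketing", "high"),
    Asset("printer-03", "office", "low"),
]
BASELINE_FINDINGS = [
    Finding("db-01", "CHK-SMB-SIGNING", 7.5),
    Finding("db-01", "CHK-OUTDATED-PKG", 4.0),
    Finding("web-01", "CHK-TLS-WEAK-CIPHER", 5.9),
    Finding("printer-03", "CHK-DEFAULT-CREDS", 9.8),
]
# Constructed re-scan after the remediation phase: one item is still open and
# one item has appeared since the baseline.
RESCAN_FINDINGS = [
    Finding("db-01", "CHK-OUTDATED-PKG", 4.0),
    Finding("web-01", "CHK-MISSING-HEADER", 3.1),
]


def risk_score(finding: Finding, assets: list[Asset]) -> float:
    """Weight the scanner's severity by the criticality of the asset it was found on."""
    by_name = {a.name: a for a in assets}
    # A KeyError here means the scan reached something missing from the inventory,
    # which is itself a finding worth recording.
    asset = by_name[finding.asset]
    return round(finding.severity * CRITICALITY_WEIGHT[asset.criticality], 1)


def risk_register(findings: list[Finding], assets: list[Asset], threshold: float):
    """Build the prioritized list the report is based on.

    Returns (asset, check_id, score) tuples, highest score first, keeping only
    findings at or above the baseline risk threshold."""
    rows = [(f.asset, f.check_id, risk_score(f, assets)) for f in findings]
    return sorted((r for r in rows if r[2] >= threshold), key=lambda r: r[2], reverse=True)


def remediation_report(findings: list[Finding], assets: list[Asset], threshold: float) -> str:
    """Render the register as the plain-text report handed to asset owners."""
    by_name = {a.name: a for a in assets}
    lines = [f"Findings at or above risk threshold {threshold}:"]
    for asset, check, score in risk_register(findings, assets, threshold):
        lines.append(f"  {score:5.1f}  {asset:<12} {by_name[asset].group:<10} {check}")
    return "\n".join(lines)


def verify_remediation(baseline: list[Finding], rescan: list[Finding]) -> dict[str, set]:
    """Follow-up audit: compare the re-scan against the baseline.

    A finding is identified by (asset, check_id). Returns which baseline items
    are gone, which are still present, and which appeared since."""
    before = {(f.asset, f.check_id) for f in baseline}
    after = {(f.asset, f.check_id) for f in rescan}
    return {"fixed": before - after, "remaining": before & after, "new": after - before}


if __name__ == "__main__":
    print(remediation_report(BASELINE_FINDINGS, ASSETS, threshold=10.0))
    print(verify_remediation(BASELINE_FINDINGS, RESCAN_FINDINGS))
```

Two things the run makes visible that the prose only states. First, the threshold is applied to the weighted score, not the raw severity: the default-credentials finding on the low-value printer has the highest severity of the four but falls below a threshold of 10.0, while a medium finding on the finance database is kept; whether that is the right outcome is exactly the judgement the baseline risk profile is meant to force. Second, the follow-up audit compares identities rather than counts, so it separates what was fixed from what is still open and what is new since the baseline.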
In summary, a network vulnerability assessment will include documentation of all possible ways that data can be accessed, discover whether and how many vulnerabilities exist, establish why they're a threat to the business, outline how these vulnerabilities can be identified, remove the vulnerabilities, and subsequently audit the results to ensure vulnerabilities have been thoroughly addressed.
The benefit is a secure business, a secure environment, and a secure group of stakeholders.