Assess and Remediate Vulnerabilities
A vulnerability assessment is a systematic review of an organization's IT infrastructure, systems, applications, and processes to identify security weaknesses and gaps that attackers could exploit. The goal of a vulnerability assessment is to proactively discover and prioritize vulnerabilities before they can be exploited maliciously.
Vulnerability assessments typically involve using automated tools, such as vulnerability scanners, to scan networks, servers, applications, and other IT assets for known vulnerabilities. Additionally, manual testing and analysis may be performed to identify vulnerabilities that automated tools might miss.
Finding vulnerabilities may seem like a complex task reserved for software developers or hardware manufacturers, but in the context of Security Configuration Management (SCM) it can be as simple as spotting misconfigurations, which is something an IT administrator can do without specialized tooling.
Once vulnerabilities are identified, they are usually categorized based on their severity and likelihood of exploitation. This allows organizations to prioritize remediation efforts and allocate resources effectively to address the most critical vulnerabilities first.
The findings of a vulnerability assessment are typically documented in a report, which includes recommendations for mitigating or remedying the identified vulnerabilities to improve the overall security posture of the organization.
How Can Vulnerabilities be Categorized?
According to the exploit impact, the vulnerabilities can be classified as:
- Critical: These vulnerabilities can be exploited to completely compromise a system, steal sensitive data, or cause widespread disruption. They require immediate mitigation.
- High: These vulnerabilities can be exploited to gain significant unauthorized access to a system or cause serious damage. They require prompt attention.
- Medium: These vulnerabilities can be exploited to gain some level of unauthorized access to a system or cause some disruption. They should be addressed in a timely manner.
- Low: These vulnerabilities are unlikely to be exploited on their own but could be used in conjunction with other vulnerabilities. They should be addressed when resources permit.
* Vulnerability classification is not a universally defined term, so other publications may provide different classifications. The important thing to keep in mind is that a value must be assigned to each vulnerability found, to establish the risk it represents and how promptly it must be resolved.
Can You Give an Example of Vulnerability Assessment?
Let’s suppose that a Windows Server 2003 host has been found running a marketing web application in an organization. The example assessment for this finding would be as follows:
1. Windows server (server identification here) has been found with OS version Windows server 2003. The vulnerability risk is High.
2. Risks found.
- This OS version is out of support, and it lacks security updates.
- This server is running a web page and it’s exposed to the external network where anyone can reach it.
- Since the OS version is out of support, the likelihood of zero-day vulnerabilities is high.
- Due to that, a hacker might change the advertised information and provide incorrect information to customers, causing reputational damage and perhaps fines.
3. Recommendations.
- Upgrade the OS to Windows Server 2022. IT recommends acquiring new hardware as well.
- Since this server is only hosting a web site, using a PaaS or SaaS solution from a cloud provider may be a more convenient solution.
- IT analysis has found that the traffic on this server is moderate, so as a workaround this web page can be hosted on server (server identification here). That server runs Windows Server 2019 and already hosts another moderate-traffic web site. Although hosting both sites on the same server may cause some service degradation, this is less risky than keeping the old one alive.
Management and Finance need to evaluate and provide directions. This is a very simple example; it may lack a study of the compatibility of the old web page with the new OS, and with the database, if one is running alongside the web page.
It also lacks costs, but it shows what an IT administrator can do to help remediate a finding without vulnerability scanners, penetration testing, code analysis, etc., which may be out of scope.
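The categorization scheme and the Windows Server 2003 example above, worked through as an added Python script that is not part of this article: it rates a constructed server inventory and sorts it for remediation. The additive weights, the thresholds, and the lifecycle-date table are assumptions made for the example, not a standard.

```python
from dataclasses import dataclass
from datetime import date

# Extended-support end dates from Microsoft's product lifecycle (assumed here;
# verify against the current lifecycle pages before relying on them).
SUPPORT_END = {
    "Windows Server 2003": date(2015, 7, 14),
    "Windows Server 2019": date(2029, 1, 9),
    "Windows Server 2022": date(2031, 10, 14),
}
ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

@dataclass
class Finding:
    host: str
    os_name: str
    external_exposure: bool  # reachable from the Internet
    sensitive_data: bool     # stores or processes sensitive data

def is_out_of_support(os_name: str, today: date) -> bool:
    end = SUPPORT_END.get(os_name)
    return end is None or today > end  # unknown products get reviewed too

def rate(finding: Finding, today: date) -> str:
    """Assign a severity with an assumed additive scheme (not a standard)."""
    score = 0
    if is_out_of_support(finding.os_name, today):
        score += 2  # no security updates weighs more than one exposure factor
    if finding.external_exposure:
        score += 1
    if finding.sensitive_data:
        score += 1
    if score >= 4:
        return "Critical"
    if score == 3:
        return "High"
    return "Medium" if score == 2 else "Low"

def prioritize(findings, today):
    """Return (severity, finding) pairs, most urgent first (stable sort)."""
    return sorted(((rate(f, today), f) for f in findings), key=lambda r: ORDER[r[0]])

# Constructed inventory: the article's Windows Server 2003 host plus two more.
INVENTORY = [
    Finding("srv-marketing-01", "Windows Server 2003", True, False),
    Finding("srv-web-02", "Windows Server 2019", True, False),
    Finding("srv-hr-db-03", "Windows Server 2003", False, True),
]
```

Calling `prioritize(INVENTORY, date.today())` puts both unsupported hosts ahead of the supported one, reproducing the article's High rating for the exposed Windows Server 2003 web server.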