Sunday, December 1, 2019

Vulnerability Assessment

Vulnerability Assessment (VA) is the testing of a system or application to find the weaknesses, flaws, gaps, loopholes or vulnerability points through which a cyber attack could be possible.

The assessment shows the gaps so that the security team can fix them in time. Through the assessment, the severity of each vulnerability can be identified as Critical, High, Moderate or Low.

There are four stages of Vulnerability Assessment. 

  • Collection of assets / asset discovery / mapping of all endpoints.
  • Run the vulnerability assessment against the target host using specific licensed tools.
  • After identification, classify the vulnerabilities based on criticality and priority level.
  • Prepare a detailed report with a remediation plan.

Besides the above stages, there can be a fifth stage: continuous monitoring with regular scans. A regular vulnerability assessment helps organizations identify and fix their flaws and can improve the organization's security posture.

An application-level assessment helps in determining vulnerabilities within web applications that are hosted inside or outside the organization's premises. Applications can be assessed through dynamic analysis (DAST), static analysis (SAST), interactive analysis (IAST) and software composition analysis (SCA).

The severity score can be calculated through CVSS (Common Vulnerability Scoring System), which represents a qualitative risk analysis and provides a numerical (0-10) scoring system with the following bands:

9.0-10.0: Critical
7.0-8.9: High
4.0-6.9: Moderate
0.1-3.9: Low

The factors below are taken into consideration while generating the CVSS score:
  • Attack Vector
  • Attack Complexity
  • Privilege Level
  • Confidentiality
  • Integrity
  • Availability

Vulnerabilities are represented by a CVE (Common Vulnerabilities and Exposures) ID. CVE is a database of all common vulnerabilities identified across the globe.

For example:

CVE-2019-1255  

CVE: Prefix
2019: Year of discovery
1255: code

Description: A denial of service vulnerability exists when Microsoft Defender improperly handles files.

All CVEs can be looked up at the portal below.

https://cve.mitre.org/

Benefits
  • It protects organizations from cyber attacks such as virus/malware attacks, data breaches, DDoS attacks, SQL injection, XSS attacks, code injection etc.
  • Take remediation action on any loopholes and gaps.
  • Meet cyber security compliance and regulatory requirements.

There are many types of vulnerability assessment carried out across the globe with different automated tools.

  • Network Based Scan
  • Host based Scan
  • Wireless network Scan
  • Database Scan
  • Application Scan
  • Container Scan
  • Credentialed and non-credentialed Scan
  • External Scan / Internal Scan

Tools available in the market are:
  • Netsparker
  • OpenVAS
  • Acunetix
  • Aircrack
  • Nessus
  • Qualys
  • SolarWinds network vulnerability scanner
  • Nikto
  • Wireshark
  • Intruder
  • Rapid7

It is known that around 60% of data breaches happen due to unpatched vulnerabilities. Vulnerability assessment improves operational efficiency and establishes a faster mechanism to mitigate exploits.


Image Source: (https://www.manageengine.com/vulnerability-management/images/vulnerability-assessment-steps.jpg)


For more details, you can follow the reference links below.

https://www.beyondtrust.com/resources/glossary/vulnerability-assessment

https://www.imperva.com/learn/application-security/vulnerability-assessment/



-DR
