Vulnerability Assessment : What You Need To Know


The term Vulnerability Assessment is often thrown around for a variety of cyber security procedures.

While it is an industry term that encompasses a large area, it’s less complicated than most “experts” make it.

Today, we’ll walk through what you need to know about Vulnerability Assessments to get started and answer these questions:

  • What is a Vulnerability Assessment?

  • Vulnerability Assessment vs Penetration Test?

  • When does your organization need a Vulnerability Assessment?

  • How to do a Vulnerability Assessment?

  • What should it include?

  • What deliverables should you have in the end?

  • Can you do a Vulnerability Assessment in house or should you hire a firm?

What is a Vulnerability Assessment?

Wikipedia defines it as:

A Vulnerability assessment is the process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system.

In cyber security, a Vulnerability Assessment is the process of performing a review of your network and systems against cyber security standards. This focus can be either on your entire network, or a specific area. The assessment then assigns a priority and criticality to each issue.

A good Vulnerability Assessment will be your guide on where to focus your cyber security efforts!

But we had a Penetration Test last year?

A Penetration Test is ONE type of Vulnerability Assessment. However, it is typically focused on professionals trying to find ONE way to break into your systems. Usually, once the Pen Testers break in, the CIO calls off the exercise since they proved your systems could be breached. However, some of Roka’s Customers do want their Penetration Test to continue to see every vulnerability we can find.

Penetration testing and Vulnerability Assessments are not the same thing.

So I don’t need a Penetration Test if I get a Vulnerability Assessment?

Now, I didn’t say that. In our Pen Test article, “6 Things to Know Before Starting a Pen Test”, we talk about the various reasons you need a penetration test, including regulatory requirements. Think of a Penetration Test like your college final and your Vulnerability Assessment report is like your syllabus for what to study over the semester.

You wouldn’t take a final exam without studying, so why would you pay for a Penetration Test without doing a Vulnerability Assessment of your network first?

Why do we need a Vulnerability Assessment?

Simple, hackers are continuously conducting Vulnerability Assessments on your network without your permission. Shouldn’t you do one too?

You NEED to know if parts of your network are lacking in security.

When do we need a Vulnerability Assessment?

The answer to this depends on a few factors:

Never conducted a Vulnerability Assessment?

Now… the answer is you need one Now.

Small business using mostly SAS services

Assuming you don’t add too many internal devices, a small assessment every year should suffice. This takes a few people about a day or less.

Small Business with a number of internal services and equipment

Every year, schedule about two days for a vulnerability assessment. Seriously, it’s just good housekeeping. Use it as a time to say, “let’s review what we’ve changed.” Make it about more than just security.

Medium Business

Annually, with small vulnerability assessment items when you follow your process to add new gear. That is to say, when you add a new service, server, or network equipment, as part of your process spend some time to assess how the device or system will affect over all system security. This will make your annual review take just a few hours instead of it being a huge ordeal each year.

Large Business

Annually, with quick quarterly reviews. Each project should have its own small vulnerability assessment section. I’m talking about a quick review for small projects and a proper review for large systems, i.e. building a 200 node cluster should probably have a decent Vulnerability Assessment.

The Process of the Vulnerability Assessment

At Roka Security, we like to start our vulnerability assessment checklist from the internet connection and move down to the end user. It’s a methodical approach designed to ensure we hit each topic. Here are the vulnerability assessment steps we cover in our process and their order.

A good vulnerability assessment will follow a comprehensive step by step process.

Connection to the Internet

In order for a hacker, ransomware or malware to communicate home, they need access to the Internet. That’s why we start here, if your connection to the Internet isn’t secure, the rest of your security is going to be an uphill battle.

This will include topics such as:

  • Firewall Configuration and Review

  • IDS IPS (Intrusion Detection or Prevention Systems)

  • Do you have a Proxy or other URL filtering device?

  • Rules of traffic flow and inspection

External Services

What do you have open to the Internet for the world to see. Seriously, go through each service that has ports open to the Internet. Services such as:

  • Email Server

  • Web Servers

  • Customer Portals

If you use SAS for these items, it’s going to be a quick review. Just make sure you pick a good secure SAS.

Intranet Services and Connectivity

Now we’re getting to the heart of the matter. How secure is your internal network? You should be asking questions such as:

  • Can any user remote desktop to the sensitive server, or only admins?

  • Did we update and change passwords on that old network device?

  • Do we have centralized logs to help when there is a breach?

Domain Policy Review

Bah.. I know, BORING, but a checkup of your domain settings and Global Policies is crucial for your security. You will be surprised what’s been lingering for years!

Server and Workstation Review

Checking on how your servers are built out and making a standard will save a great deal of time during this part. Major important issues to cover should include:

  • Do machines utilize centralized authentication?

  • Are servers logging to centralized logging server?

  • You are running anti-malware and AV right? Right??

It’s not all about the Tech

You need to interview at least some of your people. All of the security tech in the world isn’t worth anything if your people just find ways around it. You need to do a people policy review including password life, who can do what, least privilege understanding, etc.

Deliverables: What should you have in the end?

Whether you did everything in house or outsourced to a security firm, you’ve done the work, now make sure it’s documented!

Executive Summary

The powers that be are going to want to see what all the fuss was about. Don’t get into the weeds; whether it’s good or bad news, keep it concise and to the point. The excecutive summary needs to let the bosses know:

  • Things are good or bad, ore more importantly “Not as Bad as we thought!”
  • It will take X days to fix things or be compliant.
  • IT needs Y amount of money to be up to spec.

Comprehensive report

Ideally this report should be against a security framework like NIST 800-53, NIST 800-171, CIS Critical Security Controls, or ISO. When Roka Com performs a Vulnerability Assessment for a client we like the following format:

  • Current state of your network

  • Top 10 biggest bang for your buck improvements now

  • Equipment or services you need to purchase

  • Matrix list of issues against security framework

  • Longer term goals

Use this to justify your budget!

This is everything you need to show management that you REALLY need to upgrade that equipment or hire more staff. Compliance violations are no joke and can end up costing way more than a new switch or the upgrade to VMWare.

In House or Outsource?

Whether you did everything in house or outsourced to a security firm, you’ve done the work, now make sure it’s documented!

  • Do your people have the skills to perform the self-assessment?

  • Will you get an honest self-assessment? Not that people will lie, but omissions occur when people are worried it will impact their raise or bonus.

  • Will it save time and money to outsource to experts?

  • Do your regulations require you to have a third party perform the assessment?

Can’t I just use a Vulnerability Assessment Template?

That’s really what the NIST and other frameworks are. The same questions apply though, do you have the skill in house to understand the template and framework and work through it correctly? Chances are, if you’re asking this question, you don’t have the skills in house.

About Patrick Stump

The CEO and founder of Roka Com, Patrick has been a key player in both offensive cyber intrusion and security operations with multiple branches and agencies of the United States Government (USG), the military, and commercial industry.

Connect with Patrick on LinkedIn