Information Security Today

Making Vulnerability Assessments a Priority in 2016

By Jay Atkinson

The vulnerability assessment of an organization's applications and data is critical given the increasing number of automated and targeted attacks. Businesses must proactively identify potential vulnerabilities to prevent breaches. Two highly effective ways to identify vulnerabilities are vulnerability scanning and penetration testing.

Nearly three-quarters of websites have vulnerabilities that could lead to the theft of sensitive organizational data. Hackers tend to focus their efforts on web-based applications that contain Personally Identifiable Information (PII), such as shopping carts, forms and login pages. Accessible 24/7, 365 days a year, from anywhere in the world, insecure web applications provide easy access to back-end corporate databases and allow hackers to perform illegal activities using the compromised site.

In an effort to help companies prepare against potential attacks, the National Institute of Standards and Technology's Computer Security Division, sponsored by the Department of Homeland Security's National Cyber Security Division, maintains the National Vulnerability Database (NVD). As of April 2014, there were more than 50,000 vulnerabilities recorded in the NVD.

Businesses that store PII must employ the latest methods to decrease the ways attackers can exploit security defects and attack their systems.

What Is a Vulnerability Scanner?

A vulnerability scanner is a software application designed specifically to map systems and search for vulnerabilities in a network, computer or program. A thorough vulnerability scan involves the examination of running applications, operating systems (OS), open ports, and active IP addresses.

What Is a Penetration Test?

A penetration test is a staged attack that exploits a vulnerability so that a tester can gain access to systems and data. Because penetration testing actually attempts to duplicate the same tactics hackers use to gain entry into network systems, it is one of the most robust ways for a business to locate system weaknesses and patch them before it gets hacked. The tester runs a full scan of the business' internal and external network. Once all potential vulnerabilities have been discovered, the tester attempts to gain access to the domain through one of them. The penetration test then provides a full report of all vulnerabilities, how to fix them, and what systems were accessed without permission. A penetration test should be performed annually by an independent third party.

After the examination, a business' IT department can use this information to strengthen the security on the network and applications, with the goal of reducing the risk of an actual attack.

Why Vulnerability Assessments?

In most cases there are two motivating factors for a business to scan for vulnerabilities.

  1. Regulatory requirements: These include PCI, Sarbanes-Oxley, HIPAA and others that require businesses in those specific industries to certify that their clients' information is secure from outside malicious threats.
  2. Network changes and software updates: Every time a business adds new hardware, changes network configurations, installs new software or performs major upgrades, it risks unknowingly exposing its network.

After a business decides to test for vulnerabilities, it typically engages a service provider to scan for potential errors in security setup, misconfigurations, and regulatory compliance. If an error is found, the service provider logs the error and continues to search for other errors. Vulnerabilities that are found are usually placed into risk categories (High Risk, Medium Risk and Low Risk) for the sake of prioritizing responses and eliminating the higher risks first.
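The scan described above (hosts, open ports, running services) and the High/Medium/Low triage it feeds are easy to see end to end in a small script. The following is an added example, not code from the article or from any scanner vendor: it takes a constructed, scanner-style JSON report (the hostnames, ports, CVE ids and scores are made up for illustration) and orders the findings so the highest-risk items are fixed first. The severity bands are the NVD's own CVSS v2 ranges (Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0); the report layout and field names are an assumption for this example.

```python
import json

# Constructed sample report: what a scanner might emit for two hosts, reduced to
# the fields this example needs. Addresses, ports, CVE ids and scores are made up
# (the CVE ids are placeholders, not real entries in the NVD).
SAMPLE_REPORT = json.dumps({
    "hosts": [
        {"ip": "10.0.0.5", "findings": [
            {"port": 443, "service": "https", "cve": "CVE-0000-0001", "cvss_v2": 7.5},
            {"port": 22, "service": "ssh", "cve": "CVE-0000-0002", "cvss_v2": 4.3},
        ]},
        {"ip": "10.0.0.9", "findings": [
            {"port": 80, "service": "http", "cve": "CVE-0000-0003", "cvss_v2": 10.0},
            {"port": 8080, "service": "http-alt", "cve": "CVE-0000-0004", "cvss_v2": 2.1},
        ]},
    ]
})

# Sort order for the three bands used in the article (highest risk first)
SEVERITY_ORDER = {"High": 0, "Medium": 1, "Low": 2}


def severity(cvss_v2: float) -> str:
    """Map a CVSS v2 base score to the NVD's three v2 severity bands."""
    if not 0.0 <= cvss_v2 <= 10.0:
        raise ValueError(f"CVSS score out of range: {cvss_v2}")
    if cvss_v2 >= 7.0:
        return "High"
    if cvss_v2 >= 4.0:
        return "Medium"
    return "Low"


def triage(report_json: str) -> list[dict]:
    """Flatten a scan report into one row per finding, highest risk first."""
    report = json.loads(report_json)
    rows = []
    for host in report["hosts"]:
        for f in host["findings"]:
            rows.append({
                "ip": host["ip"],
                "port": f["port"],
                "service": f["service"],
                "cve": f["cve"],
                "score": f["cvss_v2"],
                "severity": severity(f["cvss_v2"]),
            })
    # Highest severity band first, then highest score within the band
    rows.sort(key=lambda r: (SEVERITY_ORDER[r["severity"]], -r["score"]))
    return rows


def summarize(rows: list[dict]) -> dict[str, int]:
    """Count findings per band, the figure a management summary usually wants."""
    counts = {"High": 0, "Medium": 0, "Low": 0}
    for r in rows:
        counts[r["severity"]] += 1
    return counts


if __name__ == "__main__":
    ordered = triage(SAMPLE_REPORT)
    for r in ordered:
        print(f'{r["severity"]:6} {r["score"]:4} {r["ip"]}:{r["port"]} '
              f'{r["service"]} {r["cve"]}')
    print(summarize(ordered))
```

Run as-is, the script lists the 10.0 and 7.5 findings before the 4.3 and 2.1 ones, which is exactly the "eliminate the higher risks first" order the article recommends; swapping `SAMPLE_REPORT` for a real scanner export only requires adapting the field names in `triage`.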

Along with running regular antivirus updates and applying necessary security patches, a vulnerability assessment should be regularly scheduled. It will help the organization identify weaknesses in its network security before attacks can occur.

Checklist: How To Minimize Vulnerability
1. Keep operating systems up-to-date
2. Update a computer program or data with patches
3. Standardize the application software
4. Block third-party cookies and pop-ups in web browsers
5. Delete caches more often
6. Use sophisticated passwords
7. Monitor sharing
8. Encrypt sensitive data
9. Manage alerts
10. Quantify risks and soft spots

About the Author

Jay Atkinson is CEO of AIS Network, a high-compliance, secure cloud-hosting expert serving large enterprises in the education, government, and health care industries, and the Commonwealth of Virginia.


© Copyright 2016 Auerbach Publications