Security Vulnerability Assessment
The key to any effective enterprise security program is to understand the extent and types of risk your organization is willing to assume. Vulnerabilities are the channel between threats and assets. Assessing the vulnerabilities that expose your company’s assets to elevated risk is a challenging mission. It is a critical component of your organization’s overall risk-management program.
This article provides the information that security professionals need to launch vulnerability assessment projects and initiate the risk analysis process. We also review tools that may be used for security vulnerability assessments.
The Risk Management Context
Depending on the complexity of your organization, performing responsible risk-management due diligence involves a number of tasks:
- Develop a clear understanding of your organization’s core mission, objectives and policies.
- Establish a program to educate senior leaders about information technology risk management.
- Identify and inventory all relevant corporate assets.
- Assess and document vulnerabilities.
- Ensure that senior leaders are aware of these vulnerabilities.
- Solicit input from all decision makers involved in risk-management activities.
- Review and update all relevant security policies (document them if they were not formally published).
Once a rational security policy foundation is in place, it underpins the procedures and technologies used to mitigate risks to vulnerable data and associated systems. This process is referred to as risk management.
Risk analysis is the process of identifying relevant assets and relevant threats, then identifying or engineering cost-effective security and control measures so that the cost of those measures is balanced against the losses that would be expected if they were not in place. Threats and risks are real. Each entity needs to identify and prioritize its risks and threats. We genuinely need to be compulsive about managing risk.
A thorough risk assessment should identify the system vulnerabilities, threats and current controls and attempt to determine the risk based on the likelihood and threat impact. These risks should then be assessed and a risk level assigned, such as high, medium or low.
A risk analysis determines what needs to be protected—for example, sensitive business assets and information—what the possible threats are and what the vulnerabilities are. It then determines the likelihood of various security incidents and their impact on the organization.
The key to any effective security program is to understand the risk level in the organization and then to determine how to effectively mitigate that risk. This requires identifying the data that your organization needs to protect and where that data lives and moves. This then provides the basis for security policies, practices and technologies to protect all such data, such as electronic protected health information.
Risk analysis requires understanding the core business functions of the enterprise and then analyzing potential threats and vulnerabilities to assets and information. It helps identify critical business assets and associated risks.
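The risk-analysis steps above (identify assets, threats and vulnerabilities, rate likelihood and impact, assign a high/medium/low level, and weigh control cost against expected loss) as a small worked example. This is added code, not the article's own method; the register entries and dollar figures are constructed, and the annualized-loss comparison (SLE x ARO) is a standard quantitative technique assumed here rather than one the article prescribes.

```python
"""Risk register: rank vulnerabilities by likelihood x impact and test whether
a proposed control is cost-effective. Added example, not the article's method:
levels and dollar figures are constructed, and the annualized-loss comparison
(SLE x ARO) is a standard quantitative method assumed here."""
from dataclasses import dataclass

@dataclass
class Risk:
    asset: str
    vulnerability: str
    threat: str
    likelihood: int            # 1 = rare, 2 = possible, 3 = likely
    impact: int                # 1 = minor, 2 = moderate, 3 = severe
    single_loss: float         # expected loss per incident (SLE), dollars
    incidents_per_year: float  # annualized rate of occurrence (ARO)

def risk_level(r: Risk) -> str:
    """Map likelihood x impact (1..9) onto the high/medium/low scale."""
    score = r.likelihood * r.impact
    return "high" if score >= 6 else "medium" if score >= 3 else "low"

def annual_loss(r: Risk) -> float:
    """Annualized loss expectancy (ALE = SLE x ARO) with current controls only."""
    return r.single_loss * r.incidents_per_year

def control_is_cost_effective(r: Risk, annual_cost: float, reduction: float) -> bool:
    """True when the loss a control removes per year exceeds what it costs.
    `reduction` is the fraction of incidents the control is expected to prevent."""
    return annual_loss(r) * reduction > annual_cost

def prioritize(register: list) -> list:
    """Highest risk level first; ties broken by larger expected annual loss."""
    order = {"high": 3, "medium": 2, "low": 1}
    return sorted(register, key=lambda r: (order[risk_level(r)], annual_loss(r)), reverse=True)

# Constructed sample register (illustrative values, not from the article).
REGISTER = [
    Risk("member database", "unencrypted disks", "theft of hardware", 2, 3, 400_000, 0.1),
    Risk("web portal", "unpatched scripts", "web application attack", 3, 2, 50_000, 1.0),
    Risk("branch LAN", "rogue modem", "unauthorized dial-in", 1, 2, 20_000, 0.2),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{risk_level(r):6} {r.asset:16} ALE=${annual_loss(r):,.0f}")
    # Disk encryption at $15,000/yr expected to prevent 90% of stolen-disk losses
    print(control_is_cost_effective(REGISTER[0], 15_000, 0.9))
```

The ranking shows why a "high" label alone is not enough: two risks share the same level, and the expected annual loss is what separates them and what the control cost must be measured against.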
The end result of the risk-analysis process should be a list of vulnerabilities that identify gaps in the security infrastructure that may be exploited. The threat to the infrastructure is serious. CIO Magazine reported that in December 2002, hard drives that contained more than 500,000 social security numbers of members were stolen from the Phoenix office of TriWest, a managed care provider serving the military. This breach resulted in a class action suit.
Business Security Goals
Security professionals understand that business leaders are driven by shareholders, customers, lenders, regulators, lawmakers and others to:
- Ensure the confidentiality, integrity and availability of all sensitive business information, including its creation, receipt, storage and transmission.
- Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
- Protect against any reasonably anticipated uses or disclosures of such information.
- Ensure compliance with the security policy by all members of the organization’s workforce.
The purposes of a security vulnerability assessment include:
- To assess security technology capabilities as they relate to business objectives.
- To determine security technology limitations (gaps), as they exist today.
- To understand the dissonance between business processes and systems on one side and the IT systems and infrastructure on the other.
- To identify business risks, security requirements and possible vulnerabilities from the business unit’s perspective.
- To identify technical risks, security requirements and possible vulnerabilities from the business unit’s and/or IT personnel’s perspectives.
Businesses need to periodically assess the information security infrastructure with a specific focus on identifying significant vulnerabilities in sensitive systems and data. Once the vulnerabilities have been identified, the risk arising from them needs to be analyzed and the costs associated with mitigating those risks need to be determined.
Vulnerability Assessment Tools
A number of tools may be used in assessing the vulnerability of an organization’s systems and networks. Examples of tools that may be used for risk analysis and vulnerability assessment include (but are not limited to): SamSpade Tools, Nmap, Nessus Vulnerability Scanner, Microsoft Baseline Security Analyzer, QualysGuard, STAT Scanner and ISS Internet Scanner. Security professionals need to be familiar with using these tools and understand their capabilities for functions such as reporting.
There are other scanning and testing tools that may also be run to determine gaps in the enterprise security architecture. These tools fall into the following categories:
- Web Server Vulnerability Scanners: These tools look for common vulnerable scripts and files within Web sites. Hacking Web applications is quickly growing in popularity.
- Network Sniffers: These tools may be used to examine traffic in and out of the network to look for instances where passwords or important information is sent unencrypted.
- War Dialers: These may be used to search for rogue modems on systems.
- Wireless Tools: These may be used to search for rogue access points and to determine the difficulty with which someone outside the company could connect to the wireless network.
Remember that vulnerability assessment tools are simply snapshots of your network. The processes governing access to technology and information are often the most vulnerable to exploitation. When an individual calls a support engineer, administrator or database analyst for access to confidential information, are there processes and controls in place to ensure that only appropriate access is granted? Are there alerts when an individual’s access-control activities violate policy? Are there frequent reports and audit trails in place to track process compliance? It is also important to carefully manage physical and software changes so that vulnerabilities are not injected into your procedural and technical infrastructure. Remain attentive in your use of anti-virus systems throughout the infrastructure.
All of the vulnerability assessment tools mentioned in this article can be misused. Even without misuse, they can impair or interrupt communications or corrupt information held in your networked systems. Learn how to use your vulnerability assessment