Identifying Security Risks by Conducting Vulnerability Assessments

What is Vulnerability Assessments and why do you need it?

Thousands of security vulnerabilities are discovered every year in software, systems and IT infrastructures. Attackers exploit these vulnerabilities to penetrate the communications networks of organizations and gain access to critical assets for the purpose of harming confidentiality, integrity and availability of data or systems. The motives for the attacks vary, and include, amongst other things, financial, political and competitive motives (e.g. theft of technology) or a desire to cause harm (e.g. by an angry employee).

Because security vulnerabilities can cause great damage, it is essential for companies to identify and remediate them before they can be exploited.

Vulnerability Assessment is a type of security review conducted by cyber security experts, which includes interviews with key personnel, hands-on configuration tests and various non-destructive attack simulations or other tests, carried out against components in the network. The aim is to examine the organization’s adherence to security best practices and identify security vulnerabilities.

The Vulnerability Assessment provide a holistic view of the network’s security level, presenting the threats and risks to which the network is exposed and providing recommendations for improving the technical (logical), operational (physical) and administrative security controls related to securing the corporate assets.

Testing Approach

Depending on the scope of the test and the sensitivity of the assets under examination, the Vulnerability Assessment can be performed using a black/grey/white box security assessment approaches.

  • Black-Box security testing is an approach in which the organization shares minimal information about the internal functionality of the system/network been examined.
  • Grey-Box security testing is an approach in which the organization shares information about the internal functionality of the system/network, such as design documents, along with information on the system/network architecture as well as user credentials.
  • White-Box security testing is an approach in which the organization shares as much information as possible about the internal functionality of the system/network such as design documents along with information on the architecture, user credentials for the application/network devices, etc.

Test Phases and Scope

The Vulnerability Assessment of the corporate network is comprised of the following key phases:

During a vulnerability Assessment, the security controls in the following areas are examined in order to identity any security weaknesses that could jeopardize the confidentiality, integrity and availability of the corporate assets:

Risk Level Evaluation

The impact and likelihood of each vulnerability that has been found, is examined in order to determine whether it poses a risk to the organization / system and what is the level of that risk.

Impact - Represents the estimated amount of damage that exploitation of the finding could cause.

The following parameters are taken into account when determining the impact level:

  • Impact Area:
    • Impact on Confidentiality (Information disclosure, data leakage).
    • Impact on Integrity (Data alteration, data deletion).
    • Impact on Availability (Denial of service, system failure).
    • Impact on Non-Repudiation (Lack of audit trail).
  • Impact Type:
    • Tangible damage (financial/monetary).
    • Intangible damage (e.g. reputation, public trust).

Likelihood - Represents the probability of exploiting the vulnerability.

The following parameters are taken into account when determining the likelihood level:

  • Knowledge required (technical depth, skills, complexity of exploitation).
  • Frequency of occurrence (number of known similar attacks which have occurred).
  • CVEs and tools available in the wild (Existing vulnerabilities and attack tools).
  • Attacker Appetite (Attacker motivation for attacking system/company).
  • Security controls in place (Administrative/operational/technical controls).

The risk for each finding is calculated based on taking the Impact and Likelihood levels of the finding and computing the risk level based on the risk matrix used by the assessed company.

Report

The final stage of the assessment is the writing of a report. This includes writing an executive summary describing the work which was performed and its main findings, as well as an in-depth description of all of the vulnerabilities that were noted including an explanation of the potential damage that could result from the exploitation of the vulnerability and how likely it is to be exploited.

All findings are rated according to risk and accompanied by a clear set of recommendations for mitigating the finding.

Baruch Menahem (InfoSec Strategy Manager at COMSEC)