Companies are getting breached at a record rate all over the world because hackers are taking advantage of software vulnerabilities. One of the most important tools you have to protect yourself is a vulnerability assessment. A vulnerability assessment is essential for reducing risk because it gives you the power to find software flaws before they can be exploited by bad actors.
Hacking is an industry in itself and a very lucrative one. There are basically two models in the hacking business: the private model and the nation-state model. The private model is organized, complex and well-funded. Some hackers even offer technical support to their client base. They generate their cash flow from either stolen or ransomed information.
The nation-state model is just as aggressive and may or may not be after the same information as the private sector. They have unlimited resources and are focused on stealing information and/or creating disruption.
Hackers by the thousands are scanning the internet 24x7x365 looking for software security gaps. If there is any doubt about how massive their efforts are, look at the logs of any internet connection, at home or at the office, and you will find hundreds or even thousands of unsolicited probes hitting it every day.
Once they find a system flaw, it’s logged into a database of similar flaws. When they hit the number of flaws they’re looking for, they either start the attack or they will offer their findings to the dark web marketplace.
Security flaws or software vulnerabilities come in a couple of different forms. Either it is a software bug or it’s a configuration error that was created during installation.
An Attack Illustration
Cyberattacks come in a few different ways. One way is to capture or guess a user’s credentials and use them to access user files.
Another way they get in is to find a software vulnerability that hasn’t been repaired and take advantage of it. A notable example from this past year was the Microsoft Exchange Zero-Day attack. These vulnerabilities provided access to a system without the need for a username and password. Once a hacker got in, they were able to inject their own software into the system which gave them the ability to move around at will. If they found files they wanted, they either stole them or encrypted them.
A third way they access a system is to use email phishing attacks that bait a victim to do something unknowingly, whether it’s installing a malware payload or clicking a link that takes them to a malicious website that downloads malware to their device.
All of us are under daily attacks and the best way to protect ourselves is to find these software vulnerabilities and fix them before they can be used against us.
A vulnerability assessment is important because it is an essential tool in the ongoing effort to combat hackers. The assessment demonstrates vigilance and is composed of three parts: the inventory, the vulnerability scan itself, and the reporting. A vulnerability assessment is essential for creating a roadmap for prioritizing and repairing software vulnerabilities.
The first step of an assessment is to run a scan on the network to find out just exactly what devices are plugged into it. It might be a surprise, but many times there are devices on a network that are unaccounted for.
The next step is a scan that looks for software vulnerabilities that match the tens of thousands of known vulnerabilities published by vendors. When it finds one, it’s logged, and it moves on.
A typical business of 100 employees will have between 10 and 25 servers and any number of workstations, switches, routers, etc. A single scan at any given time can find between 5,000 and 7,000 vulnerabilities on the network. These numbers are mind-boggling, but the good news is that not all of these vulnerabilities pose an immediate risk.
The assessment software can even be configured to address user preferences. Since some flaws are riskier than others, findings can be filtered and prioritized. Relevant weighting factors may include:
- Is the device exposed to the internet?
- If a flaw is used for an attack, does it require login credentials?
- Does the risk require the perpetrator to work on the system itself?
- Does the risk require malware to function?
An example of a custom report is one that only shows critical vulnerabilities with known exploits in the wild that can be exploited over the network. A report like this gives an administrator a short list of vulnerabilities that should be addressed immediately. Assessments should be run on a regular basis; otherwise, findings stack up awaiting attention. Remember, the goal is to decrease risk and improve the organization's security posture every day. This can only be done if vulnerabilities are being addressed on a regular basis.
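The filtering and prioritization described above can be expressed as a small scoring pass over scan output. The following is an added example, not the article's own tooling or any vendor's scanner: the finding fields, the weights, the host names and the `VULN-000x` identifiers are all constructed assumptions, and the "critical, exploit in the wild, network-exploitable" filter is the custom report the text describes.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    """One scanner finding, reduced to the weighting factors the text lists."""
    host: str
    vuln_id: str                # constructed placeholder id, not a real CVE
    severity: str               # "critical", "high", "medium" or "low"
    internet_exposed: bool      # is the device reachable from the internet?
    requires_credentials: bool  # does the attack need a valid login?
    local_only: bool            # must the attacker already be on the system?
    requires_malware: bool      # does the attack depend on a malware payload running?
    exploit_in_wild: bool       # is a working exploit publicly known?

# Assumed weights: remotely reachable, unauthenticated, exploit-available flaws rank highest.
SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}

def risk_score(f: Finding) -> int:
    score = SEVERITY_WEIGHT[f.severity] * 10
    if f.internet_exposed:
        score += 20
    if not f.requires_credentials:
        score += 15
    if not f.local_only:
        score += 10
    if not f.requires_malware:
        score += 10
    if f.exploit_in_wild:
        score += 25
    return score

def prioritized(findings):
    """Full list, highest risk first: the roadmap for repair work."""
    return sorted(findings, key=risk_score, reverse=True)

def critical_network_exploitable(findings):
    """The custom report from the text: critical, exploit in the wild, exploitable over the network."""
    return [f for f in findings
            if f.severity == "critical" and f.exploit_in_wild and not f.local_only]

# Constructed sample scan output for a small network.
SAMPLE = [
    Finding("mail-01", "VULN-0001", "critical", True,  False, False, False, True),
    Finding("ws-17",   "VULN-0002", "high",     False, False, True,  True,  False),
    Finding("db-02",   "VULN-0003", "critical", False, True,  False, False, False),
    Finding("sw-03",   "VULN-0004", "medium",   True,  False, False, True,  True),
]

if __name__ == "__main__":
    for f in prioritized(SAMPLE):
        print(f"{risk_score(f):4d}  {f.host:8s} {f.vuln_id} {f.severity}")
    print("fix now:", [f.vuln_id for f in critical_network_exploitable(SAMPLE)])
```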