Vulnerability Assessment

A vulnerability is a "weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source" (NIST, 2012, p. 9). Vulnerabilities may result from an improperly configured system (weak passwords, unnecessary open ports and protocols, and so on) as well as from missing software patches.

Vulnerability assessments use tools and processes to identify the vulnerabilities present in the systems an organization is responsible for. The assessment identifies weaknesses that an attacker could exploit.

Vulnerability assessment is an important part of an organization's overall risk management strategy. Assessments are conducted to meet governmental regulations and requirements, to guide the organization's IT security practices, to stay on top of emerging security threats, to ensure that staff members are using appropriate measures, and to demonstrate to customers that the organization is vigilant about security.

One commonly used assessment tool is a vulnerability scanner. It first creates a network map or inventory that identifies which systems are live on a network, along with their open ports, running services, and operating systems (Microsoft Windows 7, Linux, etc.). Once the map exists, the scanner checks each system against a database of known vulnerabilities.

Other tools and processes used to identify, quantify, and prioritize a system's vulnerabilities include network discovery, network port and service identification, documentation and log review, and integrity checking, often applied in combination.
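The two assessment steps described above, matching a scanner's inventory against a database of known vulnerabilities and flagging configuration weaknesses such as unnecessary services, as an added example in Python. This is illustrative code written for this page, not a real scanner or a NIST tool; the hosts, products, versions, severity scores and advisory identifiers are all constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    host: str
    port: int
    product: str
    version: tuple  # numeric version tuple, e.g. (2, 4, 49)


def parse_version(text):
    """Turn a dotted version string such as '2.4.49' into a comparable tuple."""
    return tuple(int(part) for part in text.split("."))


# Constructed inventory, shaped like the output of a scanner's discovery phase.
INVENTORY = [
    Service("10.0.0.5", 80, "webserver", parse_version("2.4.49")),
    Service("10.0.0.5", 23, "telnetd", parse_version("0.17")),
    Service("10.0.0.9", 22, "sshd", parse_version("9.6")),
]

# Constructed "known vulnerabilities" database: product, affected version
# range [min, max) and a severity score from 0 to 10. The identifiers are
# placeholders, not real advisory numbers.
VULN_DB = [
    {"id": "EXAMPLE-0001", "product": "webserver", "min": (2, 4, 0), "max": (2, 4, 50), "severity": 9.8},
    {"id": "EXAMPLE-0002", "product": "sshd", "min": (8, 0), "max": (9, 0), "severity": 5.3},
]

# Services the organization's baseline considers unnecessary on any host
# (a configuration weakness rather than a missing patch); severity is set by policy.
UNNECESSARY_SERVICES = {"telnetd": 7.5}


def assess(inventory, db=VULN_DB, policy=UNNECESSARY_SERVICES):
    """Return findings from both the missing-patch check and the configuration check."""
    findings = []
    for svc in inventory:
        for entry in db:
            # Tuple comparison handles version ranges; 9.6 is outside [8.0, 9.0).
            if entry["product"] == svc.product and entry["min"] <= svc.version < entry["max"]:
                findings.append({"host": svc.host, "port": svc.port, "id": entry["id"], "severity": entry["severity"]})
        if svc.product in policy:
            findings.append({"host": svc.host, "port": svc.port, "id": "unnecessary-service", "severity": policy[svc.product]})
    return findings


def prioritize(findings):
    """Highest severity first; host and port break ties so reports are stable."""
    return sorted(findings, key=lambda f: (-f["severity"], f["host"], f["port"]))
```

Running `prioritize(assess(INVENTORY))` lists the outdated web server first, then the unnecessary telnet service, and nothing for the SSH host whose version falls outside the affected range.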

References

National Institute of Standards and Technology (NIST). (2012, September). Special Publication 800-30, Revision 1: Guide for conducting risk assessments. http://dx.doi.org/10.6028/NIST.SP.800-30r1

Check Your Knowledge

Choose the best answer to each question:

Question 1
What is the purpose of a vulnerability assessment?
to meet governmental regulations and requirements
to ensure that staff members are using appropriate measures
to demonstrate to customers that your organization takes security seriously
to meet governmental regulations and requirements, to demonstrate to customers that your organization takes security seriously, and to ensure that staff members are using appropriate measures
Question 2
True or false? A vulnerability assessment is only useful if government regulations require it.
True
False
Question 3
A weakness in a system that may possibly be exploited is called a(n)?
corrective control
risk assessment
vulnerability
physical controls
Question 4
All of the following are tools and processes used to identify, quantify, and prioritize a system's vulnerabilities:
network discovery, network port and service identification, documentation and log review, integrity checking, or a combination of several methods
network discovery, network port and service identification, documentation and log review, integrity checking, exigent circumstance doctrine
network discovery, network port and service identification, documentation and log review, integrity checking, exigent circumstance doctrine, separation of duties
network discovery, network port and service identification, documentation and log review, integrity checking, collusion, job rotation, or a combination of several methods
Question 5
What is the purpose of the vulnerability scanner?
to create an environment where two or more people cannot conspire to commit an illicit act
to induce an individual to make inappropriate security decisions
to create a network map or inventory, which identifies systems that are functional on a network, as well as their open ports, running services, and operating systems.
to perform network discovery, network port and service identification, documentation and log review, integrity checking, or a combination of several methods.