A vulnerability is a "weakness in any information system, security procedures, internal controls, or implementation that could be exposed by a threat source" (NIST, 2012, p. 9). Vulnerabilities may result from an improperly configured system (weak passwords, unnecessary open ports and protocols, etc.), as well as from missing software patches.
Vulnerability assessments use tools and processes to identify the vulnerabilities present in the systems for which an organization is responsible. The output of an assessment is a list of weaknesses that an attacker could exploit.
Vulnerability assessment is an important part of an organization's overall risk management strategy. Assessments are conducted to meet governmental regulations and requirements, to guide the organization's IT security practices, to keep pace with emerging security threats, to confirm that staff members are applying appropriate safeguards, and to demonstrate to customers that the organization is vigilant about security.
One commonly used assessment tool is a vulnerability scanner. It first builds a network map, or inventory, of the hosts that are live on a network, together with their open ports, running services, and operating systems (such as Microsoft Windows 7, Linux, etc.). Once the map has been created, the scanner compares each system's ports, services, and versions against a database of known vulnerabilities.
Other tools and processes used to identify, quantify, and prioritize a system's vulnerabilities include network discovery, network port and service identification, documentation and log review, integrity checking, or a combination of these methods.
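The two phases described above (build an inventory, then match it against a known-vulnerability database and prioritize the results) can be modelled in a few lines. This is an added example, not code from the page or from any scanner product; the inventory, the advisory identifiers, and the version numbers are constructed placeholders.

```python
# Added example: a minimal model of a vulnerability scanner's two phases.
# Phase 1 output is a constructed inventory (the "network map");
# phase 2 matches each service against a constructed advisory database.
from dataclasses import dataclass

@dataclass
class Service:
    host: str      # constructed address
    port: int
    product: str
    version: str

@dataclass
class Advisory:
    advisory_id: str  # placeholder id, not a real CVE
    product: str
    fixed_in: str     # first version that is NOT affected
    severity: int     # 1 (low) .. 10 (critical)

def parse_version(v: str) -> tuple:
    """Turn '2.4.49' into (2, 4, 49) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))

# Constructed network map (what phase 1 of a scanner would produce).
INVENTORY = [
    Service("10.0.0.5", 80, "httpd", "2.4.49"),
    Service("10.0.0.5", 22, "openssh", "8.4"),
    Service("10.0.0.7", 80, "httpd", "2.4.52"),
    Service("10.0.0.9", 21, "vsftpd", "3.0.3"),
]

# Constructed known-vulnerability database with placeholder identifiers.
VULN_DB = [
    Advisory("ADV-0001", "httpd", fixed_in="2.4.51", severity=9),
    Advisory("ADV-0002", "openssh", fixed_in="8.5", severity=4),
]

def assess(inventory, vuln_db):
    """Phase 2: flag every service running a version older than the fix,
    and return findings highest severity first so remediation can be
    prioritized. Returns (severity, host, port, advisory_id) tuples."""
    findings = []
    for svc in inventory:
        for adv in vuln_db:
            if (svc.product == adv.product
                    and parse_version(svc.version) < parse_version(adv.fixed_in)):
                findings.append((adv.severity, svc.host, svc.port, adv.advisory_id))
    return sorted(findings, reverse=True)
```

Hosts whose products have no advisory (vsftpd here) and patched versions (httpd 2.4.52) produce no finding, which is exactly the gap a missing patch would create.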
National Institute of Standards and Technology (NIST). (2012, September). Special publication 800-30, revision 1: Guide for conducting risk assessments. http://dx.doi.org/10.6028/NIST.SP.800-30r1
- Read chapters 2 and 4 of NIST SP 800-115 Technical Guide to Information Security Testing and Assessment
Check Your Knowledge
Choose the best answer to each question: