Periodic vulnerability assessment is a strong step in the overall effort to keep a business safe from cyber-attacks. It not only serves as feedback on existing efforts but also points out the areas that are particularly weak and need further attention. This helps in measuring the current expenditure and in deciding whether advanced products need to be evaluated and considered.
Gartner, in its ‘Security and Risk Management Scenario Planning, 2020’, offers a sobering assessment: “By 2020, 30% of Global 2000 organizations will have been specifically traded off by an autonomous gathering of digital activists or digital culprits. This expectation isn’t shocking, considering the way that driving danger pointers are hard to recognize when the association’s digital adversaries, including their procedure, abilities, and activities, are obscure.”
How to go about vulnerability assessment?
There are various ways in which a VA can be undertaken, depending on the nature of the business and its processes, but there is some common ground:
- Get to know your business process: knowing the business process helps prioritize the security points in terms of sensitivity and criticality. It is important because it helps to evaluate the product or service to be deployed.
- Look inside: understanding the core infrastructure is critical. This helps to ensure seamless service based on business needs.
- Assess the cloud as well as the hardware infrastructure: this is particularly interesting because most companies currently run a hybrid model, and it is important to keep processes running fluidly without compromising security.
- Identify critical data sources: understanding the business process and the critical data points is crucial to identifying whether vulnerabilities exist in that part of the system.
Vulnerability assessment must be done as a continuous process. But there are many gaps, because most security executives are not aware of everything that exists in their environment. For example, Operation Tropic Trooper was a series of attacks on the Philippines and Taiwan that specifically targeted Microsoft Office 2003 by exploiting vulnerabilities that were three to five years old. It is a classic example of not knowing what lies in your infrastructure and how those vulnerabilities can be exploited.
Today’s attackers are not going after the perimeter but after endpoints. A suspicious email or message carrying a malicious payload gets clicked by an unaware user, and the attack then passes through the company’s security perimeter.
Logix Infosecurity helps companies undertake vulnerability assessments and red teaming exercises to continuously improve the security of the company.