What is Vulnerability Assessment?
Vulnerability Assessment is a method of systematically analyzing the security status of Information
Vulnerability assessment is the process of defining, identifying, classifying and prioritizing
vulnerabilities in computer systems, applications and network infrastructures while providing
the organization doing the assessment with the necessary knowledge, awareness and risk
background to understand the threats to its environment and act appropriately.
A vulnerability is any mistake or weakness in the system security procedures, design,
implementation or internal controls that may result in a breach of the system's security
policy. In other words, it is an opportunity for intruders (hackers) to gain unauthorized access.
A vulnerability assessment process is intended to identify threats and the risks they pose.
Typically, it involves the use of automated testing tools, such as network security scanners,
whose results are listed in a vulnerability assessment report.
Why perform a Vulnerability Assessment?
It is important for the security of the organization.
By locating and reporting the vulnerabilities, it provides a way to detect and resolve
security problems by ranking the vulnerabilities before someone or something can
In this process, operating systems, application software and networks are scanned to
identify the existence of vulnerabilities, which include inappropriate software design,
insecure authentication, etc.
Examples of threats that can be prevented by vulnerability assessment include:
1. SQL injection, XSS and other code injection attacks.
2. Escalation of privileges due to faulty authentication mechanisms.
3. Insecure defaults – software that ships with insecure settings, such as a guessable admin
Types of vulnerability assessments:
1. Host assessment – The assessment of critical servers, which may be vulnerable to
attacks if not adequately tested or not generated from a tested machine image.
2. Network and wireless assessment – The assessment of policies and practices to prevent
unauthorized access to private or public networks and network-accessible resources.
3. Database assessment – The assessment of databases or big data systems for
vulnerabilities and misconfigurations, identifying rogue databases or insecure dev/test
environments, and classifying sensitive data across an organization’s infrastructure.
4. Application scans – Identifying security vulnerabilities in web applications and
their source code through automated scans of the front end or static/dynamic analysis of
Vulnerability Assessment in 3 Steps
1. Information Gathering and Discovery
The best tool for gathering information is Nmap.
This phase involves obtaining as much information as possible about the IT environment, such as
networks, IP addresses, operating system versions, and so on. It applies to all three
scopes of testing, i.e. black box testing, grey box testing and white box testing.
In this phase information is gathered from public sources, such as:
1. Social Sites
3. White papers
4. DNS Zones and registers
5. Directory service
In this phase, information is gathered about the systems before the vulnerability
assessment. Review whether the device has open ports, processes or services that shouldn't
be open. Also understand the approved drivers and software that should be installed
on the device, as well as the basic configuration of each device. For instance, if the
device is a perimeter device, it shouldn't have a default administrator username
configured. Try to perform banner grabbing, or learn what kind of "public" information
should be accessible based on the configuration baseline.
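As an added example (not code from the original page or from any tool named on it), the following Python script parses constructed Nmap greppable (-oG) output and compares each host's open ports with a hypothetical configuration baseline, flagging unapproved listeners and hosts the baseline does not know about. The hosts, ports, banners, baseline and the severity rule (perimeter device outranks internal host) are all assumptions made for the illustration.

```python
import re

# Constructed sample of Nmap "greppable" (-oG) output for three hosts; not a real scan.
SCAN_OUTPUT = """\
# Nmap 7.94 scan initiated as: nmap -sV -oG - 10.0.0.0/29
Host: 10.0.0.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 443/open/tcp//https//nginx/\tIgnored State: closed (998)
Host: 10.0.0.2 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 23/open/tcp//telnet//Linux telnetd/, 80/open/tcp//http//Apache httpd 2.4/\tIgnored State: closed (997)
Host: 10.0.0.6 ()\tPorts: 3306/open/tcp//mysql//MySQL 5.7/\tIgnored State: closed (999)
"""

# Constructed configuration baseline: the ports each approved device may expose.
BASELINE = {
    "10.0.0.1": {"role": "perimeter", "allowed_ports": {443}},
    "10.0.0.2": {"role": "internal", "allowed_ports": {22, 80}},
}

# Greppable port entries read port/state/proto/owner/service/rpc/version/; only open ports matter here.
PORT_RE = re.compile(r"(\d+)/open/(tcp|udp)//([^/]*)//([^/]*)/")

def parse_greppable(text):
    """Return {host: [(port, proto, service, banner), ...]} for every Host: line."""
    scan = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # skip comment and blank lines
        fields = line.split("\t")
        host = fields[0].split()[1]
        ports_field = next((f for f in fields if f.startswith("Ports:")), "")
        scan[host] = [(int(p), proto, svc, ver)
                      for p, proto, svc, ver in PORT_RE.findall(ports_field)]
    return scan

def find_deviations(scan, baseline):
    """Compare the scan against the baseline and return findings, highest severity first."""
    findings = []
    for host, services in scan.items():
        entry = baseline.get(host)
        if entry is None:
            # A responding host the baseline does not know about: possible rogue device.
            findings.append(("High", host, None, "host absent from baseline"))
            continue
        for port, proto, svc, ver in services:
            if port in entry["allowed_ports"]:
                continue
            # Assumed rule: an unapproved listener on a perimeter device outranks one on an internal host.
            severity = "High" if entry["role"] == "perimeter" else "Medium"
            findings.append((severity, host, port, f"unapproved {svc} ({ver}) on {port}/{proto}"))
    rank = {"High": 0, "Medium": 1, "Low": 2}
    return sorted(findings, key=lambda f: (rank[f[0]], f[1], f[2] or 0))
```

Feeding real `nmap -oG` output to `parse_greppable` and the organization's own approved-port list to `find_deviations` yields the baseline-deviation findings the text asks for in the recommendations phase.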
Use the right policy on your scanner to accomplish the desired results. Prior to starting
the vulnerability scan, look for any compliance requirements based on the company's
posture and business, and know the best time and date to perform the scan. It is
important to recognize the context of the client's industry and determine whether the scan can be
performed all at once or whether segmentation is needed. An important step is to re-define
the policy for the vulnerability scan to be performed and get it approved.
For the best results, use related tools and plug-ins on the vulnerability assessment
platform, such as:
Best scan (i.e., popular ports)
CMS web scan (Joomla, WordPress, Drupal, general CMS, etc.)
Most common ports best scan (i.e., 65,535 ports)
Full scan, exploits and distributed denial-of-service (DDoS) attacks
Open Web Application Security Project (OWASP) Top 10 Scan, OWASP Checks
Payment Card Industry Data Security Standard (PCI DSS) preparation for web
Health Insurance Portability and Accountability Act (HIPAA) policy scan for
In case you need to perform a manual scan for the critical assets to ensure the best
results, be sure to configure the credentials on the scanner configuration to perform a
better and deeper vulnerability assessment.
In this phase, the network is tested using vulnerability scanners such as Retina.
Retina Network Security Scanner is the most sophisticated vulnerability assessment
solution on the market. It is available as a standalone application or as part of the Retina
CS unified vulnerability management platform. It enables you to efficiently identify IT
exposures and prioritize remediation enterprise-wide.
Discover all network (local and remote), web, database and virtual assets in your
Reveal at-risk personally identifiable information (PII) and other sensitive data
Identify system, application, database, OS and web application vulnerabilities via
agent-based and/or agentless scanning
Assess risk and prioritize remediation based on exploitability (from Core Impact,
Metasploit, Exploit-db), CVSS & other factors
Confirm exploitability through penetration testing, with one click to the
Report progress and results to colleagues in management, compliance, audit,
risk and other roles
Analyze threats and gain security intelligence through the optional Retina CS
vulnerability management console
Share data with popular solutions for SIEM, GRC and other security management
Pay attention to the details and try to add extra value in the recommendations phase. To get
real value from the final report, add recommendations based on the initial assessment goals.
Based on the criticality of the assets and the results, add risk mitigation techniques. Add findings
related to any possible gap between the results and the system baseline definition (deviations
in any misconfiguration and discoveries made), and recommendations to correct the deviations
and mitigate possible vulnerabilities. Findings from the vulnerability assessment are usually very
useful and are ordered in a way that ensures each finding is understood.
However, it’s important to keep the following details in mind and realize that high and medium
vulnerabilities should have a detailed report that may include:
The name of vulnerability
The date of discovery
The score, based on Common Vulnerabilities and Exposures (CVE) databases
A detailed description of the vulnerability
Details regarding the affected systems
Details regarding the process to correct the vulnerability
A proof of concept (PoC) of the vulnerability for the system (if possible)
A blank field for the owner of the vulnerability, the time it took to correct, the next
revision and countermeasures between the final solution
With this basic list in hand when performing a vulnerability assessment, the recommendations phase
will reflect a complete understanding of the security system in all the different aspects of the
process. It will also deliver a better outcome for something that, in most cases, is just a
Risks of an Internal VA
Vulnerabilities can arise due to misconfigured hardware, out-of-date software or
unpatched systems. Attacks can come from a malicious insider, viruses, malware or even an
unintentional attack such as the accidental deletion of sensitive data.
An Internal Vulnerability Assessment is aimed at safeguarding the network’s assets that could
be exploited to interfere with the confidentiality, availability, and integrity of the network.
Unavailability of the systems and applications
Impact on the network and systems performance
Reaction from the IT staff in the event of a real attack taking place
Vulnerability Assessment Steps with a 3rd Party
When using a 3rd party to assess your network, here are a few things to keep in mind:
Establish an Information Security Assessment Policy to be followed
Determine the objectives of each security assessment
The consulting firm should be accountable for any damage caused by errors during
Sign a formal agreement for the Vulnerability Assessment
Non-disclosure of information externally
A step-by-step guide to Vulnerability Assessment – Kenneth Gonzalez
Mitigate Risk with Internal Vulnerability Assessments