How to Perform a Vulnerability Assessment

In 2017, a massive ransomware campaign began. The ransomware, known as WannaCry, affected over 200,000 systems worldwide. The attackers exploited a known vulnerability in the Microsoft Windows Server Message Block (SMB) protocol. Vulnerable systems are a gift for hackers. Vulnerabilities are common, with 76% of applications having at least one vulnerability.
A vulnerability assessment provides a way to mitigate these exploits and help reduce security risk.
What are Vulnerabilities?

In the context of computing, vulnerabilities are flaws in software applications, systems, devices, or processes that can be exploited. Attackers commonly use vulnerabilities as part of an attack chain that ends in some form of security breach, including data exfiltration, ransomware, and account takeovers. Vulnerabilities take many forms, broadly covered by misconfigured web servers and databases, insecure APIs, unauthorized access, network vulnerabilities, human vulnerabilities, unpatched software, and zero-days (not yet recognized by a vendor, so no patch is available). Critical vulnerabilities, which, if exploited, cause a significant impact on the company, have increased by 83%.
Vulnerabilities are closely monitored by industry vendors and analysts, such as CVE Details, OWASP, and HackerOne. These organizations create watchlists and databases that gather and make available information on vulnerabilities, helping organizations with their cybersecurity operations.
HackerOne compiles a top ten list of vulnerable areas, which covers types of vulnerability in more detail. Top vulnerabilities include improper access controls and misconfiguration.
Common Vulnerabilities and Exposures (CVEs) is a reference method for publicly known information security vulnerabilities and exposures. CVE databases are maintained by several organizations, including the CVE List, which is sponsored by the U.S. Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA).
CVE Details, run by Security Scorecard, is another organization that maintains a database of vulnerabilities. CVE Details offers insights into vulnerabilities, and its research shows a general upward trend in the number of vulnerabilities.
Figure: Vulnerabilities by Type & Year (Source: CVE Details)
Understanding your security risk is an essential part of creating a robust security environment for your company. A vulnerability assessment identifies areas within your organization that are vulnerable.
What is a Vulnerability Assessment?

A vulnerability assessment provides a comprehensive and systematic view of potential security flaws and weaknesses in an information system. The intelligence gathered from the vulnerability assessment is used to classify vulnerabilities. In turn, this intelligence provides a basis for mitigative strategies and offers guidance on remediation of weaknesses.
There are several types of vulnerability assessment depending on what system is under examination:
Host-Based
This deep-dive vulnerability assessment focuses on servers, workstations, and other endpoints. It checks areas such as configurations, software, and operating system insecurities.
Network and Wireless Assessment
Network infrastructure, including connected devices such as routers and printers, is under scrutiny during a network vulnerability assessment. Insecure protocols, poorly implemented encryption, and open ports are typical elements that a network assessment helps identify. Wi-Fi and wireless connection vulnerabilities are often included in network assessments. Weaknesses that could allow unauthorized access and data exfiltration attacks are part of this type of assessment.
Database
Database exploits lead to major data breaches. A database vulnerability assessment identifies insecure configurations, inappropriate user privileges, and poorly implemented access controls, and checks patch status.
Application Assessment
Application vulnerability assessments focus on the security of software applications, including those that are cloud-based. Applications are vulnerable to a broad range of abuses, including poorly implemented registration and identity verification processes, inadequate access control and authentication, poor coding practices, insecure API connectivity, and SQL injection attacks.
API Vulnerabilities
Many modern systems utilize APIs to add capability and connect to other systems and services. As such, APIs have become a popular target. An API vulnerability assessment examines weaknesses in API endpoints, identifying security issues resulting from misconfigurations, inadequate access control, SQL injection attacks, and insecure data flows.
SCADA and ICS
SCADA (supervisory control and data acquisition) and ICS (industrial control systems) are used in manufacturing. This sector faces numerous unique security challenges, primarily due to legacy applications and protocols, and downtime is a significant issue in the manufacturing industry. Vulnerability assessments within manufacturing must focus on these unique challenges without disrupting the smooth operation of an organization.
Why Perform a Vulnerability Assessment?
A vulnerability assessment provides an organization with security intelligence that can be used to address security risks. In an era where cybersecurity threats are continually evolving with volumes of malicious attacks increasing, knowing where security gaps exist is essential to developing a robust security strategy. Some examples of vulnerability-based attacks show how cybercriminals exploit flaws:
Play Ransomware
Cybercriminals exploited a Windows zero-day vulnerability (CVE-2025-29824) before Microsoft had a chance to release a patch. The flaw allowed an attacker to exploit the Common Log File System to gain elevated privileges. Once an attacker had elevated privileges, they were able to install Play ransomware. The vulnerability resulted in over 900 companies being infected with the ransomware.
Equifax Breach
A massive data breach at Equifax resulted in the firm paying $1.4 billion in cleanup costs. The breach was attributed to an Apache Struts vulnerability (CVE-2023-50164), which hackers used to exploit the organization's dispute resolution portal. Patches were available many months before the attack, but Equifax's poor patch management meant they were not protected from the threat. The data breach affected 143 million people.
T-Mobile API Vulnerability
A data breach at T-Mobile affected 37 million customers. Attackers gained unauthorized access to customers' personal data through an API vulnerability. This flaw was likely an OWASP-recognized top API vulnerability known as "improper inventory management". The attackers took advantage of a lack of patching and poor API security.
How is a Vulnerability Assessment Performed?
A vulnerability assessment is not just about scanning a system or applications. Instead, the assessment should be thought of as a process that includes the following steps:
- Scope out your vulnerability assessment: This is the discovery and planning stage. Determine what should be included in the vulnerability assessment and what type of evaluation should be conducted. The scope of the assessment should consist of baselines for configurations, user permissions, human vulnerabilities, and BYOD settings. The scoping stage produces an action plan that specifies the tools and methods used to find vulnerabilities, such as automated scanning and manual exercises.
- Run a vulnerability scan: Once your plan is ready, you can carry out the vulnerability assessment. This part of the process uses existing vulnerability databases, new threat announcements, and other threat intelligence feeds to help identify system weaknesses.
- Vulnerability Analysis: Once the scan is complete, the output can be analyzed. The aim is to identify flaws and find their root cause to inform mitigation and remediation actions. For example, the scan may have identified a default password on a router, which can then be remediated by using a robust password and MFA if available.
- Create the vulnerability report: A report is created using the output of the scan and the analysis of this output. The report assigns a severity level to each vulnerability, which determines its remediation priority.
- Remediation: The report outlines the necessary measures to address the identified security gaps, categorized by severity level. Remediation of vulnerabilities involves multiple parties in an organization, including the security team, any external managed service providers, and others, to ensure that the security measures are appropriate.
- Repeat: The cyber threat landscape is continually changing; new threats, such as AI-assisted cyberattacks, create new exploits for vulnerable systems and services. Organizations should expect to conduct regular vulnerability assessments as new threats emerge. Additionally, as new technologies, systems, and processes are introduced by an organization, a vulnerability assessment should be conducted to identify potential security gaps.
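The analysis and reporting steps above, applied to constructed scan findings as an added example (not code from the article): each finding carries a CVSS v3 base score, which is mapped to the qualitative severity scale published by FIRST, and the findings are grouped into a severity-ranked remediation queue. The host addresses, finding titles and scores are invented sample data.

```python
# Added example: turn raw scan findings into a severity-ranked remediation report.
# The findings below are constructed sample data, not output from any real scanner.
import json
from collections import defaultdict

# Constructed scanner output: each finding carries a CVSS v3 base score.
SAMPLE_SCAN_OUTPUT = json.dumps([
    {"host": "10.0.0.12", "service": "ssh/22", "title": "Outdated OpenSSH build", "cvss": 7.5},
    {"host": "10.0.0.20", "service": "http/80", "title": "Default admin credentials on router", "cvss": 9.8},
    {"host": "10.0.0.20", "service": "http/80", "title": "Directory listing enabled", "cvss": 5.3},
    {"host": "10.0.0.31", "service": "smb/445", "title": "SMBv1 protocol enabled", "cvss": 8.1},
    {"host": "10.0.0.31", "service": "smb/445", "title": "Informational banner", "cvss": 0.0},
])

SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "None"]

def severity(score: float) -> str:
    """Map a CVSS v3.x base score to its qualitative rating (FIRST's published scale)."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "None"

def build_report(scan_json: str) -> dict:
    """Group findings by severity, highest score first, and list exposed hosts per bucket."""
    buckets = defaultdict(list)
    for finding in json.loads(scan_json):
        rated = dict(finding, severity=severity(finding["cvss"]))
        buckets[rated["severity"]].append(rated)
    report = {}
    for level in SEVERITY_ORDER:
        items = sorted(buckets.get(level, []), key=lambda f: -f["cvss"])
        report[level] = {"count": len(items), "hosts": sorted({f["host"] for f in items}), "findings": items}
    return report

def remediation_order(report: dict) -> list:
    """Flat work queue: Critical first, then by descending score; informational items are excluded."""
    return [f["title"] for level in SEVERITY_ORDER if level != "None" for f in report[level]["findings"]]

if __name__ == "__main__":
    r = build_report(SAMPLE_SCAN_OUTPUT)
    print({level: r[level]["count"] for level in SEVERITY_ORDER})
    print("Remediate in order:", remediation_order(r))
```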
Vulnerability Scanning Tools
There are lots of security scanning tools available to speed up your vulnerability assessment. Some examples include the following:
- CVE Scanner: Specific to website vulnerabilities.
- OpenVAS: An open-source vulnerability scanner.
- InsightVM from Rapid7: A fully fledged commercial vulnerability scanner.
- A comprehensive list of vulnerability scanners is available from OWASP.
Vulnerability assessment tools can also be supplied via a specialist managed service provider. Smaller organizations often use this option as it can be cost-effective and does not require skilled in-house staff.
Vulnerability Assessments: How Long and How Much

The length of time to complete and the cost of a vulnerability assessment depend on the scope of the assessment. However, a ballpark figure for a single vulnerability scan on a simple network is around $1,000 to $10,000. Larger enterprises are likely to incur significantly higher costs. Other costs, such as the time required to develop the process, engaging external teams, and the cost of remediation, must also be included. If external vulnerability management services are added, this will increase costs. The time to complete the process is also highly dependent on the scope of the exercise, the size of the organization, and the measures required to remediate found vulnerabilities. Any organization using a vulnerability assessment should budget for regular assessments.
Further reading: best practice guidelines
An organization can use guidelines and frameworks designed to assist in effective vulnerability assessments. The following are suggested readings before embarking on a vulnerability assessment:
- NIST SP 800-115 (Technical Guide to Information Security Testing and Assessment)
- OSSTMM (Open Source Security Testing Methodology Manual)
- OWASP Vulnerability Management Guide
FAQs
Does a vulnerability assessment help meet regulatory compliance?
Yes. A vulnerability assessment provides evidence that your organization has identified potential weaknesses and made efforts to remediate these security gaps. Many data protection regulations mandate regular risk assessments, which include locating security and privacy vulnerabilities.
Is penetration testing the same as a vulnerability assessment?
Simply put, a penetration test attempts to exploit vulnerabilities, whereas a vulnerability assessment identifies and classifies vulnerabilities across a system. A penetration test is usually performed by skilled people acting as ethical hackers, whereas a vulnerability assessment typically relies on automation to carry out a systematic review of vulnerabilities. Vulnerability assessments are much broader in scope than penetration tests.
Is a security audit the same as a vulnerability assessment?
A security audit is the next step after a vulnerability assessment. It tests the measures put in place to control the security weaknesses identified in an assessment report. A security audit may be required as part of industry standards. The audit will test the system against best practice security requirements and regulations, such as HIPAA.
Can I perform a vulnerability assessment using automated scanning tools only?
You can carry out a vulnerability assessment using automated scanning alone, but this is not recommended. Automated vulnerability scanning is one component of a broader process designed to identify and address security weaknesses within a system. The scan's results must be analyzed, vulnerabilities classified, and appropriate measures determined and implemented.