What is a Vulnerability Assessment?
In this article I will discuss what a vulnerability assessment is and why you need it for your business. If your company has a website, a vulnerability assessment can help stop hackers from attacking your site. If your company has a network, a vulnerability assessment can determine if your network is secure or not.
Most hackers target the “low hanging fruit”, or targets that are very insecure. The harder your systems are to attack, the fewer attackers you have to deal with. Some of the most popular vulnerability assessment tools will be discussed below, along with why you need a vulnerability assessment.
Why do I need a Vulnerability Assessment?
With the rapid advancement of the Internet of Things and the workforce’s increasing use of computers and computing technologies, vulnerability assessments are becoming more important. The more complex systems are, the greater the chance of vulnerabilities.
A hacker only needs to discover one vulnerability to compromise a system. It is better to be secure and never experience an attack than to have to pick up the pieces after an attack destroys your reputation. If you can determine your vulnerabilities before the attacker does, you have a chance to fix them.
A vulnerability is a weakness in the organization’s armor that can lead to a compromise of the system. Anyone with a website can benefit from a vulnerability assessment. Vulnerability assessments can be performed by anyone with the correct tools.
There are plenty of commercial and open source vulnerability scanners on the market today. Below, I will discuss some of these tools, the cost of the tools, and the overall user experiences.
Vulnerability Assessment Tools
The first vulnerability assessment tool I will discuss is Nessus. Nessus was developed by Tenable Security and is one of the most widely used vulnerability scanners. It is a commercial vulnerability assessment tool that costs $2,190 per year. Even though the price seems a little expensive, it is on the lower end of the price spectrum.
Nessus can scan a range of IP addresses and detect the operating systems running. It finds known vulnerabilities that may be on the machine and lists them with the most critical vulnerabilities at the top of the list (Example shown below). It can also discover any misconfigurations on the system that lead to a security vulnerability. Nessus used to be open source software; however, the source was closed in 2005.
OpenVAS was created from the last open source version of Nessus. OpenVAS is similar to Nessus; however, it is 100 percent free! In my opinion, the OpenVAS user interface is less user-friendly than the Nessus user interface. However, they both attain the same goal: to find security holes in a computer system. Since Nessus is a proprietary solution, it comes with more advanced features. After reading reviews and comparisons on the Internet, most people recommend Nessus if the organization can afford it.
OpenVAS and Nessus normally have similar scan results. OpenVAS may be a little hard to understand, however. Nessus ranks the discovered vulnerabilities as critical, high, medium, low, and info. OpenVAS ranks discovered vulnerabilities as high, medium, low, log, and N/A. So when comparing the two, a critical vulnerability in Nessus may be considered a high vulnerability in OpenVAS. These are two of the tools that Cydrogen uses to make sure our clients’ systems are vulnerability free.
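When results from both scanners are reviewed side by side, the two severity scales have to be reconciled first. The following is an added example, not code from Nessus, OpenVAS or this article's author: it maps each scanner's labels onto one scale, merges duplicate findings and sorts them most severe first. The common scale, the treatment of "log" and "N/A" as informational, the `issue` key and the sample findings are all assumptions made for illustration.

```python
# Added example: reconcile findings from two scanners onto one severity scale.
# Common scale (assumption): a higher number means more severe.
RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

# Scanner label -> common label. OpenVAS has no "critical" level, so its
# "high" stays "high"; "log" and "n/a" are treated as informational (assumption).
TO_COMMON = {
    "nessus": {k: k for k in RANK},
    "openvas": {"high": "high", "medium": "medium", "low": "low",
                "log": "info", "n/a": "info"},
}

def normalize(scanner, label):
    """Translate a scanner-specific severity label to the common scale."""
    try:
        return TO_COMMON[scanner.lower()][label.strip().lower()]
    except KeyError:
        raise ValueError(f"unknown severity {label!r} for {scanner!r}") from None

def merge(findings):
    """Merge findings keyed on (host, port, issue).

    Keeps the highest severity any scanner assigned, records which scanners
    reported the issue, and returns the list sorted most severe first.
    """
    merged = {}
    for f in findings:
        key = (f["host"], f["port"], f["issue"])
        sev = normalize(f["scanner"], f["severity"])
        entry = merged.setdefault(key, {"host": f["host"], "port": f["port"],
                                        "issue": f["issue"], "severity": sev,
                                        "seen_by": set()})
        if RANK[sev] > RANK[entry["severity"]]:
            entry["severity"] = sev
        entry["seen_by"].add(f["scanner"].lower())
    return sorted(merged.values(),
                  key=lambda e: (-RANK[e["severity"]], e["host"], e["port"]))

# Constructed sample findings (192.0.2.0/24 is a documentation address range).
# "issue" is a hypothetical shared identifier; real scanners use their own IDs.
SAMPLE = [
    {"scanner": "Nessus", "host": "192.0.2.10", "port": 443,
     "issue": "outdated-web-server", "severity": "Critical"},
    {"scanner": "OpenVAS", "host": "192.0.2.10", "port": 443,
     "issue": "outdated-web-server", "severity": "High"},
    {"scanner": "OpenVAS", "host": "192.0.2.10", "port": 22,
     "issue": "ssh-banner", "severity": "Log"},
    {"scanner": "Nessus", "host": "192.0.2.20", "port": 21,
     "issue": "anonymous-ftp", "severity": "Medium"},
]
```

Findings reported by only one scanner keep a single entry in `seen_by`, which makes them easy to pick out for manual confirmation.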
Nmap is a port scanning tool that can also discover vulnerabilities on the network. Nmap is famous for detecting open ports and services, operating systems, and vulnerabilities. Therefore, if an out-of-date version of an operating system is running, Nmap will discover it. Nmap is integrated into nearly all cyber security scanning tools. Also, it is 100 percent free and open source.
I believe that vulnerability assessments, when paired with patches and bug fixes, can result in a more secure system. This is why it is important to use a defense in depth security model. Defense in depth means that we use a number of cyber security techniques to secure our systems.
Vulnerability Assessment vs. Penetration Test
So what is the difference between a vulnerability assessment and a penetration test? A vulnerability assessment only discovers the vulnerabilities on a system. A penetration test attempts to simulate an attack and actually exploits the vulnerabilities. This shows the system owner what an attacker could do with the vulnerabilities discovered. When conducting a penetration test, certain safeguards must be put in place to maintain the integrity and safety of the system. The purpose of a penetration test is to see what an attack could potentially do. It should not harm the production system in any way. This is why, oftentimes, the penetration test is conducted on a cloned system.
At Cydrogen, we provide vulnerability assessments to our Cydrogen Protection Team clients. If you have a website or you want to secure your network, let us help you secure it! We have the experience to help you bolster your cyber security defenses today! Protect yourself from the growing number of attacks being launched against small businesses.