How to conduct a vulnerability assessment

Posted: 12/20/2022 | By: Jason McNew

Conducting a vulnerability assessment is an essential part of the cybersecurity process. MSPs and other IT professionals use this test as a barometer to measure a client’s current level of cybersecurity protection. Without it, deciding where to start or what cybersecurity tools to implement to reduce your client’s risk would be difficult.

When done properly, a vulnerability assessment will determine your current and future vulnerabilities to cybersecurity threats. MSPs should conduct these regularly for their clients. Failure to do so could cause the loss of mission-critical data and files.

As a technician conducts the vulnerability assessment, each detected weakness is assigned a security level. Next, the cybersecurity team analyzes the list of vulnerabilities and prioritizes them. Some may require immediate remediation, while others can be addressed later without causing significant damage.

Fortunately, MSPs can rely on a library of vulnerability assessment tools to ensure that the testing and reporting are done right. Dynamic application security testing (DAST) tools are a popular choice for this process.

DAST tools scan your software applications for vulnerabilities while they’re running. The benefits of this are twofold:

  • Running the assessment won’t cost your client any additional downtime.
  • Assessing applications while they’re running allows MSPs to uncover threats closer to what they would see in the real world.

DAST tools are often coupled with static application security testing (SAST) tools to cover all bases. SAST tools provide the same function, but these assessments run while applications are shut down.

Vulnerability assessments vs. penetration testing

IT experts often mention penetration testing in the same breath as vulnerability assessments. While both processes go hand-in-hand to foster network protection, they’re not the same.

A vulnerability assessment will identify and repair any network vulnerability a hacker might exploit. This process needs to cover a vast number of unpatched vulnerabilities throughout the entire network. As a result, it’s usually an automated process.

Conversely, penetration testing is a choreographed attack run by ethical hackers. There are specific cybersecurity goals in mind when running such a test, and its structure is such that the assessment mimics a real-world cybersecurity attack. 

Penetration testing can also test an organization’s cybersecurity at a more granular level. Where a vulnerability assessment does a great job of detecting and alleviating larger-scale network vulnerabilities, penetration testing can help fill in the gaps.

Issues like inferior security settings and lack of password encryption are exactly what a penetration test is designed to flag. These tests work in conjunction with broader vulnerability assessments and, like all vulnerability assessments, should be run regularly to provide clients with the utmost safety and protection.

Why do you need vulnerability assessments as an MSP?

MSPs do their best work when they’re preventing problems before they start, and that’s exactly what a network vulnerability assessment is designed to do. By running these tests regularly, you’ll be able to detect issues early for your clients and stop them before they become significant cybersecurity risks.

Vulnerability assessments will also give you and your client an in-depth view of their current system. You’ll be able to identify areas of weakness, as well as strength, and come up with a data-driven plan to protect their most critical digital assets.

To learn more about the importance of vulnerability assessments, check out our webinar, “Who Really Needs A Vulnerability Program Anyway?” in the ConnectWise resource library. 

Vulnerability assessment types

Vulnerability assessments are an essential litmus test for all components of an organization’s network. There are a variety of specific security vulnerability assessments you should be running for your clients as MSPs. They are as follows:

  • Web application assessment – scans web application source code to check for any loopholes or vulnerabilities. This scan can be done manually, or it can be automated.
  • Network-based assessment – a more general scan to help identify loopholes in an organization’s networks, both hard-wired and wireless.
  • Wireless network assessment – examines an organization’s wireless network configuration to protect against access by unauthorized users.
  • Host-based assessment – network ports, services, servers, and other network hosting components are rigorously scanned to root out any weaknesses in the overall hosting environment.
  • Database assessment – looks to identify weaknesses in database security. These scans protect against popular hacker TTPs like DDoS attacks, brute force attacks, SQL injections, and more.

For more information about some of the common digital threat actor attack methods, check out the ConnectWise cybersecurity center.

How to perform an effective vulnerability assessment

Cybersecurity experts agree that there is a standard strategy MSPs and other IT technicians should follow when conducting a vulnerability assessment. The process can be broken down into 5 steps.

1. Laying out your testing scope

MSPs and their clients must work together to take a good, hard look at the current system infrastructure. Consider your client’s entire IT estate and leave no stone unturned.

Ask yourself and your client where the most critical data is stored. Be sure to dig deep and uncover any hidden sources of company data. Ultimately, you’ll use this step to map out your client’s entire digital presence and set yourself up to streamline the vulnerability assessment process. 

2. Preparing system baselines

To make any improvement to a client’s cybersecurity, you have to know where you’re starting. This step of the vulnerability assessment prompts you to look at your client’s current system configuration.

Analyze all systems and hardware and check them for the following:

  • The proper software and drivers for each asset
  • The correct access permission configurations
  • Any network ports that shouldn’t be open
  • The information the system should transmit and what peripherals the network “talks to” under its current setup. 

3. Perform the vulnerability scan

Now it’s time to run your scan. Your client’s industry may require you to adhere to compliance requirements. Carefully examine this aspect of your scan and ensure you comply, as you don’t want to cost your client any fines or lead to any legal action.

You’ll also want to consider the scan schedule at this stage. Certain industries may prevent you from running your scan all at once and require you to break it down into smaller segments. An example would be any industry that falls under PCI compliance.

The vulnerability assessment platform you use will have plug-in tools available to help give you the best results. Some of these tools are:

  • A content management system (CMS) web scan (for CMS platforms like WordPress, Joomla, Drupal, etc.)
  • Quick scan
  • Best scan
  • Most common ports best scan
  • Stealth scan
  • Firewall scan
  • Aggressive scan
  • Open Web Application Security Project (OWASP)
  • Payment Card Industry Data Security Standard (PCI DSS) scan for web apps
  • Health Insurance Portability and Accountability Act (HIPAA) compliance scan
  • Full scan, checks against DDoS attacks 

Occasionally, you may need to manually scan your client’s most vital assets to ensure the best results and that nothing is missed by an automated scanner.

4. Building out your vulnerability assessment report

Building your report is a crucial part of the vulnerability assessment process because it synthesizes your findings. By aggregating all of your client’s cybersecurity data in one place, you’ll be able to take actionable steps toward improving their security level and minimizing their risk.

Your report should highlight any critical details the assessment uncovers. Note if there is a significant difference between the report’s findings and the system’s baseline. Recommendations to remediate these insufficiencies or loopholes should follow shortly after.

MSPs should organize their reports in a way that’s easy to decipher and act on. If you’re not sure where to start, here is a brief rundown of information your report should contain:

  • The name of the vulnerability
  • Date and time of discovery
  • The vulnerability’s Common Vulnerabilities and Exposures (CVE) score
  • A description of the vulnerability
  • Information regarding affected systems
  • An outline of the process necessary to correct the vulnerability
  • Blank space to record who is going to address the vulnerability, how long it took to mitigate, a scheduled date for the next revision, and any defense measures taken in between

These parameters are a good start, but when it comes to reporting, the more information the better. Consult with your clients and your team to see if you should add any additional data points.

5. Deciding how to act on your report’s findings

Once you complete the scan and analyze the report data, it’s time to develop an action plan. To make this plan as effective as possible, you’ll need to revisit your prioritization of assets from earlier in the vulnerability assessment.

Your report’s findings should categorize each vulnerability by severity. When designing your mitigation plan, you should first focus on tackling the highest-severity vulnerabilities. Also, prioritize any vulnerabilities affecting mission-critical software applications or equipment.

While prioritization is important, MSPs can’t ignore vulnerabilities that are further down the list. Occasionally, hackers will use a chain of seemingly mild vulnerabilities to gain access to a target system – knowing that addressing them will typically be put off until a later date.

Other areas of interest include employee laptops, internet-facing systems, software vulnerabilities, and systems containing sensitive data that could potentially hurt your business if compromised.
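The baseline comparison from step 2, the report fields from step 4 and the severity-first ordering from step 5 can be tied together in a few lines. The following is an added example, not ConnectWise code or the output of any scanner; the host names, findings, field names and the tie-break rule are constructed assumptions.

```python
# Added example: all data below is constructed, field names are hypothetical.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

MISSION_CRITICAL = {"db01"}                                            # from step 1
BASELINE_PORTS = {"web01": {443}, "db01": {5432}, "laptop07": set()}   # from step 2
OBSERVED_PORTS = {"web01": {443, 8080}, "db01": {5432}, "laptop07": {3389}}  # step 3
SCAN_TIME = "2022-12-01T09:00"
SCAN_FINDINGS = [
    {"name": "Weak TLS configuration", "host": "web01", "severity": "medium",
     "discovered": "2022-12-01T09:14", "fix": "Disable legacy protocol versions"},
    {"name": "Default database account enabled", "host": "db01", "severity": "high",
     "discovered": "2022-12-01T09:20", "fix": "Remove or lock the account"},
    {"name": "Missing OS security update", "host": "laptop07", "severity": "high",
     "discovered": "2022-12-01T09:31", "fix": "Apply the vendor patch"},
]


def baseline_deviations(baseline, observed):
    """Open ports seen in the scan that the baseline does not allow, per host."""
    return {host: sorted(ports - baseline.get(host, set()))
            for host, ports in observed.items()
            if ports - baseline.get(host, set())}


def build_report(findings, deviations, critical_hosts, deviation_severity="medium"):
    """Merge scanner findings with baseline deviations and order them for action."""
    rows = [dict(f) for f in findings]          # copy so the input is not mutated
    for host, ports in deviations.items():
        for port in ports:
            rows.append({"name": f"Port {port} open but not in baseline",
                         "host": host, "severity": deviation_severity,
                         "discovered": SCAN_TIME,
                         "fix": "Close the port or update the baseline"})
    for row in rows:
        row["mission_critical"] = row["host"] in critical_hosts
        # Blank fields the report leaves for the remediation team to fill in.
        row.update(owner="", time_to_mitigate="", next_review="")
    # Highest severity first; mission-critical assets break ties (assumed policy).
    rows.sort(key=lambda r: (SEVERITY_RANK[r["severity"]],
                             not r["mission_critical"], r["host"]))
    return rows


if __name__ == "__main__":
    devs = baseline_deviations(BASELINE_PORTS, OBSERVED_PORTS)
    for r in build_report(SCAN_FINDINGS, devs, MISSION_CRITICAL):
        flag = "*" if r["mission_critical"] else " "
        print(f'{r["severity"]:<8}{flag} {r["host"]:<9} {r["name"]}')
```

Lower-severity rows stay in the report rather than being dropped, so the chained "mild" issues the article warns about remain visible to whoever picks up the list.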

Stopping vulnerabilities is a continuous cycle

While running an efficient vulnerability assessment is a crucial step of the cybersecurity process, it’s only the beginning. The assessment and the corresponding report only give you system feedback for that timeframe. New software installations and updates, new configurations to system settings, and the discovery of new vulnerabilities may ultimately change your client’s system. 

This ever-changing nature of network infrastructure and cybersecurity makes the assessment process a continuous cycle. MSPs must perform these scans and tests regularly to ensure the best cybersecurity services for their clients.

Fortunately, ConnectWise offers a suite of cybersecurity tools to help organize, automate, and streamline your threat and vulnerability assessment process. Contact us today to learn more about how our MSP software applications can help you improve and scale your growing business.

FAQs

A vulnerability assessment is a test to identify and remediate any system vulnerabilities within an organization’s network. Automated software tools can usually conduct these scans on a cybersecurity professional’s behalf. Penetration testing uses some tools but also includes a manual component done by ethical hackers. They mimic real-world cyber threat scenarios and attempt to infiltrate a network to expose its weaknesses.

There are 5 steps to conducting an effective vulnerability assessment:

  1. Laying out your testing scope
  2. Preparing system baselines
  3. Perform the vulnerability scan
  4. Building out your vulnerability assessment report
  5. Deciding how to act on your report's findings.

Vulnerability assessments allow MSPs and IT techs to stay ahead of client issues. By continuously running these scans, system admins can be sure their cybersecurity efforts are adapting along with their client’s infrastructure as it grows. Assessment report findings also present the opportunity to create data-driven solutions to the vulnerabilities that matter most – resulting in meaningful improvement in an organization’s overall cybersecurity.
