Continuing this series of blogs on Security Risk Assessment (SRA), we describe what a vulnerability is and how to identify one.
A vulnerability is a known or perceived weakness within a network, system, environment or location that, if left untreated, could be exploited by any one of the threat actors mentioned in the previous blog. Essentially, a vulnerability is a chink in the organisation’s armour, which may potentially allow a successful attack to be carried out.
A vulnerability could be exploited in several ways, for example:
Procedural breakdown – An employee’s account permissions are not disabled when their contract is terminated. This may leave them with continued access to the organisation’s computer networks, systems, website and account information, with the potential to change, use or share sensitive information.
Technical failure – The licence on the antivirus software expires. Without it, systems and networks are open to exploitation by external threat actors, who often use automated attack tools to gain access, disrupt services or steal information.
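As an added illustration (not code from the original blog), the following Python script shows how the two failure modes above can be turned into repeatable checks rather than one-off observations: it reconciles a constructed HR leavers list against a constructed directory export to flag enabled accounts whose contract has ended (or that have no HR owner at all), and flags licences that have expired or are about to. The data layout, the thresholds and the function names are assumptions made for this example.

```python
"""Added example: turn two common SRA findings into repeatable checks.
All records below are constructed sample data, not real accounts or licences."""
from datetime import date

# Constructed HR feed: username -> contract end date (None = still employed)
HR_RECORDS = {
    "asmith": date(2023, 11, 30),
    "bjones": None,
    "cwu": date(2024, 1, 15),
    "dlee": None,
}

# Constructed directory export: accounts and whether they are still enabled
DIRECTORY_ACCOUNTS = [
    {"username": "asmith", "enabled": True},     # left, still enabled -> finding
    {"username": "bjones", "enabled": True},
    {"username": "cwu", "enabled": False},       # left, correctly disabled
    {"username": "dlee", "enabled": True},
    {"username": "svc_backup", "enabled": True}, # no HR owner -> review
]

# Constructed licence register: product -> expiry date
LICENCES = {
    "antivirus": date(2024, 2, 1),
    "email-gateway": date(2025, 6, 30),
}


def orphaned_accounts(hr, accounts, today):
    """Return (username, reason) for enabled accounts with no valid HR owner."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled: the leaver process worked
        name = acct["username"]
        if name not in hr:
            findings.append((name, "no HR record"))
            continue
        end = hr[name]
        if end is not None and end < today:
            findings.append((name, f"contract ended {end.isoformat()}"))
    return findings


def expired_licences(licences, today, warn_days=30):
    """Return (product, status) for licences expired or expiring within warn_days."""
    findings = []
    for product, expiry in licences.items():
        days_left = (expiry - today).days
        if days_left < 0:
            findings.append((product, "expired"))
        elif days_left <= warn_days:
            findings.append((product, f"expires in {days_left} days"))
    return findings


def run_checks(today_iso="2024-01-20"):
    """Run both checks as of a given date (ISO string) and return the findings."""
    today = date.fromisoformat(today_iso)
    return {
        "orphaned_accounts": orphaned_accounts(HR_RECORDS, DIRECTORY_ACCOUNTS, today),
        "licences": expired_licences(LICENCES, today),
    }


if __name__ == "__main__":
    for check, findings in run_checks().items():
        print(check)
        for item in findings:
            print("  ", *item)
```

In practice the two inputs would be exported from the HR system and the directory service on a schedule, so that the check runs after every leaver rather than only during the annual assessment; the licence check is a reminder that a control which silently lapses is a vulnerability just as much as one that was never implemented.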
To manage the potential consequences of vulnerabilities being exploited, we need to identify and assess them as quickly as possible. This is done by carrying out a vulnerability identification assessment.
Vulnerability identification is very subjective, depending on the industry involved and on the experience and knowledge of the person or department tasked with managing it. It can seem quite daunting to an organisation, especially when it undertakes its first attempt to understand the vulnerabilities within its core business. The following paragraphs should help, and hopefully make the process a bit more manageable.
Before starting any form of vulnerability assessment, it is worth taking some time to understand your organisation. That may sound ridiculous, since it is your ‘bread and butter’, and this is not to suggest that you are unaware of your business output; but putting things in a physical format, such as a network diagram or a business breakdown, can highlight potential vulnerabilities before you even start digging deeper. Once you have a full understanding of what you are dealing with, you can move on to the next step, the vulnerability assessment.
Vulnerability identification assessments are integral to maintaining the security of the business. They help the assessor to identify weak areas and enable your organisation to implement cost-effective changes where necessary. There is no set process for this; each organisation uses a different format. Whichever format your organisation chooses, it is important that the organisation asks itself some questions. They should be searching, and asked in conjunction with the threat assessment compiled earlier in the SRA. Discipline is key here: answer the questions thoroughly and honestly, otherwise the results of the assessment may prove invalid and leave vulnerabilities unmanaged.
Vulnerabilities come in many guises; some will be obvious, others will not. The main objective is to identify vulnerabilities and, once identified, manage them. So, what do vulnerabilities look like? Unfortunately, every organisation’s vulnerabilities will differ. There may be similarities within an industry, such as the financial sector, but ultimately the processes and procedures within each organisation will determine its specific vulnerabilities.
Whatever your business, understanding your vulnerabilities is critical for effective risk management. Depriving your business of a true and honest reflection of its vulnerabilities may result in your organisation never truly protecting against, or mitigating the effects of, an attack.
After reading this blog you will hopefully feel emboldened to take on the vulnerability assessment yourself and fully identify your organisation’s vulnerabilities. Alternatively, you may feel that it is beyond your capability. Either way, if you are at this point, you have options.
One such option is to employ the services of a security consultancy. External management of vulnerabilities may be the best option in many cases. Security consultancy providers employ and maintain fully trained staff, up to date on current threat assessments and on techniques to protect information systems. It may prove prudent and cost-effective in the long run to employ a security consultancy to manage this process on your behalf, especially with the increasing cost of information security breaches, in both financial and reputational terms.