Technology is evolving rapidly. Applications, servers, and databases constitute part of the critical information system of an organization. The emergence of complex computing networks has raised the importance of maintenance and monitoring, because such vast systems are a constant target for hackers. Hackers have evolved and use complex scanning tools, techniques and mechanisms to understand the underlying network in order to compromise it. Viruses and cybercriminals, on the other hand, target these systems, enterprise wireless networks, web applications, and mobile systems. However, there are methods that can be used to ascertain and guarantee that the network remains resistant to such attacks. Vulnerability assessment, also called vulnerability analysis, is one such technique that system administrators can use to ensure there are no flaws that an intruder could exploit to penetrate a system unlawfully without login credentials.
Vulnerabilities are opportunities, weaknesses, or gaps in a security program or system which can be exploited by threats in order to access the information system or an asset, while vulnerability assessment is the assessment of security weaknesses and of the opportunities which an adversary can exploit (Vellani, 2007). Vulnerabilities may be procedural, human, or other elements that provide opportunities that attackers can use. The assessment provides information about potential risks to the organizational information system infrastructure. The goal of vulnerability assessment is to understand, identify and block opportunities for threats against assets. Through this, security analysts can more easily mitigate threats and reduce the compromise of information systems. Vulnerability assessment helps security analysts to identify entities that need protection against potential threats. It establishes and measures the effectiveness of a security program against given metrics, and provides recommendations to security analysts.
It assists in deploying additional security devices, system upgrades, policies, and procedures that can effectively mitigate these security risks. Technically, it also involves a security fact-finding process, in order to gather data and information about the existing system infrastructure. It is important that during the vulnerability assessment, the integrity and proper working of the information system controls are considered. Besides that, plans need to be laid down before the actual assessment begins. During planning, the essential information that defines the scope and roles is established, while during the actual process of conducting a vulnerability assessment, security analysts need to review access policies and procedures in order to determine the level of adherence to the set rules.
This can be done through the use of appropriate tools that scan for system vulnerabilities in applications. This may consist of scanning software that assists in detecting a given flaw that may compromise a system. For instance, a vulnerability scanner can be used to search for malware and rootkits that could potentially compromise a system by introducing code that runs covertly, without the knowledge of the computer user, with the main aim of stealing information such as passwords. This software can also be used to identify rogue software that has been installed by an attacker.
After performing an assessment, the next phase in the vulnerability assessment process is to identify the exposures which can compromise the system. The process then calls for a way to address these vulnerabilities by resolving the exposures identified in the earlier phases. After the exposures have been assessed, appropriate measures need to be undertaken to counteract them before the system is compromised.
This could be done by devising new system policies, upgrading the system, or reinforcing it with application patches. It is important to perform a vulnerability assessment of a system to help security analysts understand its current state, in order to mitigate potential security threats and breaches. This will help in determining whether an attacker can bypass the defense perimeter or whether the existing security system can withstand intrusion attempts.
Vulnerability assessment remains a crucial element in managing the security of information systems. It updates system administrators on the current state of the network, making security analysts more proactive in handling and responding to known and identified threats. It also assists in identifying security exposures that attackers could use to exploit the network. By identifying the existence of a given threat, an administrator can use an appropriate strategy to address the security concern before it is exploited by an attacker. This helps in safeguarding enterprise-wide information.
On the other hand, vulnerability assessment helps an administrator to understand the network in detail. It helps the administrator to understand the processes that are running, which in turn helps to identify any change in system performance or any covert addition of a device that hackers could use to compromise the network. This enables the administrator to harden the hardware and software components while keeping rogue applications from running in the network. In this way, an administrator can maintain a benchmark that is monitored progressively to ascertain whether there are improvements that can prevent attacks. This mitigates the effects brought about by existing vulnerabilities and flaws.
Penetration studies are aimed at testing or evaluating a system by assessing the strength of the security controls within the computing infrastructure. The main purpose of the study is to check for any violation of the security policy. It is sometimes referred to as a red team attack, which involves a methodology of testing the system in operation. It examines the procedural, operational, and technological controls within the system, usually through a test known as a penetration test.
A pen test involves simulating an attack against a system or organization with the aim of penetrating the organizational system (Tipton & Nozaki, 2010). It involves intentional acts of breaking the rules of the subject in order to determine its weaknesses. This is carried out through a vulnerability assessment. Vulnerabilities that lie beneath the system can allow the penetration test to succeed; conversely, it fails where a vulnerability assessment has already identified the vulnerabilities or flaws and measures have been implemented to counteract them. A penetration test is used to classify the effectiveness of certain security implementations and controls which protect the system from unauthorized intrusion.
Penetration studies are important in vulnerability assessment because techniques such as a pen test can determine the effectiveness of the security controls within the system. They carry out the real action in the assessment process, since vulnerable systems will always be easily penetrated by such simulated attacks.
This will then highlight the security flaws within the system when the penetration test is successful. Due to this, a security analyst can assess the points of entry which lead to a weakness within the computing system. Vulnerability assessment can also be conducted through reconnaissance and scanning.
Reconnaissance is the process of attempting to gain unlawful entry to some information within a network. In this scenario, a successful reconnaissance shows how the system is vulnerable to threats, while in scanning, a vulnerability scanner scans the entire computing system in search of weaknesses in the applications. This can help in vulnerability assessment by gauging the effectiveness of the security controls used in the network. In these processes, several tools and commands can be used to gauge how vulnerable a system could be. Penetration studies are aimed at studying the underlying security controls and the potential flaws that may exist within them. In cases where the simulated attacks penetrate the system, the system is classified as vulnerable.
Penetration studies use methods and techniques such as pen tests to check for vulnerabilities and flaws within a network. Systems that are able to withstand the attacks are taken to be secure; in other words, vulnerabilities or flaws do not exist within the system. Systems that can be penetrated by either of the methods, on the other hand, are shown to be vulnerable to threats and attacks. Hence the positive and negative results can be used as an assessment criterion to establish whether the system is secure and can withstand unauthorized intrusions.
Vulnerability classification
The different classifications of vulnerability include application vulnerability, operating system vulnerability, hardware vulnerability, system administration vulnerabilities, and network vulnerabilities (Rome, 2010). Application vulnerabilities are flaws that occur in application software, operating system vulnerabilities occur in the operating system, hardware vulnerabilities occur in hardware devices, system administration vulnerabilities occur due to misconfigurations in the software, while network vulnerabilities occur across the entire network due to misconfigurations of a network supporting device.
These classifications help in ascertaining the level of vulnerability within the components of a computer network. They assist a security analyst in understanding the different vulnerabilities found after an assessment of the computer network is conducted. Where a vulnerability test is conducted, the presence of more than one vulnerability indicates that the system is extremely vulnerable, compromised, and may succumb to any attack or threat. In the case of a specific vulnerability, for instance a software vulnerability, it shows that the software is compromised and that action is needed to sustain the security of the whole system.
During vulnerability assessment, the existence of any of these vulnerabilities indicates a weak point in relation to the test results. It therefore shows that given sections could be the driving force behind a compromised system. A hardware vulnerability indicates that the hardware components are vulnerable to attack, while an application vulnerability indicates that the application software is vulnerable and action is needed to fix the flaw. Hence, the existence of more than one vulnerability after a vulnerability assessment indicates a higher level of threat to the system. These classifications are beneficial since they help security analysts to classify the security controls according to given threat levels. This mechanism can help an organization to enforce strict access mechanisms based on the classifications.
Assessing vulnerabilities is a priority for organizations due to the nature of emerging threats to security in most information systems. Frameworks provide a systematic approach to vulnerability assessment that allows most organizations to be compliant with certain computing standards. There are frameworks that have been developed to support organizations in achieving their goals of identifying vulnerabilities and finding solutions, such as laying down contingency plans as a countermeasure to these threats. These frameworks are outlined below, together with how they help organizations in the process of ensuring that their IT systems are sound.
OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation)
This framework assists the organization to critically understand, assess and address its information system security risks. It employs a methodology to identify and manage information system risks through an assessment component. OCTAVE is a process that helps security analysts to develop an asset-based threat profile, which depicts the state of an organization's vulnerability to security threats. This vulnerability assessment assists in developing a threat profile which can be used to determine how the identified threats can be handled.
This tool also assists an organization to clearly define an asset and to understand the network and technological vulnerabilities within an enterprise-wide network. It can help in classifying vulnerabilities according to the area through which threats penetrate. It classifies these vulnerabilities as design, configuration and implementation vulnerabilities, which indicates that the various areas through which threats penetrate can be classified as either design or software. This helps in the identification of given classes of vulnerabilities, in order for an assessment to become effective and to help develop contingency plans and strategies for handling such threats aimed at information systems.
Threat Agent Risk Management
This is an assessment framework that assists organizations to manage risks by identifying the vulnerabilities and the threats that are likely to occur as a result of the existence of such vulnerabilities. It works as a predictive framework that prioritizes these vulnerabilities and determines how to use the available tools to manage such threats. It allows one to identify the threats that pose the most risk due to the underlying vulnerability, while focusing on how to minimize their effects.
Factor Analysis of Information Risk (FAIR)
This is a framework that is used to understand, analyze and measure information risk (Kouns & Minoli, 2010). It consists of different features that are used to perform an information security risk assessment. These include a taxonomy, methods for measurement, a computational engine and a simulation model. The taxonomy includes the factors that have been assessed and can cause an information risk. The measurement methods cover threat event frequency, loss and vulnerability; the computational engine models the relationships between the factors which contribute to given vulnerabilities; and the simulation model builds and analyzes risk scenarios of increasing complexity. This framework uses a mathematical model to estimate the potential losses and probability values for threats and vulnerabilities. Organizations use this framework to help them remain prepared for attacks and other possible security breaches which occur in an enterprise-wide network.
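To make the computational engine and simulation model concrete, the following is an added example (not Open FAIR's reference implementation and not part of this paper) of a simplified FAIR-style Monte Carlo estimate in Python: annual loss is sampled as threat event frequency × vulnerability × loss magnitude, and a scenario before and after a control that lowers vulnerability is compared. All ranges are constructed values, and the `Range`, `Scenario` and `risk_reduction` names are the example's own.

```python
"""Simplified FAIR-style Monte Carlo risk estimate (added example).
  loss event frequency (LEF) = threat event frequency (TEF) x vulnerability
  annual loss                = LEF x loss magnitude
Each factor is a min / most-likely / max range sampled from a triangular
distribution; every number below is constructed for illustration."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Range:
    low: float
    likely: float
    high: float

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.likely)  # (low, high, mode)


@dataclass(frozen=True)
class Scenario:
    tef: Range   # threat events per year against the asset
    vuln: Range  # probability that a threat event becomes a loss event (0..1)
    loss: Range  # loss magnitude per loss event, in currency units


def simulate(scenario: Scenario, iterations: int = 10_000, seed: int = 7) -> list[float]:
    """Return the sorted simulated annual losses for one scenario."""
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    losses = []
    for _ in range(iterations):
        vuln = min(1.0, max(0.0, scenario.vuln.sample(rng)))  # clamp to a probability
        lef = scenario.tef.sample(rng) * vuln
        losses.append(lef * scenario.loss.sample(rng))
    return sorted(losses)


def percentile(sorted_losses: list[float], p: float) -> float:
    """Nearest-rank percentile of an already sorted list, p in 0..1."""
    idx = min(len(sorted_losses) - 1, int(p * len(sorted_losses)))
    return sorted_losses[idx]


def summarize(sorted_losses: list[float]) -> dict[str, float]:
    return {"mean": sum(sorted_losses) / len(sorted_losses),
            "p10": percentile(sorted_losses, 0.10),
            "p50": percentile(sorted_losses, 0.50),
            "p90": percentile(sorted_losses, 0.90)}


# Constructed scenario: the same application before and after a hardening
# control; only the vulnerability range (how often a threat event succeeds) changes.
LOSS = Range(10_000, 30_000, 100_000)
BEFORE = Scenario(tef=Range(2, 4, 6), vuln=Range(0.3, 0.5, 0.7), loss=LOSS)
AFTER = Scenario(tef=Range(2, 4, 6), vuln=Range(0.05, 0.1, 0.2), loss=LOSS)


def risk_reduction(before: Scenario = BEFORE, after: Scenario = AFTER) -> dict[str, float]:
    """Median annual loss for both scenarios; the difference is the control's value."""
    b, a = summarize(simulate(before)), summarize(simulate(after))
    return {"before_p50": b["p50"], "after_p50": a["p50"],
            "p50_reduction": b["p50"] - a["p50"]}
```

Running `risk_reduction()` yields a before and after median; the p10/p90 spread from `summarize` is what lets an analyst argue the control's value as a range rather than a single point estimate.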
The National Institute of Standards and Technology Risk Management Framework
This framework assesses the security controls using methods and procedures which help to determine the extent to which controls are properly implemented. It helps determine whether the security controls meet the security requirements and whether the outcomes are desirable for the management of threats. This allows an organization to select the appropriate security controls for an information system through security categorization, in order to implement proper controls on the system (Violino, 2010).
Certification of Information Systems
Certification is the comprehensive analysis of the technical and nontechnical security features and other safeguards of a system to establish the degree to which a particular system meets a set of specified security requirements. It is conducted by third-party laboratories or government agencies to establish and certify that the company is adhering to certain regulations. Certification is necessary in that it measures to what extent an organization has complied with given security standards. It enforces industry regulations as a countermeasure to security attacks.
Accreditation of Information Systems
Accreditation is the declaration given by a neutral body that a certification program has been administered in relation to certain standards in the industry and the certifying body.
This helps to provide integrated, cost-effective guidance for an information system security program (Khosrowpour, 2001). It helps offer guidance in accreditation. It consists of elements such as scope and purpose, with the scope providing an overview of the concepts of organizational policies towards the management of vulnerabilities and threats. On the other hand, accreditation helps the industry to adhere to quality demands in information systems, whereby information systems undergo scrutiny and appraisal to affirm that an organization's systems adhere to given rules and policies. This enforces compliance with a given standard within the technology industry, thus creating a uniform platform on which organizations can respond to specific technology threats to their computing systems.
Accreditation and certification of information systems are an important aspect of the management of vulnerabilities. They help in the overall improvement of an organization's response to given threats and in mitigating their negative effects. In the process, they help in vulnerability remediation and outline certain recommendations to help an organization mitigate security threats that target the enterprise-wide network.
These facets assist organizations in the management of vulnerabilities. Organizations employ vulnerability management in order to analyze and mitigate the risks that have been identified as a result of the vulnerabilities. This consists of outlining the plans to counter the threats, the controls to mitigate the risks which vulnerabilities create, the metrics that provide data for an organization to analyze its performance against a measure, and the intelligence that helps an organization perform threat analysis. It plays an important role in information assurance because the measures that are in place protect information systems and organizational information against threats. This will help an organization to comply with certain rules in the quest for proper usage of systems. Vulnerability assessment is important in ensuring the availability and integrity of an information system. It ensures that systems can mitigate the effects of security breaches. The availability of information in an organization is crucial, hence it is necessary to conduct a vulnerability assessment to assess the state of one's information system in order to operate a non-compromised system. It is also important that systems be accredited and certified to ensure compliance in order to remain secure.
Information Resources Management Association, & Khosrowpour, M. (2001). Managing information technology in a global environment. Hershey, PA: Idea Group Publishing.
Kouns, J., & Minoli, D. (2010). Information technology risk management in enterprise environments: A review of industry practices and a practical guide to risk management teams. Hoboken, NJ: Wiley.
Rome, E. (Ed.). (2010). Critical information infrastructures security: 4th International Workshop, CRITIS 2009, Bonn, Germany, September 30 – October 2, 2009, revised papers. Berlin, Heidelberg: Springer-Verlag.
Tipton, H. F., & Nozaki, M. K. (2010). Information security management handbook (Vol. 4). Boca Raton, FL: Auerbach Publications.
Vellani, K. H. (2007). Strategic security management: A risk assessment guide for decision makers. Amsterdam: Butterworth-Heinemann.
Violino, B. (2010, May 3). IT risk assessment frameworks: Real-world experience. CSO Online. Retrieved April 4, 2014, from http://www.csoonline.com/article/2125140/metrics-budgets/it-risk-assessment-frameworks–real-world-experience.html