Network Vulnerability Assessment and Management

Talk to key employees across different teams for a comprehensive understanding of all your business processes. Focus should be on critical areas of compliance and asset security. To be successful, ensure collaboration between your IT team and key representatives of all relevant business units and departments. Involve employees with extensive domain knowledge wherever possible. Take the time to analyze business processes in each department from a security standpoint. Make sure to document how things are run and understand the true processes. It may take several weeks, depending on the size of your organization, but due diligence in this discovery phase will set you up for more accurate findings.

After the business processes have been looked into, rank them in terms of priority. Then, identify the applications and data that underlie those critical business processes. This stage should still entail collaboration between your IT team and other department representatives.

When considering data sources, make sure to look beneath the surface. Common hidden sources include your ecosystem of devices and information pathways. Make sure to look into all mobile devices as they may contain recent sensitive data.

Another source that should also be paid attention to relates to your external footprint. Determine if employees are sending critical business information over unsecured public channels such as Gmail or other email providers.

Finally, another hidden source that should be considered is your software development environment. Investigate if your developers are using critical data to test new applications.

Identify both virtual and physical servers that your critical applications and data are reliant on. Your web-based applications may run on three or more sets of servers. In terms of data, determine the data storage devices that house critical data used by those applications.

Look into what keeps your applications and hardware performing optimally. Identify the areas of your network infrastructure that are critical to keeping them running. Make sure to know where each particular type of data exists within your network. On top of that, develop an understanding of how data travels within your network and beyond.  You should also determine if there are specific subnets specifically designed to house critical assets or particular business units.

This step is essentially conducting a network vulnerability systems audit. Identify your pre-existing network defense systems. This includes firewalls, encryption, data loss prevention, security policies etc. Document and understand the functions – and limitations – of each of these security measures. As usual, pay special attention to measures dedicated to critical applications and data.

After gaining an understanding of critical business processes and mapping out how your network infrastructure supports them, you’re ready to run your network vulnerability assessment. If you don’t have the capacity to perform this in-house, look to outsource this function.

Your assessment is likely to yield a long list of vulnerabilities across your organization. However, those results are meaningless without context. To truly deem your network vulnerability assessment a success, you must be able to derive meaningful and actionable results. The findings from the planning stage act as the lens that you should be looking at the results through and are key to tying the results to your business structure.

It’s essential to get the most out of your assessment’s data. Full infrastructure visibility will help with the planning of upgrades and future assessments. The information gathered can also be used to organize a distribution list of future exposures that may affect critical systems.

While performing a vulnerability scan is a great start, the true value in this process lies in being able to implement a strategy or process in addressing the exposures identified. Before proceeding to address them, verify all vulnerabilities discovered – identify false positives so you’re not wasting time fixing problems that don’t exist in the first place. Understand that not every threat should be given equal attention.

It is also important to recognize that some of the vulnerabilities discovered may actually need to be present for present systems to run as expected. Those exposures should be documented accordingly in order for them to prevent the same red flags from being raised in the next assessment.

After verification, work on prioritizing which vulnerabilities need to be addressed first. Here are some factors to consider:

• The potential impact of the vulnerability
• The importance of the asset being affected
• The ability of current existing security controls to neutralize the threat
• The location of the threat