What are vulnerability assessments?

Vulnerability assessment is the ongoing, regular process of defining, identifying, classifying and reporting cyber vulnerabilities across endpoints, workloads, and systems.

Most often, vulnerability assessments are automated using a security tool provided by a third-party security vendor. The purpose of this tool is to help the organization understand what vulnerabilities exist within their environment and determine the priorities for remediation and patching.

Importance of vulnerability assessments

A vulnerability is any weakness within the IT environment that can be exploited by a threat actor during a cyber attack, allowing them access to systems, applications, data and other assets. As such, it is crucial for organizations to identify these weak spots before cybercriminals discover them and utilize them as part of an attack.

As the threat landscape becomes broader and more complex, it is not uncommon for organizations to discover hundreds, if not thousands, of vulnerabilities within their environment every year – any one of which can be a gateway to a breach or attack. The reality is these scans, if done manually, would be incredibly time consuming, so much so that it would be nearly impossible for teams to identify and patch all vulnerabilities as they are introduced.

Learn More

Read our post to learn about the most common vulnerabilities and exposures affecting businesses and how to best protect from them. 

Common Vulnerabilities & Exposures

Vulnerability assessment tools and solutions automate this work, allowing IT teams to optimize resources and focus on higher value tasks, such as remediation. These assessments also provide IT teams with important context on the vulnerabilities discovered during sweeps and scans. This enables the team to effectively prioritize and act on those vulnerabilities that pose the most significant threats to the business.

Vulnerability assessments protect the business against data breaches and other cyberattacks, and also help ensure compliance with relevant regulations, such as the General Data Protection Regulation (GDPR) and Payment Card Industry Data Security Standard (PCI DSS).

Types of vulnerability assessments

A comprehensive vulnerability assessment process leverages several automated tools to perform a variety of scans across the entire IT environment. This enables the organization to identify vulnerabilities present across applications, endpoints, workloads, databases, and systems.

The four main scans conducted as part of the vulnerability assessment process are:

 Network-based scan

  • Identifies vulnerabilities that can be exploited in network security attacks.
  • Includes assessments of traditional networks as well as wireless networks.
  • Enforces existing network security controls and policies.

 Host-based scan

  • Identifies vulnerabilities in systems, servers, containers, workstations, workloads, or other network hosts.
  • Is typically deployed as an agent that can scan monitored devices and other hosts to identify unauthorized activity, changes, or other system issues.
  • Offers enhanced visibility into system configuration and patch history.

 Application scan

  • Identifies vulnerabilities related to software applications, including the application architecture, source code, and database.
  • Identifies misconfigurations and other security weaknesses in web and network applications.

 Database scan

  • Identifies vulnerabilities within the database systems or servers.
  • Helps prevent database-specific attacks, such as SQL injections, and identify other vulnerabilities, such as escalated privileges and misconfigurations.

Vulnerability assessment vs vulnerability management

Vulnerability assessment and vulnerability management are two separate – but related – security measures.

Vulnerability management is the ongoing, regular process of identifying, assessing, reporting on, managing and remediating cyber vulnerabilities across endpoints, workloads, and systems. A vulnerability assessment refers only to the initial scan of the network, application, host, database, or other asset. In other words, a vulnerability assessment is the first part of the larger vulnerability management process.

These two activities, when taken together, can help organizations identify and address weaknesses within the IT environment, thus helping the organization harden the attack surface and protect the business from threats and risks.

Learn More

Read this post to learn more in-depth about the vulnerability management process and how to look for tools that can help you manage these vulnerabilities.:

Vulnerability Management

How to perform a vulnerability assessment

Vulnerability assessments are most commonly performed by automated tools or software. These solutions typically scan the IT environment, searching for the signatures of known vulnerabilities that must then be remediated either by another automated tool or the IT team.

For maximum security protection, once the program scope and processes are defined, these scans should be conducted continuously to proactively identify weaknesses in a rapidly changing landscape.

5 steps within the vulnerability assessment

Most organizations follow these five basic steps when preparing for and conducting a vulnerability assessment:

1. Program scoping and preparation

During this phase, the IT team defines the scope and goals of the program. The main objective of this exercise is to accurately scope the attack surface and understand where the most significant threats exist. Core activity includes:

  • Identifying all assets, equipment, and endpoints to be included in the scan, as well as the software, operating systems, and other applications deployed on the assets.
  • Outlining the corresponding security controls and policies associated with each asset.
  • Determining the impact of each asset in the event of a breach (e.g. does the asset contain or process sensitive data?
2. Vulnerability testing

In this step, organizations conduct an automated scan of the designated assets to identify potential vulnerabilities within the environment defined in step one. This phase almost always involves the use of a third-party tool or support from a cybersecurity services provider. This tool or vendor relies on existing vulnerability databases or threat intelligence feeds to detect and classify vulnerabilities.

3. Prioritization

In this stage, organizations review all vulnerabilities surfaced during the assessment and determine which pose the greatest risk to the business. Those that will have a significant impact on the organization should be prioritized for remediation.

Prioritization is based on several factors including:

  • Scoring of the vulnerability as determined by the vulnerability database or threat intelligence tool
  • Impact to the business if the weakness is exploited (i.e., is sensitive data at risk as a result of this vulnerability?)
  • Known availability of the weakness (i.e., how likely is it that cybercriminals know about this weakness or has it been exploited it in the past?)
  • Ease of exploitation
  • Availability of a patch and/or effort required to neutralize the vulnerability

 4.Reporting

In this phase, the tool produces a comprehensive report that provides the security team with a snapshot of all vulnerabilities within the environment. The report will also prioritize these vulnerabilities and provide some guidance on how to remediate them.

Information contained within the report includes details about the vulnerability, such as:

  • When and where the vulnerability was discovered
  • What systems or assets it affects
  • Likelihood of exploitation
  • Potential damage to the business if exploited
  • Availability of a patch and effort required to deploy it

5. Continuous improvement

Because the vulnerability landscape changes day-to-day (if not minute-by-minute), vulnerability assessments should be conducted regularly and frequently. This will not only help organizations ensure that they effectively resolved vulnerabilities identified in past scans, but also help them detect new ones as they arise.

In addition to assessing existing assets (such as networks, databases, hosts and applications), organizations should also consider incorporating a vulnerability assessment within the continuous integration / continuous delivery (CI/CD) process. This will help ensure that vulnerabilities are addressed early within the development lifecycle, thus patching and protecting these potential exploits before they go live.

Learn More

Read our post to learn about the benefits of a CI/CD pipeline and the best tools to help you continuously integrate, deliver, and deploy code.

Continuous Integration / Continuous Delivery (CI/CD)

Enabling continuous vulnerability assessments with CrowdStrike

Real-time, comprehensive visibility across the IT environment is critical to every organization’s cyber security. Organizations that continuously scan the environment for vulnerabilities are in a better position to defend their business against threats and risks.

However not all vulnerability assessment tools are created equal. When selecting a solution it is important to choose a tool that provides timely identification or threats without bloating or slowing down endpoint or system performance.

For this reason, organizations should consider a scan-less solution – which is to say, one that is always running, constantly looking for weaknesses and identifying vulnerabilities – delivered through a lightweight agent.

Falcon Spotlight is a scan-less solution from CrowdStrike that provides organizations with unified vulnerability management on one platform, delivered from a single agent. The solution includes an interactive dashboard equipped with search and filter features, which allow IT teams to see and interact with data in real time, giving them the ability to act immediately to close potentially dangerous gaps in the organization’s security.

Bei Wang is a Senior Product Marketing Manager at CrowdStrike focusing on Vulnerability and Exposure Management. Bei has extensive experience in cybersecurity and Enterprise IT, having held product marketing positions at technology startups as well as large tech vendors including Rapid7, Akamai, and Red Hat. She's passionate about a holistic approach to cybersecurity and demystifying vulnerability management. Bei holds an MBA and an MS in Electrical Engineering from MIT.