It often starts with a simple question: “Are we secure? Do we have software vulnerabilities on our network?”. While security must be a global process, running up-to-date software is a very first step to avoid being compromised. But with the growing number of interconnected devices today, performing this task manually has become unmanageable. Also, new vulnerabilities are discovered daily, so regular checks must be performed to detect them.
The process of “vulnerability assessment” helps to identify, quantify and prioritize vulnerabilities in a system or network. This task can be automated using specific tools called vulnerability scanners, but it is first of all a process. Running a scanner once a month without reviewing the results and taking corrective actions is useless.
This process is based on the following steps:
- Cataloging assets and capabilities (resources) in a system or a network.
- Assigning a value (or at least a rank order) and importance to those resources (categorization).
- Identifying the vulnerabilities or potential threats to each resource.
- Mitigating or eliminating the most serious vulnerabilities for the most valuable resources.
This is a recurring process, and every new asset must be added to the loop.
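To make the four steps concrete, here is an added example (not code from the original article) that joins a small asset catalogue carrying a criticality rank with the findings a scanner would report, ranks them by criticality times CVSS score, and flags hosts the scanner saw that are missing from the catalogue. The hostnames, owners, finding ids, titles and CVSS values are constructed sample data, and the scoring formula and the three triage buckets are assumptions chosen for the illustration, not a standard.

```python
"""Risk-based prioritisation of scanner findings against an asset catalogue.

Added example, not taken from the original article. Hostnames, criticality
ranks, finding ids, titles and CVSS scores are constructed sample data; the
score formula (criticality x CVSS) and the bucket thresholds are assumptions.
"""
from typing import Dict, List

# Steps 1 and 2: the asset catalogue, each entry with a business-criticality
# rank (1 = low, 5 = high) and an owner who receives the remediation ticket.
ASSETS: Dict[str, dict] = {
    "db-prod-01": {"criticality": 5, "owner": "dba-team"},
    "web-prod-01": {"criticality": 4, "owner": "web-team"},
    "dev-vm-07": {"criticality": 1, "owner": "dev-team"},
}

# Step 3: findings as a scanner would report them (constructed; "F-xxx" ids
# are placeholders, not real advisory identifiers).
FINDINGS: List[dict] = [
    {"id": "F-001", "host": "dev-vm-07", "cvss": 9.8, "title": "outdated remote-management service"},
    {"id": "F-002", "host": "db-prod-01", "cvss": 6.5, "title": "database server missing security update"},
    {"id": "F-003", "host": "web-prod-01", "cvss": 7.5, "title": "TLS library out of date"},
    {"id": "F-004", "host": "printer-42", "cvss": 5.0, "title": "default SNMP community string"},
]


def uncatalogued_hosts(assets: Dict[str, dict], findings: List[dict]) -> List[str]:
    """Hosts the scanner reported on that are absent from the catalogue.

    These are the "new assets" the article says must be added to the loop;
    until they have a criticality rank they cannot be prioritised.
    """
    return sorted({f["host"] for f in findings if f["host"] not in assets})


def bucket(score: float) -> str:
    """Map a risk score to a triage bucket (thresholds are assumed values)."""
    if score >= 30:
        return "immediate"
    if score >= 15:
        return "next-cycle"
    return "backlog"


def prioritize(assets: Dict[str, dict], findings: List[dict]) -> List[dict]:
    """Step 4 input: rank findings by asset criticality x CVSS base score.

    Findings on uncatalogued hosts are skipped here and surfaced by
    uncatalogued_hosts() instead, so they are never silently dropped.
    """
    ranked = []
    for f in findings:
        asset = assets.get(f["host"])
        if asset is None:
            continue
        score = round(asset["criticality"] * f["cvss"], 1)
        ranked.append({
            **f,
            "criticality": asset["criticality"],
            "owner": asset["owner"],
            "score": score,
            "bucket": bucket(score),
        })
    # Highest score first; ties broken by finding id for a stable report.
    ranked.sort(key=lambda r: (-r["score"], r["id"]))
    return ranked


if __name__ == "__main__":
    for r in prioritize(ASSETS, FINDINGS):
        print(f'{r["bucket"]:10} {r["score"]:5} {r["host"]:12} {r["id"]} -> {r["owner"]}: {r["title"]}')
    print("add to catalogue before next cycle:", uncatalogued_hosts(ASSETS, FINDINGS))
```

Running it shows the point of step 2: the CVSS 9.8 finding on the throwaway dev VM lands in the backlog, while a 6.5 on the production database is the first item to fix, and `printer-42` is reported as an asset to catalogue before the next scan rather than being ranked with a guessed criticality.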