Vulnerability assessment best practices for enterprises

Measure Twice, Cut Once

False Positives

A false positive is an alert for a problem that does not actually exist. Handling false positives is an important step in any VA. No VA software or scanner can eliminate false positives entirely, and your team should be prepared to deal with them as they are identified.

Vulnerability scanners use several methods to decide whether a system is susceptible to a known weakness, from matching a service's version banner against a list of affected versions to authenticated checks that inspect installed packages, configuration files, or registry keys directly. Banner matching in particular generates false positives when a distribution backports a fix without changing the advertised version. At times during the VA the assessment team will have to do on-the-ground detective work to determine whether a reported vulnerability is real or a false positive, and the verification method and evidence should be recorded with the finding. Misdiagnosis cuts both ways: reporting a false positive as real skews your results and degrades your credibility with the organization that entrusted you to conduct the VA, while dismissing a real finding as a false positive leaves the organization exposed.

Reporting the Results

Generating reports against your collected assessment data is critical to the VA program. Providing the right data to the right people is the key to a successful effort.

Some of the important details that should be contained within the assessment reports you generate include:

  • A definition of the VA and the goals for the technology applied.
  • The specified time frame of the VA.
  • The top 10 vulnerabilities found during the VA and an explanation of the found vulnerabilities.
  • Categorization of the data in the report (e.g., by host, vulnerability, OS, asset, service, network map, or accessible port).
  • Detailed information pertaining to the identified vulnerabilities. (This will help the team that will be responsible for patching the system.)
  • A view by severity (each vulnerability with the systems it affects).
  • A view by system (each vulnerability found on the device).
  • Areas of the infrastructure that were part of the assessment (scope) and what was left out.
  • An explanation of how the VA scanning appliances operated.
  • An explanation of how the generated reports can be used to show details about the vulnerabilities and where the patches can be found.

Handling Scan Results

Scan results contain system vulnerability information, and a leak of them would hand an attacker a prioritized list of the weaknesses identified. Therefore, it is important to safeguard this data by storing it in an access-controlled location, encrypting it at rest and in transit, and restricting distribution of reports to the people who need them. If an external party is employed for the assessment, the organization should ensure that everyone involved is trustworthy, that both findings and proprietary information will be kept secure, and that the contract states how long the party retains the data and how it is destroyed afterwards.

Irrelevant data, giant reports, and reports filled with false positives are the easiest ways to get people to take your vulnerability reporting less seriously and can jeopardize the credibility of your VA. The goal is to create high-quality, relevant, and filtered reports for the teams that will be conducting the remediation. Your VA will give the remediation team a path forward.
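The two steps described above, triaging false positives and producing filtered by-severity and by-host views, are shown together in the following added example, which is not from the article or any particular scanner vendor. It takes constructed scanner findings, marks banner-only findings as suspected false positives when an authenticated package inventory shows a package revision that already contains the fix, and then builds the report views with the suppressed findings listed separately so the verification trail is visible. The inventory, the fixed-in table, the host names, and the check names are all constructed for illustration, and the version comparison is deliberately simplified.

```python
"""Triage raw scanner findings against an authenticated package inventory and
build the by-severity / by-host report views with suspected false positives
removed.  Added example; all data below is constructed for illustration."""
import re
from collections import defaultdict
from dataclasses import dataclass

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass
class Finding:
    host: str
    title: str               # scanner check / plugin name
    severity: str
    evidence: str            # "banner" (unauthenticated) or "authenticated"
    package: str = ""        # affected package, when the check names one
    status: str = "confirmed"
    note: str = ""


# Constructed inventory from an authenticated (SSH/agent) check: host -> package -> installed version.
# Distro revisions such as "1:7.4p1-10+deb9u7" carry backported fixes while the service banner
# still says 7.4, which is the classic source of banner-based false positives.
INVENTORY = {
    "web01": {"openssh-server": "1:7.4p1-10+deb9u7", "nginx": "1.14.2-2+deb10u4"},
    "db01": {"openssh-server": "1:7.4p1-10", "postgresql-11": "11.7-0+deb10u1"},
}

# Constructed table: first distro package revision that contains the fix for a given check.
# In practice this comes from the distribution's security tracker for the affected package.
FIXED_IN = {
    "OpenSSH version-based check": ("openssh-server", "1:7.4p1-10+deb9u3"),
}


def version_key(version: str) -> tuple[int, ...]:
    """Simplified comparison key: every run of digits, in order.  Adequate for the
    same-layout Debian revisions in the sample; for real data shell out to
    `dpkg --compare-versions` or rpmdev-vercmp rather than reimplementing them."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def triage(findings: list[Finding], inventory: dict) -> list[Finding]:
    """Mark banner-only findings as suspected false positives when the authenticated
    inventory shows the fixed package revision; findings with no inventory data are
    flagged for manual verification; everything else stays 'confirmed'."""
    for f in findings:
        if f.evidence != "banner" or f.title not in FIXED_IN:
            continue
        pkg, fixed = FIXED_IN[f.title]
        installed = inventory.get(f.host, {}).get(pkg)
        if installed is None:
            f.status, f.note = "verify", f"no authenticated data for {pkg} on {f.host}"
        elif version_key(installed) >= version_key(fixed):
            f.status, f.note = "false_positive", f"{pkg} {installed} already contains the fix"
    return findings


def build_reports(findings: list[Finding], top_n: int = 10) -> dict:
    """Return the by-severity and by-host views plus a top-N list, excluding false
    positives, and list what was suppressed so the report shows its evidence."""
    kept = [f for f in findings if f.status != "false_positive"]
    by_severity = defaultdict(lambda: defaultdict(set))
    by_host = defaultdict(set)
    for f in kept:
        by_severity[f.severity][f.title].add(f.host)
        by_host[f.host].add((f.severity, f.title))
    ranked = sorted(
        ((sev, title, sorted(hosts))
         for sev, titles in by_severity.items() for title, hosts in titles.items()),
        key=lambda r: (-SEVERITY_RANK[r[0]], -len(r[2]), r[1]),
    )
    return {
        "by_severity": {sev: {t: sorted(h) for t, h in titles.items()}
                        for sev, titles in by_severity.items()},
        "by_host": {h: sorted(v, key=lambda x: (-SEVERITY_RANK[x[0]], x[1]))
                    for h, v in by_host.items()},
        "top": ranked[:top_n],
        "suppressed": [(f.host, f.title, f.note) for f in findings if f.status == "false_positive"],
    }


# Constructed scanner output: four findings, one of which is a banner-only false positive.
SAMPLE = [
    Finding("web01", "OpenSSH version-based check", "high", "banner", "openssh-server"),
    Finding("db01", "OpenSSH version-based check", "high", "banner", "openssh-server"),
    Finding("web01", "TLS 1.0 enabled", "medium", "authenticated"),
    Finding("db01", "PostgreSQL default password", "critical", "authenticated"),
]

if __name__ == "__main__":
    report = build_reports(triage(SAMPLE, INVENTORY))
    for sev, titles in report["by_severity"].items():
        print(sev, titles)
    print("suppressed:", report["suppressed"])
```

Note that db01 keeps its OpenSSH finding: its package revision predates the fix, so the banner match is real there even though the same check was a false positive on web01. Keeping the suppressed list in the output matters for credibility, because the remediation team can see why a finding was dropped instead of wondering whether the scanner missed it.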

After a VA, the assessed organization should institute (if not already in place) an organization-wide Cyber Security Awareness Training Program. The awareness training should include details about the completed VA. The level of detail provided during training regarding the completed VA might have to be scaled according to the audience. The possibility of an insider threat could reduce the amount of detail the senior management in the organization may be willing to provide.

Depending on the scope of the VA and the support requested after it has taken place, the awareness training should cover several of the list items under the "Reporting the Results" section, plus a couple of additional items:

  • A definition of VA and the goals for the technology used.
  • An explanation of how the VA scanning appliances operated.
  • The areas of infrastructure that were part of the assessment (scope) and that were left out.
  • How the generated reports can be used to show details about the vulnerabilities and where the patches can be found.
  • How the additional technology used during assessment can be used to benefit the various departments in the future.
  • Details about the severity levels of a threat to an organization and at what level the organization deems something mission critical.
