What is the point of Vulnerability Assessments?

Vulnerability Assessments have many uses - and not just limited to finding vulnerabilities

JW B0448

Vulnerability assessment (VA) is a control that most organisations implement and is a requirement for many security schemes such as PCI DSS. However, many organisations focus on the vulnerabilities themselves, which can mean they're missing out on some of the possible security benefits.

VA is a highly automated process that finds so-called "low hanging fruit". It predominantly finds simple issues such as:

  • Default passwords not changed
  • Patches not applied
  • Insecure versions of protocols not disabled
  • Common misconfigurations

Many organisations find VA to be a highly cost-effective measure. As it can be largely automated, VA is much cheaper than most other security activities, yet it still provides value such as detecting the exploitable issues that lower-skilled attackers target. VA can also identify hosts on the network that were not previously known about, so-called shadow IT.

However, all mature organisations have controls and policies that should prevent these issues: every organisation already requires default passwords to be changed, patches to be applied and systems to be configured securely. The real value in VA is therefore not in finding vulnerabilities but in validating where those controls are not being applied.

Focusing on the detected issues and simply fixing them provides only a limited benefit: an attacker can no longer trivially find and exploit those particular issues. To get the most value from VA, organisations should take each issue, identify the control that failed and, crucially, understand why it failed. In MWR's experience, such root cause analysis often reveals issues that, for whatever reason, the VA scan did not detect and that are equally dangerous.

Furthermore, by identifying why the control failed, future failures can be prevented. Common causes MWR sees include third-party service contracts that do not mandate patching, confusion between OS and application teams as to who is responsible for securing a particular stack, and outdated build standards that have not retired insecure protocols.
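The two points above (scanned hosts that are not in the asset inventory, and rolling findings up to the control that failed rather than fixing them one by one) can be turned into a small triage step on the scanner output. The script below is an added example, not MWR's tooling or any scanner's export format: the findings, the asset inventory, the control names (CTRL-01 to CTRL-04) and the category-to-control mapping are all constructed sample data, and the "systemic" threshold and root-cause hints are assumptions chosen to illustrate the reasoning in the text.

```python
"""Roll VA findings up to the control that failed and spot shadow IT.

Added example, not MWR's tooling. All data below is constructed.
"""
from collections import defaultdict

# Constructed sample of what a VA scanner might report for each host.
FINDINGS = [
    {"host": "10.0.1.10", "category": "default-credentials", "detail": "admin/admin on app console"},
    {"host": "10.0.1.11", "category": "missing-patch", "detail": "OpenSSH build past vendor EOL"},
    {"host": "10.0.1.12", "category": "missing-patch", "detail": "web server missing vendor fixes"},
    {"host": "10.0.1.13", "category": "missing-patch", "detail": "web server missing vendor fixes"},
    {"host": "10.0.1.14", "category": "insecure-protocol", "detail": "SSLv3 enabled"},
    {"host": "10.0.1.15", "category": "insecure-protocol", "detail": "TLS 1.0 enabled"},
    {"host": "10.0.2.50", "category": "misconfiguration", "detail": "SNMP community 'public'"},
]

# Constructed asset inventory: host -> owning team and support contract.
# A scanned host that is absent here is shadow IT.
INVENTORY = {
    "10.0.1.10": {"team": "app", "contract": "internal"},
    "10.0.1.11": {"team": "os", "contract": "third-party-msp"},
    "10.0.1.12": {"team": "app", "contract": "internal"},
    "10.0.1.13": {"team": "app", "contract": "internal"},
    "10.0.1.14": {"team": "os", "contract": "internal"},
    "10.0.1.15": {"team": "os", "contract": "internal"},
}

# Assumed control catalogue: which policy control should have prevented each finding.
CONTROL_FOR = {
    "default-credentials": "CTRL-01 Change default credentials before go-live",
    "missing-patch": "CTRL-02 Patch within SLA",
    "insecure-protocol": "CTRL-03 Build standard: legacy protocols disabled",
    "misconfiguration": "CTRL-04 Hardened configuration baseline",
}


def shadow_it(findings, inventory):
    """Hosts the scanner saw that nobody has recorded as owned."""
    return sorted({f["host"] for f in findings if f["host"] not in inventory})


def control_failures(findings, inventory, systemic_threshold=2):
    """Group findings by the control that failed and who owns the affected hosts.

    A control is flagged 'systemic' when it failed on at least
    systemic_threshold hosts: the fix is then to the control or its
    ownership, not to the individual hosts. The hints are assumed
    heuristics matching the common causes described in the text.
    """
    grouped = defaultdict(lambda: {"hosts": set(), "teams": set(), "contracts": set()})
    for f in findings:
        asset = inventory.get(f["host"])
        if asset is None:
            continue  # unknown host: surfaced by shadow_it(), nobody to attribute it to
        entry = grouped[CONTROL_FOR[f["category"]]]
        entry["hosts"].add(f["host"])
        entry["teams"].add(asset["team"])
        entry["contracts"].add(asset["contract"])

    report = {}
    for control, e in grouped.items():
        hints = []
        if len(e["teams"]) > 1:
            hints.append("spans teams: check who owns this control for each stack")
        if "third-party-msp" in e["contracts"]:
            hints.append("third-party-managed host affected: check the contract mandates this control")
        report[control] = {
            "hosts": sorted(e["hosts"]),
            "teams": sorted(e["teams"]),
            "contracts": sorted(e["contracts"]),
            "systemic": len(e["hosts"]) >= systemic_threshold,
            "hints": hints,
        }
    return report


if __name__ == "__main__":
    print("Shadow IT hosts:", shadow_it(FINDINGS, INVENTORY))
    for control, r in control_failures(FINDINGS, INVENTORY).items():
        tag = "SYSTEMIC" if r["systemic"] else "one-off "
        print(f"{tag} {control}: hosts={r['hosts']} teams={r['teams']}")
        for h in r["hints"]:
            print("         ->", h)
```

On the constructed data the patching control comes out as systemic across both the OS and application teams and touches a third-party-managed host, which is exactly the kind of ownership or contract gap the text describes; the default-credential finding is a one-off; and 10.0.2.50 is reported as shadow IT rather than attributed to a control, since there is no owner to ask why the control was not applied.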

VA is a crucial activity and all organisations should be doing it. However, if VA is seen only as a chance to close some easy vulnerabilities, organisations are missing out on a much deeper benefit.


