System scan (Robert Lucian Crusitu/


Vulnerability assessment: How do you rate?

What: “Cyber Defender Strategies: What Your Vulnerability Assessment Practices Reveal,” a report by researchers at Tenable Network Security

Why: As cyber threats evolve, so to must the tools to guard against them. Companies and government agencies must maintain frequent, use-specific scanning and intensive authentication processes, or their systems will continue to present an unnecessarily wide attack surface.

Findings:  After analyzing vulnerability assessment telemetry data from more than 2,100 customers and 300,000 scans o from March to May 2018, Tenable found that organizations fall into four VA  maturity categories -- diligent, investigative, surveying and minimalist. Only 5 percent of enterprises are categorized as diligent and showing a high level of maturity because they conduct frequent, targeted and comprehensive assessments. Just over 50 percent of federal agencies' VA practices display a medium to low maturity, which  "is not sufficient to mitigate the types of threats that typically target government organizations,” Tenable Chief Product Officer Dave Cole said.

The report shows organizations how they can rate their VA maturity based on five key performance indicators: scan frequency, scan intensity, authentication coverage, asset coverage and vulnerability coverage. It also offers a handful of recommendations to help organizations achieve greater vulnerability visibility:

Scan frequently. Ideally, organizations should scan for vulnerabilities at least every three days to minimize the time  a critical vulnerability resides  undetected in their network. They should also be sure they are getting up-to-date benchmarking and risk scoring intelligence.

Customize scan templates. Differentiated and customized scan templates can help organizations assess vulnerabilities for different asset groups, technology families or use cases.

Authenticate scans. It is important to authenticate assessments of select assets, technology and credentials because unauthenticated assessments can only provide a limited view of an environment and can yield more false negatives.

Cover assets. Prioritize exposed and critical assets, maximize the scan surface and use distributed scanning to gain a broader understanding of an asset’s vulnerabilities.

Think outside the traditional VA box. Approach assessments from innovative angles by incorporating non-traditional technology – such as such as web, cloud, virtual and mobile assets -- into vulnerability management programs.

“Good security is rarely the result of just one silver bullet technology or activity. Instead, solid cyber hygiene is the foundation that all else builds on,” Cole said.

Read the full report here.

About the Author

Caroline Mohan is an editorial intern for FCW and GCN. She can be reached at [email protected].


  • senior center (vuqarali/

    Bmore Responsive: Home-grown emergency response coordination

    Working with the local Code for America brigade, Baltimore’s Health Department built a new contact management system that saves hundreds of hours when checking in on senior care centers during emergencies.

  • man checking phone in the dark (Maridav/

    AI-based ‘listening’ helps VA monitor vets’ mental health

    To better monitor veterans’ mental health, especially during the pandemic, the Department of Veterans Affairs is relying on data and artificial intelligence-based analytics.

Stay Connected