Vulnerability assessment: How do you rate?
- By Caroline Mohan
- Aug 08, 2018
What: “Cyber Defender Strategies: What Your Vulnerability Assessment Practices Reveal,” a report by researchers at Tenable Network Security
Why: As cyber threats evolve, so too must the tools to guard against them. Companies and government agencies must maintain frequent, use-specific scanning and intensive authentication processes, or their systems will continue to present an unnecessarily wide attack surface.
Findings: After analyzing vulnerability assessment telemetry data from more than 2,100 customers and 300,000 scans from March to May 2018, Tenable found that organizations fall into four VA maturity categories -- diligent, investigative, surveying and minimalist. Only 5 percent of enterprises are categorized as diligent and showing a high level of maturity because they conduct frequent, targeted and comprehensive assessments. Just over 50 percent of federal agencies' VA practices display a medium to low maturity, which "is not sufficient to mitigate the types of threats that typically target government organizations," Tenable Chief Product Officer Dave Cole said.
The report shows organizations how they can rate their VA maturity based on five key performance indicators: scan frequency, scan intensity, authentication coverage, asset coverage and vulnerability coverage. It also offers a handful of recommendations to help organizations achieve greater vulnerability visibility:
Scan frequently. Ideally, organizations should scan for vulnerabilities at least every three days to minimize the time a critical vulnerability resides undetected in their network. They should also be sure they are getting up-to-date benchmarking and risk scoring intelligence.
Customize scan templates. Differentiated and customized scan templates can help organizations assess vulnerabilities for different asset groups, technology families or use cases.
Authenticate scans. It is important to authenticate assessments of select assets, technology and credentials because unauthenticated assessments can only provide a limited view of an environment and can yield more false negatives.
Cover assets. Prioritize exposed and critical assets, maximize the scan surface and use distributed scanning to gain a broader understanding of an asset’s vulnerabilities.
Think outside the traditional VA box. Approach assessments from innovative angles by incorporating non-traditional technology -- such as web, cloud, virtual and mobile assets -- into vulnerability management programs.
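As an added illustration (not code from the article or from Tenable's report), the following Python computes three of the five KPIs named above, scan frequency, authentication coverage and asset coverage, from a constructed set of scan records, and flags assets whose longest gap between scans exceeds the three-day recommendation. The input schema (asset, scan date, authenticated flag) and the inventory are assumptions; the four maturity bands are not reproduced because the report's scoring thresholds are not given here.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample telemetry, one row per (asset, scan date, authenticated?).
SCANS = [
    ("web-01", "2018-03-01", True),
    ("web-01", "2018-03-03", True),
    ("web-01", "2018-03-05", True),
    ("db-01", "2018-03-01", False),
    ("db-01", "2018-03-09", False),
    ("app-01", "2018-03-02", True),
    ("app-01", "2018-03-15", False),
]
# Constructed asset inventory; vpn-01 is never scanned.
INVENTORY = {"web-01", "db-01", "app-01", "vpn-01"}
MAX_GAP_DAYS = 3  # the report's recommendation: scan at least every three days


def scan_kpis(scans, inventory, max_gap_days=MAX_GAP_DAYS):
    """Return scan-frequency, authentication-coverage and asset-coverage KPIs."""
    by_asset = defaultdict(list)
    for asset, day, authenticated in scans:
        by_asset[asset].append((datetime.strptime(day, "%Y-%m-%d"), authenticated))

    # Scan frequency: the longest gap between consecutive scans of each asset.
    # An asset seen only once has no gap yet (None) and is reported separately.
    worst_gap = {}
    for asset, rows in by_asset.items():
        dates = sorted(d for d, _ in rows)
        gaps = [(later - earlier).days for earlier, later in zip(dates, dates[1:])]
        worst_gap[asset] = max(gaps) if gaps else None
    exceeding = sorted(a for a, g in worst_gap.items() if g is not None and g > max_gap_days)

    authenticated = sum(1 for _, _, auth in scans if auth)
    return {
        "asset_coverage": len(by_asset) / len(inventory),
        "unscanned_assets": sorted(inventory - set(by_asset)),
        "authentication_coverage": authenticated / len(scans),
        "worst_gap_days": worst_gap,
        "assets_exceeding_gap": exceeding,
        "single_scan_assets": sorted(a for a, g in worst_gap.items() if g is None),
    }


if __name__ == "__main__":
    for name, value in scan_kpis(SCANS, INVENTORY).items():
        print(f"{name}: {value}")
```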
“Good security is rarely the result of just one silver bullet technology or activity. Instead, solid cyber hygiene is the foundation that all else builds on,” Cole said.
Read the full report here.