Do you have a complete understanding of your IT environment and your security posture? Do you know where your next security dollar should be invested to have the greatest impact and ROI? If your answer was “no” – or even just “maybe” – then a security vulnerability and gap assessment is something you should consider today. These assessments will help validate your current understanding, identify any areas of concern, and help prioritize your next steps for security improvement and maturity.
What are Vulnerability and Gap Assessments?
Vulnerability and gap assessments provide a holistic view of your environment, your digital assets, and your current security posture, and chart a path toward further improvement. They show how your posture measures up against industry-standard baselines and surface issues such as rogue or unknown assets (also referred to as shadow IT), missing security policies, and more. The result of these assessments is a list of areas needing improvement and a clear plan to help your organization reach its desired level of security.
Asset Identification
One of the first and most important steps to take to prepare for an assessment is asset identification. After all, you can’t protect it if you don’t know about it! The asset analysis will identify all endpoints and services on your networks, their functions, their criticality, and who is responsible for them. This helps with future prioritization of security improvements (and, as a bonus, will help you document your incident response plan – but that’s a topic for another day). The process also helps identify your “crown jewels”: the most important assets in your organization and the ones that will require the most extensive security defenses.
The results of an asset discovery exercise are typically tracked in a Configuration Management Database (CMDB) for reference and planning going forward. Doing so helps with future vulnerability management efforts. Information that should be tracked includes any applicable licensing information, version levels, operating systems, and details about end-of-support/end-of-life horizons for planning purposes. Depending on your organization’s tools and capabilities, this information can be used to automatically alert key staff to help coordinate budgets, support, and system renewal/refresh.
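As an added example (not from the original article), the following Python check reads a constructed CMDB export in a hypothetical column layout, flags assets that are past or approaching end of support, and groups the alerts by the owner recorded for each asset. The column names, the 180-day warning threshold, and the sample rows are assumptions; adapt them to your own CMDB's schema.

```python
"""Flag assets approaching or past end-of-support from a CMDB export.

Added example, not from the original article. The inventory below is a
constructed CSV snippet in a hypothetical column layout; real CMDB
exports will differ, so adapt the column names to your tool."""
import csv
import io
from datetime import date

# Constructed sample export (hypothetical layout and values).
CMDB_CSV = """\
asset,owner,os,version,criticality,end_of_support
dc01,identity-team,Windows Server,2012 R2,high,2023-10-10
web01,web-team,Ubuntu,20.04,high,2025-05-31
db02,data-team,Windows Server,2019,high,2029-01-09
wks042,helpdesk,Windows,10,low,2025-10-14
"""

CRITICALITY_RANK = {"high": 0, "medium": 1, "low": 2}


def load_inventory(text):
    """Parse the CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def classify(asset, today, warn_days):
    """Compute days to end-of-support and bucket the asset accordingly."""
    eos = date.fromisoformat(asset["end_of_support"])
    days_left = (eos - today).days
    if days_left < 0:
        status = "past_eos"          # already unsupported: no more security fixes
    elif days_left <= warn_days:
        status = "expiring"          # inside the planning window: budget the refresh now
    else:
        status = "ok"
    return {
        "asset": asset["asset"],
        "owner": asset["owner"],
        "criticality": asset["criticality"],
        "days_left": days_left,
        "status": status,
    }


def eol_report(text, today, warn_days=180):
    """Return every asset classified, worst first.

    Sort key: soonest (or most overdue) end-of-support first; within the
    same date, higher-criticality assets ahead of lower ones.
    """
    rows = [classify(a, today, warn_days) for a in load_inventory(text)]
    rows.sort(key=lambda r: (r["days_left"], CRITICALITY_RANK.get(r["criticality"], 3)))
    return rows


def alerts_by_owner(report):
    """Group non-ok assets by responsible team so each owner gets one notice."""
    out = {}
    for r in report:
        if r["status"] != "ok":
            out.setdefault(r["owner"], []).append(r["asset"])
    return out


if __name__ == "__main__":
    report = eol_report(CMDB_CSV, date(2025, 6, 1))
    for r in report:
        print(f'{r["asset"]:8} {r["owner"]:14} {r["status"]:9} {r["days_left"]:>6} days')
    print(alerts_by_owner(report))
```

Run against the sample with a fixed "today" of 2025-06-01, the domain controller on an unsupported OS sorts to the top, the workstation lands in the expiring bucket, and the owner grouping gives you the distribution list for the budget conversation the paragraph above describes.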
Vulnerability Assessments
After identifying your organization’s assets, the next step is to find their vulnerabilities and security exposures, from unpatched devices and insecure configurations to overly permissive access rules. Spotting these issues early lets you plan remediation before an attacker exploits them.
Part of this process is deciding which vulnerability scoring or prioritization system(s) you will use going forward. You may already apply one or more of them in your environment, and you can either continue with those or try something new. Common options include the Common Vulnerability Scoring System (CVSS), the Stakeholder-Specific Vulnerability Categorization (SSVC), and the Exploit Prediction Scoring System (EPSS).
These systems measure different things, so the same vulnerability can land in a different place in your queue depending on which one you use. CVSS rates the technical severity of the flaw itself; the base score is the same for every organization and every asset. SSVC is a decision tree rather than a score: it combines exploitation status, whether exploitation can be automated, and the mission and well-being impact of the affected system to produce an action (for example Track, Attend, or Act), so the same flaw on a sensitive or publicly exposed system yields a more urgent decision than it does on a low-impact internal one. EPSS estimates the probability that a vulnerability will be exploited in the wild over the next 30 days, based on observed exploitation activity and factors such as the availability of public exploit code; because it is a per-vulnerability figure, it ranks a flaw the same way on every asset in your environment regardless of that asset's exposure or access to sensitive data.
Gap Assessments
The next step is a gap assessment. Gap assessments evaluate your current security posture against industry best practices, compliance requirements, or a desired target state. They identify any deficiencies in security controls, policies, processes, and your overall cybersecurity program maturity.
Classification and Prioritization
When the results of the vulnerability and gap assessments are coupled, you will have a comprehensive picture of your environment. Most importantly, you will be armed with the information you need to prioritize remediation and the methods through which you can improve your defenses and security posture.
Different organizations choose different prioritization strategies: do you remediate the larger, more immediate threats first, such as exposed user data on public-facing assets, or knock out smaller, less critical findings to bring the overall vulnerability count down quickly? Ideally, the most critical threats on the most important assets come first, followed by the smaller, quicker fixes, rather than letting either category wait. For example, domain controllers (DCs) and industrial control systems (ICS) should be prioritized over individual workstations: a compromised domain controller exposes every account and system that trusts the directory, while a compromised workstation is usually contained to one user. Which “crown jewels” need to be defended? Some themes are consistent irrespective of industry or sector, but every organization will have priorities specific to it.
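The scoring discussion above and this prioritization question can be put side by side in code. The following added Python example (not from the original article) orders one constructed set of findings three ways: by CVSS base score alone, by EPSS alone, and by a simplified SSVC-style decision that adds asset context (exploitation evidence, internet exposure, data sensitivity, and crown-jewel status such as a domain controller). The vulnerability labels, scores, the 0.10 EPSS threshold and the decision rules are all constructed for illustration; the rules are a simplification of the SSVC idea, not CISA's published decision tree.

```python
"""Ranking the same findings by CVSS, by EPSS, and by an asset-aware decision.

Added example, not from the original article. Findings are constructed
sample data with placeholder labels (not real CVE identifiers), and the
decision rules are a simplified illustration of the SSVC approach, not
the official CISA decision tree."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    vuln_id: str          # placeholder label, not a real CVE ID
    asset: str
    cvss: float           # CVSS base score (technical severity, 0.0-10.0)
    epss: float           # EPSS probability of exploitation in the next 30 days
    exploited: bool       # known exploitation in the wild (e.g. a KEV listing)
    internet_facing: bool
    sensitive_data: bool
    crown_jewel: bool     # e.g. domain controller, ICS, identity provider


# Constructed sample findings (assumed values).
FINDINGS = [
    Finding("VULN-A", "dc01",   8.8, 0.02, False, False, True,  True),
    Finding("VULN-B", "web01",  7.5, 0.91, True,  True,  True,  False),
    Finding("VULN-C", "wks042", 9.8, 0.01, False, False, False, False),
    Finding("VULN-D", "wks042", 5.3, 0.45, False, False, False, False),
]

LIKELY_EPSS = 0.10  # assumed threshold for "exploitation likely"
ACTION_RANK = {"Act": 0, "Attend": 1, "Track": 2}


def by_cvss(findings):
    """Severity only: identical on every asset, so a 9.8 on a workstation wins."""
    return sorted(findings, key=lambda f: -f.cvss)


def by_epss(findings):
    """Exploit likelihood only: also per-vulnerability, blind to asset context."""
    return sorted(findings, key=lambda f: -f.epss)


def decide(f):
    """Simplified SSVC-style decision (assumed rules, not the CISA tree).

    Combines exploitation evidence with the exposure and importance of the
    affected asset and returns one of Act / Attend / Track.
    """
    exposed_or_important = f.crown_jewel or f.internet_facing or f.sensitive_data
    if f.exploited:
        return "Act" if exposed_or_important else "Attend"
    if f.epss >= LIKELY_EPSS and (f.crown_jewel or f.internet_facing):
        return "Attend"
    if f.crown_jewel and f.cvss >= 7.0:
        return "Attend"  # high-severity flaw on a crown jewel, even without exploit evidence
    return "Track"


def by_context(findings):
    """Decision first, then crown jewels, then EPSS and CVSS as tie-breakers."""
    return sorted(
        findings,
        key=lambda f: (ACTION_RANK[decide(f)], not f.crown_jewel, -f.epss, -f.cvss),
    )


if __name__ == "__main__":
    for name, order in (
        ("CVSS", by_cvss(FINDINGS)),
        ("EPSS", by_epss(FINDINGS)),
        ("context", by_context(FINDINGS)),
    ):
        print(f"{name:8}", [f"{f.vuln_id}@{f.asset}:{decide(f)}" for f in order])
```

On the sample data VULN-C (a 9.8 on a workstation) ranks first by CVSS and last once asset context is applied, while VULN-A on the domain controller moves up despite a negligible EPSS because the asset is a crown jewel. Whichever ordering you adopt, record the rule so the prioritization can be explained to stakeholders and re-validated later.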
Executing your Plan
Now your efforts really pay off. With a clear and supportable list of priorities, you can develop an action plan to implement any necessary changes and work toward a more secure and compliant environment. You’ll be positioned to set budgets, secure resources, and set realistic timelines and milestones. Be sure to include regular check-ins to track progress, inform your stakeholders, and re-validate your plan and priorities with the business over time.
Conclusion
Keeping up with complex IT systems and pervasive cyber threats is challenging. Whether your goal is compliance, best practices, strategic planning, or simply doing right by your customers, vulnerability and gap assessments can help you understand what to do next. These assessments can be done in-house, but most organizations benefit from getting outside assistance to streamline the process and get a fresh set of eyes on the environment. Contact ISA Cybersecurity today to learn how we can help you achieve your security goals.