What Is A Vulnerability Assessment?
You can’t protect what you don’t know. Here’s how to gain full visibility and safeguard your business.
Consider a vulnerability assessment your blueprint for building cyber resilience in an increasingly volatile threat landscape. Designed to identify the gaps that open up organizations — including managed service providers (MSPs) and their small to medium-sized business clients (SMBs) — to exploitation by cybercriminals, it’s an essential component of effective vulnerability management.
The best assessments achieve full visibility. This means they identify and continuously scan all assets in your environment, eliminating any risk of blind spots and allowing you to address any vulnerabilities before they become breaches.
It’s the foundation of protection
In that sense, the vulnerability assessment lays the foundation for your future success in protecting your IT environment. It belongs in the “Identify” stage of the NIST Cybersecurity Framework, the gold-standard for creating an effective cybersecurity program (To learn more, read this post: Understanding the big picture of cybersecurity starts with NIST).
When you run an assessment that scans your own and your customers’ IT infrastructure for this common compliance standard, you take a crucial step on your cybersecurity journey. With all vulnerabilities uncovered, you can take action to protect your environment and shrink your attack surface. That way, you reduce the risk of having to activate the next three steps of the framework — Detect, Respond, and Recover.
The assessment can also support other standards, depending on which industries your clients are in. For instance, an assessment can reveal whether they comply with standards like PCI DSS, HIPAA, GDPR IV, NIST 800-53, NIST 800-171, CIS, CIS 8.0, ISO 27002, Cyber Essentials and Essential Eight.
It provides complete visibility
Two features tend to stand out about vulnerability assessments:
At the core of the vulnerability assessment is the scan, which should have the capability to discover systems running on your network or that connect via remote access solutions, including laptops and desktops, virtual and physical servers, databases, firewalls, printers, routers, access points, switches, IoT devices, etc.
Once the scan is completed, you should get a report that outlines the vulnerabilities that were identified and provides recommendations for how to fix or mitigate them. The most insightful assessments offer a range of reports, covering assets, vulnerabilities, compliance, remediation, security posture, Active Directory (identifying misconfigurations, weak policies, and privileged user access), and the opportunity to build your own.
It’s an MSP business generator
A growing number of MSPs are leveraging vulnerability assessments to win business. In our whitepaper on this very topic, Karl Bickmore, CEO of Snap Tech IT, says, “We're winning a lot of deals. And our differentiator typically is that our assessment shows where the security needs are."
He continues, “It's really up to our needs. I can get out there and just run an ad-hoc scan, and there's no additional licensing to happen. It provides us an easy way to have confidence that our tools are working, that we're catching everything in the network and that we're seeing devices and their vulnerabilities — not just computers and servers — but the switches, the infrastructure items…”
Dennis Houseknecht, CTO Waterloo Security (WatSec), a cyber risk management firm, echoes Bickmore’s take: “It enables us to provide information to our co-managed IT teams that they either don’t have or would have to spend a lot of time and effort to get — and we’re basically serving it to them.
“A lot of our clients really like the fact we have a third-party set of eyes that can come in and validate what the MSPs are doing. We provide what we like to call oversight. We're also able to give MSPs an independent set of data, so they're not grading their own homework.”
It builds cyber resilience
Effective vulnerability assessment requires a combination of automated tools and manual testing and inspection to ensure that all potential vulnerabilities are identified. It is an ongoing process that should be regularly repeated to ensure that systems and networks are secure. For complete coverage, Gartner recommends that organizations combine active scanning, agents, and passive monitoring. This applies to enterprises as well as MSPs and their SMB clients.
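The "full visibility" goal above (every asset discovered, no blind spots) and the Gartner advice to combine active scanning, agents, and passive monitoring can be checked mechanically. The following is an added example, not code from the original post or any vendor's product: it reconciles constructed asset lists from the three discovery methods, flags assets that only passive monitoring ever saw, and summarizes constructed scan findings per asset so that unscanned assets still appear in the report. Hostnames, addresses, and finding IDs are invented placeholders.

```python
from collections import defaultdict

# Constructed sample inventories: what each discovery method observed.
# Hostnames and addresses are placeholders, not real systems.
ACTIVE_SCAN = {"fs01": "10.0.0.5", "sw-core": "10.0.0.1", "printer-2f": "10.0.0.40"}
AGENTS = {"fs01": "10.0.0.5", "laptop-jdoe": "10.0.0.77"}
PASSIVE = {"fs01": "10.0.0.5", "sw-core": "10.0.0.1", "cam-lobby": "10.0.0.90"}

# Constructed scan findings: (asset, finding id placeholder, severity).
FINDINGS = [
    ("fs01", "FINDING-EXAMPLE-1", "critical"),
    ("fs01", "FINDING-EXAMPLE-2", "medium"),
    ("printer-2f", "FINDING-EXAMPLE-3", "high"),
]

SEVERITIES = ["critical", "high", "medium", "low"]


def coverage(active, agents, passive):
    """Map each asset to the set of discovery methods that observed it."""
    seen = defaultdict(set)
    for method, source in (("active", active), ("agent", agents), ("passive", passive)):
        for asset in source:
            seen[asset].add(method)
    return dict(seen)


def blind_spots(cov):
    """Assets seen only by passive monitoring: on the network, never scanned or managed."""
    return sorted(asset for asset, methods in cov.items() if methods == {"passive"})


def unscanned(cov):
    """Assets the active scanner never reached, so no vulnerability data exists for them."""
    return sorted(asset for asset, methods in cov.items() if "active" not in methods)


def summarize(findings, cov):
    """Per-asset finding counts by severity; assets with zero findings are kept visible."""
    summary = {asset: {sev: 0 for sev in SEVERITIES} for asset in cov}
    for asset, _finding_id, severity in findings:
        summary.setdefault(asset, {sev: 0 for sev in SEVERITIES})[severity] += 1
    return summary


if __name__ == "__main__":
    cov = coverage(ACTIVE_SCAN, AGENTS, PASSIVE)
    print("passive-only (blind spots):", blind_spots(cov))
    print("never actively scanned:", unscanned(cov))
    for asset, counts in sorted(summarize(FINDINGS, cov).items()):
        print(asset, sorted(cov[asset]), counts)
```

An asset that shows up in the blind-spot list has no findings not because it is clean, but because nothing ever assessed it; that distinction is the point of reconciling the three sources.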
In short, by gaining visibility into all assets, you simultaneously gain invaluable knowledge. As the unofficial first law of cybersecurity says, “You can’t protect what you don’t know.” Vulnerability assessments help you get past the danger of not knowing at a time when the stakes keep being raised. Environments now encompass not only networks and private hosted applications but everything from IoT to cloud applications to digital supply chains, and more. Discovering where your organization is at risk of exploitation is the most crucial step to building cyber resilience.