
In today's 'everything online' world, vulnerability assessments have become an indispensable part of information security and central to what is referred to as the "AIC Triad": the availability, integrity and confidentiality of data. A vulnerability assessment takes a non-intrusive, surface-level view of an organization's internetworked environment, usually with the help of scanning tools such as Nmap, Nessus, Foundstone and others, depending on the type of environment. This view is taken not only from the external perspective you would expect, but also from an internal one, because an organization's own users can just as easily be the source of a threat. In addition, a capable outside attacker who gains a foothold on the firm's LAN (through a phished workstation, for example) is then operating behind the firewall with the same access to internal infrastructure as an insider.

While vulnerability assessments are useful for identifying vulnerabilities that may exist, they do not prove that any of those vulnerabilities are actually being exploited. They fall short in this respect because they are a point-in-time snapshot, valid only for the moment the scan ran, and so provide no 'moving' picture of how today's more dynamic threats are emerging or where an exploit might be headed. The industry's response has been ongoing host and network event monitoring (intrusion detection and log analysis) to detect and report malicious activity. The two types of service, point-in-time assessment and points-over-time monitoring, are usually conducted separately: point-in-time assessments are most often performed by third-party security consultants, while points-over-time monitoring is provided as an ongoing service, either by internal IT or by a third-party managed infrastructure services provider engaged to keep infrastructure running smoothly.
Based on our security industry experience, we strongly contend that both services need to be performed at the same time and their results combined, to create a complete and verified profile of an organization's threat risk and to enable the analysis that leads to mitigation. For example, ongoing monitoring may show that a vulnerability the scanner rates high-risk is not actually being targeted, and so is not currently a major problem, while a vulnerability rated low-risk is attracting a very high level of hostile activity and therefore requires attention first. (The converse caution applies: the absence of alerts against a high-risk finding only means nothing was detected in that monitoring window, so it lowers urgency rather than removing the need to remediate.) It is the combination of point-in-time and points-over-time data that allows an organization to fully qualify a vulnerability and conduct a business impact assessment of whether it can accept the risk and how best to deal with it.

To share your thoughts on vulnerability assessments, or to find out how Compugen's Security Consulting Services can help you identify and mitigate the risk of cyber security threats impacting your organization, feel free to e-mail me or call 1-800-387-5045. This story previously appeared in Compugen's Tuesday Technology Report. It was written by TTR staff with information provided by Compugen's security team.
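As an added illustration of the correlation argued for above (example code written for this edit, not Compugen's tooling and not output from any of the scanners named), the following Python script joins a constructed scan snapshot with constructed IDS log lines and ranks each finding by its scanner severity weighted by the hostile activity actually observed against that host and port. The hosts, findings, alert signatures and the scoring formula are all hypothetical; the point it demonstrates is that a low-rated finding under active probing can rank ahead of a high-rated finding that nobody is touching.

```python
"""Correlate point-in-time scan findings with points-over-time monitoring events.

All data below is constructed for illustration: the hosts, findings and
IDS signatures are hypothetical, and the scoring rule is an assumption,
not a standard or a vendor's algorithm.
"""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    title: str
    severity: str  # scanner rating: "low", "medium", "high" or "critical"


# Constructed point-in-time scan snapshot (hypothetical hosts and findings).
SCAN_FINDINGS = [
    Finding("10.0.0.5", 22, "SSH service permits weak key exchange", "high"),
    Finding("10.0.0.5", 80, "Web server exposes directory listing", "low"),
    Finding("10.0.0.9", 445, "SMB signing not required", "medium"),
]

# Constructed points-over-time monitoring output in a simple syslog-like shape.
MONITORING_LOG = """\
2024-03-01T02:11:03Z ids: alert src=198.51.100.7 dst=10.0.0.5:80 sig=directory-traversal-attempt
2024-03-01T02:11:09Z ids: alert src=198.51.100.7 dst=10.0.0.5:80 sig=directory-traversal-attempt
2024-03-01T02:14:51Z ids: alert src=198.51.100.7 dst=10.0.0.5:80 sig=directory-traversal-attempt
2024-03-01T03:40:22Z ids: alert src=203.0.113.4 dst=10.0.0.5:80 sig=scanner-user-agent
2024-03-01T09:02:17Z ids: alert src=10.0.0.31 dst=10.0.0.9:445 sig=smb-relay-attempt
"""

# Pull the destination host:port and alert signature out of each monitoring line.
LOG_RE = re.compile(r"dst=(?P<host>[\d.]+):(?P<port>\d+)\s+sig=(?P<sig>\S+)")

# Assumed weights for the scanner's qualitative ratings.
SEVERITY_WEIGHT = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def count_events(log_text):
    """Return {(host, port): Counter(signature -> hits)} from monitoring lines.

    Lines that do not match the expected shape are skipped rather than
    treated as activity, so malformed input cannot inflate a score.
    """
    events = {}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        key = (m["host"], int(m["port"]))
        events.setdefault(key, Counter())[m["sig"]] += 1
    return events


def qualify(findings, events):
    """Combine snapshot severity with observed activity into an ordered worklist.

    Assumed rule: score = severity weight * (1 + hostile events seen against
    that service). A finding with no observed activity keeps its base weight,
    so it is de-prioritised rather than dropped: no alerts only means nothing
    was detected in this window.
    """
    rows = []
    for f in findings:
        hits = events.get((f.host, f.port), Counter())
        activity = sum(hits.values())
        score = SEVERITY_WEIGHT[f.severity] * (1 + activity)
        rows.append({
            "host": f.host, "port": f.port, "title": f.title,
            "severity": f.severity, "activity": activity,
            "signatures": dict(hits), "score": score,
        })
    return sorted(rows, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for row in qualify(SCAN_FINDINGS, count_events(MONITORING_LOG)):
        print(f"{row['score']:>3}  {row['host']}:{row['port']:<5} "
              f"{row['severity']:<7} events={row['activity']}  {row['title']}")
```

Run stand-alone, the worklist puts the low-rated web finding on 10.0.0.5:80 first (four hostile events), the medium SMB finding second (one internal relay attempt) and the high-rated SSH finding last (no observed activity), which is the re-ordering the paragraph above describes. In practice the scoring rule would be tuned to the organization's own risk appetite, and the join key would normally include the asset's business criticality as well as host and port.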