Vulnerability Assessment – Know Your Weaknesses

Relax, we’ll not be talking about personal and psychological vulnerabilities here. Instead, let’s talk about IT, its inherent vulnerabilities and their assessment.

IT Vulnerability assessment, also known as vulnerability analysis, is a conscious action aiming to define, identify, and classify the security vulnerabilities in a computer, network, or an entire communications infrastructure. Furthermore, the vulnerability assessment can be used to forecast the effectiveness of proposed countermeasures and evaluate their actual effectiveness after they are put into use.


Vulnerability assessment is usually the first step taken in the direction of strengthening an organization’s Information Security. Inasmuch, as it provides a picture of open doors or holes in the security landscape, the vulnerability assessment can be a starting point in rationalizing one’s security strategy, policies, etc. Ultimately, data collected and rationalized fuels the entire Risk Management process.


Regardless of the methodology, scope, and timing that can differ, Vulnerability Assessment has to follow certain steps:

  • Determine the scope of assessment;
  • Scan entire network with all devices;
  • Identify and confirm found vulnerabilities;
  • Classify and determine vulnerability levels;
  • Prepare vulnerability report.


An important part or extension (depending on the underlying philosophy) to vulnerability assessment –Penetration Testing – is usually performed by a white hat using ethical hacking techniques. Using this method to assess vulnerabilities, security experts deliberately probe a network or system to discover its weaknesses. This process can provide guidelines for the development of countermeasures to prevent a genuine attack.

Imagine you’re in a room with many doors and you want to know which ones of all these are locked and which not. Vulnerability Assessment does just that – it provides a “list” of unlocked doors. These doors could be used to break into an organization’s communication system, inflicting damage and disrupting operations.

The scope of Vulnerability Assessment is usually all-encompassing, spreading over an entire organization or, at least over an entire critical system the organization uses.

Penetration Testing, on the other hand, may follow a narrower scope. Instead of just listing doors, it goes through each unlocked door to see how far can one reach into the system.

Also, what impact such entry can have, thus exposing possible vulnerabilities that were not seen in the Vulnerability Assessment of the first “batch” of doors.


Lack of Vision: Creating a plan for vulnerability assessment is not an easy task. As such, you need to look it over from as many sides as possible and explore every aspect of vulnerabilities found. Being narrow-minded when talking about such an assessment, is one of the biggest mistakes you can make. To adequately examine weaknesses in your infrastructure, you need to put yourself in the shoes of the attacker. What better way to do that, than to try even the most outrageous ideas for testing and to simulate even the rarest situations. Don’t exclude any idea before seriously considering it. You should also have in mind that having a member of the senior management in the room, while thinking of ways to assess vulnerabilities, is a bad idea because suddenly ideas stop flowing and people become afraid to explore different possibilities.

Inadequate Compliance: Complying with laws and regulations is not always enough to secure the information infrastructure of your business. Furthermore, in every country, there are examples of government legislation, enforced to increase business security that can, sometimes, interfere with the business environment in an incomplete fashion. The wise and legal thing to do is to address inadequacies with additional measures in order to enhance productive legislation requirements with legally permitted actions.

Bad Reporting: A problem that is often encountered is lacking a technique of reporting. It is nothing new, for an external consulting company, just to drop off a report full of vulnerabilities and problems, leaving the rest to the client. On other occasions, people focus too much on the problem itself, without providing any answers for the weak points in the infrastructure. Another example of bad reporting is concentrating only on categorizing and enumerating the problems found, again with no perspective of finding a solution. Creating a report with the detailed categorization of all problems is vital, but is only half of the work. The other half involves a detailed analysis of the report and the effort to solve problems found in it.

Knowledge Gained Does Not Enter Corporate Culture: Although there is security-sensitive information in a vulnerability assessment report, that cannot be shared lightly with employees, this is no reason to keep staff members in the dark. Security is part of the corporate culture and as such must be embraced by everyone in the company, not as a mandatory requirement, but as something they are involved in. Security staff meetings and debating of security incidents, both in the company and in other companies, will greatly affect the understanding of security as a group effort.


Determining the Information Security risks in a company is a complex and involving task. In a dynamic and integrated environment, locating and assessing threats and vulnerabilities is simply not enough. Therefore, what you need is not only a simple vulnerability assessment but an integrated process of vulnerability management.

What is vulnerability management and how is it different from vulnerability assessment?

Vulnerability assessment will tell you where and what the vulnerabilities are, while vulnerability management will make sure these vulnerabilities are addressed by actionable measures, such as but not limited to the installation of a patch, a change in network security policy, reconfiguration of software (such as a firewall), educating users about social engineering, etc.


Vulnerability management is the ongoing, cyclical practice to identify, classify, remedy, and mitigate vulnerabilities. The process is especially important when treating issues related to software and firmware. Vulnerability management is integral to computer security and network security and is accompanied by vulnerability assessment, which provides the initial “food for thought”.

Although vulnerabilities are classified by their severity, they are not directly translated to risks in an organization. A high severity vulnerability may or may not be regarded as a critical risk. The risk definitions are handled in the risk assessment process, part of Risk Management activities.