Vulnerability Assessment Vendors: How to Find the Right One

Learn about the key factors to pay attention to when selecting a provider of network vulnerability assessment services.

Regular vulnerability assessment improves the security posture of your company’s network, but only when it is done competently. In this article, we show how to find a provider with the skills needed to perform network vulnerability assessment properly.

Where vulnerability assessment can fall flat

When selecting an information security services provider, you need to know which factors matter. Before choosing a company to assess your network, get a full picture of the prospective vendor’s capabilities and competencies: vendors that lack experience or qualified staff often deliver low-quality results. Below we list the most common mistakes vendors make and describe what to expect from a good one.

  1. Vendors skip the initial stage of clarifying significant details. An inexperienced provider may fail to ask the questions that reveal the specifics of your network: where sensitive data is stored, how the network is protected, what rights users need to reach the servers, and so on. A qualified vendor’s first task is to help you decide how exactly your network should be assessed (for example, whether the engineers should scan from inside the network, from outside, or both, and whether scans run with credentials or without). Experienced vendors provide a security assessment questionnaire during negotiations. Such a questionnaire lets the vendor estimate the scope of work and clarifies whether you must comply with security standards or regulations (PCI DSS, HIPAA, etc.) and which security measures are already in place (firewalls, IPS/IDS, etc.). 
  2. Vendors fail to describe the whole network vulnerability assessment process. They must be able to explain and justify their chosen approach. A bare list of the scanning tools they use is not an explanation: it tells you nothing about what will actually be assessed with those tools. A prospective vendor should clearly describe the steps they will execute and the deliverables you will receive at the end of the engagement. 
  3. Vendors cut costs by staffing the engagement with an entry-level testing team. Such specialists can configure a scanner but lack the qualification to turn its output into a report with reliable findings. So do not judge a prospective vendor only by its portfolio (the publicly available information on completed projects). Look instead at the experience of the security engineers who will do the work: their certifications, published research, participation in recognised programmes, and so on. Assess the professionals, not the company’s brand. 
  4. Vendors provide no recommendations for remediating the weaknesses they reveal. Network vulnerability assessment only “opens the door” to show the weaknesses behind it, but merely pointing out flaws is not enough. To judge a vendor’s competence here, ask for the template of the final report they deliver. A well-structured report has two main parts: an executive summary (a brief, clear evaluation of the overall security level of your network) and a technical report (a thorough description of the activities the engineers performed and their findings, each with a remediation recommendation).

What types of vulnerabilities a vendor may find or miss

Vulnerability assessment finds two main types of vulnerabilities: technical and logical. Technical vulnerabilities can be detected with automated scanning tools, so even a vendor with modest skills can find them by configuring a scanner correctly. Logical vulnerabilities, by contrast, depend on how the customer’s network and applications are meant to behave, which no scanner knows; detecting them takes experienced testers who understand that intended logic and check it manually.

Among the most well-known technical vulnerabilities are:

  • Susceptibility to SQL injection. The application concatenates user-supplied input (from a web form field, URL parameter, header, etc.) into an SQL statement, so the input is parsed as SQL rather than treated as data. A successful SQL injection exploit can let attackers read, modify, or even destroy the sensitive data in your databases. 
  • Susceptibility to cross-site scripting (XSS). An attacker injects a malicious script into a page served by a site that your users’ browsers trust; the script then runs in the victims’ browsers with that site’s privileges. This can be used to steal session cookies, phish for credentials, redirect users to malware, and so on. 
  • Susceptibility to cross-site request forgery (CSRF). An attacker makes a logged-in user’s browser send an unwanted request to the web application, which accepts it because it carries the victim’s valid session. Successful CSRF attacks can result in unauthorized fund transfers or in account details such as the e-mail address or password being changed in the victim’s name.
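The SQL injection weakness from the first bullet, shown as an added example that is not part of the article: a lookup that pastes input into the query text beside its parameterized fix. It uses an in-memory SQLite database with constructed sample rows, so it runs offline; the table, rows and payload are assumptions for illustration.

```python
"""Added example (not the article's code): vulnerable vs. parameterized SQL.

The database, its rows and the payload below are constructed for the demo.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Create a throwaway in-memory database with constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, ssn TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "000-00-0001"), (2, "bob", "000-00-0002")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """VULNERABLE: the input is spliced into the SQL text, so a quote in the
    input closes the string literal and the rest is parsed as SQL."""
    query = f"SELECT id, name, ssn FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """SAFE: the value is bound as a parameter; the engine compares it as a
    string and never parses it as SQL, whatever characters it contains."""
    return conn.execute(
        "SELECT id, name, ssn FROM users WHERE name = ?", (name,)
    ).fetchall()


def demo() -> dict:
    """Run both lookups with a classic tautology payload and a normal name."""
    conn = build_db()
    payload = "x' OR '1'='1"  # turns the WHERE clause into ... = 'x' OR '1'='1'
    return {
        "vulnerable_rows": find_user_vulnerable(conn, payload),  # every row leaks
        "safe_rows": find_user_safe(conn, payload),              # no such user
        "legit_rows": find_user_safe(conn, "alice"),             # normal use works
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The payload never reaches the database as SQL in the safe version, so the same input that dumps every row through the vulnerable function simply matches nothing there. A scanner detects this class of flaw by sending such payloads and watching for changed responses, which is why it counts as a technical vulnerability.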

The most common logical vulnerability is broken access control: the checks that should stop users from reaching content and functions of the network’s web applications they are not authorised for are missing or incomplete. Because the server responds normally to such requests, scanners rarely notice; an attacker who does can escalate from one account to others and, in the worst case, take over the network.
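Why a scanner misses this, shown as an added example that is not from the article: a minimal account lookup that authenticates the caller but never checks ownership, beside its fixed version, plus the manual-style check a tester runs to expose it. Both handlers answer a foreign account with a well-formed HTTP 200 response, so nothing looks abnormal without knowing who owns which account. The accounts, sessions and handler names are constructed for illustration.

```python
"""Added example (not the article's code): broken access control (IDOR).

Accounts, session tokens and the handler shape are constructed for the demo.
Each handler returns (http_status, body) like a tiny web endpoint would.
"""
from typing import Callable, Optional, Tuple

ACCOUNTS = {
    1: {"owner": "alice", "balance": 120},
    2: {"owner": "bob", "balance": 980},
}
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}

Handler = Callable[[str, int], Tuple[int, Optional[dict]]]


def user_for(session_token: str) -> Optional[str]:
    """Resolve a session token to a user name (None if not logged in)."""
    return SESSIONS.get(session_token)


def get_account_vulnerable(session_token: str, account_id: int):
    """VULNERABLE: authentication only. Any logged-in user can read any
    account by changing the id, and the response is a normal 200."""
    user = user_for(session_token)
    if user is None:
        return 401, None
    account = ACCOUNTS.get(account_id)
    if account is None:
        return 404, None
    return 200, account


def get_account_safe(session_token: str, account_id: int):
    """FIXED: authorisation is enforced per object. A foreign account gets the
    same 404 as a missing one, so ids cannot be enumerated either."""
    user = user_for(session_token)
    if user is None:
        return 401, None
    account = ACCOUNTS.get(account_id)
    if account is None or account["owner"] != user:
        return 404, None
    return 200, account


def leaked_account_ids(handler: Handler, session_token: str) -> list:
    """The tester's check: with one user's session, request every known id and
    report those that return 200 but belong to someone else. This needs the
    business rule 'a user sees only their own accounts', which a scanner lacks."""
    user = user_for(session_token)
    leaked = []
    for account_id, account in ACCOUNTS.items():
        status, body = handler(session_token, account_id)
        if status == 200 and body is not None and body["owner"] != user:
            leaked.append(account_id)
    return leaked


if __name__ == "__main__":
    print("vulnerable leaks:", leaked_account_ids(get_account_vulnerable, "sess-alice"))
    print("fixed leaks:", leaked_account_ids(get_account_safe, "sess-alice"))
```

The same test harness reports account 2 leaking through the vulnerable handler and nothing through the fixed one. Note that the fix is a per-object ownership check, not a stronger login: authentication was never the problem.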

What a good network vulnerability assessment report should contain

The executive summary should state clearly the overall security state of your network and the weaknesses detected, in language that managers and business stakeholders with limited information security knowledge can read and understand. The technical part should contain the details of the whole process and the activities the testing team performed, the number and types of vulnerabilities found (each with its severity, the affected hosts, and evidence), the corrective measures that remediate each issue, and the list of scanning tools used. 

How the findings are arranged matters. A good vendor does not hand you raw automated scanner output. Once scanning is over, the vendor should validate the results and discard false positives before the findings go into the report. Otherwise you receive vulnerabilities that do not actually exist and waste time and money trying to reproduce them.

During a network vulnerability assessment, the engineers may find vulnerabilities that your IT team would struggle to reproduce but that an experienced attacker could find and exploit. In such cases it helps to receive a step-by-step reproduction guide or a recorded video from the vendor showing how the vulnerability is triggered. Offering this shows that the vendor is competent in their field and cares about the customer’s ability to act on the findings.

How often to conduct vulnerability assessment

Three main factors determine an appropriate frequency for network vulnerability assessment.

  • The frequency of compliance checks. For example, PCI DSS (the information security standard for companies that handle cardholder data) requires internal and external vulnerability scans at least quarterly and after any significant change, with the external scans performed by an Approved Scanning Vendor (ASV). If you are in scope, it makes sense to have the assessment carried out each quarter, before the compliance check, so that findings can be fixed first. 
  • The frequency of major updates. Network infrastructure typically gets major updates several times a year. It is good practice to assess after every such update, since the changes may introduce new vulnerabilities.
  • Financial risk. This covers losses from business disruption, loss of privacy, leakage of sensitive data, reputational damage, and so on. To reduce the likelihood of such events, vulnerability assessment should be conducted at least twice a year even where no standard requires it.

In summary

Choosing a vendor of vulnerability assessment services is not something to do in the blink of an eye. A good vendor must be able to explain thoroughly how they carry out network vulnerability assessment, help you decide how exactly your network should be assessed, and field a highly skilled and qualified testing team. A professional vendor must also be experienced enough to deliver a comprehensive report containing not only detailed, validated information on the technical and logical vulnerabilities found but also actionable recommendations for improving your network’s security posture.

Taking these and the other factors mentioned in the article into account, you will be able to find a vendor with the necessary expertise and obtain vulnerability assessment services that fully meet your requirements.
