Vulnerability Assessment Vendors: How to Find the Right One

Vulnerability Assessment Vendors: How to Find the Right One

Learn about the key factors to pay attention to when selecting a provider of network vulnerability assessment services.

Regular vulnerability assessment contributes positively to the improvement of the security state of your company’s network. In this article, we’ll show you how to find a professional provider with the competence necessary to perform network vulnerability assessment properly.

Where vulnerability assessment can fall flat

When selecting an appropriate information security services provider, it’s essential to know the key factors to pay attention to. Before choosing the company to conduct vulnerability assessment of your network, it’s important to get the full picture of your potential vendor’s capabilities and competencies. Sometimes, due to the lack of experience, qualification, etc., vendors may fail to provide their customers with high-quality services. We mention below the most common mistakes vendors make and describe what to expect from a good vendor.

  1. Vendors miss the initial stage of clarifying significant details. Vulnerability assessment service providers who are not experienced enough may fail to ask the right questions to get the information on the specifics of your network configurations, for example, where the sensitive data is stored, how your network is protected, what rights the users need to access the servers, etc. The primary task of a qualified vendor is to help you take the right decision regarding how exactly you want your network be assessed (for example, do you want the security engineers to perform scanning from the ‘inside’ of a network or the ‘outside’?). Experienced vendors can provide you with a security assessment questionnaire at the stage of negotiations. Such questionnaires simplify estimating the scope of work for a vendor, as well as clarify whether the customer needs to be compliant with any security standards and regulations (PCI DSS, HIPAA, etc.), what security measures are already in place (firewall protection, IPS/IDS), etc. 
  2. Vendors fail to provide a comprehensive description of the whole network vulnerability assessment process. They must be ready to explain their choice of the approach for performing vulnerability assessment. The explanation doesn’t imply simply giving the list of the scanning tools being used – such information will not be valuable for you as a customer since it doesn’t give you any idea about what exactly will be assessed with those tools. A prospective vendor should be able to clearly describe the steps they are going to execute, and deliverables you get at the end of the process. 
  3. Vendors may try to cut down their costs by attracting entry-level security testing team. Such security specialists can set up a scanning tool but do not have the necessary qualification to draw up a report containing reliable information. Therefore, when assessing a prospective vendor, do not take only their portfolio (the publicly available information on the completed projects) into consideration. What you should pay attention to is the experience of the vendor’s security engineers. Focus on their certifications, published scientific papers, participation in awards programs, etc. Assess the professionals, not the company’s brand. 
  4. Vendors fail to provide their customers with recommendations aimed to remediate the revealed security weaknesses. In spite of the fact that network vulnerability assessment implies only “opening the door” to see the security weaknesses hidden behind it, the ability to point out the network’s flaws is not enough. To assess the vendor’s competence in this matter, you should have a look at the template of the final report they provide at the end of network vulnerability assessment. A well-structured report consists of two main elements: an executive summary (a brief and clear evaluation of the overall security level of your network) and a technical report (a thorough description of the activities performed by security engineers and their findings).

What types of vulnerabilities a vendor may find or miss

In the process of vulnerability assessment, two main types of vulnerabilities can be found: logical and technical. Technical vulnerabilities can be easily detected with automated scanning tools, so even the vendors with not a very high skill level can find them just by setting up a scanning tool correctly. However, only security testing professionals can detect logical vulnerabilities manually as they understand the logic according to which the customer’s network works.

Among the most well-known technical vulnerabilities are:

  • Susceptibility to SQL injection. This vulnerability means a possibility to place malicious code in SQL statements (through a web page input). A successful SQL injection exploit can provide attackers with an opportunity to access and modify, or even destroy the sensitive data in your databases. 
  • Susceptibility to cross site scripting (XSS) attacks. It’s a type of security attack when a hacker inserts, for example, a malicious script into content from other websites that your network trusts. This vulnerability may allow attackers to spread malware, phish for credentials, etc. 
  • Susceptibility to cross-site request forgery (CSRF). This vulnerability allows making a user’s web browser execute an unwanted action in the web application to which this user is logged in. Successfully performed CSRF attacks can result in unauthorized fund transfers and data leakage (stolen passwords or users’ sessions).

The most common logical vulnerability is broken access control, which is supposed to prevent unauthorized users to get to the content and functions of web apps in the network. The existence of this vulnerability may lead even to the takeover of your network by an attacker.

What a good network vulnerability assessment report should contain

The executive summary of a vulnerability assessment report should give clear information about the overall security state of your network and the detected weaknesses. This information should be easy to read and understand for managers or business stakeholders who have limited knowledge in the information security area. The technical part should contain the detailed information on the whole process and the activities performed by the security testing team, the number and types of vulnerabilities found, the list of corrective measures to remediate the revealed issues and the list of the scanning tools used. 

The way the findings are arranged plays an important role. Good vendors should not provide you with “draft” automated scanning tool findings. When scanning is over, the vendor should validate the scanning results before including the details on the revealed security weaknesses in the report. Otherwise, you may get the information on the vulnerabilities that do not actually exist and waste your time and financial resources trying to reproduce these vulnerabilities.

It can happen in the course of network vulnerability assessment that security engineers find the vulnerabilities that may be difficult to reproduce for your IT team but can be discovered and exploited by experienced hackers. In such a case, it will be convenient for you to get a step-by-step guide or a video recorded by a vendor that shows how to reproduce the vulnerability. The availability of such an option shows the vendor as competent in their field and concerned about the comfort of their customers.

How often to conduct vulnerability assessment

There are three main factors to take into account when selecting an appropriate frequency of network vulnerability assessment.

  • The frequency of audits. For example, if you need to be compliant to PCI DSS (the information security standard for companies that handle cardholders’ information), the frequency of carrying out vulnerability assessment depends directly on the frequency of audit checks your company has to go through. As a rule, an audit check is conducted quarterly. Thus, it makes sense to have network vulnerability assessment carried out each quarter prior to every audit. 
  • The frequency of major updates. Generally, the network infrastructure gets major updates several times a year. So, it’s a good practice to have vulnerability assessment performed after every such update, since the changes made to the network may lead to the appearance of new vulnerabilities.
  • Financial risks. They include financial losses in the result of business disruption, loss of privacy, sensitive data leakage, reputational damage, etc. Vulnerability assessment should be conducted at least twice a year if the company wants to prevent such events from occurring.

In summary

Choosing an appropriate vendor of vulnerability assessment services is not something that can be done in the blink of an eye. A good vendor must be able to give a thorough explanation of how they carry out network vulnerability assessment, be ready to help you decide how exactly you would like your network to be assessed, as well as have a highly skilled and qualified security testing team. Moreover, a professional vendor must be experienced enough to provide you with a comprehensive report containing not only the detailed information on the revealed technical and logical security vulnerabilities but also valuable recommendations to improve your network security state.

Taking into consideration these and other factors mentioned in the article, you will be able to find a vendor with the necessary expertise and get vulnerability assessment services that fully meet your requirements.

Featured

  • 7 Reasons Why Governments Need to Regulate AI

    Recently, Elon Musk unveiled two remarkable AI applications. A humanoid robot named Optimus, with its remarkable human-like speech and movements, and a fully autonomous car, absent steering wheel and pedals, called Cybercab. While these examples represent a broad trend of AI integration across industries, they highlight technology’s transformative potential, prompting a need for regulation to ensure it is used responsibly, securely and ethically. Read Now

  • OR Code Phishing on the Rise According to New Report

    KnowBe4 recently released its Q3 2024 Phishing Report. This quarter's findings reveal the most frequently clicked email subjects in simulated phishing tests, demonstrating the continued efficacy of HR and IT-related phishing attempts. KnowBe4’s Q3 2024 Phishing Report reveals that HR and IT-related phishing emails claim a significant 48.6% share of top-clicked phishing types globally. Despite evolving techniques by bad actors, phishing emails remain among the most prevalent tools for executing cyberattacks. Read Now

  • United HealthCare CEO Killed in Targeted Attack in New York City

    United HealthCare CEO Brian Thompson was killed in a targeted attack early Wednesday in Manhattan Read Now

  • Theft, Crime Driving Retail Workers to Look for New Jobs

    More than four in ten retail workers in the U.S. say they are likely to leave their current job in the next 12 months due to personal safety concerns, according to new research conducted by the Loss Prevention Research Council (LPRC) in partnership with Verkada. Read Now

Featured Cybersecurity

Webinars

New Products

  • Automatic Systems V07

    Automatic Systems V07

    Automatic Systems, an industry-leading manufacturer of pedestrian and vehicle secure entrance control access systems, is pleased to announce the release of its groundbreaking V07 software. The V07 software update is designed specifically to address cybersecurity concerns and will ensure the integrity and confidentiality of Automatic Systems applications. With the new V07 software, updates will be delivered by means of an encrypted file. 3

  • Camden CM-221 Series Switches

    Camden CM-221 Series Switches

    Camden Door Controls is pleased to announce that, in response to soaring customer demand, it has expanded its range of ValueWave™ no-touch switches to include a narrow (slimline) version with manual override. This override button is designed to provide additional assurance that the request to exit switch will open a door, even if the no-touch sensor fails to operate. This new slimline switch also features a heavy gauge stainless steel faceplate, a red/green illuminated light ring, and is IP65 rated, making it ideal for indoor or outdoor use as part of an automatic door or access control system. ValueWave™ no-touch switches are designed for easy installation and trouble-free service in high traffic applications. In addition to this narrow version, the CM-221 & CM-222 Series switches are available in a range of other models with single and double gang heavy-gauge stainless steel faceplates and include illuminated light rings. 3

  • FEP GameChanger

    FEP GameChanger

    Paige Datacom Solutions Introduces Important and Innovative Cabling Products GameChanger Cable, a proven and patented solution that significantly exceeds the reach of traditional category cable will now have a FEP/FEP construction. 3