Vulnerability Assessment Vendors: How to Find the Right One

Learn about the key factors to pay attention to when selecting a provider of network vulnerability assessment services.

Regular vulnerability assessment improves the security state of your company’s network, but only when it is done properly. In this article, we show you how to find a professional provider with the competence necessary to perform network vulnerability assessment well.

Where vulnerability assessment can fall flat

When selecting an information security services provider, it’s essential to know which factors to pay attention to. Before choosing a company to assess the vulnerabilities of your network, get the full picture of the prospective vendor’s capabilities and competencies. Vendors who lack experience or qualified staff sometimes fail to deliver high-quality services. Below we list the most common mistakes vendors make and describe what to expect from a good one.

  1. Vendors skip the initial stage of clarifying significant details. Vulnerability assessment providers without enough experience may fail to ask the questions that reveal the specifics of your network: where sensitive data is stored, how the network is protected, what rights users need to reach the servers, and so on. The primary task of a qualified vendor is to help you decide how exactly you want your network assessed. For example, should the security engineers scan from inside the network or from outside, and with or without valid credentials? An unauthenticated scan shows what an external attacker sees; a credentialed scan also finds missing patches and weak configurations on the hosts themselves. Experienced vendors provide a security assessment questionnaire at the negotiation stage. Such questionnaires make it easier for the vendor to estimate the scope of work and clarify whether the customer must comply with any security standards or regulations (PCI DSS, HIPAA, etc.), what security measures are already in place (firewalls, IPS/IDS), and so on. 
  2. Vendors fail to describe the whole network vulnerability assessment process. A vendor must be ready to explain why they chose a particular approach. A bare list of the scanning tools they use is not an explanation: it tells you nothing about what exactly will be assessed with those tools or how their output will be verified. A prospective vendor should be able to describe clearly the steps they will execute and the deliverables you get at the end of the process. 
  3. Vendors may try to cut costs by staffing the engagement with an entry-level security testing team. Such specialists can set up a scanning tool but lack the qualification to turn its output into a report containing reliable information. So when assessing a prospective vendor, do not rely only on their portfolio (the publicly available information on completed projects). Pay attention to the experience of the security engineers who will actually do the work: their certifications, published research, participation in awards programs, and so on. Assess the professionals, not the company’s brand. 
  4. Vendors fail to give their customers recommendations for remediating the security weaknesses they reveal. Network vulnerability assessment only “opens the door” to show the weaknesses hidden behind it, but pointing out the flaws is not enough; you also need to know how to fix them. To judge a vendor’s competence here, ask for the template of the final report they deliver at the end of the assessment. A well-structured report consists of two main parts: an executive summary (a brief, clear evaluation of the overall security level of your network) and a technical report (a thorough description of the activities performed by the security engineers, their findings, and the corrective measures for each).

What types of vulnerabilities a vendor may find or miss

In the process of vulnerability assessment, two main types of vulnerabilities can be found: technical and logical. Technical vulnerabilities can be detected with automated scanning tools, so even vendors with a modest skill level can find them by setting up a scanner correctly (the raw scanner output still has to be validated, as discussed below). Logical vulnerabilities are different: a scanner has no way of knowing what a given user or request is supposed to be allowed to do, so only security testing professionals who understand the logic by which the customer’s network and applications work can detect them, and they do it manually.

Among the most well-known technical vulnerabilities are:

  • Susceptibility to SQL injection. This vulnerability lets an attacker place malicious input into SQL statements (for example, through a web form field) so that the input is interpreted as part of the query rather than as data. A successful SQL injection exploit can let attackers read, modify, or even destroy the sensitive data in your databases. 
  • Susceptibility to cross-site scripting (XSS). Here an attacker injects a malicious script into a page served by a website your users trust, so the victim’s browser executes it with that site’s privileges. This lets attackers steal session cookies, phish for credentials, deface pages, or deliver malware. 
  • Susceptibility to cross-site request forgery (CSRF). This vulnerability lets an attacker make a user’s web browser submit an unwanted request to a web application the user is logged in to, because the browser attaches the session cookie automatically. Successful CSRF attacks can result in unauthorized fund transfers or changes to account settings such as the e-mail address or password, which in turn can lead to account takeover.
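The SQL injection item above is easiest to understand with the vulnerable query next to its fixed form. The following is an added example, not code from the original article or from any vendor it describes; the table, the user records and the payload are all constructed here, and the password column is plain text only to keep the illustration short (a real application stores password hashes). It runs against an in-memory SQLite database.

```python
"""Constructed example: a login lookup built by string formatting, beside the
parameterized version, run against an in-memory SQLite database."""
import sqlite3

# Constructed sample data, not from any real system. Plain-text passwords
# are used only to keep the example short; never do this in production.
SEED_USERS = [
    ("alice", "s3cret-alice", "admin"),
    ("bob", "s3cret-bob", "user"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SEED_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Deliberately vulnerable: user input is spliced into the SQL text,
    so a crafted username changes the logic of the query itself."""
    sql = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchall()


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Hardened: placeholders keep the input as data. The query structure is
    fixed before the values are bound, so quotes in the input cannot alter it."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


# Classic tautology payload: closes the string literal, ORs in an always-true
# condition, and comments out the rest of the WHERE clause (the password check).
PAYLOAD = "' OR 1=1 --"


def demo() -> tuple:
    """Run the payload against both variants and a legitimate login against
    the fixed one; returns (hijacked_rows, blocked_rows, legit_rows)."""
    conn = make_db()
    hijacked = login_vulnerable(conn, PAYLOAD, "wrong-password")
    blocked = login_parameterized(conn, PAYLOAD, "wrong-password")
    legit = login_parameterized(conn, "bob", "s3cret-bob")
    return hijacked, blocked, legit


if __name__ == "__main__":
    hijacked, blocked, legit = demo()
    print("vulnerable query returned", len(hijacked), "rows:", hijacked)
    print("parameterized query returned", len(blocked), "rows")
    print("legitimate login:", legit)
```

The vulnerable variant returns every user, including the admin, for a wrong password because the injected `--` removes the password check from the statement; the parameterized variant treats the same payload as a literal username and returns nothing. This is exactly the class of finding a scanner can detect on its own, by submitting such payloads and watching the response change.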

The most common logical vulnerability is broken access control: the checks that are supposed to stop unauthorized users from reaching the content and functions of the web applications in your network are missing or incomplete. A scanner sees a normal, successful response and moves on; a tester asks whether that response should have been allowed at all. Left in place, this vulnerability can lead to account takeover and, from there, to the takeover of your network by an attacker.
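To show why broken access control is a logical rather than a technical finding, here is an added example (not code from the original article) of an object-level authorization bug beside its fix. The invoice store, the user roles and the ownership rule are constructed assumptions for the illustration; a real application would load the record from its database and take the current user from the session. The `probe` helper does what a manual tester does: walk through a range of record ids as an ordinary user and see which ones come back.

```python
"""Constructed example: a record lookup that never checks ownership, beside a
version that enforces object-level authorization on the server side."""
from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass(frozen=True)
class User:
    name: str
    role: str  # constructed roles for the example: "user" or "admin"


# Constructed sample records keyed by invoice id; a real app would query a DB.
INVOICES = {
    1001: {"owner": "alice", "amount": 120.00},
    1002: {"owner": "bob", "amount": 75.50},
}


class Forbidden(Exception):
    """Raised when the current user may not access the requested record."""


def get_invoice_vulnerable(current: User, invoice_id: int) -> dict:
    """Deliberately broken: any authenticated user can read any invoice by
    guessing its id. The lookup never asks who owns the record, and a scanner
    sees nothing wrong because the response is a perfectly valid 200."""
    return INVOICES[invoice_id]


def get_invoice_checked(current: User, invoice_id: int) -> dict:
    """Fixed: authorization is decided per object, after the record is loaded.
    Admins may read everything; everyone else only their own invoices."""
    record = INVOICES.get(invoice_id)
    allowed = record is not None and (
        current.role == "admin" or record["owner"] == current.name
    )
    if not allowed:
        # Same outcome for missing and foreign records, so an attacker cannot
        # use the difference to enumerate which ids exist.
        raise Forbidden(f"invoice {invoice_id} is not accessible")
    return record


def probe(current: User, ids: Iterable[int], lookup: Callable) -> list:
    """Try each id as the given user, the way a manual tester would, and return
    the ids whose records were readable."""
    readable = []
    for invoice_id in ids:
        try:
            lookup(current, invoice_id)
            readable.append(invoice_id)
        except (KeyError, Forbidden):
            pass
    return readable


if __name__ == "__main__":
    bob = User("bob", "user")
    print("vulnerable:", probe(bob, range(1000, 1005), get_invoice_vulnerable))
    print("checked:   ", probe(bob, range(1000, 1005), get_invoice_checked))
```

Run as the ordinary user bob, the vulnerable lookup exposes alice’s invoice as well as his own; the checked lookup exposes only his own. Nothing in the HTTP exchange distinguishes the two cases, which is why a vendor needs engineers who understand the application’s intended rules, not just a scanner.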

What a good network vulnerability assessment report should contain

The executive summary of a vulnerability assessment report should give clear information about the overall security state of your network and the weaknesses detected. It should be easy to read and understand for managers and business stakeholders with limited knowledge of information security. The technical part should contain the details of the whole process and the activities performed by the security testing team, the number and types of vulnerabilities found with their severity, the corrective measures for each issue, and the list of scanning tools used. 

The way the findings are arranged also matters. Good vendors do not hand you the “draft” output of an automated scanner. When scanning is over, the vendor should validate the results (confirm each finding manually and drop the false positives) before including the details of the revealed weaknesses in the report. Otherwise, you may receive information on vulnerabilities that do not actually exist and waste time and money trying to reproduce them.

In the course of network vulnerability assessment, security engineers may find vulnerabilities that your IT team has difficulty reproducing but that experienced attackers can discover and exploit. In such cases it is useful to get a step-by-step guide or a video recorded by the vendor showing how to reproduce the vulnerability. Offering this shows that the vendor is competent in their field and cares about their customers’ convenience.

How often to conduct vulnerability assessment

There are three main factors to take into account when selecting an appropriate frequency of network vulnerability assessment.

  • The frequency of audits. For example, if you need to comply with PCI DSS (the information security standard for companies that handle cardholder data), the frequency of vulnerability assessment follows directly from what the standard requires: internal and external vulnerability scans at least quarterly and after any significant change to the environment. In practice, then, network vulnerability assessment is carried out each quarter, ahead of each compliance check. 
  • The frequency of major updates. Network infrastructure generally receives major updates several times a year. It is good practice to have a vulnerability assessment performed after every such update, since changes to the network may introduce new vulnerabilities.
  • Financial risks. These include financial losses resulting from business disruption, loss of privacy, sensitive data leakage, reputational damage, and so on. Even without a compliance driver, vulnerability assessment should be conducted at least twice a year if the company wants to reduce the likelihood of such events.

In summary

Choosing an appropriate vendor of vulnerability assessment services is not something that can be done in the blink of an eye. A good vendor must be able to explain thoroughly how they carry out network vulnerability assessment, be ready to help you decide how exactly you would like your network assessed, and have a highly skilled and qualified security testing team. Moreover, a professional vendor must be experienced enough to provide a comprehensive report containing not only the details of the revealed technical and logical vulnerabilities but also valuable recommendations for improving your network’s security state.

Taking into consideration these and other factors mentioned in the article, you will be able to find a vendor with the necessary expertise and get vulnerability assessment services that fully meet your requirements.
