Vulnerability Assessment
The role of cyber security experts is essential in protecting an organisation from possible, and increasingly frequent, cyber threats. To this end, the Vulnerability Assessment (VA) activity analyses the vulnerabilities present in the IT infrastructure of one or more networks, in order to evaluate and highlight their possible implications for system security. This helps make the IT infrastructure less exposed to external attacks and to the resulting violations of personal data (data breach) and/or business data (know-how).
The activity includes a first phase in which vulnerabilities are identified using scanning tools, followed by a second phase in which they are categorised by type and assigned a degree of severity. Under the GDPR (General Data Protection Regulation), this practice also constitutes an application of the accountability principle by a Data Controller.
The main objective of the Vulnerability Assessment is to identify and measure, using appropriate tools and assessment frameworks, the number of vulnerabilities present in a given system and their severity level in relation to the risk level assigned to the corporate asset being analysed.
This practice makes it possible to establish whether, and possibly how, the system being analysed could be compromised, and consequently to estimate the impact on the business.
By assigning a priority scale to the findings and structuring the corrective actions to be carried out within a relatively short time frame, the IT architecture analysed is restored to a state of security and compliance. This phase reproduces an attack carried out automatically (malware, viruses, script kiddies); however, it does not take into consideration some key factors, such as: deficiencies arising from the complexity of application-logic management, particular configurations that present risks that are not immediately evident, traceability of user operations, architectural or process problems, obsolete or highly innovative technologies, etc.
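As an added illustration (not from the original page or any particular scanner), the following Python example ranks constructed scanner findings by combining their severity band with the risk level assigned to the affected asset, which is the prioritisation step the assessment phase above describes; the hosts, findings, weightings and CVSS-style bands are assumed sample values.

```python
# Added illustration (not from the original page): ranking vulnerability
# findings by severity combined with the risk level assigned to the
# affected asset. All assets, findings and weightings are constructed.

# Ordinal weights for scanner severity (CVSS-style bands) and asset risk.
SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}
ASSET_RISK_WEIGHT = {"high": 3, "medium": 2, "low": 1}

# Constructed asset inventory: hostname -> risk level assigned by the business.
ASSETS = {"web-01": "high", "intranet-02": "medium", "test-03": "low"}

# Constructed scanner output: one entry per finding.
FINDINGS = [
    {"id": "F1", "host": "web-01", "type": "outdated-software", "cvss": 7.5},
    {"id": "F2", "host": "test-03", "type": "weak-tls-config", "cvss": 9.1},
    {"id": "F3", "host": "intranet-02", "type": "missing-patch", "cvss": 5.3},
    {"id": "F4", "host": "web-01", "type": "weak-tls-config", "cvss": 4.0},
]

def severity_band(cvss: float) -> str:
    """Map a CVSS v3 base score to its qualitative severity band."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"

def prioritise(findings, assets):
    """Return findings ranked by severity x asset risk (highest first)."""
    ranked = []
    for f in findings:
        sev = severity_band(f["cvss"])
        asset_risk = assets.get(f["host"], "low")  # unknown host: assume low risk
        score = SEVERITY_WEIGHT[sev] * ASSET_RISK_WEIGHT[asset_risk]
        ranked.append({**f, "severity": sev, "asset_risk": asset_risk, "priority": score})
    # Ties are broken by raw CVSS so the ordering is deterministic.
    return sorted(ranked, key=lambda r: (r["priority"], r["cvss"]), reverse=True)

def by_type(ranked):
    """Group ranked finding ids by vulnerability type for the remediation report."""
    groups = {}
    for r in ranked:
        groups.setdefault(r["type"], []).append(r["id"])
    return groups

if __name__ == "__main__":
    for r in prioritise(FINDINGS, ASSETS):
        print(f'{r["priority"]:2d}  {r["id"]}  {r["host"]:12s} {r["severity"]:8s} {r["type"]}')
```

Note that the critical finding on the low-risk test host ranks below a medium finding on the high-risk web server, which is the effect of weighting by the asset's assigned risk rather than by scanner severity alone.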
The VA activity typically involves the use of specific tools, such as web vulnerability or network security scanners; the results are then assessed on the basis of the asset being analysed and shared with the development team or the group responsible for operations.
It is desirable that the VA and PT (penetration testing) activities are carried out together and at least annually, in order to determine the level of vulnerability of the network components exposed to the public and to ensure that the defence measures are adequate for identifying and countering all possible illegal actions.