Vulnerability assessments can be a very effective way of gathering information on an organizations internal security posture. The purpose is to accumulate data on any weaknesses revealed that should be proactively mitigated to prevent exploitation. There are a number of tools that can be used to carry out vulnerability assessments. Typically, a software-based tools are used to scan a selected part of an organizations infrastructure. This can range from specific areas that are exposed to the public, to entire sections of the organizations network. Sans (2001) lists four of the most common types of vulnerability scanner. These include network-based scanning tools, host-based scanning tools, database scanning tools, and wardialers.
Before carrying out any type of vulnerability scan, the first step an organization should carry out is to gather information on their people, processes, and technology. Vulnerability tools will help assessing technology, however other methods should be established to effectively gather information on business process and personnel. After the information is gathered, prioritization should begin in determining which assets are most critical that need to be addressed first, followed by implementation of mitigation strategies. The vulnerability assessment process should be ongoing within an organization. Implementation of a framework such as Homeland Security’s Continuous Diagnostics and Mitigation (CDM), should also be central to vulnerability assessment. DHS (2018). An effective CDM approach assists in prioritization and ongoing defense and protection.