Cybersecurity Education Series for Nonprofits – Vulnerability Assessments

In the fourth installment of our cybersecurity series for nonprofit organizations, we discuss the importance of vulnerability assessments. 

Internal and external vulnerability assessments are paramount to the security of any organization, and nonprofit organizations are no exception. A vulnerability assessment is a methodical evaluation of an organization's computer systems, networks, applications, hardware, and other assets to identify risks and vulnerabilities. It is conducted by leveraging a range of tools and methods to identify vulnerabilities and assign each a risk ranking.

One of the most applicable tools in a vulnerability assessment is a vulnerability scanning tool. Organizations should have their internal hosts (i.e., workstations, servers, and other devices that reside within a network behind a gateway) scanned with a vulnerability scanning tool at least every 30 days, while external hosts (i.e., devices that are accessible from the internet) should be scanned at least every 90 days. Scans should be run to validate that systems are patched against the latest threats and to verify that devices, applications, and operating systems are properly and securely configured. Internal vulnerability scans should be credentialed (authenticated) scans. Authenticated scans give an organization deeper insight into vulnerabilities, weak configurations, and missing patches than unauthenticated scans can. Scan results should be compared to patch management tool data, and any differences should be investigated and resolved.
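The two checks described above (scan cadence per zone, and reconciling scanner findings against the patch management tool) are easy to automate once both exports are in hand. The script below is an added illustration, not code from CLA or from any particular scanner; every host name, patch identifier, date and field name in it is a constructed placeholder, since real scanners and patch tools each have their own export formats.

```python
"""Reconcile vulnerability-scan findings with patch-management records and
check scan cadence (internal hosts every 30 days, external hosts every 90).

Added example. All records below are constructed sample data; the field
names (host, zone, authenticated, scanned, missing_patch) are assumptions,
not any vendor's export format.
"""
from datetime import date

INTERNAL_MAX_AGE_DAYS = 30   # cadence for hosts behind the gateway
EXTERNAL_MAX_AGE_DAYS = 90   # cadence for internet-facing hosts
REPORT_DATE = date(2024, 5, 10)  # constructed "today" for the report

# Constructed scan export: one record per (host, missing patch) finding.
# A record with missing_patch=None means the host was scanned with no findings.
SCAN_FINDINGS = [
    {"host": "fileserver01", "zone": "internal", "authenticated": True,
     "scanned": date(2024, 5, 2), "missing_patch": "KB-EXAMPLE-0001"},
    {"host": "fileserver01", "zone": "internal", "authenticated": True,
     "scanned": date(2024, 5, 2), "missing_patch": "KB-EXAMPLE-0002"},
    {"host": "hr-laptop07", "zone": "internal", "authenticated": False,
     "scanned": date(2024, 3, 15), "missing_patch": None},
    {"host": "www-public", "zone": "external", "authenticated": False,
     "scanned": date(2024, 1, 10), "missing_patch": "KB-EXAMPLE-0003"},
]

# Constructed patch-management export: patches the tool reports as installed.
PATCH_RECORDS = {
    "fileserver01": {"KB-EXAMPLE-0001"},               # tool says installed, scanner disagrees
    "hr-laptop07": {"KB-EXAMPLE-0001", "KB-EXAMPLE-0002"},
    "www-public": {"KB-EXAMPLE-0003"},                 # same disagreement, external host
    "backup02": {"KB-EXAMPLE-0001"},                   # known to patch tool, never scanned
}


def stale_scans(findings, today):
    """Hosts whose most recent scan is older than the cadence for their zone.

    Returns a sorted list of (host, zone, age_in_days)."""
    latest = {}
    for f in findings:
        key = (f["host"], f["zone"])
        latest[key] = max(latest.get(key, f["scanned"]), f["scanned"])
    stale = []
    for (host, zone), last in latest.items():
        limit = INTERNAL_MAX_AGE_DAYS if zone == "internal" else EXTERNAL_MAX_AGE_DAYS
        age = (today - last).days
        if age > limit:
            stale.append((host, zone, age))
    return sorted(stale)


def unauthenticated_internal(findings):
    """Internal hosts scanned without credentials; those scans miss the
    configuration and patch detail an authenticated scan would report."""
    return sorted({f["host"] for f in findings
                   if f["zone"] == "internal" and not f["authenticated"]})


def reconcile(findings, patch_records):
    """Differences between the scanner and the patch tool that need investigation.

    disputed : patch tool claims the patch is installed, scanner still reports it missing
    unscanned: hosts the patch tool manages that appear in no scan result at all
    """
    scanned_hosts = {f["host"] for f in findings}
    disputed = []
    for f in findings:
        kb = f["missing_patch"]
        if kb and kb in patch_records.get(f["host"], set()):
            disputed.append((f["host"], kb))
    unscanned = sorted(set(patch_records) - scanned_hosts)
    return sorted(disputed), unscanned


if __name__ == "__main__":
    for host, zone, age in stale_scans(SCAN_FINDINGS, REPORT_DATE):
        print(f"STALE      {host:14s} {zone:8s} last scan {age} days ago")
    for host in unauthenticated_internal(SCAN_FINDINGS):
        print(f"UNAUTH     {host:14s} internal scan ran without credentials")
    disputed, unscanned = reconcile(SCAN_FINDINGS, PATCH_RECORDS)
    for host, kb in disputed:
        print(f"DISPUTED   {host:14s} {kb} reported installed but scanner says missing")
    for host in unscanned:
        print(f"UNSCANNED  {host:14s} managed by patch tool, absent from scan results")
```

Each "disputed" line is exactly the kind of difference the text says to investigate: either the patch tool is reporting a deployment that never completed, or the scanner's detection is wrong, and only checking the host settles it. "Unscanned" hosts are usually inventory gaps between the two tools, and closing them matters because an unscanned host gets no vulnerability coverage at all.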

Penetration testing is also normally performed during a vulnerability assessment and acts as a good accompaniment to vulnerability scanning. Penetration testing involves someone acting as a malicious attacker would against a network for the purposes of identifying attack vectors and items that can be exploited so they can be effectively remediated.

It is recommended that internal and external vulnerability assessments be performed at least annually, or whenever significant changes occur to the internal or external network. Regular and prompt identification of IT-related risks allows an organization to monitor those risks effectively and remediate them efficiently. Organizations that consistently perform vulnerability assessments have a better understanding of their current threat landscape and are better prepared to defend against and react to threats.

This content was written by Javier Young, CLA’s Cybersecurity Principal.

How CLA Can Help

CLA’s cybersecurity team has a deep understanding of the current threat landscape and can assist with internal and external vulnerability assessments. Do not go it alone. Learn more here, and reach out if you have any questions.

Keep Pace with Our Cybersecurity Education Series for Nonprofits

Series Introduction

Security Basics I

Security Basics II

Security Basics III
