Question

1. What is vulnerability assessment useful for, what are its functions, and what do you find the most challenging about them?

Answer 1

Ans.

The Importance Of Vulnerability Assessment

Simply put, an organization can fully understand the security flaws, overall risk, and assets that are vulnerable to cybersecurity breaches. To stay protected and to counter surprise attacks, a thorough vulnerability assessment can fix the unattended security issues.

Vulnerability Assessment

• Step 1: Conduct Risk Identification And Analysis
• Step 2: Vulnerability Scanning Policies and Procedures
• Step 3: Identify The Types Of Vulnerability Scans
• Step 4: Configure The Scan
• Step 5: Perform The Scan
• Step 6: Evaluate And Consider Possible Risks
• Step 7: Interpret The Scan Results
• Step 8: Create A Remediation Process And Mitigation Plan

A statistical correlation between the observed ground motion and the damage to the residential buildings is derived for overall damaged buildings and expressed as the vulnerability function. The loss function is calculated by combining the seismic hazard with the vulnerability function.

The study of vulnerability and annual seismic hazard shows that the specific annual risk for the range of motion of 0.18 to 0.5 g is equal to 0.02. This indicates that the specific risk for semi-engineered residential buildings with a lifetime of 20 years is about 33%. This study also shows that in large cities, such as Tehran, located in seismic areas, the extent of damage according to the vulnerability function will be 45 and 70% for expected maximum accelerations of 0.3 and 0.4 g, respectively.

Here are a few common reasons we hear from across the industry regarding why vulnerability management is so difficult:

1. Limited time and resources. In some cases, patching can be time-consuming and expensive for most companies. Almost every company I know struggles to find the time or manpower to test and apply the patches. Because cybersecurity professionals often have to fight for their budgets in the first place, it can be difficult to make the case for extra resources needed to ensure all your software vulnerabilities are addressed.
2. The time to test patches. When possible, organizations should test patches on an isolated system to determine if there are any unforeseen or unwanted side effects. But, for most companies, testing patches before deployment is a luxury. Most businesses don’t have test environments to observe whether a patch will have a negative impact on production, and thus, they hesitate to patch, fearing that critical systems may be negatively impacted.
3. They can’t scale easily. Due to the complexity of some systems, installing a patch or collection of patches can be a major undertaking. Many patches require that a system be rebooted, leading to downtime on systems with high requirements for availability. For larger companies, patching can be difficult because they don’t have the software tools to automate the process across the large numbers of endpoints and servers.
4. Some systems can’t be patched. For healthcare, in particular, medical devices are often supported by the manufacturer and also regulated by the FDA. As such, companies are often forced to take a hands-off approach to this class of assets, leaving them exposed to attacks from malicious attackers.