
Vulnerability analysis

Vulnerability analysis refers to the processes aimed at finding threats, vulnerabilities and risks of unauthorized intrusion into the IS (information system).

A vulnerability is a weak component of an organization’s IS. A threat is the possibility of negative impact from intruders, which may lead to the compromise of commercial and other confidential information. The third party in such an analysis is the attacker, who exploits vulnerabilities to realize threats.

Vulnerabilities weaken the entire enterprise: it becomes less secure against unscrupulous competitors, attackers can do harm more easily, and third parties can gain access to sensitive data.

The source of the threat can be either accidental or intentional. The third option is man-made and natural factors, which should never be ruled out.

Each threat has its own list of vulnerabilities through which an attacker can carry it out.

Information Security (IS) Vulnerability Analysis

Effective IS provides not only protection against the theft of any data from a business’s network, but also financial protection for the business as a whole. Businesses that want to distinguish themselves with quality IS are constantly working to prevent:

  • leaks of any corporate data
  • remote editing of protected information
  • changes in the level of protection against threats that could provoke loss of trust of investors, suppliers, counterparties, etc.

Threats can have multiple sources, so it is very important to classify them in a timely manner and create a scheme to analyze them. This will provide the greatest coverage of potential vulnerabilities in the enterprise’s business processes.

In IS, it is crucial to follow four principles:

  1. confidentiality
  2. integrity
  3. reliability
  4. availability

Types of threats to be analyzed

In order to conduct a qualitative analysis of vulnerabilities in the information structure, it is necessary to distinguish the types of threats that can occur in the system of a particular organization. Such threats are divided into separate classes.

Class 1. A potential source of threat, which can be located:

  • directly in the information system (IS)
  • within the IS visibility (e.g., devices for unauthorized sound recording)
  • outside the IS visibility (interception of data while it is being sent somewhere).

Class 2. Impacts on the IS that may carry:

  • active threat (trojan, virus)
  • passive threat (copying of confidential information by an intruder)

Class 3. The method of gaining access, which can be:

  • direct (stealing passwords)
  • through non-standard communication channels (e.g., operating system vulnerabilities).

The main goals of an attack on a company’s IT infrastructure are:

  • gaining control over valuable resources and data
  • organizing unauthorized access to the corporate network
  • restriction of the company’s activities in a certain area

The second method is most often realized by order of unscrupulous competitor companies or political figures.

What can pose a threat to the information security of an enterprise:

  • malware
  • fraudulent hackers
  • insiders (employees acting with malicious intent or recklessly)
  • natural phenomena

A threat can be realized in several ways: for example, by intercepting data, planting a software or hardware implant (a “bookmark”), disrupting local wireless corporate networks, or arranging for insiders to access the company’s infrastructure.

Assessing the likelihood of threats

To assess the likelihood of a threat occurring, professionals use a qualitative scale consisting of three levels. Let us consider them in detail.

Level 1 – H (“low probability”)

This level is characterized by a minimal probability of occurrence. Such a threat has no preconditions (past incidents, motives) for being realized. Level H threats, as a rule, occur no more often than once in 5–10 years.

Level 2 – C (“medium probability”)

This threat has a slightly higher probability of occurrence than the previous threat because, for example, there have been similar incidents in the past or it is known that the attacker has plans to implement such a threat. Level C threats result in an actual incident about once a year.

Level 3 – B (“high probability”)

The threat has a high chance of realization. This is supported by statistical information, the presence of similar incidents in the past, and serious motivation on the part of attackers. The probable frequency of occurrence of Level B threats is once a week or more often.
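
The three-level scale above, applied to a small threat register, as an added example that is not part of the original article. The cutoffs between the article's anchor frequencies, the field names and the sample register are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Anchors from the article: H = at most once in 5-10 years, C = about once
# a year, B = once a week or more. Cutoffs between anchors are assumptions.
H_MAX_PER_YEAR = 1 / 5
B_MIN_PER_YEAR = 52

@dataclass
class Threat:
    name: str
    source: str        # class 1: "inside", "in_view" or "out_of_view"
    impact: str        # class 2: "active" or "passive"
    access: str        # class 3: "direct" or "non_standard"
    incidents: list = field(default_factory=list)  # dates of past incidents
    known_intent: bool = False  # an attacker is known to plan this threat

def likelihood(threat, start, end):
    """Rate one threat as 'H', 'C' or 'B' from incidents seen in [start, end]."""
    years = (end - start).days / 365.25
    if years <= 0:
        raise ValueError("observation window must be positive")
    rate = sum(start <= d <= end for d in threat.incidents) / years
    if rate >= B_MIN_PER_YEAR:
        return "B"
    # Past incidents or known attacker plans lift a threat out of level H.
    if rate > H_MAX_PER_YEAR or threat.known_intent:
        return "C"
    return "H"

def prioritise(threats, start, end):
    """Return (level, name) pairs, most likely first."""
    order = {"B": 0, "C": 1, "H": 2}
    rated = [(likelihood(t, start, end), t.name) for t in threats]
    return sorted(rated, key=lambda r: (order[r[0]], r[1]))

# Constructed sample register; every entry is invented for illustration.
START, END = date(2023, 1, 1), date(2025, 1, 1)
REGISTER = [
    Threat("password theft", "inside", "passive", "direct",
           [START + timedelta(days=n) for n in range(0, 731, 5)]),
    Threat("trojan infection", "inside", "active", "non_standard",
           [date(2023, 6, 2), date(2024, 9, 14)]),
    Threat("sound recording device", "in_view", "passive", "direct"),
    Threat("data interception in transit", "out_of_view", "passive",
           "non_standard", known_intent=True),
]
```

A threat with no incident history still moves from H to C when `known_intent` is set, which mirrors the article's point that known attacker plans are a precondition in their own right.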

Vulnerability Analysis Techniques

There are several ways to analyze vulnerabilities in a system. One of them uses a probabilistic methodology and takes the following factors into account:

  • the potential of the attacker (identified through expert assessments)
  • the source of the threat (where an attack is possible – in or out of line of sight)
  • exposure method (network, hardware, or social)
  • threat object (corporate data, means for encryption, transmission, work with them or company employees)

When analyzing vulnerabilities in an information system, it is crucial to consider where they may be located. In practice this means promptly detecting and eliminating errors in the operating system and software, and then systematically installing all security patches from developers.

Analysis of vulnerabilities that are related to misconfiguration of security features should be performed regularly. The ideal solution is to set up continuous monitoring of the IS for vulnerabilities. Separate from the above analysis, it is mandatory to carry out certain activities with the company’s working personnel: grant access rights to data and resources, rights to install specialized software, as well as rights to copy information and use external data carriers.
