In this article, you will find out why we have introduced probability of occurrence as a new factor in vulnerability risk assessment, and how IT security assessment works in our Security Audit Platform.
In today's digital world, ensuring IT security is a top priority. It is therefore essential to conduct a comprehensive assessment and establish effective vulnerability management in order to minimise potential risks.
To achieve this goal, we have now integrated the probability of occurrence as a key factor in vulnerability risk assessment, in addition to severity.
Step 1: Performing a Security Audit
The security audit forms the basis of an organisation's overall security strategy and security assessment. We split the process into external and internal audits to analyse all potential vulnerabilities and points of attack.
External Verification
Lywand performs a comprehensive audit of (sub)domains, IP addresses and email addresses. We identify potential vulnerabilities and points of attack from an attacker's perspective on web servers, VPN gateways, mail servers and web applications. We also check whether email addresses and passwords have been compromised.
Our scanning cluster is broad-based and includes both our own scanners and open source tools. Our database contains over 120,000 vulnerabilities.
Internal Verification
We have developed an agent that scans internal targets such as client and server endpoints. It checks configurations against best practices, patch levels against known vulnerabilities (CVEs), and basic security mechanisms such as the Windows firewall and anti-virus software.
Continuity is Essential
A security audit is only a snapshot in time, as new vulnerabilities may appear the very next day. It is therefore essential to conduct security audits on a regular basis.
Step 2: Risk Assessment of Identified Vulnerabilities
Following a security audit, all identified vulnerabilities are listed. Each vulnerability is assigned a risk rating based on its severity and likelihood of occurrence.
Severity
We use CVSS (Common Vulnerability Scoring System) to determine severity. The CVSS base score takes into account how the vulnerability is reached and how hard it is to exploit (attack vector, attack complexity, privileges required, user interaction) as well as its impact on the confidentiality, integrity and availability of data.
In practice, a single audit often turns up many high severity vulnerabilities, which makes it hard to decide what to fix first. We therefore consider not only the severity but also the likelihood that a vulnerability will actually be exploited.
Probability of Occurrence
To determine the probability of occurrence, an AI model is run daily to estimate how likely it is that an identified vulnerability will be exploited by an attacker within the next 30 days.
This estimate depends on various factors, such as how long the vulnerability has been publicly known, whether exploit code exists, and whether security scanners are actively looking for the vulnerability.
A high severity rating alone does not necessarily mean a high risk if the likelihood of exploitation is low. On the other hand, a low severity vulnerability that is highly likely to be exploited could pose a serious risk.
This approach allows you to use your resources more efficiently and focus on the most important measures.
Step 3: Comprehensive Rating Scale
Finally, the individual risks of the vulnerabilities are combined into an overall security rating. This rating reflects the cumulative risk of all findings, with higher individual risks weighted more heavily.
The resulting security rating is shown in the security dashboard on a scale from A to F, with F being the worst rating. Behind it is a score from 1 to 10, which is mapped linearly onto the A to F ratings.
Legend
The legend assigns clear meanings to the ratings to simplify interpretation.
A - excellent: An excellent level of technical security has been achieved and (almost) no security vulnerabilities were discovered.
B - good: Good security performance has been achieved and the IT infrastructure is equipped with reliable security measures.
C - acceptable: The level of security is acceptable and above average. Nevertheless, there is potential for improvement.
D - questionable: There are concerns about the security situation. There are potential risks that should be considered.
E - alarming: Alarming security vulnerabilities were found that could potentially be exploited. There is an urgent need for action.
F - critical: Critical security vulnerabilities were found that are likely to be exploited. Immediate action is required.
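Steps 2 and 3 together describe a pipeline: per-finding severity and exploitation probability are combined into a risk, the risks are aggregated so that the worst findings dominate, and the 1 to 10 result is mapped linearly onto A to F. The following is an added example of that pipeline, not Lywand's code. The page does not publish the platform's formulas, so the choices here are assumptions made for illustration: risk as the product of CVSS score and probability, aggregation by a power mean (exponent 3) so that high risks pull the score up more than a plain average would, and six equal grade bands of width 1.5. The finding names and numbers are constructed.

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Finding:
    name: str
    severity: float    # CVSS base score, 0.0 - 10.0
    p_exploit: float   # estimated probability of exploitation within 30 days, 0.0 - 1.0

    def __post_init__(self) -> None:
        if not 0.0 <= self.severity <= 10.0:
            raise ValueError(f"{self.name}: severity {self.severity} outside 0-10")
        if not 0.0 <= self.p_exploit <= 1.0:
            raise ValueError(f"{self.name}: probability {self.p_exploit} outside 0-1")


def finding_risk(f: Finding) -> float:
    """Risk of one finding on a 0-10 scale.
    Assumption (not Lywand's formula): severity scaled by likelihood, so a
    9.8 that is almost never exploited ranks below a 5.3 that is being hit."""
    return f.severity * f.p_exploit


def prioritise(findings: Iterable[Finding]) -> List[Tuple[str, float]]:
    """Findings ordered by risk, highest first: the remediation order."""
    ranked = ((f.name, round(finding_risk(f), 2)) for f in findings)
    return sorted(ranked, key=lambda t: t[1], reverse=True)


def overall_score(findings: List[Finding], p: int = 3) -> float:
    """Aggregate all per-finding risks into one score on 1-10.
    Assumption: a power mean with exponent p (p=1 is the plain average,
    p -> infinity the maximum), so the worst findings weigh more than the
    average would. No findings at all gives the best score, 1.0."""
    if not findings:
        return 1.0
    risks = [finding_risk(f) for f in findings]
    power_mean = (sum(r ** p for r in risks) / len(risks)) ** (1 / p)  # 0..10
    return round(1.0 + 9.0 * power_mean / 10.0, 2)


GRADES = "ABCDEF"


def grade(score: float) -> str:
    """Map the 1-10 score linearly onto A-F (assumption: six bands of width 1.5)."""
    if not 1.0 <= score <= 10.0:
        raise ValueError(f"score {score} outside 1-10")
    return GRADES[min(int((score - 1.0) / 1.5), len(GRADES) - 1)]


# Constructed sample audit result (names and values invented for illustration).
SAMPLE = [
    Finding("SQL injection in login form", severity=9.8, p_exploit=0.70),
    Finding("Outdated OpenSSH version, no public exploit", severity=7.5, p_exploit=0.02),
    Finding("Directory listing exposes backup files", severity=5.3, p_exploit=0.30),
    Finding("Missing HSTS header", severity=3.1, p_exploit=0.04),
]

if __name__ == "__main__":
    print("By severity only:", [f.name for f in sorted(SAMPLE, key=lambda f: -f.severity)])
    print("By risk:         ", prioritise(SAMPLE))
    s = overall_score(SAMPLE)
    print(f"Overall score {s} -> grade {grade(s)}")
```

Run as a script, the two orderings show the article's point: by severity alone the outdated OpenSSH (7.5) outranks the directory listing (5.3), while by risk the directory listing comes second because it is ten times more likely to be exploited in the next 30 days. The aggregation also shows why one critical finding is enough to drag a whole estate down: with exponent 3 the single 6.86 risk dominates the three small ones.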
Thomas Haak
February 28, 2024
Category: Feature