Vulnerability analysis refers to processes aimed at finding any threats, vulnerabilities and risks of potential unauthorized intrusion of intruders into the IP (information system).

Vulnerability is a weak component of an organization’s IP. A threat is the possibility of a negative impact from intruders, which may lead to the compromise of commercial and other confidential information. The third party in such an analysis is an attacker who uses vulnerabilities to implement threats.

If vulnerabilities are present, this negatively affects the work of the entire enterprise, as it becomes less secure against unscrupulous competitors, it simplifies the work of hackers to cause harm and allows third parties to gain access to confidential data.

The source of the threat can be either accidental or intentional. The third option is man—made and natural factors that should never be excluded.

Each threat has its own list of vulnerabilities that an attacker can use to implement their plans.

Vulnerability analysis in the field of information security (IS)

Effective information security provides not only protection against theft of any data from the enterprise network, but also financial protection of the business as a whole. Enterprises that want to be distinguished by high-quality information security are constantly working to prevent:

• leaks of any corporate data
• remote editing of protected information
• changes in the level of protection against threats that can provoke a loss of trust among investors, suppliers, contractors, etc.

Threats can have several sources, so it is very important to classify them in a timely manner and create a scheme for their analysis. This will allow you to get the greatest coverage of potential vulnerabilities in the business processes of the enterprise.

It is extremely important to follow four principles in IB:

1. confidentiality
2. integrity
3. reliability
4. availability

Types of analyzed threats

In order to conduct a qualitative analysis of the vulnerabilities of the information structure, it is necessary to distinguish the types of threats that may arise in the system of a particular organization. Such threats are divided into separate classes.

1st grade. A potential source of threat that may be located:

• directly in the information system (IS)
• within sight of the IC (for example, devices for unauthorized sound recording)
• out of sight of the IP (interception of data in the process of sending it somewhere)

2nd grade. The impact on IP that can be:

• an active threat (Trojan, virus)
• passive threat (copying of confidential information by an attacker)

3rd grade. A method of providing access that can be implemented:

• directly (password theft)
• through non-standard communication channels (for example, operating system vulnerabilities)

The main targets of the attack on the company’s IT infrastructure:

• gaining control over valuable resources and data
• organization of unauthorized access to the corporate network
• limitation of the company’s activities in a certain area

The second method is most often implemented by order of unscrupulous competitor companies or political figures.

What exactly can pose a threat to the information security of any enterprise:

• malicious software
• hacker scammers
• insiders are employees who act with malicious intent or carelessness
• natural phenomena

There are several ways to implement the threat. For example, to intercept data, leave a software or hardware “bookmark” or disrupt the operation of local wireless corporate networks, organize access to the company’s infrastructure for insiders.

Threat probability assessment

To assess the likelihood of a threat, professionals use a qualitative scale consisting of three levels. Let’s look at them in more detail.

Level 1 — H (“low probability”)

It differs in the minimum probability of occurrence. Such a threat has no prerequisites (past incidents, motives) for it to be implemented. Threats of level H, as a rule, do not occur more often than once every 5-10 years.

Level 2 — C (“average probability”)

Such a threat is slightly more likely to occur than the previous one, because in the past, for example, there have already been similar incidents or it is known that the attacking side has plans to implement such a threat. C-level threats lead to real-life incidents about once a year.

Level 3 — B (“high probability”)

The threat has a high chance of being realized. This is confirmed by statistical information, the presence of similar incidents in the past, and serious motivation on the part of intruders. The likely frequency of level B threats is once a week or more.

Vulnerability analysis techniques

There are several ways in which you can analyze system vulnerabilities. One of them is based on a probabilistic method, and when applying it, you need to rely on the following factors:

• • the potential of an attacker (identified by expert assessments)
  • the source of the threat (where an attack is possible — in the field of view or beyond it)
  • the method of exposure (network, hardware or social)

• the object of the threat (corporate data, encryption, transmission, work with them, or company employees)

In the process of analyzing vulnerabilities in an information system, it is extremely important to take into account possible locations. To implement this, you need to quickly detect and fix errors in the operating system and software, and later systematically install all security patches from developers.

The analysis of vulnerabilities that are associated with incorrect configuration of protective equipment should be carried out regularly. The ideal solution is to set up continuous IP monitoring for vulnerabilities.
Apart from the above-described analysis, it is mandatory to carry out certain activities with the company’s working staff: grant access rights to data and resources, rights to install specialized software, as well as rights to copy information and use external data carriers.