Learn the Language of Vulnerability Assessment: Key Security Terms You Should Know

Your introduction to vulnerability assessment doesn't have to be confusing – let's go over the key terms.

When you're new to vulnerability assessment (VA) – or any other area of cybersecurity, for that matter – some aspects of the process might seem unfamiliar or confusing. This is particularly true of the jargon; cybersecurity and technology as a whole have a long list of specialized terminology. 

Now, let's be clear: You don't have to learn all of the words and their definitions from top to bottom right away. But it's important that you make yourself aware of the relevant language and key terms that security practitioners use every day while navigating the cyber trenches. Here’s a brief introduction.

The true definition of a vulnerability

Perhaps the most important point to keep in mind when learning the fundamentals of vulnerability assessment is the actual meaning of the word "vulnerability." The simplest accurate description is "any weakness in your network that can be exploited." It may be something as seemingly minor as a legacy application, or an app that's commonly used but doesn't feature the most recent patches. A vulnerability could also be a host on the network that lacks modern protections like next-generation firewalls or anti-malware features.

Keep in mind that “vulnerability” isn't a synonym for words like "malware," "virus," "trojan" or any of the other words that describe common cyberthreats. These cybersecurity hazards are often what emerge to take advantage of vulnerabilities that are present within some segment of your network or an asset connected to it (e.g., computers, mobile devices or operational technology such as network switches and control systems).

In addition to knowing the precise definition of a vulnerability, it's critical to understand that not all vulnerabilities are created equal. Some may only have minor negative effects on performance or affect only a small portion of the network. Others will pose clear and immediate danger to your environment and demand remediation as soon as possible. 

Arguably the best-known measurement for evaluating these threats is the Common Vulnerability Scoring System (CVSS),¹ a scale devised by the Forum of Incident Response and Security Teams (FIRST) cybersecurity organization. While useful for beginners and worth knowing, it shouldn't be the only score you use: Its criteria don't take into account the sheer number of vulnerabilities out there and also fail to analyze how likely it is for these flaws to be leveraged by attackers. (Tenable's Predictive Prioritization process can more effectively gauge the impact of vulnerabilities and help you prioritize vulnerabilities to devise a better management strategy.)

Understanding the taxonomy of cyberthreats 

Another point of confusion in vulnerability assessment is the broad scope of terms used to describe cyberthreats. Many cybersecurity discussions invoke the term malicious software or "malware," but those just getting to know the subject might wonder what the difference is between that word and "virus."

Functionally, there isn't much difference – viruses are malware. But malware works as an effective category name, whereas "virus" doesn't. Cyberthreats falling under the malware umbrella include:²

• Viruses: Malicious code that, once triggered through a user action like opening an attachment, can take control of existing apps within a host to "reproduce" itself and spread to other devices on a network. 
• Worms: Standalone malicious software that is also capable of self-propagation (without human intervention) to spread to other hosts.³
• Trojans: Malware disguised as programs or files a user needs.
• Spyware: Programs that monitor activity of infected computers (e.g., keystroke loggers or "formjackers," used to steal credentials).
• Botnets: Groups of automated, self-propagating applications that infect multiple machines and use them to conduct distributed denial of service attacks.

Then there's ransomware, which isn't one specific type of malware: any virus, worm, trojan or other malicious tool can fit the bill if it's used to gain leverage over a victimized organization and force ransom payments – many ransomware attacks employ data encryption or access denial as intimidation tactics.⁴

Reminder: All of those things listed above are not vulnerabilities – they're enabled by vulnerabilities.

Vulnerability assessment vs. vulnerability management

It's also important to know the difference between terms used to describe the process of mitigating vulnerabilities. For example, the terms “vulnerability assessment” and “vulnerability management” are not interchangeable. Assessment is a step in the vulnerability management process, and vulnerability scanning allows you to create the assessment. (Along similar lines, remember that Nessus Professional is primarily a vulnerability assessment solution; for an all-in-one vulnerability management suite, see Tenable’s enterprise platform products.)

Scans examine your network as broadly or narrowly as you choose: the entire network, a small number of hosts within one department of your organization or any range in between. When scanning is complete, you'll have a preliminary vulnerability assessment report, which is the foundational step that enables further investigation. Penetration tests (which are sometimes erroneously conflated with vulnerability scanning) or threat modeling may be beneficial to demonstrate how vulnerabilities work in controlled settings and map out their ultimate consequences.

After scans, tests and other assessments, you can begin to address cyberthreats across your environment, in order of their immediacy and severity. Focus on the most critical areas of potential exposure first, such as customers' financial and personal data or publicly facing systems. Mitigation and/or remediation may be as simple as patching an app or operating system, or may require more consequential actions like removing programs, disabling hosts or temporarily shutting down a network.

Balancing security and compliance

The last major terminology-based discrepancy we want to discuss is between vulnerability and compliance scanning. 

Tools like Nessus Professional can conduct compliance scans to determine adherence to cybersecurity protocols with government regulations, as well as industry standards like PCI DSS. (These scans are based on benchmarks from the Center for Internet Security [CIS] as well as certain Security Technical Implementation Guides [STIGs].) But a compliance scan isn’t a full vulnerability scan because it only searches for issues that make your system noncompliant, rather than any flaws that expose you to breach or attack. Your best course of action is to conduct both types of scans and then address their results separately. 

Ready to get started? Nessus Professional is an excellent solution for anyone who's starting out with vulnerability assessment.

Try Nessus Free for 7 Days

_{1. FIRST, "Common Vulnerability Scoring System v 3.1: Specification Document"
2. CSO Online, "Malware Explained: How to Prevent, Detect and Recover From It," May 2019
3. Kaspersky, "What's the Difference Between a Virus and a Worm?", February 2020
4. Cybersecurity and Infrastructure Security Agency, "Ransomware Guidance and Resources"}