Vulnerability scanning is one of the most critical responsibilities of an internal IT security team or a certified external security company. The consequences for a company that does not effectively manage vulnerabilities are severe.
Vulnerabilities and weaknesses are an open door for cybercriminals to hold your company to ransom (by installing ransomware), steal customer data, and create all manner of havoc. This can result in destroying your business reputation and in being issued severe fines by governing bodies.
Vulnerability management lowers the risk of cybercrime: it is a programme that covers assessing and reporting on security vulnerabilities, and, after vulnerability scanning takes place, implementing the actions needed to eliminate or reduce the identified threats.
The first step in this vulnerability management process is to find and identify threats through the vulnerability scanning process. Vulnerability scanning has two stages:
Vulnerability scanning step 1 – Step one uses an application to scan your organisation’s network-connected infrastructure. This network-connected infrastructure will likely include firewalls, servers, printers, switches, laptops, desktops, containers, and virtual machines. This vulnerability scanning process results in the creation of a log of all devices, the operating systems on which they run, user accounts, and open ports, as well as other installed software.
Creating the most detailed and thorough picture is essential. With threats and attacks occurring more often, it is advisable to use a certified external security company. They will have the knowledge and experience to dig deeper. The more comprehensive techniques used by certified security companies may include authenticated scans using default and system credentials, which produce a more comprehensive and detailed report than an unauthenticated scan of open ports alone.
Vulnerability scanning step 2 – Once step one is complete, the vulnerability scanning process checks every item in the inventory log against a database of known vulnerabilities. This produces a report of software and hardware weaknesses and vulnerabilities.
How does vulnerability scanning work?
Vulnerability scanning is only one step in an effective vulnerability management process. Scanning highlights software and systems that have known vulnerabilities. However, the complete vulnerability management process includes:
- Scanning and identifying weaknesses
- Assessing the risk of identified weaknesses
- Resolving the vulnerabilities, so they are no longer a threat
- Reporting on the weaknesses found and the action taken to mitigate the threat
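The following is an added example (not OmniCyber's own tooling) of what the two scanning stages and the assess/report steps above look like in code: a constructed inventory log (host, OS, installed software with versions, open ports) is matched against a constructed database of known vulnerabilities with affected version ranges, the findings are triaged by severity, remote exploitability and exposure, and a plain-text report is produced. The product names, version ranges and `VULN-EXAMPLE-*` identifiers are placeholders, not real advisories, and the triage weights are assumptions chosen for illustration.

```python
"""Inventory-to-vulnerability matching with simple risk triage (added example)."""
import re
from dataclasses import dataclass


def parse_version(v: str) -> tuple:
    """Turn '2.4.41' (or '8.2p1') into a comparable tuple of integers."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def affected(version: str, vmin: str, vmax: str) -> bool:
    """True if vmin <= version < vmax (half-open range, like most advisories)."""
    return parse_version(vmin) <= parse_version(version) < parse_version(vmax)


@dataclass(frozen=True)
class Finding:
    host: str
    product: str
    version: str
    vuln_id: str
    severity: float        # CVSS-like base score, 0-10
    remote: bool           # exploitable over the network (vs. needs local/physical access)


# Constructed vulnerability database (placeholder IDs, not real advisories).
VULN_DB = [
    {"product": "openssh", "min": "7.0", "max": "8.5",
     "id": "VULN-EXAMPLE-0001", "severity": 7.5, "remote": True},
    {"product": "apache-httpd", "min": "2.4.0", "max": "2.4.50",
     "id": "VULN-EXAMPLE-0002", "severity": 9.8, "remote": True},
    {"product": "acme-printer-fw", "min": "1.0", "max": "1.3",
     "id": "VULN-EXAMPLE-0003", "severity": 5.2, "remote": False},
]

# Constructed stage-1 inventory log: devices, OS, installed software, open ports.
INVENTORY = [
    {"host": "web01", "os": "ubuntu 20.04",
     "software": {"openssh": "8.2", "apache-httpd": "2.4.41"}, "ports": [22, 80, 443]},
    {"host": "print01", "os": "acme-embedded",
     "software": {"acme-printer-fw": "1.2"}, "ports": [9100]},
    {"host": "desk07", "os": "windows 10",
     "software": {"openssh": "8.6"}, "ports": []},
]


def match_inventory(inventory: list, vuln_db: list) -> list:
    """Stage 2: check every inventory entry against the known-vulnerability database."""
    findings = []
    for asset in inventory:
        for product, version in asset["software"].items():
            for vuln in vuln_db:
                if vuln["product"] == product and affected(version, vuln["min"], vuln["max"]):
                    findings.append(Finding(asset["host"], product, version,
                                            vuln["id"], vuln["severity"], vuln["remote"]))
    return findings


def priority(f: Finding, internet_facing: set) -> float:
    """Assess the risk: start from severity, raise it for remotely exploitable
    issues on exposed hosts, lower it where local/physical access is required.
    The +1 / -3 weights are assumptions for illustration."""
    score = f.severity
    if f.remote and f.host in internet_facing:
        score += 1.0
    if not f.remote:
        score -= 3.0
    return score


def triage(findings: list, internet_facing: set) -> list:
    """Order findings so the ones to fix first come first."""
    return sorted(findings, key=lambda f: priority(f, internet_facing), reverse=True)


def report(findings: list, internet_facing: set) -> list:
    """Reporting step: one line per finding, highest priority first."""
    lines = []
    for f in triage(findings, internet_facing):
        access = "remote" if f.remote else "local/physical access required"
        lines.append(f"{priority(f, internet_facing):4.1f}  {f.host:<8} {f.product} {f.version}"
                     f"  {f.vuln_id}  ({access})")
    return lines


if __name__ == "__main__":
    for line in report(match_inventory(INVENTORY, VULN_DB), {"web01"}):
        print(line)
```

The matching is deliberately keyed on normalised product names and half-open version ranges; in practice the inventory step must also record distribution backports and vendor build strings, otherwise a patched package that keeps an old upstream version number will be reported as vulnerable (a common source of the false positives mentioned later on this page).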
What your organisation needs to consider before vulnerability scanning
Vulnerability scanning and management are critical, and there are several things you will need to decide upon before instigating the process.
Scanning and identifying weaknesses – The success of finding weaknesses through scanning depends upon the scanner’s ability to identify system information, devices, software, and open ports. For success, the scanner will also need to be able to check the information found against one or more databases of known vulnerabilities.
Before vulnerability scanning takes place, your organisation should agree several parameters with the security company performing the scan. Scanning may need to take place outside of your organisation's operating hours, or be more or less aggressive, to enable the business to continue as usual.
Adaptive vulnerability scanning is another useful option to minimise the effect of vulnerability scanning on your business’s operations. The adaptive approach detects when new devices are connected to the network for the first time. This might be a new desktop or a laptop. When these events occur, the vulnerability scanner is launched automatically. The advantage to this is that you are protected against vulnerabilities straight away, instead of having to wait for the next scheduled scan.
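As an added illustration of the adaptive approach described above (example code, not a product feature of OmniCyber or any scanner), the function below watches DHCP server log lines for devices seen for the first time and triggers a scan of each new device once. The log lines are constructed in the style of dnsmasq's DHCPACK messages; the asset register and the `start_scan` callback are assumptions standing in for the organisation's inventory and the real scanner's launch interface.

```python
"""Trigger a vulnerability scan when a device joins the network for the first time (added example)."""
import re
from dataclasses import dataclass

# Constructed log lines in the style of dnsmasq DHCPACK messages (not captured from a real network).
DHCP_LOG = """\
Mar  3 08:01:12 gw dnsmasq-dhcp[812]: DHCPACK(eth0) 10.0.0.23 aa:bb:cc:00:00:01 desk07
Mar  3 08:03:40 gw dnsmasq-dhcp[812]: DHCPACK(eth0) 10.0.0.57 aa:bb:cc:00:00:09 laptop-new
Mar  3 08:05:02 gw dnsmasq-dhcp[812]: DHCPREQUEST(eth0) 10.0.0.57 aa:bb:cc:00:00:09
Mar  3 08:09:15 gw dnsmasq-dhcp[812]: DHCPACK(eth0) 10.0.0.57 aa:bb:cc:00:00:09 laptop-new
Mar  3 08:11:30 gw dnsmasq-dhcp[812]: DHCPACK(eth0) 10.0.0.88 aa:bb:cc:00:00:42
"""

# Assumed asset register: MAC addresses of devices already in the inventory.
KNOWN_DEVICES = {"aa:bb:cc:00:00:01"}

ACK_RE = re.compile(
    r"DHCPACK\(\S+\) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?: (?P<name>\S+))?"
)


@dataclass(frozen=True)
class ScanTrigger:
    mac: str
    ip: str
    hostname: str


def new_devices(log_text: str, known: set) -> list:
    """Return one ScanTrigger per device not yet in the asset register.

    Devices are keyed on MAC address rather than IP: a lease renewal or a new
    IP for a known machine must not re-trigger a scan, and the same new device
    acknowledged twice must be triggered only once.
    """
    seen = set(known)
    triggers = []
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if not m or m.group("mac") in seen:
            continue
        seen.add(m.group("mac"))
        triggers.append(ScanTrigger(m.group("mac"), m.group("ip"), m.group("name") or "unknown"))
    return triggers


def run_adaptive(log_text: str, known: set, start_scan) -> set:
    """Launch start_scan(ip, mac) for each new device; return the updated asset register."""
    updated = set(known)
    for t in new_devices(log_text, known):
        start_scan(t.ip, t.mac)
        updated.add(t.mac)
    return updated


if __name__ == "__main__":
    def start_scan(ip, mac):  # assumed stand-in for the scanner's launch call
        print(f"launching scan of {ip} ({mac})")
    run_adaptive(DHCP_LOG, KNOWN_DEVICES, start_scan)
```

Because `run_adaptive` returns the updated register, a scheduler can feed the next batch of log lines with that set and never scan the same device twice for the same join event; a periodic full scan (the next scheduled scan the text refers to) still covers devices whose software changes after they were first seen.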
Internal or external security team – All companies are different, each with its own mix of talent and knowledge. However, vulnerability scanning and the resulting report of weaknesses can be extensive, and hence overwhelming for a small internal IT team.
Certified security companies have the expertise and teams of security professionals to tackle the job at hand effectively. They have the knowledge to recognise whether vulnerabilities are false positives and whether security controls already in place reduce the risk of an identified weakness.
They will also be able to determine which vulnerabilities need fixing first by assessing if it is realistic for cybercriminals to exploit the weakness. They know if physical access to your business would be required and the potential impact the vulnerability would have on your company if it were used.
Simple fixes or security patches are not always readily available, so decisions will need to be made to mitigate the risks. Your business may need to stop using vulnerable software or systems or add further layers of protection and controls. In some cases, no action is taken when the risks are extremely low.
What is the difference between internal and external vulnerability scanning?
To meet the different security compliance requirements, both internal and external vulnerability scans need to take place.
Internal vulnerability scan – These take place from inside the company's defences and highlight vulnerabilities open to cybercriminals who have already gained access to your systems. Internal scans also highlight the damage that could be caused by disgruntled workers or on-site contractors.
External vulnerability scan – These take place from outside your company's defences and network. External tests evaluate the effectiveness of your perimeter, including web application firewalls and network firewalls.
Vulnerability scanning vs penetration testing?
Vulnerability scanning focuses on finding known weaknesses and vulnerabilities. This is a vital first step for all companies that use network-connected technologies.
Penetration testing looks to find weaknesses in organisational practices, processes, and system configurations that can be exploited by cybercriminals. Penetration tests may include:
- Intercepting and then using passwords that are sent unencrypted over the network
- Attempting to acquire passwords from employees, through impersonating a security person or manager. This is called social engineering and tests to see if a cybercriminal can access your database.
- Gaining access to accounts through sending out phishing emails
Vulnerability scanning is vital for all companies, and we recommend using a certified cybersecurity company. OmniCyber can help; contact us for more information on vulnerability scanning.