One of the first steps to start your security program is finding out where you are the most vulnerable. Usually, the best way to do this is using a process or a tool that can track the risks associated with each individual asset that your business owns. Using a vulnerability scanner and scoring those risks is a great way to start defining the holes in your security. Vulnerability management is a critical component of managing risk within your environment. Once a risk is discovered, you can then build a plan around finding a way to plug that hole. Compliance is often another big reason companies scan their system environments for vulnerabilities. Some of the specific control mappings that are called out on the list below.
- CIS Critical Security Controls - Sections: 3 & 20.
- Cobit 5 - Sections: BAI03.10 DSS05.01
- ISA 62443-2-1:2009 - Sections: 18.104.22.168, 22.214.171.124
- ISO/IEC 27001:2013 A. - Section: 12.6.1
- NIST SP 800-53 Rev. 4 - Section: RA-5
- PCI DSS Version 3.2.1 - Section: 11.2
Health Insurance Portability and Accountability Act (HIPPA) compliance is a little different with regards to vulnerability scanning. While scanning is not a mandated requirement, a “Risk Analysis” is required. This effectively means that you are required to know your risks and test them appropriately. Most organizations show proof of this risk analysis by producing a report based off a vulnerability scan then providing a penetration test to prove that testing has been completed. For Hitrust, mentions of vulnerability scanning is peppered throughout the compliance mandate. There is a published Common Security Framework (CSF) Assessment Methodology on the best way to perform these processes of risk mitigation.
The Center for Internet Security (CIS) Critical Control #3
The Center for Internet Security (CIS) recommends the following under “Critical Security Control #3,” smaller businesses should at the very least have processes in place to update operating systems and software. This is a recommendation put forward in sections 3.4 & 3.5 of CIS guidelines. If you feel ready to step up your security game to the next level, you can start using a Security Content Automation Protocol (SCAP) vulnerability scanning tool. This type of tool can authenticate to systems with a privileged user and scan for all known vulnerabilities. This data can then be exported to provide a risk rating for all your machines on weekly basis. These tools require a high amount of expertise to understand the information, so make sure you have someone on hand to help you with the results.
Ways to Identify Your IT Risks
There are a couple of ways to use managed vulnerability scanning to uncover your risks. Scanning can either be unauthenticated or credentialed. An unauthenticated scan can be a good way for you to see what an attacker might see if they have not yet acquired a credential. These types of scans are usually performed on external, or internet facing servers since these are going to be the main entry points for attackers into your network. Credentialed scans are generally performed on internal devices because it is assumed that once inside your firewall, the attacker has already attained a credential. These scans dig deeper into the operating system registry and software versions installed on each server. The information is then compared to a database of known vulnerabilities and exploits. This data is then crafted and provided in a way that’s easily understandable from the CEO to the technical administrator.
You’re Going to Need It
Whether you’re trying to hit a compliance check box, or you truly want to implement the best security practices with your security budget, vulnerability scanning is the best place to start. Knowing what’s at risk in your environment is the first step in formulating a plan to fix those vulnerable systems and applications. Performing these assessments can also be a great way to make sure your managed services provider is keeping up their end of the bargain in terms of making sure operating system updates are applied and old versions of software are removed and updated. Just remember, a scan is only as good up until the last time it was completed. New vulnerabilities come out all the time and anyone one of them has the power to open a door to your systems. Security is a process, make sure you have a good one that includes vulnerability management of your infrastructure.
Written by Grant Codak
Grant has over a decade of IT experience spanning a variety of domains with a focus on defensive security. Grant is currently a Cybersecurity Expert at TechGuard Security where he performs a wide variety of proactive security services, including penetration testing. He also holds the following certifications: CISSP, CEH, Security+, Network+, A+, and Metasploit Pro Certified Specialist. Recent responsibilities include, a Senior Web Security Engineer at a Fortune 50 organization along with a variety of application administration roles in security operations. His past project work includes, web tool development as well as firewall and web proxy migrations. Currently at TechGuard Security, Grant conducts audit control assessments, penetration tests, vulnerability assessments and social engineering exercises. Grant ties his knowledge together with his deep understanding of network operations and security architecture to deliver approachable report analysis to clients. Grant is also a nature enthusiast and enjoys mountain biking, hiking and kayaking.