Scanning for Vulnerabilities: When, Why and How Often
Prevent threat actors from exploiting vulnerabilities in your network by eliminating the risk
By: Eric Browning
If there were no vulnerabilities within a network or computer system, there would be nothing to exploit and the network attack surface would be greatly reduced. However, software vulnerabilities always exist: software is often rushed to market, applications are written by people, and people make mistakes, all of which give attackers a way to compromise networks.
All an attacker needs is one vulnerability to get a foothold in your network. That's why, at a minimum, you should scan your network at least once a month and patch or remediate the vulnerabilities you find. Some compliance regimes only require quarterly scans, but that is not often enough. You also can't adequately defend your network until you have conducted a security assessment to identify your most critical assets and know where in your network they lie. These critical assets need special attention, so define a risk tolerance for them: the maximum number of days your organization is willing to let those assets go without being scanned and without open findings being patched. You can schedule your scan tool to scan specific devices and web applications at set times, and you should rescan after remediating so the next report verifies the fixes and shows progress in your security efforts.
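One way to turn that risk tolerance into a check you can run against an asset inventory, as an added example that is not from the original article or from SecureWorks: each asset tier gets a maximum scan age and a maximum age for its oldest unremediated finding, and the function lists everything past its window. The tiers, tolerance windows, hostnames and dates are constructed for illustration.

```python
"""Flag assets whose scan age or oldest open finding exceeds the risk tolerance.

Added example, not code from the original article or from SecureWorks.
The policy table and the asset inventory below are constructed.
"""
from datetime import date

# Constructed policy: maximum days an asset in each tier may go without a
# scan, and maximum days an open finding may remain unremediated.
TOLERANCE_DAYS = {
    "critical": {"scan": 7,  "patch": 14},
    "high":     {"scan": 14, "patch": 30},
    "standard": {"scan": 30, "patch": 60},
}

# Constructed inventory: (hostname, tier, last_scan, oldest_open_finding_date)
# oldest_open_finding_date is None when the last scan reported nothing open.
ASSETS = [
    ("db01",  "critical", date(2024, 3, 1),  date(2024, 2, 10)),
    ("web01", "critical", date(2024, 3, 3),  None),
    ("fs01",  "high",     date(2024, 2, 1),  date(2024, 2, 20)),
    ("ws042", "standard", date(2024, 2, 20), None),
]


def overdue(assets, today, tolerance=TOLERANCE_DAYS):
    """Return (host, what, days_over) for every window that has been exceeded.

    'what' is "scan" when the asset has not been scanned within its window,
    or "patch" when an open finding is older than the remediation window.
    An unknown tier raises KeyError on purpose: untiered assets should not
    silently fall through the policy.
    """
    out = []
    for host, tier, last_scan, oldest_open in assets:
        limits = tolerance[tier]
        scan_age = (today - last_scan).days
        if scan_age > limits["scan"]:
            out.append((host, "scan", scan_age - limits["scan"]))
        if oldest_open is not None:
            open_age = (today - oldest_open).days
            if open_age > limits["patch"]:
                out.append((host, "patch", open_age - limits["patch"]))
    return out


if __name__ == "__main__":
    for host, what, days in overdue(ASSETS, date(2024, 3, 5)):
        print(f"{host}: {what} overdue by {days} day(s)")
```

Track the date of the oldest open finding, not just the last scan date: an asset that is scanned on schedule but never patched still looks healthy if you only watch scan age.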
Your network scan should include all devices with an IP address (workstations, laptops, printers and multifunction printers, which often store documents, routers, switches, hubs, IDS/IPS, servers, wireless networks and firewalls) and all the software running on them. Unauthenticated scans reveal vulnerabilities in network-facing services, open ports that could let malicious applications run or communicate, and configuration settings that affect security. It is best to run authenticated scans, which log on to the host with credentials and therefore also reveal vulnerabilities in installed applications, such as Java, Flash and Adobe Reader, that are not visible from the network.
The person running the scan should have a background in networking and should understand a wide range of vulnerabilities and the ways they can be exploited. The person should also understand all the major features of the scanning tool and should know which types of devices on the network might be vulnerable to the scanner itself, as some devices can crash or knock a network segment offline from the scan alone. Although setting up a scan configuration for a range of IP addresses might take only 15 minutes or so, the scan itself can take hours, and scanning an entire class C (/24) network across all 65,535 TCP ports could take all day. Given this, it makes sense to run the scan at night or at a time when fewer people are using the network.
Correlating Monitoring with Scanning
When you integrate monitoring of your network and endpoints with your scanning results, you can reduce false positives. For example, say your Intrusion Detection System (IDS) saw an exploit go over the wire toward an endpoint with the IP address 192.168.1.205. If your monitoring is correlated with your scanning data, you can immediately see whether 192.168.1.205 had been patched or updated to mitigate the vulnerability that the exploit was targeting. If the computer was patched and the scan results confirm it, you know the alert is a false positive in the sense that the exploit could not have succeeded (the attempt itself is still worth noting). If the computer had not been patched and was vulnerable, you know you need to isolate the compromised device and perform incident response. For this to work, the scan result must be recent and must predate the alert; a stale result cannot tell you what state the host was in when it was targeted.
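The triage logic described above, as an added example that is not part of the original article or SecureWorks' platform: IDS alerts are parsed from a constructed pipe-separated export, matched by target IP and CVE against constructed scan findings, and each alert gets a disposition. The alert format, the scan-record layout, the 30-day freshness window and the CVE identifiers (CVE-2099-xxxx placeholders) are all assumptions made for the example.

```python
"""Correlate IDS exploit alerts with vulnerability-scan results.

Added example, not code from the original article or from SecureWorks.
Alert lines, scan findings, field layout and CVE identifiers are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed IDS alert export, one event per line: time|signature|cve|src_ip|dst_ip
IDS_ALERTS = """\
2024-03-04T10:15:22+00:00|EXPLOIT attempt (constructed)|CVE-2099-0001|10.0.0.5|192.168.1.205
2024-03-04T10:16:03+00:00|EXPLOIT attempt (constructed)|CVE-2099-0002|10.0.0.5|192.168.1.210
2024-03-04T10:17:45+00:00|EXPLOIT attempt (constructed)|CVE-2099-0003|10.0.0.5|192.168.1.220
2024-03-04T10:18:10+00:00|EXPLOIT attempt (constructed)|CVE-2099-0001|10.0.0.5|192.168.1.230
2024-03-04T10:19:30+00:00|EXPLOIT attempt (constructed)|CVE-2099-0001|10.0.0.5|192.168.1.240
"""


@dataclass
class Alert:
    time: datetime
    signature: str
    cve: str
    src: str
    dst: str


@dataclass
class Finding:
    cve: str
    status: str          # "open" = still vulnerable, "fixed" = patched/remediated
    scanned_at: datetime


def _ts(s):
    return datetime.fromisoformat(s)


# Constructed scan results (as imported from an authenticated scan), keyed by IP.
SCAN_RESULTS = {
    "192.168.1.205": [Finding("CVE-2099-0001", "fixed", _ts("2024-03-01T02:00:00+00:00"))],
    "192.168.1.210": [Finding("CVE-2099-0002", "open",  _ts("2024-03-01T02:00:00+00:00"))],
    "192.168.1.220": [Finding("CVE-2099-0009", "open",  _ts("2024-03-01T02:00:00+00:00"))],
    "192.168.1.230": [Finding("CVE-2099-0001", "fixed", _ts("2023-12-01T02:00:00+00:00"))],
    # 192.168.1.240 is deliberately absent: it has never been scanned.
}

# Assumed policy: a scan result older than this cannot be used to close an alert.
MAX_SCAN_AGE = timedelta(days=30)


def parse_alerts(text):
    alerts = []
    for line in text.strip().splitlines():
        ts, sig, cve, src, dst = line.split("|")
        alerts.append(Alert(_ts(ts), sig, cve, src, dst))
    return alerts


def triage(alert, scan_results, max_age=MAX_SCAN_AGE):
    """Return (disposition, reason) for one alert against the scan data."""
    findings = scan_results.get(alert.dst)
    if findings is None:
        return "unknown-host", "no scan record for target; treat as vulnerable and investigate"
    match = next((f for f in findings if f.cve == alert.cve), None)
    if match is None:
        return "not-detected", "scanner never reported this CVE on the host; confirm the service exists"
    age = alert.time - match.scanned_at
    if age < timedelta(0):
        return "post-alert-scan", "scan ran after the alert; cannot prove host state at alert time"
    if age > max_age:
        return "stale", "scan result older than policy window; rescan before closing"
    if match.status == "fixed":
        return "false-positive", "host was patched before the alert; exploit could not succeed"
    return "vulnerable", "host was unpatched when targeted; isolate and begin incident response"


def triage_all(text=IDS_ALERTS, scan_results=SCAN_RESULTS):
    """Map each alerted target IP to its disposition."""
    return {a.dst: triage(a, scan_results)[0] for a in parse_alerts(text)}


if __name__ == "__main__":
    for a in parse_alerts(IDS_ALERTS):
        disp, why = triage(a, SCAN_RESULTS)
        print(f"{a.time.isoformat()} {a.dst:15} {a.cve:14} {disp:16} {why}")
```

The three non-binary dispositions are the point: a host the scanner has never seen, a scan too old to trust, and a scan that ran only after the alert all need a human, and none of them should be closed as a false positive.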
Scanning Help with a Security Partner
Many organizations lack the personnel, resources and security expertise to effectively manage vulnerabilities and remediation across their organizations. Scans can take a long time, the vulnerabilities detected are difficult to prioritize, and newly disclosed vulnerabilities are often not yet covered by the scanner. Even though companies know vulnerability management is critical, many don't do a sufficient job of managing vulnerabilities across their organizations.
If you choose to perform your own vulnerability scanning, consider working with a partner like SecureWorks, who will maintain the infrastructure needed to perform the scans. We provide you with a license to use the product and import the results of the vulnerability scans (specifically asset lists, asset properties, and vulnerabilities found) into the Counter Threat Platform for use with other services that SecureWorks may be providing for you. We can also help with prioritization of discovered vulnerabilities based on what is being most actively exploited in the wild. You’ll have 24-hour access to our Security Operations Center to assist you with implementing the scan. Alternatively, SecureWorks can manage and run the scans for you. Whether you prefer to conduct your own scans or prefer us to do it for you, we can help.