When an enterprise begins actively monitoring its network to establish its security posture, one component that is often overlooked is vulnerability management. The core of that component is vulnerability scanning and subsequent remediation through patch management. Vulnerability scanning is an important part of a well-established vulnerability management program for a multitude of reasons, but the two main reasons are:
Scanning allows you to identify threats and weaknesses across all the devices on your network, including routers, switches, endpoints, printers, servers and web applications. Detecting vulnerabilities and taking corrective action is important to your overall security posture and essential in protecting valued data assets from internal and external threats. An enterprise must remember, however, that maintaining an effective vulnerability management program is an ongoing process.

When it comes to vulnerabilities, malicious actors benefit from automation, crowdsourcing, big data, mobile, low-cost cloud computing, and other resources as much as an enterprise's security team does. The bad guys, however, have the advantage: a malicious actor needs to find just one unpatched vulnerability, whereas a security team must find and patch all of them. Though a host may be safe today after a spotless vulnerability scan, a malicious actor could discover a serious vulnerability in it tomorrow. The result can become a game of Whack-A-Mole — an endless cycle of identifying vulnerabilities and then racing against the clock to patch them before malicious actors develop exploits for them.

Therefore, an enterprise should strive towards continuous vulnerability scans to discover those constant incremental changes. An enterprise might not have the scanning infrastructure or human capital needed to conduct and analyze continuous scans of its network environment, so it may need to explore outsourcing solutions that can do this cost-efficiently. Continuous vulnerability scans not only help organizations determine whether they are actually fixing the flaws they discover; they also help identify trends in the performance of the vulnerability management program, information that security managers and other executives can use to justify current and future budget allocation.
What is a vulnerability scan?
A vulnerability scan is often confused with a penetration test, and the two are often mistakenly used interchangeably, but they are quite different tests and processes within your vulnerability management program.
A vulnerability scan is performed by using a commercial software package to scan an IP address or range of IP addresses for known vulnerabilities. A scan typically consists of four stages:
It’s important to keep in mind that a vulnerability scan depends on a database of known vulnerabilities to test for; anti-virus software operates with the same dependency. Naturally, there are vulnerabilities that are unknown to the public at large, called 0-day vulnerabilities, which these scanners will neither detect nor offer remediation for.
There are different types of vulnerability scans, and each operates with a different level of thoroughness and activity. A simple vulnerability scan checks the Windows Registry and software version information to determine whether the latest patches and updates have been applied. A more comprehensive and thorough vulnerability scan, such as the kind that HLC performs, includes the aforementioned simple scan plus additional functionality that attempts to execute exploit code to determine whether a vulnerability is actually exploitable.
Vulnerability Prioritization and Patch Management
The aforementioned scan results in a report that lists the discovered vulnerabilities, their severity, and remediation steps. After vulnerabilities are identified, they need to be evaluated so that the risks they pose are dealt with appropriately and in accordance with the enterprise’s vulnerability management strategy. A vulnerability scan will provide risk ratings and scores for vulnerabilities, such as Common Vulnerability Scoring System (CVSS) scores. These scores help an enterprise decide which vulnerabilities to focus on first, but the true risk posed by a vulnerability should take these factors into account:
● Is this vulnerability a true or false positive?
● Could a malicious actor directly exploit this vulnerability from the Internet?
● How difficult is it to exploit this vulnerability?
● Is there known, published exploit code for this vulnerability?
● What would be the impact to the business if this vulnerability were exploited?
● Are there any other security controls in place that reduce the likelihood and/or impact of this vulnerability being exploited?
● How old is the vulnerability/how long has it been on the network?
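As an added illustration (not from the original article), the triage questions above can be turned into a repeatable ranking: the scanner's CVSS base score is adjusted by each factor so that an Internet-facing, actively exploited medium-severity finding can outrank a high-CVSS bug that is internal and shielded by other controls. The multipliers and the sample findings are assumptions constructed for this example, not a standard.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    """One scanner finding plus the analyst's answers to the triage questions."""
    host: str
    title: str
    cvss: float                 # base score as reported by the scanner
    confirmed: bool             # False = judged a false positive on review
    internet_exposed: bool      # directly exploitable from the Internet?
    exploit_public: bool        # known, published exploit code?
    exploit_difficulty: str     # "low", "medium" or "high"
    business_impact: str        # "low", "medium" or "high"
    compensating_controls: int  # controls that cut likelihood or impact
    age_days: int               # how long it has been on the network

# Multipliers are illustrative assumptions for this example, not a standard.
DIFFICULTY = {"low": 1.5, "medium": 1.0, "high": 0.6}
IMPACT = {"low": 0.5, "medium": 1.0, "high": 1.5}

def risk_score(f: Finding) -> float:
    """Contextual risk on a 0-10 scale: CVSS adjusted by the triage factors."""
    if not f.confirmed:
        return 0.0                                   # false positives leave the queue
    score = f.cvss
    score *= 1.5 if f.internet_exposed else 0.7      # reachable from the Internet?
    score *= 1.3 if f.exploit_public else 1.0        # published exploit raises urgency
    score *= DIFFICULTY[f.exploit_difficulty]        # easy to exploit -> higher
    score *= IMPACT[f.business_impact]               # what the business would lose
    score *= 0.85 ** f.compensating_controls         # each control removes 15%
    score *= 1.0 + min(f.age_days, 90) / 90 * 0.25   # up to +25% for lingering findings
    return round(min(score, 10.0), 2)

def prioritize(findings):
    """Confirmed findings, highest contextual risk first; false positives dropped."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return [f for f in ranked if risk_score(f) > 0]

# Constructed sample report: three findings from a hypothetical scan.
SAMPLE = [
    Finding("web01", "Outdated OpenSSL", 7.5, True, True, True, "low", "high", 0, 30),
    Finding("db01", "Kernel privilege escalation", 9.8, True, False, False, "high", "high", 2, 5),
    Finding("print01", "SNMP default community", 5.3, False, False, True, "low", "low", 0, 60),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{risk_score(f):5.2f}  {f.host:8}  {f.title}")
```

Note that the CVSS 9.8 kernel bug on db01 ranks below the CVSS 7.5 finding on web01 once exposure, exploit availability and compensating controls are considered, which is the point of the questions above.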
Patch management is important for the security of your enterprise and imperative to a successful vulnerability management program. There are times when patches are released just to fix a functionality issue, but often they are released to fix security issues. As soon as a piece of software is released, malicious actors attempt to exploit it through its vulnerabilities; when they succeed, there is a subsequent need for patches and a patch management process. Patches protect your network and data from constantly evolving malicious actors, but they can only do their job if you have a system in place to discover and analyze vulnerabilities through vulnerability scanning, and to manage and apply patches through a patch management process.
Underscoring the importance of vulnerability scanning and patch management, malicious actors looking to infiltrate and compromise networks are themselves using vulnerability scanners to identify weaknesses and find the easiest path to their desired goal. While vulnerability scanning and patch management are not a perfect security solution, they are tools that can help proactively identify issues and resolve them before attackers have a chance to exploit them. Most importantly, vulnerability scanning is essential to an effective vulnerability management program and to an enterprise’s overall security posture. However, the results of a vulnerability scan are only as valuable as the willingness to accept them, act on them and remediate. Simply identifying vulnerabilities might be enlightening, but in and of itself it does very little to reduce your risk or improve your security.