A vulnerability scan should focus on compiling a complete catalogue of the vulnerabilities affecting the hosts and services owned by the target, but how do you get there efficiently and effectively?
External vs Internal Vulnerability Scans
To get the most “bang for your buck,” a vulnerability scan should be scoped to a set of systems that can be routinely patched, and you should decide whether the scan will be executed against internal or external targets.
An external vulnerability scan gives you an overview of the potential attacks that could be leveraged to gain access to internal hosts. It also keeps you up to date on the changing threat landscape facing your hosts and systems, and identifies configurations that are not secure.
Common issues, including SSL misconfigurations, missing tokens, and potential injection points, are found when an external vulnerability scan is conducted. While most findings are benign, external vulnerability scans can surface previously unknown issues that an attacker may leverage to gain access to internal systems.
Internal vulnerability scans almost always produce more critical- and high-rated vulnerabilities than external scans. Usually this is because internal systems, such as proprietary software or appliances, must run on outdated software or be insecurely configured in order to give users access to the application. This is where a maintained list of targeted systems is needed to diagnose issues across the network more accurately and to reduce noise in the scan. That includes limiting the scan to systems that can be patched, or that are high-risk or high-availability.
Internal network equipment and appliances, such as Novatel appliances and printers, pose problems when configuring a scanning cycle. These targets react badly to scanning and may suffer denial-of-service conditions or become temporarily unusable. A verified list of target hosts is instrumental in creating a scan that is useful to you and your patching cycle.
Take a look at 6 vulnerability scanning best practices.
What To Do With Your Vulnerability Scan Data
The data produced by the scans should be compiled into a database and spreadsheet that let you view critical vulnerabilities and the systems that may cause problems throughout your environment. These reports should not be treated as a “catalogue of failure” but as a tool to diagnose issues and vulnerabilities across the network more accurately.
A database of known issues on the network gives network administrators insight and lets them accurately convey to executives what is affecting the network and where to focus effort and budget.
Once an internal team has been tasked with patching and maintaining the affected systems, each member of the team should review the report. On first review, priority should go to critical systems, high-availability or high-risk services, and vulnerabilities that have public exploits available. The team should alert the relevant developers, administrators, and project managers so that the vulnerability can be accurately diagnosed and the criticality of the system determined.
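The prioritization rule above (critical systems first, then high-availability or high-risk services, then findings with a public exploit) as a worked example. This is added illustration code, not RedLegg's tooling; the scanner export columns, the asset inventory, the exploit list and the numeric weights are all constructed assumptions.

```python
import csv
import io
from dataclasses import dataclass
# Constructed scanner export with hypothetical columns, not a real scanner's output.
SCAN_CSV = """host,service,finding_id,cvss
10.0.1.10,https,EXAMPLE-0001,9.8
10.0.1.10,ssh,EXAMPLE-0002,5.3
10.0.2.20,smb,EXAMPLE-0003,7.5
10.0.3.30,http,EXAMPLE-0004,6.1
printer-1,ipp,EXAMPLE-0005,7.2
"""
# Constructed asset inventory: which hosts are critical or high-availability.
ASSETS = {"10.0.1.10": {"critical": True, "high_availability": True},
          "10.0.2.20": {"critical": False, "high_availability": True},
          "10.0.3.30": {"critical": False, "high_availability": False},
          "printer-1": {"critical": False, "high_availability": False}}
# Constructed set of finding ids for which a public exploit is known to exist.
PUBLIC_EXPLOITS = {"EXAMPLE-0003", "EXAMPLE-0004"}

@dataclass
class Finding:
    host: str
    service: str
    finding_id: str
    cvss: float
    critical: bool
    high_availability: bool
    public_exploit: bool

    def priority(self) -> float:
        # Business context outranks raw CVSS: a medium on a critical host is scheduled
        # before a high on an unimportant one. The weights are assumed, not the article's.
        return (self.cvss + 20 * self.critical + 10 * self.high_availability
                + 15 * self.public_exploit)

def load_findings(csv_text, assets, exploits):
    out = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        asset = assets.get(row["host"], {})  # host missing from inventory: no context bonus
        out.append(Finding(row["host"], row["service"], row["finding_id"], float(row["cvss"]),
                           asset.get("critical", False), asset.get("high_availability", False),
                           row["finding_id"] in exploits))
    return out

def prioritize(findings):
    return sorted(findings, key=Finding.priority, reverse=True)

if __name__ == "__main__":
    for f in prioritize(load_findings(SCAN_CSV, ASSETS, PUBLIC_EXPLOITS)):
        print(f"{f.priority():5.1f}  {f.host:10}  {f.service:6}  {f.finding_id}")
```

Note that the CVSS 5.3 finding on the critical host ranks above the CVSS 7.5 finding with a public exploit on a non-critical host; this is the point of maintaining the asset list alongside the scan data.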
Learn more about how to read a vulnerability assessment report.
Once the relevant members have been notified, a remediation plan should be developed. The remediation plan provides a step-by-step process to mitigate the risk posed by the vulnerability. Many of our clients work in agile sprints, so care should be taken in deciding whether a system should be patched this cycle and what impact that would have on the application or service.
Integrating a project manager into the remediation process can be crucial, as a project manager provides oversight of project status, impact, and timelines. Subject matter experts (SMEs) should be pulled in where necessary to provide insight and experience as the remediation plan is worked through. Looping in this many people can expose gaps in the remediation process and patching cycle, and closing those gaps provides long-lasting benefits to the whole program.
Once the remediation plan has been fully carried out, the vulnerability should be confirmed as patched. Informal retesting can be performed by the remediation and patching teams; RedLegg also offers formal retesting, which updates the report to include the remediation taken to mitigate the vulnerability and reviews the findings. Formal retesting may be needed when a letter of attestation is required, or when the application is high priority.
To dive deeper, check out this webinar "From Report To Remediation: Acting On Your Vulnerability Scan Results."
Working With Vulnerability Scan Consultants
Working with a consultant provides a fresh pair of eyes to examine patching routines, vulnerabilities, and misconfigurations that can be hard to diagnose without prior experience. If you engage a consultant, they should be involved throughout the scanning process so that they become familiar with the network, the role of each host, and the configuration of each system.
The consultant shouldn’t be the only one analyzing the data from each scan. Create a list of who has insight into each application or host, including project managers, application developers, internal remediation teams, and security groups. Involving every part of the remediation process lets your consultant evaluate the company’s security posture and propose risk-mitigation strategies that may not be obvious to the internal team. A fresh pair of eyes can reveal new attack paths or offer advice on configurations and possible mitigations.
RedLegg’s vulnerability scanning service is meant to provide an overview of the potential attack paths a malicious actor might take to compromise a system or gain access to unauthorized information. These monthly or quarterly reports help create patching cycles that target the most severe vulnerabilities and mitigate the greatest amount of risk to the network. Further, when you schedule a yearly penetration test, the testing team gains a better overview of your network and of the configurations that would benefit an attacker.
Whoever your consultant may be, it’s important to develop a long-term relationship. One-off scans and testing for compliance’s sake don’t prove effective for security over time.