Vulnerability scans are particularly useful when they are an integral part of systematic vulnerability management. To ensure that ongoing IT operations do not suffer, administrators should approach the issue with caution.
- Vulnerability Scan Checklist
- Checklist Part 1: Plan vulnerability scans carefully
- Checklist Part 2: Configure and set up vulnerability scan
- Checklist Part 3: Interpret the results of the vulnerability scan correctly
Vulnerability Scan Checklist
Vulnerability scans are an effective means of identifying critical gaps within the IT infrastructure. Most administrators make an effort to apply the latest updates and patches regularly. But even when they take special care, holes remain open. This may be because software manufacturers deliver updates too late or because automatic Windows patch management does not work one hundred percent smoothly.
In addition, there are particularly sensitive, often proprietary systems such as production control systems, which must not be patched without further ado, as otherwise warranty or support claims would be lost.
Vulnerability scans can reliably detect such gaps. But they often interfere with actual IT operations: for example, they generate high network traffic, so the scanned devices lack the capacity for their actual task, or users experience delays in data traffic. To firewalls, intrusion detection systems, and other monitoring tools, a vulnerability scan also looks much like an attack. In the worst case, this can lead to system failures. The use of vulnerability scans should therefore be well prepared.
Checklist Part 1: Plan vulnerability scans carefully
Clarify the general conditions
Simply running a vulnerability scan over the systems brings little benefit and many problems. That’s why administrators should clarify the framework conditions as early as possible in advance. This includes categorizing the IT infrastructure into sensitive and less critical areas, as well as the question of whether or not an external service provider should be involved. It is also advisable to list the details for the following points in a kind of project plan.
Inform those involved and affected
Above all, the company’s own IT administrators should be informed in advance when a vulnerability scan is due. Better yet, bring the admins into the project team, leverage their expertise, and coordinate closely with them on potential consequences and how to avoid them.
Determine the maintenance window
Precisely because a vulnerability scan can have an impact on regular operations, it makes sense to weigh the right timing. During regular business hours, most clients are accessible via the network, but the traffic generated by the scan can cause performance bottlenecks. Critical systems should be scanned at night or on a designated maintenance day.
Coordinate with cloud service providers
If parts of the IT infrastructure are outsourced to an external service provider, for example as a hosting or cloud solution, coordination with the provider is required. On shared platforms, which most cloud services use, a scan will hardly be possible, because other customers' data is processed on the same systems.
Checklist Part 2: Configure and set up vulnerability scan
A vulnerability scan is not a security measure to be run casually on the side. Especially before the first scan, the tool should be carefully configured and adapted to the environment to be scanned. Scanners usually ship with general default settings, but only individual adaptation ensures that the gaps specific to that environment are found.
Beware of scanner plug-ins
Most scanners offer the option of activating additional plug-ins. Anyone with little experience with vulnerability scanners should be hesitant here or consult an expert. Plug-ins may be useful, but they often burden the scanning process with additional traffic or are not sufficiently secure themselves. If the “Safe Check” option is set in the scanner, only secure plug-ins are used.
Additional scanning from the inside
Credentialed scans: If you give the vulnerability scanner login data, it can log in to the target systems and scan them from the inside. The goal is to identify vulnerabilities in applications that are not directly visible over the network. Some client or specially protected server applications cannot be scanned with a classic scan over the network.
Passively scan untouchables
In almost every company, there are systems that are either particularly critical or proprietary and that cannot simply be included in a scan for various reasons. Often these are production control systems or similar embedded systems that must be maintained exclusively by the manufacturer or must not be compromised under any circumstances. Here, a passive scan can be an alternative: while an active scan deliberately connects to the systems, a passive scanner continuously analyzes the network traffic via a mirror port. In this way, vulnerabilities are found without unnecessarily stressing the often sensitive embedded systems.
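An added illustration (not code from the original article) of what a passive scanner does with traffic from a mirror port: it fingerprints the server banners it happens to observe and never sends a packet to the sensitive host. The frames, IP addresses, products and the "outdated" version table are all constructed for this example.

```python
import re

# Constructed frames as seen on a mirror port: (src_ip, src_port, dst_ip, dst_port, payload).
# A passive scanner only reads what already flows through the network; nothing is sent to a host.
MIRRORED_TRAFFIC = [
    ("10.0.5.20", 22, "10.0.1.7", 51422, b"SSH-2.0-OpenSSH_7.4\r\n"),
    ("10.0.1.7", 51422, "10.0.5.20", 22, b"SSH-2.0-OpenSSH_9.6\r\n"),  # client side, ignored
    ("10.0.5.21", 80, "10.0.1.9", 40112,
     b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.29 (Ubuntu)\r\nContent-Length: 0\r\n\r\n"),
    ("10.0.5.22", 502, "10.0.1.9", 40200, b"\x00\x01\x00\x00\x00\x03\x01\x03\x00"),  # binary, no banner
    ("10.0.5.21", 80, "10.0.1.9", 40113, b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.29 (Ubuntu)\r\n\r\n"),
]

# Banner patterns the passive scanner understands: (regex on the payload, product); version in group 1.
BANNER_PATTERNS = [
    (re.compile(rb"^SSH-2\.0-OpenSSH_([\w.]+)"), "OpenSSH"),
    (re.compile(rb"^HTTP/1\.[01] \d{3}.*?\r\nServer: Apache/([\d.]+)", re.S), "Apache httpd"),
]

# Constructed placeholder list of versions the organisation treats as outdated;
# a real scanner would consult its vendor's vulnerability feed instead.
OUTDATED = {("OpenSSH", "7.4"), ("Apache httpd", "2.4.29")}

def passive_inventory(frames):
    """Map (server_ip, port) -> (product, version) from server-side banners only.

    Only frames sent from a well-known port are fingerprinted, so client banners on ephemeral
    ports are skipped; a server whose protocol carries no text banner is recorded as unknown.
    """
    inventory = {}
    for src_ip, src_port, _dst_ip, _dst_port, payload in frames:
        if src_port > 1023:
            continue
        key = (src_ip, src_port)
        for pattern, product in BANNER_PATTERNS:
            match = pattern.match(payload)
            if match:
                inventory[key] = (product, match.group(1).decode())
                break
        else:
            inventory.setdefault(key, ("unknown", ""))
    return inventory

def flag_outdated(inventory):
    """Findings for observed services on the outdated list, produced without probing any host."""
    return sorted((ip, port, product, version)
                  for (ip, port), (product, version) in inventory.items()
                  if (product, version) in OUTDATED)
```

The Modbus-style controller on port 502 shows up in the inventory as unknown rather than vanishing, which is the point: the asset is still tracked even though the passive scanner cannot (and must not) interrogate it.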
Checklist Part 3: Interpret the results of the vulnerability scan correctly
Evaluate results, prioritize and take action
The amount of information that a vulnerability scan brings to light is immense. A large part of it is mostly non-critical and already known to administrators. Nevertheless, without expert knowledge and experience, it is very laborious to create a valid priority list. However, a vulnerability scan is of little use if the results do not lead to meaningful measures. Consulting external experts can be useful, especially at the beginning of the work with scanners.
Scan regularly and establish vulnerability management
A scan is a good and important start. If it is carried out regularly, its benefits are multiplied. This is because continuously determined key figures allow comparisons to be made, trends to be identified, and, ultimately, predictions to be made. With experience, the workload for administrators also decreases significantly. On this basis, permanent vulnerability management can be established within IT security.
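As an added example (not from the original article) of the evaluation step above and of comparing successive scans: two constructed scan runs are diffed, findings are weighted by the asset criticality decided during planning, items administrators have already formally accepted are separated out, and the per-severity counts that serve as key figures from scan to scan are computed. Hosts, check identifiers, scores and the criticality map are constructed values, not output of any real scanner.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    host: str
    check_id: str   # the scanner's own check identifier (constructed values below)
    title: str
    cvss: float     # base score as reported by the scanner, 0.0 to 10.0
# Asset criticality from the categorisation done while planning the scan (constructed).
CRITICALITY = {"10.0.5.20": 3, "10.0.5.21": 2, "10.0.5.22": 3, "10.0.1.9": 1}
# Known, formally accepted findings, e.g. a controller only the manufacturer may patch (constructed).
ACCEPTED = {("10.0.5.22", "C-0104")}
PREVIOUS_SCAN = [
    Finding("10.0.5.20", "C-0011", "OpenSSH outdated", 7.5),
    Finding("10.0.5.21", "C-0023", "Apache httpd outdated", 9.8),
    Finding("10.0.5.22", "C-0104", "Unauthenticated control protocol", 7.5),
    Finding("10.0.1.9", "C-0301", "SMBv1 enabled", 5.3),
]
CURRENT_SCAN = [
    Finding("10.0.5.20", "C-0011", "OpenSSH outdated", 7.5),
    Finding("10.0.5.22", "C-0104", "Unauthenticated control protocol", 7.5),
    Finding("10.0.1.9", "C-0301", "SMBv1 enabled", 5.3),
    Finding("10.0.1.9", "C-0412", "Weak TLS cipher suites", 4.3),
]

def diff_scans(previous, current):
    """Compare two runs by (host, check_id): what is new, what was fixed, what persists."""
    prev = {(f.host, f.check_id) for f in previous}
    cur = {(f.host, f.check_id) for f in current}
    return {"new": cur - prev, "fixed": prev - cur, "persisting": cur & prev}

def priority_score(finding):
    """Severity weighted by asset criticality; 0 marks a formally accepted finding."""
    if (finding.host, finding.check_id) in ACCEPTED:
        return 0.0
    return round(finding.cvss * CRITICALITY.get(finding.host, 1), 1)

def prioritize(findings):
    """Work list with the highest score first; accepted findings are returned separately."""
    todo = sorted((f for f in findings if priority_score(f) > 0), key=priority_score, reverse=True)
    accepted = [f for f in findings if priority_score(f) == 0]
    return todo, accepted

def key_figures(findings):
    """Counts per severity band: the figure to compare from one scan to the next."""
    bands = {"critical": 0, "high": 0, "medium": 0, "low": 0}
    for f in findings:
        band = "critical" if f.cvss >= 9 else "high" if f.cvss >= 7 else "medium" if f.cvss >= 4 else "low"
        bands[band] += 1
    return bands
```

Between the two constructed runs the critical Apache finding disappears and a new medium one appears, which is exactly the kind of trend a regular scan makes visible; the accepted controller finding stays on record but does not clutter the work list.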
The initial outlay may seem high, but it is worth it. Vulnerability scanners reliably uncover the gaps that any patch management system, no matter how perfectly organized, can leave behind. The results of regular scans can be used to eliminate vulnerabilities, but also for further planning of the expansion and reconstruction of the IT infrastructure.