External scans, internal scans, compliance scans, security scans, credentialed scans, intrusive scans, non-intrusive scans…the types of scanning seem endless.
It can be a daunting task to implement and maintain an efficient, effective scanning program. You must first understand the different scanning types. Then, be able to monitor them all in a timely manner. Lastly, you need the expertise to adequately address any findings across your organization.
The goal of this post is to make a major responsibility a bit more manageable – either through a deeper knowledge of how to run successful scans in-house or by refining your expectations for outsourcing thee duties to a trusted partner. So, let’s jump right in.
Vulnerability Scans look at your organization’s IPs, whether internal or external, at planned intervals. Organizations frequently use products like Nessus, Rapid7, or Qualisys paired with a SIEM to detect vulnerabilities or other issues that could be exploited. These scans should be a part of your company’s Vulnerability and Patch Management Program to confirm patching and system lifecycle management are as effective as possible.
Compliance Scans ensure a system is properly configured to your organization’s documented policy and baseline configurations in order to meet the industry standards for your compliance requirements. These scans typically include the same checks as a vulnerability scan but are typically done by a third party ‘Certified Scanning Provider’.
Non-Intrusive Scans simply identify vulnerabilities on a system and provide a report to address the findings.
Intrusive Scans attempt to exploit a vulnerability when it is found.
External Scans target the systems exposed to the Internet, including websites, ports, services, networks, systems, and applications accessed by external users or customers.
Internal Scans target your internal corporate network. They identify vulnerabilities that could be manipulated by cyberattacks or malware, making their way to your inside network.
Credentialed Scans are configured by your IT staff to login to the targeted systems with a given set of credentials. These scans will discover vulnerabilities that may be missed by traditional, non-credentialed scans. These types of scans typically use elevated privilege accounts, so these accounts must be protected as such.
Non-Credentialed Scans are the most common vulnerability scans and will yield a good baseline view of the vulnerabilities within a target environment. However, these scans are not as thorough as credentialed scans and may only provide an incomplete picture of your organization’s exposure.
Environment Scans go out and validate the topology and systems within your network. As the cloud architecture of some environments becomes more complex, scans typically require special software to identify your multi-cloud environments, IOT, mobile devices, websites, and more.
Now that we have a better picture of what scanning options are out there let’s review some of the challenges you may encounter:
- Scans are “points in time” for your company. Your organization is constantly changing as systems are added or removed, so your scanning program should have a set frequency with reporting that can provide a regular snapshot of vulnerabilities and other exposures discovered.
- Scans require human intervention even when they are automated. You need to make time to review the reports provided by the scans and plan on how to address the findings.
- Scans only discover known vulnerabilities. With this in mind, you will want to ensure your scanning system is continually updated with known faults and signatures so new ones are added as they are discovered.
Hopefully these descriptions provide a full picture of the difficulties you may encounter when implementing your own scanning program as part of your Vulnerability and Patch Management.
It’s important to remember that a successful scanning program requires:
- Teamwork – Make sure there are routes for your scanner to reach all the environments and communicate effectively to your network team, your system admin, and your security team. This workflow is critical to address the detailed findings and resolve them.
- Reporting with Risk Evaluation – If you scan and do not report, then why scan? Most products will provide industry best practices for addressing findings, so you are not purely going off of what a team member “feels” is important. Use the ratings provided, rank by the changes in your environment, and have open discussions with everyone involved.
- Tracking Success – Scanning typically has a negative view as a configuration or vulnerability is usually being pointed out to a system owner. It’s your responsibility to change this perception. Configuration standards change, vulnerabilities are released daily, and change is the heart of IT. Track your program history and ensure you celebrate the decreases in vulnerabilities.
Time to take a deep breath. We just covered a lot of information on the challenges you may encounter. Before we move onto a service LightEdge not only recommends but also utilizes, check out what the Department of Homeland Security (DHS) Cybersecurity & Infrastructure Security Agency (CISA) is doing.
CISA began a new Cyber Hygiene program for Critical Infrastructure in 2020. (Did we mention LightEdge is recognized by DHS as Critical Infrastructure? That’s another topic we can cover later…)
With the relationship between LightEdge and CISA, we have the ability to offer assistance in the area of Cyber Hygiene for our customers. These services are at no cost to the organization or to LightEdge as these are taxpayer funded programs designed to promote the security of US companies. They provide clear reporting on the progress and effectiveness of your vulnerability and patch management programs.
Reducing the Risk of a Successful Cyber Attack
Adversaries use known vulnerabilities and phishing attacks to compromise the security of organizations. The Cybersecurity and Infrastructure Security Agency (CISA) offers several scanning and testing services to empower organizations to reduce their exposure to threats by taking a proactive approach to mitigating attack vectors.
- Vulnerability Scanning: Evaluates external network presence by executing continuous scans of public, static IPs for accessible services and vulnerabilities. This service provides weekly vulnerability reports and ad-hoc alerts.
- Web Application Scanning: Evaluates known and discovered publicly accessible websites for potential bugs and weak configuration to provide recommendations for mitigating web application security risks.
- Phishing Campaign Assessment: Provides an opportunity for determining the potential susceptibility of personnel to phishing attacks. This is a practical exercise intended to support and measure the effectiveness of security awareness training.
- Remote Penetration Test: Simulates the tactics and techniques of real-world adversaries to identify and validate exploitable pathways. This service is ideal for testing perimeter defenses, the security of externally available applications, and the potential for exploitation of open source information.
Getting your scanning program started with CISA is simple when you reach out to LightEdge for assistance. This can be as easy as putting in a support request within the customer portal or filling out a on our site. From there, a member of our compliance & security team will follow-up to assist in setting up CISA compliance scans for your organization.
LightEdge C&S will validate your IP range provided by LightEdge to be scanned and document in our systems the scans will be occurring. This is important so LightEdge teams do not mistake the scans as the start of nefarious activity. If you have additional IPs that are not part of the LightEdge services, these can be added to your scans. The LightEdge CISA contact will be part of these communications throughout the entire process.
We do recommend you read and properly acknowledge the terms of service and other agreement documentation provided by CISA and LightEdge. For those with concerns that this information could become public via the Freedom of Information Act or other means of public information requests; CISA had legislation introduced before implementing this program that makes this private data solely provided to the organization being scanned. This also means LightEdge neither receives nor retains your vulnerability information.