Vulnerability scanning is a critical business security control for identifying system vulnerabilities that put information at risk. Vulnerabilities can exist at the network, operating system, database, and application levels, so it is important that your vulnerability scanning tool(s) check as many of these layers as possible.
Ten Vulnerability Scanning Commandments
#1 – You shall not assume an accurate system inventory
Maintaining an accurate system inventory is a challenge even for disciplined IT shops. During the introductory phases of implementing vulnerability scans into your environment you should perform a scan of all of your internal, external, and RFC 1918 private addresses. By scanning all of your possible ranges you minimize your chances of missing systems that have not been recorded in your asset inventory or systems that have been added without authorization.
#2 – Remember the change control procedures
Vulnerability scanning is important, but so is proper change control. It is important to follow disciplined change control processes for every scan so that the activity is properly documented and approved. Following proper change control procedures also helps pinpoint potential negative impact related to a vulnerability scan to a more precise time frame. For the person running the vulnerability scanner, not following established change control procedures could be a legitimate reason for termination.
#3 – You shall attempt to do no harm to thy own network
Performing a vulnerability scan is an inherently risky process. Until you have performed baseline scans and determined how robust your systems' stability is, a cautious approach should be taken. This involves scaling up the level of the scans gradually while monitoring the systems being scanned for negative impact. Systems experiencing negative impact likely need to be upgraded or added to a scanning exclude list.
#4 – You shall configure your vulnerability scans with proper system credentials
The vulnerability scanning tool must be configured to have adequate system credentials to get the full benefit of the scan. Consult the scan setup documentation provided by your vendor to get help on the needed permissions configuration. If you fail to set up your scans with proper credentials you will get a false sense of security and only be scratching the surface of your potential vulnerabilities.
#5 – Remember thy scan frequency and make it at least monthly
New vulnerabilities are discovered on a daily basis so it is essential to schedule your scans on a recurring basis. It is good practice to define a consistent time period to perform your weekly/monthly scans to simplify change control and troubleshooting if problems occur. Regular scans are also required to validate that needed improvements have been put in place to lower the number of system vulnerabilities.
#6 – You shall not be careless with vulnerability scan information
Reports produced from vulnerability scans should be classified as high risk, and access to them should be granted on a need-to-know basis. These reports contain the detailed information that would-be attackers would love to have to compromise your systems. Do not make their job any easier.
#7 – Do not falsely accuse your system administrators
System administrators need to be partners in the vulnerability remediation process and are essential for validating potential false positives. Stay on friendly terms with them and do not assume the vulnerability scan detail is 100% accurate.
#8 – You shall document your vulnerability scan exclusion list
When a system experiences negative impact from a vulnerability scan you will often need to add its IP address to a scan exclusion list. The decision to exclude a system from the regular scan process should not be taken lightly and should be made visible so management understands the potential risk. Creating an exception process to document these situations, and keeping it up to date, is a best practice.
#9 – You shall decide what vulnerability severity level to focus and report on
Many of the items detected by vulnerability scanners are more informational in nature and may not require remediation. Decide ahead of time which level of vulnerabilities you will focus and report on. I recommend starting with severe/high level vulnerabilities only and moving down only once those riskier items are under control.
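As an added example (not from the original article), the script below ties together commandments #1, #8 and #9: it reconciles scanner-discovered hosts against the asset inventory to surface unrecorded systems, flags exclusion-list entries that lack a documented reason or have expired, and filters findings to the severity floor you decided on. All hosts, finding names and exclusion entries are constructed sample data, and the severity scale is an assumption; map your own scanner's ratings onto it.

```python
import ipaddress
from datetime import date

# Constructed sample data: asset inventory, raw scanner findings and the exclusion list.
INVENTORY = {"10.0.1.10": "web-01", "10.0.1.11": "db-01", "192.168.5.20": "jump-01"}

SCAN_FINDINGS = [
    {"host": "10.0.1.10", "plugin": "TLS 1.0 enabled", "severity": "medium"},
    {"host": "10.0.1.11", "plugin": "Unpatched DB service", "severity": "high"},
    {"host": "10.0.1.50", "plugin": "Default SNMP community", "severity": "high"},
    {"host": "192.168.5.20", "plugin": "Banner disclosure", "severity": "info"},
    {"host": "10.0.1.50", "plugin": "Outdated SSH version", "severity": "critical"},
]

EXCLUSIONS = [
    {"host": "10.0.1.11", "reason": "Legacy DB crashes under scan; owner: dba", "expires": "2025-01-31"},
    {"host": "10.0.1.77", "reason": "", "expires": "2024-06-30"},
]

# RFC 1918 private ranges, used to confirm a discovered host is inside the space you scan.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed severity scale; adjust to match your scanner's own ratings.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def unknown_hosts(findings, inventory):
    """Commandment #1: hosts the scanner saw that are absent from the asset inventory."""
    return sorted({f["host"] for f in findings} - set(inventory))


def is_private(host):
    """True if the address falls inside one of the RFC 1918 ranges."""
    return any(ipaddress.ip_address(host) in net for net in RFC1918)


def undocumented_exclusions(exclusions, today):
    """Commandment #8: exclusions with no written justification or past their expiry date."""
    problems = []
    for entry in exclusions:
        if not entry["reason"].strip():
            problems.append((entry["host"], "no documented reason"))
        if date.fromisoformat(entry["expires"]) < today:
            problems.append((entry["host"], "exclusion expired"))
    return problems


def actionable_findings(findings, minimum="high"):
    """Commandment #9: keep only findings at or above the chosen severity floor."""
    floor = SEVERITY_RANK[minimum]
    return [f for f in findings if SEVERITY_RANK[f["severity"]] >= floor]
```

Run the three functions after each scheduled scan and feed the unknown-host list back into the inventory process rather than silently adding the hosts to the exclusion list.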
#10 – Do not get frustrated at lack of progress
Implementing a strong vulnerability management process takes time. Do not get discouraged if improvement results are slow to come in the beginning. Stay focused on running a disciplined vulnerability management program and build the needed connections in the IT organization to make the process sustainable.
Have you started your vulnerability management program?