By Mark Lanterman, Chief Technology Officer, Computer Forensic Services
Carolyn Engstrom, Director of Corporate Compliance
As discussed in my previous three articles, strong security programs are composed of both defensive and offensive measures. Maturity assessments, security assessments, security auditing and technical vulnerability scanning are all defensive measures. However, since vulnerability scanners are often used by cybercriminals in an effort to find and exploit vulnerabilities, technical vulnerability scanning is both offensive and defensive.
A vulnerability scan is a security activity in which tools scan a particular device in order to identify flaws in operating systems and applications, misconfigured settings, and insecure ports and services. Vulnerability scanning is unique because it is not an overall component of security programs in the way that maturity assessments, security risk assessments, or security auditing are. Rather, it is a technique that is leveraged by those other components. Security risk assessments use vulnerability scans to identify technical vulnerabilities in organizational assets. Automated scans rate the risk impact of each vulnerability on the asset as Critical, High, Medium, or Low, so that critical vulnerabilities on critical assets can be mitigated first.
Security audits look at vulnerability scanning from two perspectives: as a control and as a method of testing. Vulnerability scanning should be routine, since any one scan is only indicative of security strength at that moment in time. Security auditors also use vulnerability scans to independently test for the existence of certain vulnerabilities, to confirm certain configuration settings, or to confirm that earlier findings have been remediated. Finally, vulnerability scanning is a key technique for penetration testers to identify the weaknesses that they wish to exploit.
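The two practical points above, that scan findings are prioritized by severity on the asset they affect, and that a scan is only a snapshot so routine scans must be compared over time, can be shown with a short triage script. This is an added example, not code from the article or from Computer Forensic Services: the scan records, host names, check identifiers, asset criticality tiers and numeric weights are all constructed for illustration, and real scanner output would be parsed into the same `Finding` shape first.

```python
"""Triage and trend vulnerability scan results (added example, constructed data).

Severity labels follow the Critical/High/Medium/Low scale described in the
article. The asset criticality tiers and the numeric weights are assumptions
made for this example, not a standard.
"""
from dataclasses import dataclass

SEVERITY_WEIGHT = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}

# Assumed asset inventory: business criticality of each host (1 = low, 3 = high).
ASSET_CRITICALITY = {
    "db01.example.internal": 3,
    "web01.example.internal": 2,
    "kiosk07.example.internal": 1,
}


@dataclass(frozen=True)
class Finding:
    host: str
    check_id: str   # the scanner's identifier for the check (constructed values)
    severity: str
    title: str


# Constructed results of two point-in-time scans of the same environment.
PREVIOUS_SCAN = [
    Finding("db01.example.internal", "CHK-1001", "High", "Outdated database server build"),
    Finding("web01.example.internal", "CHK-2002", "Medium", "TLS 1.0 enabled"),
    Finding("kiosk07.example.internal", "CHK-3003", "Low", "Banner discloses version"),
]
CURRENT_SCAN = [
    Finding("db01.example.internal", "CHK-1001", "High", "Outdated database server build"),
    Finding("db01.example.internal", "CHK-1005", "Critical", "Remote management port open to all"),
    Finding("kiosk07.example.internal", "CHK-3003", "Low", "Banner discloses version"),
    Finding("kiosk07.example.internal", "CHK-3009", "Critical", "Unsupported operating system"),
]


def priority(finding, asset_criticality=ASSET_CRITICALITY):
    """Score = severity weight x asset criticality.

    A host missing from the inventory is treated as highly critical, so an
    incomplete asset list fails toward more attention rather than less.
    """
    crit = asset_criticality.get(finding.host, 3)
    return SEVERITY_WEIGHT[finding.severity] * crit


def remediation_order(findings, asset_criticality=ASSET_CRITICALITY):
    """Sort so that critical findings on critical assets come first; ties are stable."""
    return sorted(
        findings,
        key=lambda f: (-priority(f, asset_criticality), f.host, f.check_id),
    )


def diff_scans(previous, current):
    """Compare two snapshots: what appeared, what was fixed, what persists."""
    prev = {(f.host, f.check_id): f for f in previous}
    curr = {(f.host, f.check_id): f for f in current}
    new = [curr[k] for k in curr.keys() - prev.keys()]
    resolved = [prev[k] for k in prev.keys() - curr.keys()]
    persistent = [curr[k] for k in curr.keys() & prev.keys()]
    return {
        "new": remediation_order(new),
        "resolved": resolved,
        "persistent": remediation_order(persistent),
    }


if __name__ == "__main__":
    for f in remediation_order(CURRENT_SCAN):
        print(f"{priority(f):>3}  {f.severity:<8} {f.host:<26} {f.check_id}  {f.title}")
    trend = diff_scans(PREVIOUS_SCAN, CURRENT_SCAN)
    for bucket in ("new", "resolved", "persistent"):
        print(bucket, [f.check_id for f in trend[bucket]])
```

Note that the Critical finding on the low-value kiosk ranks below the High finding on the database server: severity alone is not the remediation order, severity on a given asset is. The diff is what turns a single scan into a control: persistent findings show where remediation is stalled, and the resolved list is the evidence an auditor wants that earlier findings were actually fixed.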
Routine vulnerability scanning is an easy, cost-efficient, and important control for managing vulnerabilities. Instead of a cybercriminal finding the vulnerabilities, organizations should implement the necessary tools to find these vulnerabilities first and remedy them. The Critical Security Controls rank vulnerability scanning as the fourth most critical control.
Vulnerability scanning is an ongoing process in an organization that is both offensive and defensive depending on its use. In the context of strong security protocols, it should be used both offensively, to produce strong penetration test results, and defensively, to identify and manage technical vulnerabilities before an outside perpetrator exploits them. By establishing baselines, identifying risks and threats, determining the strength of internal controls, and testing for vulnerabilities in technical infrastructure, an organization is well equipped to develop sound plans for avoiding vulnerabilities and defending against threats.
The fifth and final article of this series will describe the process and use of penetration testing as a component of a strong cybersecurity plan. The most requested security activity, penetration testing offers the most valuable results when conducted in relation to the other components and techniques.