How safe is your network? Are you sure you have taken all the necessary precautions to protect it? Let’s discuss reasons you must do vulnerability assessments on your network. But before that, you need to get the facts right.
What is vulnerability testing?
Vulnerability scans use a number of commercial tools known as vulnerability scanners to synchronize targeted systems which have the potential to harm a network or web applications. A vulnerability assessment test is a report that highlights the outcomes of the vulnerability scan according to the severity and type of threat.
These analyses are conducted through CVSS- Common Vulnerability Scoring System - which is the most widely recognized industry standard that determines the degree of vulnerability facing a network. Then there is a penetration test or ‘Pentest’ that aims at authenticating the results of the vulnerability scan. Pentest uses an empirical approach which entails verification through first-hand observation.
Internal vs. external vulnerability testing
The PCI Data Security Standard requires a network to be scanned using two independent scanning methods: internal and external. These two approaches have distinct perspectives. External vulnerability scan focuses on the risks that face the network perimeter from an outside point of view. It is like installing an alarm system outside your house. Internal vulnerability scan checks the local risks i.e. within the network. This is synonymous with the installation of motion detectors in your home.
Note that ASV does not cater for all PCI scans. If the ASV does external quarterly scans, most likely it’s not handling internal PCI scans. Even if you have installed an internal vulnerability scanning mechanism such as SecurityMetrics’ Vision, it may not be handling the required internal scans. So it is paramount to confirm whether the internal scanning is being taken care of.
The significance of periodic internal and external vulnerability scanning
Without much ado, let’s get to the point: reasons you must scan your network, internally and externally. Basically, there are two main rationales for scanning internal and external vulnerabilities.
- Regulatory compliance: there are many requirements for businesses to keep their client data safe from external threats including GLBA, HIPPA, PCI, among others
- To update software or change network: every time you change the configuration of your network, install new software or hardware, your network is exposed to external risks without your awareness
If you hire an external provider to perform vulnerability scans, they investigate all your public IP addresses to check for regulatory compliance, security errors, or misconfigurations. This type of testing employs generally accepted tools to find these errors. When an error is detected, it is logged and the process goes on to exploit those risks. Some scanning tools exploit defects that slow down the performance of a network and pull them down when the risk is severe. Whichever approach you choose, you must ensure that the necessary steps are taken to rectify the errors.
Your public network may be safe but you shouldn’t neglect the internal network. One of the biggest steps for preventing exploitations is ensuring that all misconfigurations are eliminated from your computers as well as the network servers of your company. An internal vulnerability scan should take care of this by having a tool connected to the firewall and the network to scan the entire system and take care of potential risks. The results of the scan are compiled into a report showing the issues found. The issues may be discovered on your devices which broadcast access to the network users. On the public end, the problems might be on the firewall but these vulnerabilities have a minimal risk.
The scanned vulnerabilities are grouped into categories: low, medium, and high risks. It is important for your IT department to prioritize actions that will eliminate greater risks threatening your systems. If high risks are found, they must be fixed and the network should be rescanned to ensure that the issues have been remediated immediately. That way, your clients’ and users’ data will be safe.
Running the correct number of scans is vital. Every organization, regardless of its size, is supposed to run both internal and external scans quarterly. This means that with a single target, 8 scans in a year are ideal. Traditionally, many businesses run 4 scans per year (external vulnerability assessments). But they forget or are ignorant of the fact that internal scans are important too. Some businesses ignore the internal scans because they are inconvenient while others take vulnerability scans as occasional or isolated cases for addressing immediate problems.
Always ensure that your network is 100% compliant with safety regulation rules by running 8 vulnerability scans per year. All the scans must be in a passing state. A vulnerability test- internal or external- doesn’t traverse all network files as in an antivirus product. It has to be configured to check particular interfaces for vulnerabilities such as the ports and services (external and internal IP addresses). PCI scanners include various appliances that differ significantly. A scan basically takes one to three hours depending on the environment. For instance, if the scan identifies an outdated operation system on your XP windows, it flags it as a risk. Vulnerability testing is non-intrusive i.e. it gives a summary of alerts which you must act on. The results of a scan can bring CVE numbers. These refer to common vulnerability exposure. It is advisable to learn first the National Vulnerability Database before researching CVE records. If your product doesn’t cater for this, you need to prioritize the risks.
After a significant network change, you are supposed to perform vulnerability testing. A significant change depends on the configuration of your environment. Generally, it is an upgrade and modification that can affect the network security. Normally, vulnerability testing is recommended in the following situations.
- When the risk analysis shows a high risk
- When you are not sure you are dealing with a gray area
- If you make a change that can bring new risks
If you still don’t understand the major changes that carry potential vulnerabilities, here are the examples:
- Product upgrades
- Interface changes
- Adding servers and system components
- A change of firewall product
- Adding encryption applications
- Adding middleware
- Changing firewall rules
Concerning the non-significant changes, you have nothing to worry about as long as you are running the 8 internal and external vulnerability testing per year. Small changes include a change in antivirus product, removal of terminated administrative workers, and a switch of file integrity monitoring products.
Your business is like a house whereby windows and doors are locked to keep off intruders. But sometimes, strangers can get through backdoors when you are in the front yard. The intruder can rummage through your property and take your items without your knowledge. We can relate this to hackers and malware which occur outside your firewall. Given a chance, they can get inside as well.
These external threats are well understood but not many business owners understand the risks that originate from within their internal data systems. Examples of internal threats include unscrupulous employees who target the internal network and malware e.g. Trojans and viruses which are downloaded into your computers through USBs and the internet. When the malware invades the internal systems, it starts spoiling other systems inside the network particularly those that are not identifiable from the internet.
An external vulnerability scan ensures that your external firewalls are impenetrable while an internal scan searches the interior network to ensure that the computers within your network are secured properly.