Vulnerability Scanning

Vulnerability scanning 101: Best Practices for Vulnerability Scanning

November 10th, 2021 Posted in Information Security

Companies today face the ongoing task of securing complex information technology (“IT”) environments while achieving their business objectives. The security threats to critical systems are ever-evolving, meaning that organisations must constantly review their assets for potential vulnerabilities that could be either inadvertently exposed or maliciously exploited.

By definition, a vulnerability is a weakness, flaw, or error discovered within a system, which a threat actor could exploit in order to compromise that system. Vulnerabilities are part and parcel of modern IT infrastructure. After all, computer systems are a human construction. Mistakes in designing, building or coding systems are likely to happen because, just as people are flawed, so too are the systems we create.

Moreover, the complexity of computer systems, combined with the fact that they are constantly advancing, means that securing them is a difficult, ongoing task. Even if a company is able to secure a system today, that does not mean it will be safe tomorrow. New vulnerabilities are constantly being discovered.

To combat the ongoing presence of vulnerabilities, software developers, hardware suppliers and vendors are invested in quickly patching them. Patching is the process of providing updates to IT systems, either to improve functionality or security. Whilst the system vendor will provide security patches, it is up to your organisation to apply them. Many vulnerabilities simply go unpatched, though. In 2019, for example, Ponemon’s vulnerability survey showed that 60% of breaches were linked to a vulnerability where a patch was available, but not applied.

As a further example, take the infamous WannaCry ransomware attack, which wreaked havoc on the NHS and other targets in 2017. Two months before the attack started, Microsoft released a patch that would have blocked the ransomware from taking hold. All the companies and services impacted had failed to implement the patch. In other words, the attack was entirely preventable.  

Why do vulnerabilities go unfixed?

The best practice is clearly to fix a vulnerability as soon as a relevant patch is released. However, across the board, this often fails to happen or isn’t possible. Common reasons for patch delays include cost limitations, fears of disruption to the business, worries about upgrades eroding interoperability between systems and having to train staff on major software upgrades.  

Moreover, because patches are often delivered at a high frequency across multiple systems, manual patching can be resource-intensive and cause system downtime. This is obviously costly for businesses – but not as costly as a breach, of course. According to Check Point’s Cyber Attack Trends report, 80% of cyber-attacks in 2020 exploited vulnerabilities that were registered in 2017 and earlier. It’s clear that a good vulnerability management programme can drastically reduce the risk of a cyber incident.

How to create a solid vulnerability management programme

As Benjamin Franklin once said, “an ounce of prevention equals a pound of cure”. Vulnerability management is the ounce of prevention, compared to the pound of cure that is responding to an incident. So, what does a good vulnerability management programme look like? It should combine systematic scanning using automated tooling, regular manual penetration testing, and prioritised remediation.

We have already written extensively about penetration testing in our guide to penetration testing. For this article, we are going to focus on the other aspect of vulnerability management: vulnerability scanning, which should complement your penetration testing strategy.

What is a vulnerability scan?

A vulnerability scan is an automated process that proactively identifies security weaknesses in a network or individual system, such as out-of-date software versions or missed patches. Scans are usually performed with commercial, off-the-shelf scanning tools like Nessus or Qualys, or with an open-source equivalent such as OpenVAS. These are used to scan the targets and gather information about vulnerabilities, misconfigurations, and missing updates. Because scanning is automated, scans tend to be both quick and broad in coverage.

Once complete, the tool creates a report of security flaws for the IT team to remediate. These are typically prioritised based on the CVSS 3.1 vulnerability scoring methodology, which helps to prioritise remediations in order of urgency. The list of vulnerabilities is typically very long, as it includes every possible or potential issue identified without human verification, which means some insignificant issues and false positives will likely be included.  

From this report, activities can then be targeted at fixing those vulnerabilities identified, as well as ensuring systems are updated and correctly configured. Examples of remediation actions include patching vulnerable systems, deploying mitigation measures for systems that cannot be patched immediately, and changing system configurations.

Vulnerability scanners are not one-size-fits-all, by which we mean that there are different types of scanners available, typically categorised according to the type of target they are intended to assess.  

Application scanners are further subdivided into those that target web applications and those that target native applications. Scanners also exist for a number of specialist subcategories such as cloud infrastructure, mobile applications or web applications built using a specific platform or technology. 

The drawbacks of vulnerability scanners

While vulnerability scanners play an important role in vulnerability management, they are not a total solution in themselves. For starters, vulnerability scanners can only identify surface vulnerabilities. This means that they can’t assess the overall risk profile of the network or application that has been scanned. Moreover, vulnerability scans are known to generate false positives – meaning they can report vulnerabilities where none exist. For the person who interprets the scan, this often amounts to a lot of extra work, as they must manually check through all the results.  

As well as this, vulnerability scans tend to detect well-known vulnerabilities, rather than nascent ones, which means that some more nuanced risks could be missed. To that end, vulnerability scanning should be part of your vulnerability management programme – but not all of it. We advise complementing vulnerability scanning with regular penetration testing.  

This is a type of security assessment, where a company hires a suitably skilled penetration tester to identify real-world security vulnerabilities within its IT infrastructure, systems or applications, using a combination of tools and manual exploit techniques. Indeed, as part of a penetration test, the tester will use a vulnerability scanner to find potential exploit points. 

However, penetration tests go a step further. The tester carrying out the activity will use high-value vulnerabilities and misconfigurations to validate whether an attack could successfully be mounted against the client. They will use real-world exploit techniques and bespoke tooling to try to compromise the target. These will validate whether an exploit would work should a third-party threat actor get a foothold in your systems.

Penetration testing is complemented by a report at the end of the activity. This will demonstrate how vulnerabilities could be used as part of a larger, more complex attack – providing much more detail than the report of a standard vulnerability assessment.  

For a detailed overview, read our article on the differences between penetration testing and vulnerability scanning.

How to deploy a vulnerability scanner

The market for vulnerability scanners is wide and varied. You can either deploy your own on-premises solution, use a cloud tool or work with a third party, who will take care of the process for you. What path you choose will depend on factors like your budget, your IT team’s level of experience and bandwidth, and your security needs.   

For detailed guidance on how to get started with vulnerability scanning and management, read the National Cyber Security Centre’s (“NCSC”) guidance on vulnerability scanning.

How often should I conduct a vulnerability scan?

How often you scan will depend on your deployment model. If you have licensed a scanner to use internally, you can run scans as frequently as you like. In fact, the more frequently the better – particularly for high-risk systems like firewalls and public web servers. Many organisations use internally managed scanners at least monthly. However, the frequency must be manageable for your staff, who will need to know how to use the tool effectively and will carry the labour-intensive job of manually going through vulnerabilities, then confirming and remediating them.

If you use a third-party provider for vulnerability scanning, then we recommend starting with quarterly scans at least. Monthly scanning is better, but quarterly scans provide a good level of coverage, without being too expensive. When working with an external provider, like Evalian, the provider will perform internal scans by coming on site, via remote access through VPN connectivity or using a remote testing appliance (virtual or physical) that the customer deploys onsite.  

Finally, it’s important to highlight that, alongside vulnerability scanning, you should conduct penetration tests at least annually to complete your vulnerability management programme. If your IT systems or applications undergo a significant change or update, then you should also carry out a penetration test soon after, to ensure that these changes have not introduced any security loopholes.  

Need help?

If your organisation needs help running a vulnerability scan or penetration test on an application or infrastructure, we’re here to help. We can assess your environment and run a full penetration test. We can also advise you on any follow-up actions, remediations and vulnerability management from our findings. Contact us for a friendly chat. 


Written by Alex Harper

Alex is a senior security consultant, specialising in security testing of IT infrastructure, web applications and mobile applications. He started his career as a software developer before moving into ethical hacking and security consulting. His qualifications include Cyber Scheme Team Leader (CSTL), Offensive Security Certified Professional (OSCP) and Qualified Security Team Member (QSTM).