14 Vulnerability Scanning Best Practices

To make sure you’re getting the most out of your vulnerability scanning tools, implementing some vulnerability scanning best practices can help to improve your identification of security weaknesses and improve your overall vulnerability management program.

    1. Categorize Your Assets

    Label your assets taking into account the type of device, the type of sensitive data that is stored or processed, how critical the device is for business continuity, and whether it is externally or internally facing.

    In addition to vulnerabilities having a critical scoring system, your devices should also have their own level of importance, which should help guide your decision-making when addressing vulnerabilities.

    For example, a medium-risk vulnerability that impacts an internet-facing critical business service may need to be addressed before a critical vulnerability that impacts a non-internet-facing device.

    2. Prioritize Your Vulnerabilities

    Not all vulnerabilities are created equal. The Common Vulnerability Scoring System (CVSS) rates vulnerabilities on a scale from 0 to 10, with 10 being the most critical.

    Some vulnerabilities can lead to some additional information being accessible to an attacker, which isn’t ideal, but other vulnerabilities can lead to a complete system compromise which should be given greater priority.

    Your priorities for addressing vulnerabilities should also take into account the assets that they affect. The CVSS Scoring system has options to provide further context to vulnerabilities that impact your specific systems.

    Adding Environmental metrics onto vulnerabilities allows you to grade vulnerabilities taking into account where the devices exist within your network, and the level of importance the system is to your organization.

    The CVSS calculator can help you to gain further insight into which issues to prioritize for which systems.

    Although vulnerabilities shouldn’t be completely ignored, no matter the risk rating, you can vary your priorities and your timeframes to address vulnerabilities based on how critical they are.

    A more complete description of how to prioritize vulnerabilities for your organization is provided in the post “What Is Vulnerability Prioritization”.
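    The following is an added example, not code from the original post, showing how the asset labels from section 1 (exposure, business criticality, data sensitivity) can be combined with a CVSS base score to produce the kind of context-aware priority section 2 describes. The weights, priority bands and SLA timeframes are assumptions for illustration, not CVSS Environmental metrics, and should be tuned to your own environment.

```python
from dataclasses import dataclass

# Assumed, illustrative weights for the asset labels the article describes
# (exposure, business criticality, data sensitivity). They are a local
# context multiplier, not the CVSS Environmental metric group; tune them.
EXPOSURE_WEIGHT = {"external": 2.0, "internal": 1.0}
CRITICALITY_WEIGHT = {"critical": 2.0, "important": 1.5, "standard": 1.0}
DATA_WEIGHT = {"regulated": 1.5, "confidential": 1.25, "internal": 1.0, "public": 0.8}

# Assumed remediation timeframes in days per priority band (not from the article).
SLA_DAYS = {"P1": 7, "P2": 30, "P3": 90, "P4": 180}

@dataclass(frozen=True)
class Asset:
    name: str
    exposure: str      # "external" (internet-facing) or "internal"
    criticality: str   # importance of the device for business continuity
    data: str          # most sensitive class of data stored or processed

@dataclass(frozen=True)
class Finding:
    title: str
    asset: Asset
    cvss_base: float   # CVSS base score, 0.0 to 10.0

def cvss_severity(score: float) -> str:
    """Qualitative rating bands used with CVSS v3 scores."""
    if score == 0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"

def context_score(f: Finding) -> float:
    """Scale the base score by the asset's own level of importance."""
    a = f.asset
    weight = EXPOSURE_WEIGHT[a.exposure] * CRITICALITY_WEIGHT[a.criticality] * DATA_WEIGHT[a.data]
    return round(f.cvss_base * weight, 1)

def priority_band(f: Finding) -> str:
    """Map the context score to a band that carries a remediation timeframe."""
    s = context_score(f)
    return "P1" if s >= 25 else "P2" if s >= 12 else "P3" if s >= 5 else "P4"

def triage(findings):
    """Order findings for remediation: highest context score first."""
    return sorted(findings, key=context_score, reverse=True)
```

    With these weights a Medium (5.5) finding on an internet-facing critical system lands in P1, while a Critical (9.8) finding on an internal, non-critical lab box lands in P3, which is exactly the ordering section 1 argues for.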

    3. Consider Attack Chains With Vulnerability Prioritization

    Vulnerabilities often do not work in isolation. Several vulnerabilities of low or medium impact can sometimes lead to an overall critical impact on your business.

    This is often referred to as an attack chain, where a theoretical attacker may gather information or access from one vulnerability and use it in combination with other issues to highlight a critical security threat.

    Where possible your vulnerability priorities should take into account these attack chains. This may lead to a vulnerability listed as Medium impact being treated with similar priority to that of a high-risk issue due to the knock-on impacts that this Medium can have when combined with other issues.

    Understanding these attack chains and where they exist can be a difficult process in itself. While some scanning tools aim to simulate and visualize this information, a security consultant or penetration tester may be able to demonstrate it better.

    4. Have an Alert and Response Process

    Where new vulnerabilities are identified, particularly where Critical vulnerabilities are found to be affecting critical infrastructure, plan out a rapid response process where the vulnerability can be fixed within a short timeframe.

    In a similar vein, update and upgrade schedules should also have a process in place to ensure your devices can be upgraded where necessary.

    As patches are released by vendors or systems become end-of-life and need to be replaced, having a preapproved plan and process to carry out these update tasks is important for maintaining your organization’s security.

    5. Choosing the Right Vulnerability Scanning Tools

    While the tools you use need to contain the features you want and cover the devices you have, it is also important to understand more about the company that developed these tools.

    Does the company developing these tools adhere to best-practice security standards, and does it have a secure development process? How many of the known types of vulnerabilities will the vulnerability scanner identify?

    Accredited companies will typically advertise the standards they adhere to, so they can verify that they practice what they preach.

    Where a company has no development standards and does not follow security best practices, it may raise questions about the validity of its scanning tools and the results you will receive.

    For a more in-depth review of two different scanning tools, a comparison of Nessus and OpenVAS can be referred to here.

    6. Making Sure Your Scans Have Enough Coverage

    It’s important to gain complete coverage of your devices for security testing. Where you have gaps in your coverage you have gaps in your security.

    However, one vulnerability scanner may not be enough to cover every type of device or service you have. It may be necessary to invest in several scanners which each have dedicated purposes, to ensure you have complete coverage of your systems.

    Alternatively, a vulnerability scanning service managed by a third party may be able to provide multiple scanning tools and services to cover all your systems, although you may have to trade more frequent scans that you control for complete coverage of your systems.

    If looking into your own tools some of the broad categories that you can look into include:

    Internal Network Scanning

    A good internal network scanning tool should be able to cover all your devices that have IP addresses and conduct an overall network discovery scan to find any devices that are present.

    Although not every scanner may be able to conduct an authenticated scan or configuration review for some more obscure devices, an unauthenticated scan should be available as a minimum option.

    The post Network Vulnerability Scanning Tools lists scanning tools that may be considered as options for your internal network scanning process.

    External Network Scanning

    Similar to internal scanning, an external network scan should be able to cover all of your devices that present an IP address. Ideally, authenticated scanning and configuration reviews will be an option to ensure you have configured your devices to recommended best practices.

    A discovery scanning process is also often featured for external network scans which aims to map out your external attack surface.

    This process can include searching for subdomains that are in use, checking for a recorded data breach containing records of your organization, and looking up records for evidence of compromised accounts and passwords.

    Web Application Scanning

    For Web Application scanning tools, the right tool can vary based on your specific application. Some tools are better for conducting API security tests, while others focus on specific platforms such as WordPress.

    If your application is set up with multiple user accounts and permission levels, assessing the security of your application from each of these perspectives is important. Authenticated scanning should be a required feature of your vulnerability scanner.

    Your specific scanner should meet your requirements but should also include minimum standards such as testing against the OWASP Top Ten and comparing third-party solutions against known vulnerability databases.

    Cloud Environment Scanning

    Where you have migrated your infrastructure and services to the cloud, making sure you have secured these systems and not moved your vulnerabilities to the cloud is vital.

    Depending upon your specific cloud setup, you may have hosted infrastructure, or be running critical business services.

    Your chosen cloud scanning tool should be able to assess each of these systems for vulnerabilities and also conduct a configuration review, ensuring no insecure settings are in place and you are adhering to recommended best practices.

    Secure Code Analysis And Scanning

    If your organization focuses heavily on development, it can be both cost-effective and time-saving to ensure you are sticking to secure coding practices.

    If you have completed a series of development sprints and are nearing the end of a project, conducting your first security test at this point may lead to backtracking and having to fix issues in all of your previous work.

    Managing your security weaknesses as you progress through the development project will be more beneficial.

    Your secure coding tool should ideally review your code for potential security flaws as you are creating it, and be able to cover security testing at the same time you are completing functionality testing. Ideally, this tool should also work between your development teams allowing for collaboration.

    7. Make Use of Discovery Scans

    While you may have a good idea of the systems and assets that make up your business, it is still possible for services to be set up as a side effect of installing another program, for old devices and services to be forgotten about, or for systems set up for a “test” to have been forgotten about and never added to an asset register.

    Discovery scans for your internal, external, and cloud environment can help to find those systems that are still lurking, allowing you to close down any unnecessary systems and to correctly secure those you still need.
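    As an added example (not code from the original post), the script below reconciles a discovery scan's host list against an asset register, which is the practical follow-up to sections 6 and 7: it surfaces hosts that are live but unregistered, registered "decommissioned" devices that are still answering, and active register entries the scan did not see. The register, the discovery output format and all addresses are constructed for the example.

```python
import ipaddress

# Constructed sample data. The register is what you believe you own; the
# discovery output is what a network discovery scan reported. All addresses
# are RFC 1918 placeholders, not real hosts.
ASSET_REGISTER = {
    "10.0.1.10": {"name": "web-01", "owner": "platform", "status": "active"},
    "10.0.1.11": {"name": "web-02", "owner": "platform", "status": "active"},
    "10.0.2.20": {"name": "db-01", "owner": "data", "status": "active"},
    "10.0.2.21": {"name": "db-02", "owner": "data", "status": "active"},
    "10.0.3.30": {"name": "old-fileserver", "owner": "it", "status": "decommissioned"},
}

# One host per line: address followed by the open ports the scan observed (constructed format).
DISCOVERY_OUTPUT = """\
10.0.1.10 22,443
10.0.1.11 22,443
10.0.2.20 5432
10.0.3.30 445
10.0.3.99 8080
"""

def parse_discovery(text: str) -> dict:
    """Parse the constructed discovery format into {address: [ports]}."""
    hosts = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        addr, ports = line.split(maxsplit=1)
        # Normalising through ipaddress rejects garbage and canonicalises the key.
        hosts[str(ipaddress.ip_address(addr))] = sorted(int(p) for p in ports.split(","))
    return hosts

def reconcile(register: dict, discovered: dict) -> dict:
    """Classify addresses so the register and the live network can be brought into line."""
    unregistered = sorted(a for a in discovered if a not in register)
    still_online = sorted(a for a in discovered
                          if register.get(a, {}).get("status") == "decommissioned")
    not_seen = sorted(a for a, r in register.items()
                      if r["status"] == "active" and a not in discovered)
    return {"unregistered": unregistered, "still_online": still_online, "not_seen": not_seen}

def coverage_report(register: dict, text: str) -> dict:
    """Convenience entry point: discovery text in, reconciliation out."""
    return reconcile(register, parse_discovery(text))
```

    Each bucket maps to an action: investigate and register or shut down the unregistered host, finish decommissioning the one still online, and check whether the unseen host is offline or simply outside the scan's range.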

    8. Set Up Authenticated and Unauthenticated Scans

    It can be important to understand your security from different perspectives and attack vectors. This helps to provide context and allows you to prioritize your vulnerability management process.

    Unauthenticated scans allow you to understand the security of your devices from the perspective of an external threat or user with minimal access permissions, which may highlight some of your most direct and immediate threats.

    An authenticated scan can help you to understand the overall security posture of your device, how it is configured, the systems and services running on it and their potential security flaws, and the user accounts and permissions configured for the device. This information allows you to greatly improve the security of your devices over time, ensuring that any potential threat is mitigated.

    9. Conduct Regular and Frequent Vulnerability Scans

    Vulnerabilities are continually identified and reported. Over 11 thousand vulnerabilities have been reported so far this year, as of 18th April 2024, to the National Vulnerability Database.

    Only conducting an annual check-up of your security leaves a large amount of time where your devices may be vulnerable and you are unaware of this.

    Increase your vulnerability scanning frequency to conduct more regular vulnerability scanning or continuous scanning. The frequency of scanning should also vary depending on the types of devices.

    More critical systems should be subject to a vulnerability scan more frequently as an issue impacting this type of system can be more impactful to your business as a whole.

    Where there are concerns over the vulnerability scanning process impacting bandwidth consumption and network performance, you can implement a security strategy to scan sections of your network on a rotating basis rather than scanning all devices at the same time, to ensure complete coverage but relieve network performance issues.
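    The following is an added example, not code from the original post, of the rotating schedule described above: each criticality tier gets its own scan interval, and the assets in a tier are staggered across that interval so no single day carries the whole estate. The tiers, intervals and inventory are assumptions constructed for the example.

```python
from collections import defaultdict

# Assumed scan intervals in days per criticality tier; not taken from the article.
INTERVAL_DAYS = {"critical": 7, "high": 14, "standard": 30}

# Constructed inventory of (asset name, criticality tier).
INVENTORY = [("erp-01", "critical"), ("pay-gw", "critical"), ("vpn-01", "critical"),
             ("hr-web", "high"), ("wiki", "high"), ("mail-rly", "high"), ("build-07", "high")]
INVENTORY += [(f"ws-{n:02d}", "standard") for n in range(1, 61)]

def build_rotation(inventory, days: int) -> dict:
    """Stagger each tier's assets across its interval so every day carries a small, even load."""
    per_tier = defaultdict(list)
    for name, tier in inventory:
        per_tier[tier].append(name)
    schedule = defaultdict(list)
    for tier, names in per_tier.items():
        interval = INTERVAL_DAYS[tier]
        for i, name in enumerate(names):
            offset = i % interval            # first scan day within the interval
            for day in range(offset, days, interval):
                schedule[day].append(name)
    return dict(schedule)

def peak_daily_load(schedule: dict) -> int:
    """Largest number of assets scanned on any single day."""
    return max((len(v) for v in schedule.values()), default=0)

def coverage_gaps(schedule: dict, inventory, days: int) -> list:
    """Assets never scanned, or left longer than their tier's interval between scans."""
    seen = defaultdict(list)
    for day, names in schedule.items():
        for name in names:
            seen[name].append(day)
    gaps = []
    for name, tier in inventory:
        scanned = sorted(seen.get(name, []))
        if not scanned:
            gaps.append(name)
            continue
        # wait before the first scan, every gap between scans, and the tail after the last one
        waits = [scanned[0]] + [b - a for a, b in zip(scanned, scanned[1:])] + [days - scanned[-1]]
        if max(waits) > INTERVAL_DAYS[tier]:
            gaps.append(name)
    return gaps
```

    For the 67 constructed assets over a 60-day window this yields at most 4 scans on any day while every asset still meets its tier's interval, compared with scanning all 67 at once.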

    10. Configure Scans To Meet Compliance Standards

    Where your company adheres to different security compliance standards, there is often a requirement for vulnerability testing, as well as requirements for the secure configuration of your devices.

    Beyond only identifying vulnerabilities, your scanning tools should allow you to conduct authenticated scans of your devices, set configuration standards for your devices to adhere to, and produce a non-compliance issue where your devices do not conform to your requirements.

    Where your devices then need to be reviewed by an external compliance assessor you should have proactively addressed any potential issues which may have impacted your compliance review.

    11. Vulnerability Assignment and Management

    Vulnerability scanning tools will identify vulnerabilities, but this is only the first step.

    • After identification, the issue needs to be reviewed to ensure its accuracy and its potential threat to your business.
    • The vulnerability should then be assigned to the appropriate individual or security team to be addressed, with a timeframe determined for when the issue should be fixed.
    • Once fixed, this information should then be reported and the device rescanned to verify the fix is in place.

    Each of these steps forms part of an effective vulnerability management program and is an important part of using vulnerability scanning tools. Without a process in place to address, review, and verify the results, a reported vulnerability on its own can be useless.

    Some vulnerability scanning tools are designed to be a comprehensive vulnerability management program and include features to track devices and vulnerabilities over time, allow for vulnerability assignment to teams, and aid with the patching process.

    These features can be particularly useful when companies are building a vulnerability management solution from scratch, however where you already have systems in place, choosing a scanning solution that can integrate with existing management systems may be a preferred option.

    12. Document and Track Scan Results Over Time

    It’s important to understand your progress over time when conducting vulnerability scans. Managing the results and producing detailed reports is useful to demonstrate this.

    Being able to track the number of your devices and vulnerabilities over time allows you to understand where your security weaknesses are and where problem areas continue to develop.

    Tracking your vulnerabilities and remediation efforts also allows you to identify areas of your business with faster response times and areas that are slow to respond to security alerts.

    This can help to guide and improve your vulnerability management process over time and focus on areas of your business that are slower to respond.

    These areas of your business may be due to critical infrastructure, concerns over business continuity, or lack of redundancy in systems limiting opportunities for patching windows. Identifying the problem areas can help you to fine-tune your security strategy to improve these issues over time.
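    As an added example (not code from the original post), the tracker below implements the lifecycle from section 11 (review for accuracy, assign with a due date, fix, then rescan to verify) and the per-team response-time measurement from section 12. The SLA windows and state names are assumptions; dates are passed as ISO strings for convenience.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed remediation windows in days per severity; not taken from the article.
SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180}

@dataclass
class Ticket:
    finding_id: str
    asset: str
    severity: str
    found: date
    state: str = "identified"   # identified -> reviewed -> assigned -> fixed -> verified
    team: str = ""
    due: Optional[date] = None
    fixed_on: Optional[date] = None
    verified_on: Optional[date] = None

class VulnTracker:
    def __init__(self) -> None:
        self.tickets: Dict[str, Ticket] = {}
    def identify(self, fid: str, asset: str, severity: str, found: str) -> None:
        self.tickets[fid] = Ticket(fid, asset, severity, date.fromisoformat(found))
    def review(self, fid: str, accurate: bool) -> None:
        # Check accuracy first; a false positive is closed without being assigned.
        self.tickets[fid].state = "reviewed" if accurate else "false_positive"
    def assign(self, fid: str, team: str) -> str:
        t = self.tickets[fid]
        t.team, t.state = team, "assigned"
        t.due = t.found + timedelta(days=SLA_DAYS[t.severity])
        return t.due.isoformat()
    def mark_fixed(self, fid: str, on: str) -> None:
        t = self.tickets[fid]
        t.fixed_on, t.state = date.fromisoformat(on), "fixed"
    def rescan(self, fid: str, still_present: bool, on: str) -> str:
        # A fix only counts once a rescan no longer reports the issue.
        t = self.tickets[fid]
        if still_present:
            t.fixed_on, t.state = None, "assigned"
        else:
            t.verified_on, t.state = date.fromisoformat(on), "verified"
        return t.state
    def overdue(self, as_of: str) -> List[str]:
        today = date.fromisoformat(as_of)
        return sorted(f for f, t in self.tickets.items() if t.due and t.due < today
                      and t.state not in ("verified", "false_positive"))
    def mean_days_to_verify(self, team: str) -> Optional[float]:
        # Found-to-verified time per team shows which areas respond slowly.
        done = [(t.verified_on - t.found).days for t in self.tickets.values()
                if t.team == team and t.state == "verified"]
        return sum(done) / len(done) if done else None
```

    A ticket only leaves the overdue list when a rescan confirms the fix, so a team that marks issues fixed without them actually disappearing from the scanner still shows up in the metrics.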

    13. Security Training and Awareness

    Even where your vulnerability scanning tools are configured as intended, this can become meaningless where your teams are not aware of their role in the vulnerability management process, are unfamiliar with the security tools themselves, are not prepared for running vulnerability scans, or are not informed when responding to vulnerability alerts.

    Having a standard training and education process for your teams, for when they start their roles can ensure everyone has a good baseline security knowledge.

    Conducting regular refresher courses where necessary or where you implement changes to your processes can also help ensure your teams are kept informed and updated on their roles and responsibilities.

    Simulated incident response exercises can also help to ensure your teams have familiarity and real-world practice for responding to various security incidents and threats when they do occur.

    14. Recognize the Limitations of Your Vulnerability Scanners

    While a combination of vulnerability scanning tools can provide coverage for all of your organization’s assets, it is important to understand where their limitations are to avoid a false sense of security.

    Vulnerability scans can still be prone to false positives, where vulnerabilities are incorrectly reported. Worse than this, there can also be false negatives, where a vulnerability exists but goes unreported by your security scanner.

    Conducting regular vulnerability scans may account for some of these false responses; however, there are also types of vulnerabilities that vulnerability scanners are often not able to identify.

    Web Application vulnerability scanners commonly struggle to identify categories of vulnerabilities known as Insecure Direct Object Reference (IDOR) and other types of vulnerability scanning tools have their own limitations and blind spots.

    To account for this, vulnerability scanning tools can be backed up with less frequent penetration testing services to ensure a manual review of your systems is conducted and that vulnerabilities are not being missed from your reports.

    Conclusion

    Vulnerability scanning is an ongoing process and an integral part of maintaining your organization’s security. With a range of tools available, some of which are free to use, there is a wide range of options for businesses of all sizes and budgets to begin implementing a vulnerability management solution.

    While not every business may have the budget for every tool and every security solution, it makes it more important to implement vulnerability scanning best practices where you can and to maintain your knowledge and awareness of potential risks and security threats that your organization may face.

    Where you have any further questions regarding different cybersecurity solutions, our consultants are available to address any concerns you may have.