Which Types of Vulnerability Scanners Can Help Protect Your Company?

A guide to the types of vulnerability scans

As security breaches (such as these HIPAA security breaches) become more common and costly, it is important to understand ways to prevent breaches. Recently, we came across a scenario where a company was not using a vulnerability scanner to scan their development environment for secret credentials, thus making the secret credentials not so secret. The intruder was able to take the secret credentials and ultimately breach the production environment. In this instance, a vulnerability scanner that searches for these types of vulnerabilities in the development environment would have prevented this scenario and attack.
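
The check described above, a scan of a development checkout for secret credentials, can be illustrated with a small example. The code below is an added example written for this article, not the scanner from the incident or any vendor's product; its detection rules are constructed approximations of common credential formats, and the sample files it scans are constructed inline so it runs offline.

```python
"""Added example (not from the original article): a minimal scanner for secret
credentials in a development checkout, the kind of check that would have flagged
the exposed credentials in the incident described above.

The detection rules are constructed approximations of common credential
formats, and the sample files are constructed inline so the script runs offline.
"""
import math
import re
import tempfile
from collections import Counter
from pathlib import Path
from typing import Iterator, NamedTuple

# Constructed rules: (rule name, compiled regex). The generic rule captures the
# assigned value so it can be checked for randomness below.
RULES = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("generic_assignment", re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]?([A-Za-z0-9/+_\-=]{8,})")),
]

SKIP_DIRS = {".git", "node_modules", "__pycache__"}      # VCS internals, vendored code
SKIP_SUFFIXES = {".png", ".jpg", ".zip", ".pyc"}          # binaries are not worth regexing


class Finding(NamedTuple):
    path: str
    line_no: int
    rule: str
    snippet: str


def shannon_entropy(s: str) -> float:
    """Bits per character; random key material scores higher than a dictionary word."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(path: str, text: str, min_entropy: float = 3.0) -> Iterator[Finding]:
    """Apply every rule to every line; low-entropy generic matches are placeholders."""
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, rx in RULES:
            m = rx.search(line)
            if m is None:
                continue
            if name == "generic_assignment" and shannon_entropy(m.group(1)) < min_entropy:
                continue  # e.g. password=changeme: a placeholder, not a real credential
            yield Finding(path, line_no, name, line.strip()[:80])


def scan_tree(root: Path) -> list[Finding]:
    findings: list[Finding] = []
    for p in root.rglob("*"):
        rel = p.relative_to(root)
        if not p.is_file() or p.suffix in SKIP_SUFFIXES:
            continue
        if any(part in SKIP_DIRS for part in rel.parts):
            continue
        try:
            text = p.read_text(errors="ignore")
        except OSError:
            continue
        findings.extend(scan_text(rel.as_posix(), text))
    return findings


# Constructed sample tree: two real-looking secrets, a private key, one placeholder,
# and one file inside .git that the directory filter must skip.
SAMPLE_FILES = {
    "config/settings.py": 'DB_HOST = "db.internal"\nDB_PASSWORD = "xK9v2Lq8mN4pR7sT1wY3"\n',
    "deploy/creds.env": "AWS_ACCESS_KEY_ID=AKIAEXAMPLEKEY123456\n",
    "deploy/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\n(constructed, body omitted)\n",
    "docs/README.md": "Set password=changeme before first run.\n",
    ".git/config": "token = ABCDEFGHIJKLMNOP\n",
}


def demo_scan() -> list[Finding]:
    """Write the constructed tree to a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, content in SAMPLE_FILES.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(content)
        return scan_tree(root)


if __name__ == "__main__":
    for f in demo_scan():
        print(f"{f.path}:{f.line_no} [{f.rule}] {f.snippet}")
```

Running it on the constructed tree reports the database password, the AWS-style key id and the private key, while the `changeme` placeholder is dropped by the entropy check and the file under `.git` is never read. In practice the same scan belongs in a pre-commit hook or CI job so a credential is caught before it reaches a shared repository.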

Whether you are a developer or a manager making purchasing decisions, it is important to understand the types of vulnerability scanners and how to decide which ones are best for your company. In this article, we will cover the types of vulnerability scanners (including the most common) and how to select the right scanner(s) for your company. You do not want to be in the position of the company discussed above.

Vulnerabilities & Prevention

A vulnerability is any weakness in your security program, system design and implementation, and/or internal controls that could lead to a breach or exploitation of your company’s security policy. A security breach from a vulnerability can happen internally or externally.

One way to find vulnerabilities in your security program before an attacker does is to use a vulnerability scanner. A vulnerability scanner is an automated tool that scans information technology assets (including but not limited to servers, workstations, firewalls, and databases) to identify weaknesses or vulnerabilities. These tools can provide details about each vulnerability, the risk it poses, and how to mitigate it. Before purchasing a scanner, it is important to understand the different types and what each is used to scan for.

Types of Vulnerability Scans – A Closer Look

There are several types of vulnerability scans that a company can implement. There is not just one solution that can help protect your company, and detect and mitigate vulnerabilities. Below are the most common types of vulnerability scanners:

  • Network-Based Scanners – These automated tools scan systems on a wired or wireless network to identify possible weaknesses or vulnerabilities. A network-based scanner takes the perspective of an outside intruder and identifies weaknesses in the assets reachable on the network. Examples of vulnerabilities identified by these scanners are weak passwords, insecure system configurations, and unauthorized remote access servers.
  • Host-Based Scanners – These scanners are similar to network-based scanners but provide a different perspective: they take the view of an insider who already has a local account on the host. They help detect risks from an internal user's vantage point and can show how much damage an attacker could do once that level of access is obtained.
  • Wireless Scanners – These scanners detect unknown access points and determine whether the company’s wireless network is secure.
  • Database Scanners – These tools scan a company’s databases for weaknesses in their security configuration that would allow an attacker to access the company’s data, such as deficient security settings or a lack of encryption. Database intrusions can be the most detrimental to a company’s reputation, as an attacker may gain access to client data, raising confidentiality concerns.
  • Application Scanners – These are the most commonly used type. They scan your applications for security weaknesses. Applications change and are updated regularly, which introduces new vulnerabilities. Application scanners examine websites or mobile applications to detect software vulnerabilities or misconfigured settings in the application. Read here to learn more about potential mobile security threats.

How to Select a Vulnerability Scanner

Now that we have covered the types of scanners, it is important to understand the characteristics to look for in a quality vulnerability scanner. Your tool should be able to perform three main functions.

  1. Discover/detect
  2. Assess
  3. Prioritize

The following characteristics will assist in determining which scanner is right for your company.

Asset Identification

It is crucial that your scanner identifies your vulnerable assets and their weak points. Your tool should have the ability to automatically identify your IT assets. This will also help you understand if there are other types of scanners (discussed above) that will need to be implemented depending on the assets identified.

Scanning Abilities

There are two kinds of scan that can take place: an authenticated scan and a non-authenticated scan. An authenticated scan is executed with the credentials of a legitimate user who has access to the system. A non-authenticated scan relies only on information and queries available from outside the system to detect vulnerabilities. Each kind detects different vulnerabilities, so you will want to understand which scan capabilities the scanner has.

Dashboard Reporting

It is important that your scanner has a dashboard that makes it easy to identify vulnerabilities and provides reporting on those vulnerabilities that are relevant to your company. This leads to the next point: the assessment and management of the vulnerabilities.

Vulnerability Assessment & Management Tool

Once vulnerabilities have been identified by a scan, you will need to assess and manage them. A vulnerability scan of any type can return many weaknesses that you will need to address and possibly track going forward. In selecting your tool, the provider should offer a mechanism to assess each finding’s risk, assign it a risk rating, and manage that risk going forward.
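
The assess-and-manage step above (and, further down, the handling of false positives) can be shown as a small triage routine. The following is an added example written for this article, not any scanner's own export format or scoring; the finding records, asset inventory, exception register and scoring weights are all constructed for illustration.

```python
"""Added example (not from the original article or any scanner vendor): turning
raw scan output into a prioritized, de-duplicated work list with an exception
register for confirmed false positives and time-boxed risk acceptances.

The finding records, asset inventory, exception entries and scoring weights are
all constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date

# Constructed raw findings as a scanner might export them. The first two rows
# are the same weakness reported by two consecutive scans.
RAW_FINDINGS = [
    {"asset": "web-01", "plugin": "tls-weak-cipher", "cvss": 5.3, "scan": "2024-05-01"},
    {"asset": "web-01", "plugin": "tls-weak-cipher", "cvss": 5.3, "scan": "2024-05-08"},
    {"asset": "db-01", "plugin": "db-default-credentials", "cvss": 9.8, "scan": "2024-05-08"},
    {"asset": "dev-jump", "plugin": "ssh-weak-kex", "cvss": 5.9, "scan": "2024-05-08"},
    {"asset": "web-01", "plugin": "http-trace-enabled", "cvss": 4.3, "scan": "2024-05-08"},
]

# Constructed asset inventory: business criticality 1-5 and network exposure.
ASSETS = {
    "web-01": {"criticality": 4, "internet_facing": True},
    "db-01": {"criticality": 5, "internet_facing": False},
    "dev-jump": {"criticality": 2, "internet_facing": True},
}

# Constructed exception register: one confirmed false positive and one risk
# acceptance whose expiry date has already passed.
EXCEPTIONS = {
    ("web-01", "http-trace-enabled"): {"reason": "false positive: TRACE blocked upstream", "expires": date(2030, 1, 1)},
    ("dev-jump", "ssh-weak-kex"): {"reason": "accepted until host rebuild", "expires": date(2024, 1, 31)},
}

TODAY = date(2024, 5, 9)   # fixed clock so the example is reproducible


@dataclass
class Triaged:
    asset: str
    plugin: str
    cvss: float
    risk: float
    status: str          # "open" or "suppressed"
    note: str = ""


def risk_score(cvss: float, criticality: int, internet_facing: bool) -> float:
    """Weight raw severity by how much the asset matters and how reachable it is."""
    exposure = 1.0 if internet_facing else 0.6
    return round(cvss * (criticality / 5) * exposure, 2)


def triage(findings, assets, exceptions, today):
    seen = set()
    rows = []
    for f in findings:
        key = (f["asset"], f["plugin"])
        if key in seen:
            continue                      # already recorded from an earlier scan
        seen.add(key)
        # Assets missing from the inventory are treated conservatively.
        a = assets.get(key[0], {"criticality": 3, "internet_facing": True})
        score = risk_score(f["cvss"], a["criticality"], a["internet_facing"])
        exc = exceptions.get(key)
        if exc is not None and exc["expires"] >= today:
            rows.append(Triaged(*key, f["cvss"], score, "suppressed", exc["reason"]))
        else:
            note = "exception expired, re-opened" if exc is not None else ""
            rows.append(Triaged(*key, f["cvss"], score, "open", note))
    # Open items first, highest risk at the top; suppressed items trail for review.
    rows.sort(key=lambda r: (r.status != "open", -r.risk))
    return rows


def triage_sample():
    return triage(RAW_FINDINGS, ASSETS, EXCEPTIONS, TODAY)


if __name__ == "__main__":
    for r in triage_sample():
        print(f"{r.status:<10} risk={r.risk:<5} {r.asset:<9} {r.plugin} {r.note}")
```

Two design points matter more than the particular weights: the default-credential finding on the internal database still ranks first because asset criticality outweighs its lower exposure, and exceptions carry an expiry date so an accepted risk resurfaces automatically instead of being forgotten. Whatever tool you buy, look for the equivalent of both.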

Challenges of Using a Vulnerability Scanner

The biggest challenge of using a vulnerability scanner is the sheer number of possible false positives and, potentially, false negatives. Working through them is time-consuming and takes staff that a company may not have. They can also trigger alerts and create a panic that may compromise your security program. When selecting a tool, it is important that it runs the most up-to-date software and fits your security program as closely as possible.

Another challenge with automated scanners is how they affect your systems and networks. Continuous scanning can slow down your systems, which could lead to disruptions or crashes. To prevent this, scans should be scheduled during low-traffic periods, and the number of scans running at any one time should be limited.
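
The two controls just mentioned, a low-traffic window and a cap on concurrent scans, can be enforced by a small admission gate in front of whatever launches the scans. The code below is an added example written for this article, not a scheduler built into any scanner; the window hours, job names and simulated clock are constructed.

```python
"""Added example (not from the original article): gating scan jobs behind a
low-traffic window and a cap on concurrent scans. The window hours, job names
and simulated clock are constructed for illustration.
"""
import threading
from dataclasses import dataclass
from datetime import datetime, time


@dataclass
class ScanPolicy:
    window_start: time = time(1, 0)   # low-traffic window 01:00-05:00 local time
    window_end: time = time(5, 0)
    max_concurrent: int = 2

    def in_window(self, now: datetime) -> bool:
        t = now.time()
        if self.window_start <= self.window_end:
            return self.window_start <= t < self.window_end
        # Window that crosses midnight, e.g. 22:00-04:00.
        return t >= self.window_start or t < self.window_end


class ScanScheduler:
    """Admits a scan only inside the window and only while a slot is free."""

    def __init__(self, policy: ScanPolicy):
        self.policy = policy
        self._slots = threading.BoundedSemaphore(policy.max_concurrent)
        self.started: list[str] = []
        self.deferred: list[tuple[str, str]] = []   # (job, reason) for the audit trail

    def try_start(self, job: str, now: datetime) -> bool:
        if not self.policy.in_window(now):
            self.deferred.append((job, "outside window"))
            return False
        if not self._slots.acquire(blocking=False):
            self.deferred.append((job, "concurrency cap"))
            return False
        self.started.append(job)
        return True

    def finish(self, job: str) -> None:
        self._slots.release()   # BoundedSemaphore raises if released more than acquired


def simulate() -> dict:
    """Constructed run: three scans requested at 02:00, a fourth during business hours."""
    s = ScanScheduler(ScanPolicy())
    night = datetime(2024, 5, 9, 2, 0)
    out = {
        "net-scan": s.try_start("net-scan", night),
        "db-scan": s.try_start("db-scan", night),
        "web-scan": s.try_start("web-scan", night),        # third slot: refused
    }
    s.finish("net-scan")
    out["web-scan-retry"] = s.try_start("web-scan", night)   # slot freed: admitted
    out["host-scan"] = s.try_start("host-scan", datetime(2024, 5, 9, 10, 0))  # 10:00: refused
    out["deferred"] = list(s.deferred)
    return out


def midnight_window_check() -> tuple[bool, bool]:
    """Edge case: a 22:00-04:00 window must accept 23:30 and reject noon."""
    late = ScanPolicy(time(22, 0), time(4, 0))
    return (late.in_window(datetime(2024, 5, 9, 23, 30)),
            late.in_window(datetime(2024, 5, 9, 12, 0)))


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k}: {v}")
```

Deferred jobs are recorded with a reason rather than silently dropped, so the person reviewing coverage can tell whether a host went unscanned because of the window or because the cap was reached. Windows that cross midnight are the usual place such gates go wrong, which is why the check handles them explicitly.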

Summary

The success of your company heavily relies on your ability to continue operations. Vulnerability scanners can aid in your company’s endeavors to maintain its credibility and reputation by identifying vulnerabilities and decreasing your risk of breaches.

It is important that you understand the types of vulnerability scanners and what they monitor and detect. It is also important that you understand which types will work for your company. A vulnerability scanner is not one-size-fits-all, and certain types or brands may be better for you than others. More often than not, you may need more than one type of scanner. Understanding what the scanner has to offer is important when selecting a tool. While vulnerability scanning may come with challenges, the pros outweigh the cons.

If you are looking for additional guidance regarding vulnerability scanning, or need assistance for an upcoming audit, please reach out to our team at Linford & Company.