In light of prevalent and ongoing public data breaches, understanding where an organization’s vulnerabilities are is of great importance for prevention and security. Conducting vulnerability scans is a key component in helping prevent successful external adversary attacks. In this article, I will discuss briefly what vulnerability scans are, the common types, and how they help support the achievement of SOC 2 compliance. I will close with a quick overview of the difference between a vulnerability scan and a penetration test.
What is Vulnerability Scanning & How is it Used to Improve Security?
What is a vulnerability? Simply put, a vulnerability is a system flaw that can be exploited. How do you determine the vulnerability risk of a system? A vulnerability scanner is a great way. A vulnerability scanner is a tool that scans networks, servers, individual hosts, applications, and similar assets to check them for known vulnerabilities.
The results of a vulnerability scan should then be assessed and prioritized for remediation by the appropriate personnel within an organization. Generally speaking, each result is rated on a scale of low, medium, or high severity. In addition to vulnerability scanning, a vulnerability management program is an important process for an organization to have in place. A vulnerability management program is generally a continuous, defined process to identify, evaluate, and either remediate or formally accept risks and vulnerabilities.
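As an added illustration (not part of the original article), the following Python sketch shows how scan findings might be triaged under such a program: scores are mapped onto the low/medium/high scale, a remediation deadline is applied per band, and accepted risks are separated from items that have gone past their deadline. The score thresholds, deadline values, and sample findings are all constructed assumptions, not values from the article or any standard.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Remediation deadlines (days) per severity band. Constructed policy values
# for this example; a real program sets its own.
SLA_DAYS = {"high": 30, "medium": 90, "low": 180}


def severity(cvss: float) -> str:
    """Map a CVSS-style base score onto a low/medium/high scale (assumed cut-offs)."""
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


@dataclass
class Finding:
    finding_id: str          # scanner's own identifier (constructed below)
    host: str
    title: str
    cvss: float
    first_seen: date
    accepted: bool = False   # risk formally accepted instead of remediated


def triage(findings, today):
    """Return (open, accepted, overdue) lists, worst score first, then oldest."""
    open_items, accepted, overdue = [], [], []
    for f in findings:
        if f.accepted:
            accepted.append(f)
            continue
        deadline = f.first_seen + timedelta(days=SLA_DAYS[severity(f.cvss)])
        (overdue if today > deadline else open_items).append(f)
    key = lambda f: (-f.cvss, f.first_seen)
    return sorted(open_items, key=key), accepted, sorted(overdue, key=key)


# Constructed sample scan output for demonstration only.
SAMPLE = [
    Finding("F-001", "web01", "Outdated TLS configuration", 7.5, date(2024, 1, 2)),
    Finding("F-002", "web01", "Verbose server banner", 2.0, date(2024, 1, 2)),
    Finding("F-003", "db01", "Unsupported database version", 9.8, date(2024, 3, 1)),
    Finding("F-004", "ws17", "Missing OS patch", 5.5, date(2024, 3, 10), accepted=True),
]


def sample_report(today=date(2024, 3, 15)):
    """Triage the constructed sample and return finding ids per bucket."""
    open_items, accepted, overdue = triage(SAMPLE, today)
    return {name: [f.finding_id for f in group]
            for name, group in (("open", open_items), ("accepted", accepted), ("overdue", overdue))}


if __name__ == "__main__":
    for bucket, ids in sample_report().items():
        print(f"{bucket}: {ids}")
```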
What Are the Types of Vulnerability Scans?
Types of scans as alluded to above include the following:
- Network Scans
- Host-Based Scans
- Wireless Scans
- Application Scans, etc.
Therefore, vulnerability scans can be extensive, covering an entire network, or limited in scope, such as to individual hosts like workstations or servers. Additionally, vulnerability scans can also be run against wireless networks and individual applications.
How Do You Perform A Vulnerability Scan? Types of Vulnerability Scanning Tools
There are many organizations that provide vulnerability scanning services. There are also free tools that an organization can use internally. See the links below for popular types of vulnerability scans. Note: these scans should be evaluated to determine which scan, or combination of scans, is most appropriate for a given organization.
How Vulnerability Scanning Supports SOC 2 Compliance
SOC 2 is governed by the AICPA. Notably, the AICPA does not list prescriptive controls that an organization must have in place to meet SOC 2 compliance. Instead, it outlines a set of requirements (criteria), and various types of controls can be used to meet them.
I have listed three of the criteria below, taken directly from the AICPA SOC 2 requirements. Periodic vulnerability scanning of an organization’s network, web applications, and other assets is highly recommended: it not only provides critical insight for any organization, it also directly helps satisfy the following criteria in support of overall SOC 2 compliance:
- CC7.1 – To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities.
- CC4.1 – COSO Principle 16: The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
- CC4.2 – COSO Principle 17: The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
What is the Main Difference Between Vulnerability Scanning & Penetration Testing?
Since many may think a vulnerability scan and a penetration test are the same type of assessment, I would like to point out some of the differences. Though both assessments are similar in that they are used to identify vulnerabilities, they work differently. As described above, a vulnerability scan is used to scan for known vulnerabilities. With a penetration test, however, there is typically an individual (an ethical hacker) involved whose deliberate intent is to identify and exploit weaknesses in a network, application, etc., and to circumvent the controls in place in order to gain unauthorized access.
If the tester is able to gain unauthorized access, the organization learns where its weaknesses lie and what fixes are needed so that the identified vulnerabilities can be remediated. This type of test provides critical insight into the risk an organization faces. The types of penetration testing include the following:
- Web application
- Social Engineering
- Mobile Device
- Physical Penetration Testing, etc.
Ultimately, a penetration test helps an organization gain an understanding of its preparedness for a real attack. Penetration tests should be conducted periodically; generally speaking, annually is considered the minimum best practice.
Understanding where an organization’s technical vulnerabilities are is critical to the success of an organization. If vulnerabilities are not identified and patched in a timely manner, the risk of a vulnerability being exploited increases. This could result in a breach and ultimately impact an organization’s services, finances, and reputation.
One of the standard ways to identify vulnerabilities across your network, web applications, and/or workstations is to conduct vulnerability scans periodically. Vulnerability scans can be conducted by an impartial third party, or internally by knowledgeable staff using some of the tools linked in this article above. A penetration test is also a valuable tool to provide deep insight into how an organization can prevent a future attack.
Please reach out if you would like to learn more about SOC 2 compliance requirements. Additionally, if you would like to learn more about any of our other audit services please don’t hesitate to contact us.
Olivia Refile (CISSP, CISA, CRISC, GSEC, ISO Lead Auditor) specializes in SOC examinations for Linford & Co., LLP. She completed her Bachelor of Business Administration, with a concentration in Management Information Systems, at Temple University’s Fox School of Business in 2010. Olivia started her career in IT Risk Management in 2010, specializing in internal and external audits as well as IT security risk assessments. Following her time in risk management, Olivia moved solely into external IT audit and is currently dedicated to performing SOC 1 and SOC 2 examinations.