Security Scanning 101
By: Laura Taylor
September 23, 2002
Network and system security scanning is the most practical way to find out what vulnerabilities and threats exist on your systems and networks. All reputable providers of this service and the associated products deliver a comprehensive report that describes the vulnerabilities detected, the level of risk associated with each vulnerability, and recommendations for corrective action. Examining security vulnerabilities is the first step in reducing site, system, and server liabilities. Here are a few things to know to help you understand what's involved.
Justification and Practical Matters
Consulting companies that provide network and system scanning services typically refer to them as a Security Vulnerability Assessment. Alternatively, some companies refer to this service as a Security Audit or an On-line Penetration Test.
The person responsible for keeping the systems and networks of an information technology infrastructure secure varies with the size of the company. The security of the corporate intranet might be the responsibility of the Chief Security Officer, the Chief Information Officer, the Director of Information Technology, or a Network Manager. Regardless of the title of the person held responsible, the risk mitigation process is the same.
Though most organizations recognize the need to keep their infrastructure secure, the person being held accountable for security often still needs to justify the cost of a full-blown security vulnerability assessment, particularly if the company has not had any security problems previously. The main purpose of a security vulnerability assessment is to provide your business with a useful report on the current security posture of your systems and networks, which you then use as a guide to systematically correct the weaknesses that expose your information technology infrastructure. If you're not going to use the report to take mitigating action, there's little reason to go through the time-consuming and expensive process of generating it.
The various reasons for performing a security vulnerability assessment include the following:
Citing these reasons is often a good way to get your organization to allocate the funds necessary to include a security vulnerability assessment into the IT budget.
Understanding the Process
If you may need to report your findings to an outside entity (for example, in litigation, to satisfy customer contractual requirements, in an annual report, or in a security or accounting investigation), a report generated by an outside consultancy may be considered a more trustworthy form of information. Just as an outside accounting audit is considered more objective, some information technology experts consider an outside security report to be more objective as well. Your management team needs to decide which route is best for a security vulnerability assessment: outsource it or do it in-house.
Should your company decide to outsource the service to a consulting company, the consulting company should be able to provide you with a detailed Service Level Description (SLD) that explains its process for conducting the scan. The more detail the SLD contains, the more likely it is that the consulting company understands how to conduct this service effectively. An SLD for this type of service is typically a minimum of ten pages long, and in many cases two or three times that. The SLD should give detailed information on what tools the consulting firm uses to conduct the scan, how and when the scan is done, what vulnerabilities and threats are scanned for, and whether the vulnerabilities and threats are listed by risk level in the report. The consulting company should also be able to provide you with a sample report. Consulting companies that provide this service typically have a scanning tool, or set of tools, already selected as a result of their own due diligence in researching best-practice scanning tools.
If your business chooses to perform the scan in-house, you will need to shop around and select a scanning tool that offers leading-edge vulnerability scanning capabilities. You'll want to find out whether you have to install and configure the scanner yourself or whether the product is based on an application service provider (ASP) model. Typically the ASP scanners are easier to use, and when new vulnerabilities are added to their database, the updates are done on the back end and are invisible to the end user. The following table shows some of the leading security scanning products.
Table 1. Leading Network Security Scanner Vendors
Whether you perform the vulnerability assessment in-house or outsource it, a good scanner will generate an automated report that lists the risks in order of severity. For each vulnerability or threat listed, a description of the exploit should be given along with recommended corrective action. Last but not least, all reputable scanning products generate a network map. Make sure that the active connections that show up on the network map correlate with the network map your network engineers understand. If extra connections show up in the scan-generated map that were not previously known to your network engineers, it is worth investigating these questionable connectivity links in case they were set up by hackers.
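The two checks the paragraph describes, ordering findings by severity and comparing the scanner's view of the network with the engineers' own inventory, can be scripted against an exported report. The example below is added here and is not code from the article or from any scanner vendor; the report rows and the known-host list are constructed sample data, and the field names are assumptions rather than any product's real export format.

```python
"""Triage a vulnerability scan report against the known network inventory."""

# Constructed sample of what a scanner might export: one row per finding.
# The field names are assumed, not any vendor's real format.
SCAN_REPORT = [
    {"host": "10.0.1.10", "risk": "High", "finding": "Outdated SSH server", "fix": "Upgrade sshd"},
    {"host": "10.0.1.10", "risk": "Low", "finding": "Service banner discloses version", "fix": "Suppress banner"},
    {"host": "10.0.1.25", "risk": "Medium", "finding": "Anonymous FTP enabled", "fix": "Disable anonymous login"},
    {"host": "10.0.9.77", "risk": "High", "finding": "Open HTTP proxy", "fix": "Restrict proxy to internal users"},
]

# Constructed: the hosts the network engineers' own map says should exist.
KNOWN_HOSTS = {"10.0.1.10", "10.0.1.25", "10.0.1.30"}

# Severity ranking; unknown risk labels sort last so they are never silently dropped.
RISK_ORDER = {"High": 0, "Medium": 1, "Low": 2}


def order_by_severity(report):
    """Return findings highest risk first, then by host, as a good report should be read."""
    return sorted(report, key=lambda f: (RISK_ORDER.get(f["risk"], len(RISK_ORDER)), f["host"]))


def unknown_hosts(report, known):
    """Hosts present in the scanner's network map but absent from the engineers' map."""
    return sorted({f["host"] for f in report} - set(known))


def count_by_risk(report):
    """How many findings fall in each risk level, for the summary page of the report."""
    counts = {}
    for f in report:
        counts[f["risk"]] = counts.get(f["risk"], 0) + 1
    return counts


def triage(report, known):
    """Bundle the ordered action list, the severity counts and the hosts needing investigation."""
    return {
        "ordered": [(f["host"], f["risk"], f["finding"], f["fix"]) for f in order_by_severity(report)],
        "counts": count_by_risk(report),
        "unknown_hosts": unknown_hosts(report, known),
    }


if __name__ == "__main__":
    result = triage(SCAN_REPORT, KNOWN_HOSTS)
    for host, risk, finding, fix in result["ordered"]:
        print(f"{risk:6} {host:12} {finding} -> {fix}")
    print("Investigate hosts not on the engineers' map:", result["unknown_hosts"])
```

Any host listed under unknown_hosts is the "extra connection" the paragraph says to investigate before trusting the rest of the report.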
The Security Scanning Market
Some intrusion detection/prevention vendors are starting to merge scanning databases with their intrusion detection/prevention systems. Many intrusion detection/prevention vendors are partnering with scanning companies to share vulnerability signatures and offer a packaged hybrid service of scanning and intrusion detection/prevention.
Vendors who engineer their scanning products to use the ASP model will offer the greatest ease of use to their customers. ASP scanning products can be used immediately after licensing them, while traditional scanning products need to be custom installed and configured on a network connection that is external to the customer's network. If an external network address is not currently available and one needs to be procured from a managed service provider, setting up the scanner could take several days. Today's leading-edge scanners are based on the ASP model. Vendors who offer traditional scanners are likely to migrate their product to an ASP model or will likely lose market share in the years to come.
Once a security vulnerability assessment has been performed, it is important to take corrective action expeditiously. If an IT organization lets a significant amount of time pass between when the assessment occurs and when the corrective action is taken, many of the network connections might have changed, and the report on which the corrective action is based may no longer be accurate.
It should be noted that a security vulnerability assessment does not replace an off-line, in-person, human audit. In an off-line audit, security policies and procedures are reviewed to see whether they contain best-practice and effective recommendations. Off-line security audits are also conducted to see whether security processes, procedures, and policies exist, and whether they are used and followed. Locking down your network is of critical importance, and the off-line process and procedure audit ensures that once your network and systems are locked down, they stay locked down in a secure fashion. Conducting an off-line audit requires a lot more expertise on the part of the consulting company than conducting an on-line scan. Nonetheless, IT organizations can expect to pay anywhere from $30,000 to $200,000 for an online scan, depending usually on how many IP addresses are to be scanned.
All publicly traded companies, financial institutions, businesses involved in national security, and hospitals should conduct security vulnerability assessments regularly.