
Security Scanning 101
By: Laura Taylor
September 23, 2002

Network and system security scanning is the most practical way to find out what vulnerabilities and threats exist on your systems and networks. All reputable providers of this service and its associated products deliver a comprehensive report that describes the vulnerabilities detected, the level of risk associated with each one, and recommendations for corrective action. Examining security vulnerabilities is the first step toward reducing site, system, and server liabilities. Here are a few things to know to help you understand what's involved.

Justification and Practical Matters
Keeping your intranet secure from cybercriminals should be high on your list of priorities. No business or organization wants to lose data, or have the crown jewels of its corporate infrastructure destroyed by intruders. If your business is a publicly traded company, it is particularly important to mitigate security risks in order to avoid liabilities with the Securities and Exchange Commission (SEC), since the SEC requires all publicly traded companies to disclose material risks to shareholders.

Consulting companies that provide network and system scanning services typically refer to the service as a Security Vulnerability Assessment. Some companies instead call it a Security Audit or an On-line Penetration Test. Whatever the name, the core of the service is the same: an automated scan of your addresses, followed by a report.

Who is responsible for keeping the systems and networks of an information technology infrastructure secure varies with the size of the company. Security of the corporate intranet might fall to the Chief Security Officer, the Chief Information Officer, the Director of Information Technology, or a Network Manager. Regardless of the title of the person held responsible, the process for this kind of risk mitigation is the same.

Though most organizations recognize the need to keep their infrastructure secure, the person held accountable for security often still has to justify the cost of a full-blown security vulnerability assessment, particularly if the company has not had any security problems before. The main purpose of a security vulnerability assessment is to give your business a useful report on the current security posture of your systems and networks, which you then use as a guide to systematically correct the weaknesses that expose your information technology infrastructure. If you are not going to use the report to take mitigating action, there is little reason to go through the time-consuming and expensive process of generating it.

The various reasons for performing a security vulnerability assessment include the following:

  • Generate a report with risks rated by severity, along with supporting recommendations
  • Enable corrective action
  • Avoid litigation
  • Reduce the risk of Denial of Service attacks
  • Reduce site outages and performance problems
  • Create secure and seamless information access
  • Build customer loyalty
  • Gain a competitive advantage
  • Protect your revenue stream
  • Reduce risk during mergers and acquisitions
  • Test your Intrusion Detection System
  • Qualify for Information Protection Insurance
  • Understand what products you may need to buy for future infrastructure needs

Citing these reasons is often a good way to get your organization to allocate the funds necessary to include a security vulnerability assessment into the IT budget.

Understanding the Process
Some companies choose to audit their own network, and as long as they have the resources to do so, this approach can work out well. The advantage of performing the security vulnerability assessment yourself is that you can re-scan your systems and networks whenever you need to, for example when new systems are installed or when network configurations change. The disadvantage of performing the assessment in-house is that your customers or shareholders may say the audit was not done objectively. Also, in-house personnel may not have the skills and experience of a security scanning service provider.

If you may need to report your findings to an outside entity, for example in litigation, for a customer contractual requirement, in an annual report, or in a security or accounting investigation, a report generated by an outside consultancy may be considered a more trustworthy form of information. Just as an outside accounting audit is considered more objective, some information technology experts consider an outside security report to be more objective as well. Your management team needs to decide which route is best for a security vulnerability assessment, whether to outsource it or do it in-house.

Should your company decide to outsource the service to a consulting company, the consulting company should be able to provide you with a detailed Service Level Description (SLD) that explains its process for conducting the scan. The more detail the SLD contains, the more likely it is that the consulting company understands how to conduct this service effectively. An SLD for this type of service is typically a minimum of ten pages long, and in many cases two or three times that. The SLD should state what tools the consulting firm uses to conduct the scan, how and when the scan is done, what vulnerabilities and threats are scanned for, and whether the vulnerabilities and threats are listed by risk level in the report. The consulting company should also be able to provide you with a sample report. Consulting companies that provide this service typically have a scanning tool, or set of tools, already selected as a result of their own due diligence in researching best-practice scanning tools.

If your business chooses to perform the scan in-house, you will need to shop around and select a scanning tool that offers leading-edge vulnerability scanning capabilities. Find out whether you have to install and configure the scanner yourself or whether the product is based on an application service provider (ASP) model. ASP scanners are typically easier to use, and when new vulnerabilities are added to their database the updates happen on the back-end and are invisible to the end-user. Keep in mind, though, that an ASP scanner examines your network from the outside and only sees what is reachable from the Internet; an installed scanner can also be run from inside the network, where it will find far more exposed services. The following table shows some of the leading security scanning products.

Leading Security Scanning Products

  Vendor       Product Name        Vendor Web Site
  Cisco        Secure Scanner
  Foundstone   FoundScan MVS
  ISS          Internet Scanner
  nCircle      IP360
  Nessus       Nessus
  Nmap         Nmap
  Qualys       QualysGuard

Table 1. Leading Network Security Scanner Vendors (the web site column was not preserved in this copy of the article)

Whether you perform the vulnerability assessment in-house or outsource it, a good scanner will generate an automated report that lists the risks in order of severity. For each vulnerability or threat listed, the report should describe the weakness and how it can be exploited, along with recommended corrective action. Last but not least, reputable scanning products also produce a network map of the hosts and services they discovered. Make sure that the live hosts and connections that show up on the scanner's map correlate with the network map your network engineers maintain. If the scan turns up hosts or connections that were not previously known to your network engineers, investigate them: they may be forgotten or unauthorized systems, or links set up by an intruder, and either way they are outside your change control.
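The two checks described above, ranking findings by severity and reconciling the scanner's host list against the inventory the network team keeps, are easy to automate once the scan output is parsed. The following is an added example, not code from the article or from any of the vendors listed; its input is a constructed sample in the style of Nmap's grepable (-oG) output, and the service-to-severity table is an assumed rating a reviewer would maintain, not something a scanner produces.

```python
"""Correlate scanner output with the known inventory and rank open services.

Added example (not from the article). Input is a constructed sample written in
the style of Nmap's grepable (-oG) output; the severity table is an assumption
for illustration, not a vendor's database.
"""
import re

# Constructed sample, not a real scan. Tabs separate the fields as in -oG output.
SCAN_OUTPUT = """\
# Nmap scan initiated (constructed sample for this example)
Host: 10.0.0.5 ()\tStatus: Up
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: closed (998)
Host: 10.0.0.9 ()\tStatus: Up
Host: 10.0.0.9 ()\tPorts: 23/open/tcp//telnet///, 80/open/tcp//http///\tIgnored State: closed (998)
Host: 10.0.0.77 ()\tStatus: Up
Host: 10.0.0.77 ()\tPorts: 1723/open/tcp//pptp///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (998)
"""

# The network team's inventory (constructed). 10.0.0.77 is deliberately absent.
KNOWN_HOSTS = {"10.0.0.5": "web-1", "10.0.0.9": "print-server"}

# Assumed rating table: service name -> (severity, recommended action).
SERVICE_RISK = {
    "telnet": ("high", "cleartext logins; replace with ssh"),
    "pptp": ("high", "weak VPN protocol exposed; review or disable"),
    "microsoft-ds": ("medium", "SMB exposed; restrict to internal segments"),
    "http": ("low", "confirm the web server's patch level"),
}
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}

HOST_RE = re.compile(r"^Host: (?P<ip>\S+) \([^)]*\)\t(?P<field>Status|Ports): (?P<value>.*)$")
PORT_RE = re.compile(r"(?P<port>\d+)/(?P<state>\w+)/(?P<proto>\w+)//(?P<service>[^/]*)/")


def parse_grepable(text):
    """Return {ip: {"up": bool, "ports": [(port, proto, service), ...]}}."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comments and anything else we do not understand
        entry = hosts.setdefault(m["ip"], {"up": False, "ports": []})
        if m["field"] == "Status":
            entry["up"] = m["value"].strip().startswith("Up")
        else:
            for p in PORT_RE.finditer(m["value"]):
                if p["state"] == "open":
                    entry["ports"].append((int(p["port"]), p["proto"], p["service"]))
    return hosts


def ip_key(ip):
    """Sort dotted-quad addresses numerically rather than as strings."""
    return tuple(int(o) for o in ip.split("."))


def rank_findings(hosts):
    """One finding per open service, highest severity first, then by host and port."""
    findings = []
    for ip, entry in hosts.items():
        for port, proto, service in entry["ports"]:
            sev, action = SERVICE_RISK.get(service, ("low", "unclassified service; review manually"))
            findings.append((sev, ip, port, proto, service, action))
    findings.sort(key=lambda f: (SEVERITY_ORDER[f[0]], ip_key(f[1]), f[2]))
    return findings


def unknown_hosts(hosts, inventory):
    """Live hosts the scanner saw that the inventory does not list."""
    return sorted((ip for ip, e in hosts.items() if e["up"] and ip not in inventory), key=ip_key)


if __name__ == "__main__":
    scanned = parse_grepable(SCAN_OUTPUT)
    for sev, ip, port, proto, service, action in rank_findings(scanned):
        print(f"{sev:6} {ip}:{port}/{proto} {service:13} {action}")
    for ip in unknown_hosts(scanned, KNOWN_HOSTS):
        print(f"NOT IN INVENTORY: {ip} is up; investigate before closing the report")
```

The host reconciliation is the part worth keeping even after you change scanners: any live address that is missing from the inventory is either a documentation gap or an unauthorized system, and both need a ticket before the assessment report can be treated as complete.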

The Security Scanning Market
The network and system scanning market is well developed from a technology perspective. The leading products are robust and have proven capabilities. The security vulnerability assessment market is about a $400 million market with a compound annual growth rate of about 30%. It is a growing market, but the number of vendors offering licensed scanning products is limited. Network Associates, a leading provider of anti-virus software and desktop tools, recently discontinued development and sales of its CyberCop scanning product.

Some intrusion detection/prevention vendors are starting to merge scanning databases with their intrusion detection/prevention systems. Many intrusion detection/prevention vendors are partnering with scanning companies to share vulnerability signatures and offer a packaged hybrid service of scanning and intrusion detection/prevention.

Product Challenges
Keeping pace with the daily increase in network and operating system vulnerabilities and threats is as cumbersome as keeping pace with viruses. Vendors who engineer scanning products need a dedicated team that updates the product's vulnerability checks at least weekly. Scanning products updated less often than that will lose their competitive edge, and a scan run with stale checks will simply miss the newest holes. Today, leading scanners typically check for over 1500 vulnerabilities and threats.

Vendors who engineer their scanning products on the ASP model offer the greatest ease-of-use to their customers. ASP scanning products can be used immediately after licensing, while a traditional scanner has to be installed and configured, and for an external scan it must sit on a network connection outside the customer's own network. If an external network address is not already available and one has to be procured from a managed service provider, setting up the scanner can take several days. Today's leading-edge scanners are based on the ASP model, and vendors who offer traditional scanners are likely to migrate to an ASP model or lose market share in the years to come. The trade-off is the vantage point: an ASP scanner sees only what is exposed to the Internet, so an organization that also wants its internal segments scanned still needs a scanner it can place inside.

User Recommendations
Any IT organization with valuable and private data on their network should conduct a security vulnerability assessment at least once a year. Companies that process financial transactions and medical records should conduct a security vulnerability assessment quarterly as should Federal agencies involved in national security initiatives.

Once a security vulnerability assessment has been performed, it is important to take corrective action expeditiously. If an IT organization lets a significant amount of time pass between the assessment and the corrective action, many of the hosts and network connections may have changed, and the report the corrections are based on may no longer be accurate. Re-scan after the fixes are applied to confirm that each finding is actually closed.

A security vulnerability assessment does not replace an off-line, in-person, human audit. In an off-line audit, security policies and procedures are reviewed to see whether they contain best-practice and effective recommendations, and whether security processes, procedures, and policies exist and are actually used and followed. Locking down your network is of critical importance, and the off-line process and procedure audit helps ensure that once your network and systems are locked down, they stay locked down. Conducting an off-line audit requires considerably more expertise on the part of the consulting company than conducting an on-line scan. Even so, IT organizations can expect to pay anywhere from $30,000 to $200,000 for an on-line scan, depending mostly on how many IP addresses are to be scanned.

All publicly traded companies, financial institutions, businesses involved in national security, and hospitals should conduct security vulnerability assessments regularly.
