With numerous vulnerability scanning tools available it’s important to make sure your chosen tool provides all the functionality you need and addresses your vulnerability management objectives. In this blog article we provide 11 checks that will help ensure you make the right choice.
There are various tools available in the marketplace that will do vulnerability scanning for you. Unless you plan on hiring a junior resource to scan your environment manually (obviously not recommended: it is a boring task, prone to error, and may even increase your risk), you’ll need some sort of tool. This will typically consist of a console and one or more scanning engines.
Whether you are using a commercial tool and deploying scan engines or doing manual checks, placement is important. Often when tools return inaccurate findings, it is because of a placement issue. Perhaps a firewall is blocking traffic, or worse, it is letting through enough for the tool to return some results, just not the full picture, which lulls organisations into a false sense of security. Make sure the tool can reach the relevant network segments and devices you are trying to scan. If you get the same results for a number of devices, chances are that there is a firewall interfering with the results.
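A check for the placement problem described above, as an added example that is not from the original article: it takes a scanner's per-host findings (constructed sample data, alongside a constructed asset inventory) and flags groups of hosts that returned identical results, hosts that returned nothing at all, and documented services the scan never saw.

```python
"""Sanity checks on scan output for signs of a placement problem (e.g. a
firewall between the scan engine and its targets). Added example; the record
format, hosts and inventory below are constructed for illustration."""
from collections import defaultdict

# Constructed scan results: host -> set of (port, service) pairs observed.
SCAN_RESULTS = {
    "10.0.1.10": {(22, "ssh"), (80, "http"), (443, "https")},
    "10.0.1.11": {(22, "ssh"), (80, "http"), (443, "https")},
    "10.0.1.12": {(22, "ssh"), (80, "http"), (443, "https")},
    "10.0.1.13": {(22, "ssh"), (80, "http"), (443, "https")},
    "10.0.2.20": {(22, "ssh"), (3306, "mysql")},
    "10.0.2.21": set(),  # scanner saw nothing at all on this host
    "10.0.3.30": {(445, "smb"), (3389, "rdp")},
}

# Constructed asset register: ports each host is documented as listening on.
INVENTORY = {
    "10.0.1.10": {22, 80, 443},
    "10.0.1.11": {22, 80, 443, 8443},  # admin port documented, never seen
    "10.0.1.12": {22, 80, 443},
    "10.0.1.13": {22, 80, 443},
    "10.0.2.20": {22, 3306},
    "10.0.2.21": {22, 5432},
    "10.0.3.30": {445, 3389},
}

def uniform_groups(results, min_hosts=3):
    """Groups of hosts whose findings are exactly identical. A large group is
    the symptom the article describes: the scanner may be reporting what a
    firewall lets through. Review it; a real web farm can look the same."""
    by_fingerprint = defaultdict(list)
    for host, findings in results.items():
        by_fingerprint[frozenset(findings)].append(host)
    return [sorted(h) for h in by_fingerprint.values() if len(h) >= min_hosts]

def unreachable_hosts(results):
    """Hosts with no findings at all: more likely blocked than clean."""
    return sorted(host for host, findings in results.items() if not findings)

def filtered_services(results, inventory):
    """Per host, documented ports the scan never observed; a consistent gap
    across hosts usually means filtering between scanner and target."""
    missing = {}
    for host, expected in inventory.items():
        seen = {port for port, _ in results.get(host, set())}
        if expected - seen:
            missing[host] = sorted(expected - seen)
    return missing
```

Each finding is a prompt to verify reachability from the scan engine's position, not proof of a firewall on its own.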
Make sure your chosen tool provides all the functionality you need, such as configuration management and reporting. Keep in mind what your objectives are. If reporting is important, make sure the tool addresses this easily. If you have to drag results to a central location and then run manual reports, then that may not be the right tool for the job. Seek advice from an organisation that specialises in vulnerability management, such as Shearwater, if you are unsure.
How often should vulnerability scans take place?
Vulnerability scanning should happen as often as practical, or at least every three months. Regular rescans are also important for confirming that identified issues have been remediated, and that they remain remediated. Scans should cover everything, including switches, routers, desktops, servers and printers. They should be staggered to avoid affecting virtual infrastructure (for example, don’t start a scan simultaneously on 100 servers that are all hosted on the same physical host).
| What to scan | When to scan | Why? |
|---|---|---|
| Infrastructure | Outside of core hours | Scan critical infrastructure out of core hours to minimise the potential impact to users and customers. |
| Desktops (after testing) | During business hours | Scan during business hours, when the desktops will be in the office. |
| Dev/test/UAT | Anytime | Due to the low potential for adverse impacts. |
This helpful advice is Best Practice #3 in our Vulnerability Management 101: 5 Best Practices for Success, where you will find advice on your next steps: improving the categorisation and prioritisation of your scan data, and selecting and configuring your vulnerability management tools.