As we continue down the path to successfully securing our infrastructure, we come to vulnerability scanning. This is not to be confused with penetration testing (pentesting), which may include vulnerability scanning but then also attempts to exploit the identified vulnerabilities. A vulnerability scan simply checks systems and devices for security flaws, known as vulnerabilities, and reports them.
Do I really need to do this?
You may be asking yourself, do I really need to do this? I only have 3 servers and it’s a very small network, surely he’s not talking to me. Oh yes, I’m talking to everyone! Vulnerability scanning allows you to see what vulnerabilities are in your infrastructure. Keep in mind, vulnerabilities are found not only in server operating systems and applications, but also on network devices, IoT devices, workstations, printers, and every other computing device you have.
Internal vulnerability scanning at a low cost
Ok, now that I’ve convinced you that vulnerability scanning is something you should be doing, now what? Now it’s time to set up internal and external vulnerability scans. Setting these scans up is not a difficult task and can be done at low cost. For internal vulnerability scanning, you can set up an OpenVAS server running on Linux. There is no licensing cost for Linux or OpenVAS, which is a bonus. Internal vulnerability scans should be run once monthly, if not more frequently. If you’re interested in learning more about vulnerability scanning, check out Linux Academy’s CompTIA Pentest+ course.
What about external vulnerability scanning?
External vulnerability scans are often performed by a vulnerability scanning service. There will be a fee, usually based on the number of IP addresses being scanned, but these scans only need to be run quarterly or after an edge device, such as a firewall, is replaced. If you have multiple sites, you could use OpenVAS to scan between sites and do away with the cost of a vulnerability scanning service. However, if you do go the inter-site scanning route, you may need to inform your ISPs about this activity so they don’t flag it as suspicious and give you a call.
Analyzing vulnerability reports
Once the vulnerability scans are set up and running, you’re not finished with this task. Now it’s time to roll up your sleeves and review the vulnerability scan reports. Work your way from the “serious” vulnerabilities, to the “high”, and on down the list to identify all existing vulnerabilities that need to be addressed. Many of them will be remediated with patches, while others will require configuration changes. When you first see the report, try not to get overwhelmed; the first run often looks pretty bad. Take your time and remediate each vulnerability that you can. If you are not able to remediate a vulnerability for some reason, look at putting compensating security controls in place to account for it.
It’s important to maintain a vulnerability scanning and remediation schedule. New vulnerabilities are identified daily and it’s our duty to stay on top of keeping our infrastructure safe!
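To make the monthly review concrete, here is an added example (not from the original post and not OpenVAS’s own report format) that compares last month’s findings with this month’s, orders the open ones worst first, and separates out findings covered by a compensating control. The CSV columns, hosts and findings are constructed, and the “medium” and “low” levels are assumed, since the post names only “serious” and “high”.

```python
import csv
import io

# "serious" and "high" are the post's labels; the lower levels are assumed here.
SEVERITY_ORDER = ["serious", "high", "medium", "low"]
RANK = {label: i for i, label in enumerate(SEVERITY_ORDER)}

# Constructed sample exports; the column layout is hypothetical.
LAST_MONTH = """host,port,finding,severity
10.0.0.5,443,Outdated TLS library,high
10.0.0.9,445,Unpatched file-sharing service,serious
10.0.0.20,9100,Printer firmware out of date,high
"""
THIS_MONTH = """host,port,finding,severity
10.0.0.5,22,Weak SSH key exchange,medium
10.0.0.9,445,Unpatched file-sharing service,serious
10.0.0.20,9100,Printer firmware out of date,high
10.0.0.31,80,Default credentials on web console,Serious
"""
# Findings that cannot be fixed, mapped to the compensating control in place.
COMPENSATED = {("10.0.0.20", "9100", "Printer firmware out of date"):
               "isolated printer VLAN"}

def load(text):
    """Parse a CSV export into {(host, port, finding): severity}."""
    return {(r["host"], r["port"], r["finding"]): r["severity"].strip().lower()
            for r in csv.DictReader(io.StringIO(text))}

def triage(previous, current, compensated):
    """Return (queue, remediated): open findings worst first, and fixed ones."""
    queue = []
    for key, sev in current.items():
        if key in compensated:
            status = "compensated"
        else:
            status = "persistent" if key in previous else "new"
        queue.append((sev, status) + key)
    # Worst severity first (unknown labels last); unmitigated before compensated.
    queue.sort(key=lambda f: (RANK.get(f[0], len(RANK)), f[1] == "compensated", f[2]))
    remediated = sorted(k for k in previous if k not in current)
    return queue, remediated

if __name__ == "__main__":
    queue, fixed = triage(load(LAST_MONTH), load(THIS_MONTH), COMPENSATED)
    for sev, status, host, port, finding in queue:
        print(f"{sev:8} {status:12} {host}:{port}  {finding}")
    print("remediated since last scan:", fixed)
```

A finding marked “persistent” across several monthly runs is the one to escalate or to cover with a compensating control.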