Hello folks,
I am a bit frustrated by this topic because of lots of different opinions. Let me know what you think - how often should a company run vulnerability scans on their networks/infrastructure? I am asking about the network/server patch/hardening type of scans - not a pentest or similar. Some say - bi-weekly, others monthly, quarterly, I've even heard of an annual scanning practice (in my opinion - wayyy too long). Appreciate your time.
When we updated to a new Vulnerability scanner a couple of years ago, we moved to a model where:
Externally Facing Systems (DMZ) Scanned from outside of our network: Weekly Non Authenticated
Externally Facing Systems (DMZ) Scanned from inside of our network: Weekly Authenticated
Sites/Offices/Remote Offices Scanned monthly from inside of our network using Authenticated scans
Special Groups which may need closer monitoring, weekly if externally facing.
Remediation scans (we think we fixed it but want to be sure before closing ticket), on demand as needed.
Weekly all of the various scans completed are compiled and Tickets for remediation are issued for new vulnerabilities, or updates to currently working tickets.
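As an added illustration of the compile-and-ticket step in that model (example code written for this thread, not the poster's own tooling), the script below merges one week's scan runs and turns the differences against last week's compiled findings into ticket actions; it also handles the case where a host was not reached by any scan, which is not evidence of a fix and should trigger a remediation scan rather than a ticket closure. Host names, check ids and the ScanRun/TicketActions types are assumptions.

```python
from dataclasses import dataclass, field

# A finding is keyed by host, port and check id, so the same issue reported by
# the external unauthenticated scan and the internal authenticated scan is
# counted once. All names and data below are constructed for this example.
Finding = tuple[str, int, str]

@dataclass
class ScanRun:
    hosts_covered: set[str]            # hosts the scanner actually reached
    findings: set[Finding] = field(default_factory=set)

@dataclass
class TicketActions:
    open: set[Finding]        # new this week: issue a remediation ticket
    update: set[Finding]      # still present: update the working ticket
    close: set[Finding]       # host was scanned and finding is gone: close
    unverified: set[Finding]  # host not reached this week: keep ticket, rescan

def compile_week(runs: list[ScanRun]) -> ScanRun:
    """Merge the week's scans (external, internal, site, remediation) into one."""
    merged = ScanRun(hosts_covered=set())
    for run in runs:
        merged.hosts_covered |= run.hosts_covered
        merged.findings |= run.findings
    return merged

def ticket_actions(previous: set[Finding], week: ScanRun) -> TicketActions:
    gone = previous - week.findings
    # Absence from a scan is only evidence of a fix if the host was reached.
    return TicketActions(
        open=week.findings - previous,
        update=week.findings & previous,
        close={f for f in gone if f[0] in week.hosts_covered},
        unverified={f for f in gone if f[0] not in week.hosts_covered},
    )

# Constructed sample: last week's compiled findings and this week's runs.
LAST_WEEK = {("dmz-web-1", 443, "ssl-weak-cipher"),
             ("dmz-web-1", 22, "ssh-outdated"),
             ("office-fs-1", 445, "smb-missing-patch")}
THIS_WEEK = [
    ScanRun({"dmz-web-1"}, {("dmz-web-1", 443, "ssl-weak-cipher")}),  # external, unauth
    ScanRun({"dmz-web-1"}, {("dmz-web-1", 443, "ssl-weak-cipher"),
                            ("dmz-web-1", 80, "http-header-missing")}),  # internal, auth
    ScanRun(set()),  # site scan: office-fs-1 was offline, nothing reached
]

def weekly_run() -> TicketActions:
    return ticket_actions(LAST_WEEK, compile_week(THIS_WEEK))
```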
All the above takes human resources to ensure they are up and working correctly, and this will only keep rising in terms of the amount of effort and associated costs due to increased compliance requirements, regardless of whether you have to comply with Sarbanes-Oxley or PCI DSS etc. The costs of compliance are increasing as we become increasingly more complex, more integrated with over 1200+ different types of technologies and associated vendors. Given the issues with WannaCry and the number of organisations which were caught literally with their pants down, this surely must be a warning of what is on the horizon and possibly in 2018. I believe vulnerability scanning should be constant, aligned to a known asset inventory, software licensing and support contracts, but applied in accordance with an agreed and approved baseline for your respective organisations. Passive scanning against those agreed baselines will quickly highlight issues and semi-automate the patching of systems from authorised sources. We should be thinking more in alignment with our own human body's immune system and apply the same approach to our business systems: protect them and you reduce the risk of being compromised and keep them working as your clients expect; they should be resilient at all times. If you are doing testing on new solutions or DevOps, there are plenty of providers who offer online formal testing capabilities without having to go through the six-week wait for a Statement of Work before the test can commence; it should be available on demand within the space of 24 hours.
Depends on your preference and appetite for vulnerability scanning and remediation. I like bi-weekly scans to track and discover devices on the network, but I prefer weekly scans for straight vulnerability scanning.
Weekly scans allow me to not only fully utilize our tools, but paint a picture of our vulnerability landscape and the good work our team does to remediate issues to upper management. As well as this, even if you're not patching on a weekly basis, it gives you another avenue for tracking any critical patches/advisories that might need to be applied and where they are needed (as well as blogs/alerts). If an advisory comes out and you're scanning monthly/quarterly, either it will be a while before you can confirm where the vulnerability is, or you might be halting production processes to scan immediately.
Depends on what you are using to run those vulnerability scans, what you are scanning and how intrusive the scans are.
If you are talking about a production environment, I would say weekly with Nessus (using only tests that do not require logon credentials). If a 'protected' development or office area, perhaps you can get by with every 2 weeks. If using Nessus with plugins that use logon credentials, I would say maybe monthly in production and make sure people are notified to avoid unfortunate problems.
One way to figure out what the scanning tools/profiles/schedules should be is to run one scan and see how many vulnerabilities are found. If a LOT of vulns are discovered, perhaps you should run more frequent scans until the general hygiene of the network improves. Remember to update the scanner, the plugins and the profile as new issues are discovered. At least monthly.
All good points, all of which can be automated and scheduled on a regular basis with appropriate centralised solutions, and fully integrated into SIEM for tracking and Incident response purposes.
Thank you all for your inputs - really useful.
I’d recommend monthly for internal networks and at least weekly for anything internet facing.