I am a bit frustrated by this topic because of lots of different opinions. Let me know what do you think - how often should a company run vulnerability scans on their networks/infrastructure? I am asking about the network/server patch/hardening type of scans - not a pentest or similar. Some say - bi-weekly, others monthly, quarterly, I've even heard an annual scanning practice (in my opinion - wayyy to long). Appreciate your time.
When we updated to a new Vulnerability scanner a couple of years ago, we moved to a model where:
Externally Facing Systems (DMZ) Scanned from outside of our network: Weekly Non Authenticated
Externally Facing Systems (DMZ) Scanner from inside of our network: Weekly Authenticated
Sites/Offices/Remote Offices Scanned monthly from inside of our network using Authenticated scans
Special Groups which may need closer monitoring, weekly if externally facing.
Remediation scans (we think we fixed it but want to be sure before closing ticket), on demand as needed.
Weekly all of the various scans completed are compiled and Tickets for remediation are issued for new vulnerabilities, or updates to currently working tickets.
All the above, takes human resources to ensure they are up and working correctly, and this will only keep rising in terms of amount of effort and associated costs due to increased compliance requirements, regardless of whether you have to comply with Sarbanes Oxley or PCI DSS etc. The costs of compliance are increasing, as we become increasing more complex, more integrated with over 1200 + different types of technologies and associated vendors. Given the issues with WannaCry and the number of organisations, which were caught literally with their pants, surely must be warning of what is on the horizon and possibly in 2018. I believe vulnerability scanning should be constant, aligned to a known asset inventory, software licensing and support contracts, but applied in accordance to an agreed and approved baseline for your respective organisations. Passive scanning against those agreed baselines, will quickly highlight issues and semi-automate the patching of systems from authorised sources. We should be thinking more in alignment with our own human bodies immunity system, and apply the same approach to our business systems, protect them and you reduce the risk of being compromised and keep it working as your clients expect it should be resilient at all times. If you are doing testing on new solutions or devOps, there are plenty of providers who provide online formal testing capabilities, without having to go through the six week wait for a Statement of Work, before the test can commence, it should be available on demand with the space of 24 hours.
Depends on your preference and appetite for vulnerability scanning and remediation. I like bi-weekly scans to track and discover devices on the network, but I prefer weekly scans for straight vulnerability scanning.
Weekly scans allow me to not only fully ultilize our tools, but paint a picture of our vulnerability landscape and the good work our team does to remediate issues to upper management. As well as this, even if you're not patching on a weekly basis, it gives you another avenue for tracking any critical patches/ advisories that might need to be applied and where they are needed (as well as blogs/ alerts). If an advisory comes out and you're scanning monthly/ quarterly, either it will be a while before you can confirm where the vulnerability is, or you might be halting production processes to scan immediately.
Depends on what you are using to run those vulnerability scans, what you are scanning and how intrusive the scans are.
If you are talking about a production environment, I would say weekly with Nessus (using only tests that do not require logon credentials). If a 'protected' development or office area, perhaps you can get by with every 2 weeks. If using nessus with plugins that use logon credentials, I would say maybe monthly in production and make sure people are notified to avoid unfortunate problems.
One way to figure out what the scanning tools/profiles/schedules should be is to run one scan and see how many vulnerabilities are found. If a LOT of vulns are discovered, perhaps you should run more frequent scans until the general hygiene of the network improves. Remember to update the scanner, the plugins and the profile as new issues are discovered. At least monthly.
All good points, all of which can be automated and scheduled on a regular basis with appropriate centralised solutions, and fully integrated into SIEM for tracking and Incident response purposes.