External Vulnerability Scanning - Best Practices

BY Callum Clark / ON Nov 09, 2021

Vulnerability scanning isn’t rocket science: anyone with an internet connection and a device can search for and find a tool within minutes.

Vulnerability management, on the other hand, can be complex and time-consuming. When it comes to protecting your business, vulnerability management should be high up on your priority list, so that there is a uniform approach across the business for identifying and dealing with vulnerabilities within your estate.

Vulnerability scanning is a key component of vulnerability management as it allows you to evaluate your systems and infrastructure for unpatched vulnerabilities or areas in need of some TLC. 

What is a vulnerability scan anyway?

The best way to think of a vulnerability scan is as a bird’s-eye view of your network security: it lets you identify vulnerabilities, but it will not actively do anything to exploit them, as a penetration test might.

Vulnerability scanning is a great way to find any of the low-hanging fruit hackers love. It’s a bit like walking around your house checking that all the doors and windows are closed and locked before you leave for work. Simple, but incredibly important.

Essentially, you point a vulnerability scanner at an asset such as your web server, email server or website, and it checks that all the doors and windows are closed and locked, so to speak.

Vulnerability scanning vs Pen-testing

A vulnerability scan is a small subset of what happens in a pen-test. You could consider a vulnerability scan to be a check that the doors and windows of your house are locked; a pen-test tests how well your locks stand up to a professional lock-picker.

We’ve written about this in-depth here.

How often should I be running vulnerability scans?

In short: as frequently as you can. The more the merrier.

That said, the frequency with which you perform vulnerability scans does depend on a number of variables, such as compliance standards and your particular security goals. If your organization wants to maintain a high level of security, I’d suggest scanning monthly, at the very least.

There are plenty of articles on this subject that debate whether weekly or quarterly scans should be the minimum.

But just think about all the changes that can happen in a 3 month period, such as:

  • New vulnerabilities (just because you haven’t changed anything, doesn’t mean you’re in the clear)
  • Infrastructure changes
  • New software, firmware and OS updates

Frequent scanning means that vulnerabilities arising between scans have less time to be exploited by malicious actors. We call this the ‘risk window’. The smaller your risk window, the less at risk you are.

90 days is a long time in information security; in September 2021 alone 1913 vulnerabilities and exploits were published!

Scan all the things

I don’t say this jokingly: scan everything that touches or interacts with your ecosystem, because failing to scan every device can leave you exposed to unidentified weaknesses and vulnerabilities.

Knowledge is key in the vulnerability scanning game: the more you know about your assets and their potential weak points, the better prepared you will be when it comes to remediating these issues.

Create accountability for assets

Creating a list and assigning asset owners lets you determine who is responsible for keeping a given device patched and maintained, and who is affected if that device is compromised.

This shouldn’t be limited to technical teams: there should be an owner within the business who is specifically responsible for each system that you use.

Document scan results

Whenever a business undertakes vulnerability scans, they are scheduled within a timeframe that has been approved by management and other stakeholders.

Alongside this there should be a mandated audit process that provides detailed reports covering each scan and its results.

By documenting each scan run according to its approved timetable, your organization can track vulnerability trends and issue recurrence.

Tools such as Scan by OnSecurity give users live reporting on vulnerabilities, with all the information presented and stored in one intuitive dashboard.

Remediation of vulnerabilities

After you’ve run your vulnerability scan, it’s time to review and remediate any vulnerabilities it found. Vulnerability scanning tools such as Scan automatically give you a risk rating against each vulnerability; this rating indicates the severity of the vulnerability and allows you to prioritise fixing the issue.

As a best practice, start with your “High-Risk” vulnerabilities first, as fixing these will have the most positive impact on your security.

Once you’ve cleared out all the high-risk vulnerabilities, move on to any easily exploitable medium-risk ones. I know that seems pretty obvious, but I make a point of it because hackers will follow this sequence too, checking to see if they hit the jackpot anywhere.

Also, note that you want to keep testing to make sure remediations have been completed successfully. This can be done by running a quick scan after performing remediation on a system.
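As an added example (not OnSecurity’s or Scan’s own code), the following Python script puts the “document scan results”, “create accountability” and “remediation” advice above into practice: it diffs two documented scans to flag recurring findings and verified remediations, counts recurrence per asset for trend tracking, and orders open findings High first, then easily exploitable Mediums, with the accountable owner attached. Asset names, owners and findings are constructed for illustration.

```python
from collections import Counter

# Constructed asset register with accountable owners (hypothetical names).
ASSET_OWNERS = {"web-01": "Web team", "mail-01": "IT ops", "vpn-01": "Network team"}

# Constructed results of two scheduled scans; the same id means the same issue.
SCAN_1 = [
    {"id": "F1", "asset": "web-01", "title": "Outdated TLS configuration", "risk": "High", "exploitable": True},
    {"id": "F2", "asset": "mail-01", "title": "Default credentials", "risk": "High", "exploitable": True},
    {"id": "F3", "asset": "vpn-01", "title": "Missing vendor patch", "risk": "Medium", "exploitable": True},
    {"id": "F4", "asset": "web-01", "title": "Server banner disclosure", "risk": "Low", "exploitable": False},
]
SCAN_2 = [  # re-scan after the mail server's default credentials were changed
    {"id": "F1", "asset": "web-01", "title": "Outdated TLS configuration", "risk": "High", "exploitable": True},
    {"id": "F3", "asset": "vpn-01", "title": "Missing vendor patch", "risk": "Medium", "exploitable": True},
    {"id": "F4", "asset": "web-01", "title": "Server banner disclosure", "risk": "Low", "exploitable": False},
    {"id": "F5", "asset": "web-01", "title": "Outdated JS library", "risk": "Medium", "exploitable": False},
]


def diff_scans(previous, current):
    """Compare two documented scans and return (recurring, remediated, new) ids.
    Ids that vanished in the re-scan count as verified remediations."""
    prev_ids = {f["id"] for f in previous}
    cur_ids = {f["id"] for f in current}
    return sorted(prev_ids & cur_ids), sorted(prev_ids - cur_ids), sorted(cur_ids - prev_ids)


def priority_tier(finding):
    """0 = High, 1 = easily exploitable Medium, 2 = other Medium, 3 = everything else."""
    if finding["risk"] == "High":
        return 0
    if finding["risk"] == "Medium":
        return 1 if finding["exploitable"] else 2
    return 3


def remediation_queue(findings):
    """Order open findings by tier, then asset, then id, and attach the asset owner."""
    ordered = sorted(findings, key=lambda f: (priority_tier(f), f["asset"], f["id"]))
    return [(f["id"], f["risk"], f["asset"], ASSET_OWNERS.get(f["asset"], "UNASSIGNED"))
            for f in ordered]


def recurrence_by_asset(previous, current):
    """Count findings per asset that survived from one scan to the next (trend tracking)."""
    recurring, _, _ = diff_scans(previous, current)
    return dict(Counter(f["asset"] for f in current if f["id"] in recurring))
```

An asset that keeps appearing in `recurrence_by_asset` with an `UNASSIGNED` owner is exactly the accountability gap the asset-owner list is meant to close.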

How Scan helps

Scan helps businesses identify vulnerabilities in their systems by performing an external scan of all your internet-facing assets. It finds and reports on vulnerabilities before they are exposed by the bad guys, allowing you to take action and remediate any issues.

It will identify any missing patches, security misconfigurations, default passwords, dangerous services or otherwise potentially harmful security vulnerabilities in the assets.

Users can get started instantly on our forever FREE tier, which allows you to scan up to 8 targets once every quarter.
