Are you scanning your network?

Scanning your network is one of the easiest things you can do to help keep it safe. Recently I began to wonder whether our vulnerability scanner was actually providing any value to us, since all reports looked essentially like this.

[Image: vuln-scan-good]

But that all changed with the latest report I got, which suddenly looked like this.

[Image: vuln-scan-bad]

Wow, so what happened? First of all, the report is a summary of the vulnerability scans of all our networks, so it includes production, testing, development and so on. Still, that is a huge jump in discovered vulnerabilities.

I analyzed the report and found out that the biggest chunk of security issues originated from one production host.

Vulnerable production host

  • 2 critical mail-related vulnerabilities (false positives)
  • 1 critical vulnerability (no patch available at scan time)
  • 8 upgrades not installed (medium criticality)
  • 10 upgrades not installed (high criticality)

Hosts from other networks (dev/test/etc)

  • 2 critical mail-related vulnerabilities (false positives)
  • 1 medium vulnerability (no patch available at scan time)
  • 1 critical vulnerability (temporary, on a test system)
  • 1 upgrade not installed (medium)

Let's first look at the vulnerabilities from the dev/test networks. I verified the two false positives and flagged them accordingly; no problem here. The medium vulnerability was patched as soon as a patch became available. This can happen from time to time and should be handled automatically by your patch management process. The critical vulnerability was discovered on a new test system, which was scanned during setup and before its configuration was done. It was already resolved by the time I received the report. Furthermore, one upgrade was available but not installed. This can happen if vulnerabilities are found in between patch cycles. With a daily patch routine, this should also pose no problem.

Now on to the interesting part, the production network. The two false positives were exactly the same as in the dev/test networks and easily resolved. The critical vulnerability that had no patch available at scan time was patched by me as soon as a patch was made available. But what about the 18 upgrades that hadn't been installed?

As it turns out, this was due to human error, the one thing nothing can save you from. At some point the server had been removed from the patch management process as a temporary measure. Unfortunately, "temporary", as in "don't forget to enable it again when you're done", turned into permanent, because that's exactly what happened: nobody re-enabled it. And that's exactly where our vulnerability scans helped us, by informing us that this server was missing the latest security patches.

Even if each of your reports only contains a small number of issues, or even if it's empty every single time, it still provides three things that make it worth running the scans regularly.

  1. Knowing the status of your network's security
  2. Receiving notification if anything changes
  3. Verifying that your patch management works
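To show what the second and third points look like in practice, here is an added example (not code from the original post or from any particular scanner): it parses a scan export, counts "upgrade not installed" findings per host while skipping reviewed false positives, flags hosts with missing upgrades that are not enrolled in patch management at all (the "temporarily removed and forgotten" case described above), and reports hosts whose count rose since the previous report. The report format, host names and finding titles are constructed; the `host;severity;title` layout is an assumption, so adapt the parser to your scanner's export.

```python
from collections import Counter

# Constructed scanner export: one finding per line, "host;severity;title".
SCAN_REPORT = """\
prod-mail-01;critical;Mail server vulnerability (known false positive)
prod-app-01;high;Upgrade not installed: openssl
prod-app-01;high;Upgrade not installed: kernel
prod-app-01;medium;Upgrade not installed: curl
test-web-03;medium;Upgrade not installed: nginx
"""

# Constructed list of hosts enrolled in the automated patch process.
PATCH_MANAGED = {"prod-mail-01", "test-web-03", "dev-db-02"}

# Finding titles reviewed by hand and confirmed as false positives; tracked
# here so they stop inflating the numbers on every new report.
KNOWN_FALSE_POSITIVES = {"Mail server vulnerability (known false positive)"}


def parse_report(text):
    """Turn the export into (host, severity, title) tuples, skipping blank lines."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, severity, title = line.split(";", 2)
        findings.append((host, severity, title))
    return findings


def missing_upgrades_by_host(findings):
    """Count 'Upgrade not installed' findings per host, ignoring known false positives."""
    counts = Counter()
    for host, _severity, title in findings:
        if title in KNOWN_FALSE_POSITIVES:
            continue
        if title.startswith("Upgrade not installed"):
            counts[host] += 1
    return dict(counts)


def hosts_outside_patch_management(findings, managed):
    """Hosts that are missing upgrades AND are not enrolled in patching.
    This is the signal that patch management is not covering a host."""
    return sorted(h for h in missing_upgrades_by_host(findings) if h not in managed)


def changed_since(previous, current):
    """Hosts whose missing-upgrade count rose since the last report: (old, new)."""
    return {h: (previous.get(h, 0), n) for h, n in current.items() if n > previous.get(h, 0)}
```

Keep the previous report's per-host counts alongside the enrollment list, and the script flags both a forgotten host and any host that is drifting even though it is enrolled.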

If you don't have regular vulnerability scans yet, you should follow these steps to avoid receiving tons of reports that are ultimately ignored.

  1. Install a vulnerability scanner
  2. Scan your networks manually
  3. Resolve the discovered vulnerabilities
  4. Establish an automated patch process (not for all updates, but for security patches)
  5. Set up regular vulnerability scans

Setting up regular scans before a proper patch management process is established usually leads to scan reports being ignored due to the huge manual overhead it creates. If you require help with vulnerability scans or patch management, contact us.