Special Considerations for Vulnerability Scanning


There are a few deployment issues to consider when configuring vulnerability scanners to work over a network.

Segmentation

  • most networks are divided into separate zones
    • represented by VLANs and IP subnets, usually with a firewall between zones
  • when scanning across a segmented network, consider the requirements and limitations:
    • a server-based (network) scanner must be able to reach hosts in remote subnets
      • across multiple VLANs and firewalls
      • a firewall that silently drops scanner probes makes open ports look filtered or closed, so a scan that is not explicitly permitted through the firewall produces incomplete results
      • alternative: deploy a scanning node in each segment; each node scans its local subnets and reports back to a central management server
    • an agent-based scanner runs on each host; the agents must be able to reach the management server to deliver their reports
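Routing each target to the scanning node that sits in its own segment, as an added example (not from the original notes). The node names, segment CIDRs and target addresses are constructed for illustration; targets with no local node are flagged because their scan must cross a firewall and may come back incomplete.

```python
"""Assign scan targets to the scanner node in their network segment.

Added example, not from the original notes. Node names, CIDRs and target
addresses are constructed; the layout is assumed, not a real network.
"""
import ipaddress
from collections import defaultdict

# Constructed inventory: each scanner node and the segments it reaches
# directly, without crossing a firewall.
SCANNER_NODES = {
    "scanner-dmz": ["203.0.113.0/24"],
    "scanner-corp": ["10.10.0.0/16"],
    "scanner-ot": ["192.168.50.0/24"],
}


def local_node_for(address, nodes=SCANNER_NODES):
    """Return the node whose segment contains `address`, or None if none is local.

    The most specific segment wins when segments overlap, the same way
    longest-prefix routing picks a route.
    """
    ip = ipaddress.ip_address(address)
    best, best_prefix = None, -1
    for name, cidrs in nodes.items():
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr)
            if ip in net and net.prefixlen > best_prefix:
                best, best_prefix = name, net.prefixlen
    return best


def assign_targets(targets, nodes=SCANNER_NODES, fallback="scanner-corp"):
    """Group targets by the node that should scan them.

    Targets with no node in their segment go to `fallback` and are also
    returned separately: those scans cross a firewall, so dropped probes
    make open ports look closed and the results need the firewall to
    explicitly permit the scanner before they can be trusted.
    """
    plan, remote = defaultdict(list), []
    for target in targets:
        node = local_node_for(target, nodes)
        if node is None:
            node = fallback
            remote.append(target)
        plan[node].append(target)
    return dict(plan), remote


if __name__ == "__main__":
    plan, remote = assign_targets(["203.0.113.10", "10.10.5.7", "172.16.0.9"])
    for node, hosts in plan.items():
        print(f"{node}: {', '.join(hosts)}")
    print("cross-firewall targets:", remote)
```

Give every node its own entry here before a scan run; a target that lands in `remote` is the first place to look when a host reports zero findings.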

Performance Considerations

  • scanners can degrade network and host performance: they consume bandwidth, load the target's CPU, and some fragile devices (printers, embedded or OT systems) may crash or hang when probed
  • to mitigate this:
    • schedule scans against well-defined computer groups at different times of the day
    • run during off hours such as nights or weekends
  • most scanning software has bandwidth throttling options (maximum packets per second, number of hosts scanned in parallel) to prevent scans from over-utilizing the network
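Packing computer groups into nightly off-hours windows and deriving a packet-rate cap from a bandwidth budget, as an added example (not from the original notes). Group names, durations, the window and the budget are constructed; `--max-rate` is a real nmap option, but the 80-byte average probe size is an assumption to measure against your own scanner.

```python
"""Pack scan groups into nightly off-hours windows and cap the packet rate.

Added example, not from the original notes. Group names, durations, the
window and the bandwidth budget are constructed values.
"""
from datetime import datetime, timedelta

# Constructed groups: (name, estimated scan minutes from previous runs).
GROUPS = [("web-dmz", 90), ("corp-servers", 240), ("workstations", 300), ("ot-lab", 60)]

# Constructed window: 22:00 to 06:00 each night (480 minutes), one week of nights.
WINDOW_START = datetime(2024, 1, 8, 22, 0)
WINDOW_MINUTES = 480


def build_schedule(groups, window_start=WINDOW_START, window_minutes=WINDOW_MINUTES, max_nights=7):
    """First-fit each group into the earliest night with room left.

    Returns (schedule, unscheduled); a schedule entry is (group, start, end).
    Groups run back to back, so two groups never load the network at once,
    and a group longer than the whole window is reported, not truncated.
    """
    used = [0] * max_nights
    schedule, unscheduled = [], []
    for name, minutes in groups:
        for night in range(max_nights):
            if used[night] + minutes <= window_minutes:
                start = window_start + timedelta(days=night, minutes=used[night])
                schedule.append((name, start, start + timedelta(minutes=minutes)))
                used[night] += minutes
                break
        else:
            unscheduled.append(name)
    return schedule, unscheduled


def max_packet_rate(budget_bps, avg_packet_bytes=80):
    """Packets per second that keep the scan under `budget_bps` on the wire.

    80 bytes is an assumed average probe size (SYN with options plus headers);
    measure your own scanner with a packet capture and adjust.
    """
    return max(1, budget_bps // (avg_packet_bytes * 8))


def nmap_command(targets, budget_bps):
    """Build the throttled nmap invocation; --max-rate is in packets per second."""
    return f"nmap --max-rate {max_packet_rate(budget_bps)} -sS -p- " + " ".join(targets)


if __name__ == "__main__":
    plan, left = build_schedule(GROUPS)
    for name, start, end in plan:
        print(f"{name:14} {start:%a %H:%M} -> {end:%a %H:%M}")
    if left:
        print("does not fit in one window:", ", ".join(left))
    print(nmap_command(["10.10.5.0/24"], budget_bps=2_000_000))
```

The first-fit loop leaves `ot-lab` on the first night after `corp-servers` while `workstations` moves to the second night; a group that can never fit in one window is returned in `unscheduled` so it is split by hand rather than silently cut short.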

Key Considerations

  • Identification of operating system
    • identify the OS of each target so the correct checks are run, and so unsupported or non-compliant OS versions are flagged
    • an unsupported OS receives no vendor patches, so every new vulnerability found in it stays open
  • Scanning interval
    • scanning should be done regularly
    • use an automated schedule or specialized agents that support near real-time vulnerability identification
  • Scan speed
    • scan speed affects the accuracy of results
    • too fast: probes are dropped or rate-limited and the target can be overwhelmed, so vulnerabilities are missed and results are inaccurate
    • too slow: the scan window ends before every host is covered, so vulnerabilities are missed as well
  • Vulnerability database
    • accuracy of scan results depends on the quality of the vulnerability database
    • use a comprehensive database and update it before each scan; a stale database cannot report anything disclosed after its last update
  • Scanning type
    • port scans (which services are exposed)
    • vulnerability scans (known weaknesses in those services)
    • comprehensive configuration scans (settings compared against a baseline or benchmark)
  • Authentication
    • authenticated scans are more comprehensive
      • the scanner logs in to the host (for example over SSH or SMB/WinRM) and inspects installed packages, configuration and patch level directly
      • have greater access to the host and its software
      • the scan account must be protected: use a dedicated least-privilege account, keep its credentials in a vault, and monitor its logins
    • unauthenticated scans have less performance impact
      • produce more limited results, and more false positives, because versions are inferred from banners rather than read from the host
  • False positives
    • a false positive is a finding the scanner reports that is not actually present on the host
    • wastes analyst time in researching and verifying
    • once verified, record the exception with a reason and an expiry date so it is re-checked later instead of being suppressed forever
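Triaging scanner output against a reviewed false-positive list, as an added example (not from the original notes). The findings, plugin ids, hosts and suppression entries are constructed, and the record layout is a simplified stand-in rather than any product's export format; it shows an exception that expires and returns to the queue, and tags unauthenticated findings as lower-confidence.

```python
"""Triage scanner findings against a reviewed false-positive list.

Added example, not from the original notes. Plugin ids, hosts and the
suppression entries are constructed; the finding layout is a simplified
stand-in, not a real scanner's schema.
"""
from datetime import date

# Constructed findings, as a scanner might export them after normalisation.
FINDINGS = [
    {"host": "10.10.5.7", "plugin": "12345", "name": "OpenSSH < 9.0",
     "authenticated": False, "evidence": "banner SSH-2.0-OpenSSH_8.9"},
    {"host": "10.10.5.7", "plugin": "67890", "name": "SMB signing not required",
     "authenticated": True, "evidence": "registry RequireSecuritySignature=0"},
    {"host": "10.10.5.8", "plugin": "12345", "name": "OpenSSH < 9.0",
     "authenticated": False, "evidence": "banner SSH-2.0-OpenSSH_8.9"},
]

# Reviewed exceptions: each records who verified it, why, and when it must be
# looked at again, so a suppression cannot quietly become permanent.
SUPPRESSIONS = [
    {"host": "10.10.5.7", "plugin": "12345",
     "reason": "distro backport; fix confirmed from installed package version",
     "verified_by": "analyst-a", "expires": date(2024, 6, 30)},
]


def triage(findings, suppressions, today_iso):
    """Split findings into actionable, suppressed and stale-suppression buckets.

    An expired entry is not honoured: its finding comes back as actionable
    (marked "recheck") and the entry itself is listed for re-review.
    Unauthenticated findings are tagged low-confidence because the version
    was inferred from a banner instead of read from the host.
    """
    today = date.fromisoformat(today_iso)
    index = {(s["host"], s["plugin"]): s for s in suppressions}
    actionable, suppressed, stale = [], [], []
    for finding in findings:
        entry = index.get((finding["host"], finding["plugin"]))
        if entry is None:
            confidence = "high" if finding["authenticated"] else "low"
            actionable.append({**finding, "confidence": confidence})
        elif entry["expires"] < today:
            stale.append(entry)
            actionable.append({**finding, "confidence": "recheck"})
        else:
            suppressed.append(finding)
    return actionable, suppressed, stale


if __name__ == "__main__":
    actionable, suppressed, stale = triage(FINDINGS, SUPPRESSIONS, "2024-07-01")
    for f in actionable:
        print(f"{f['host']} {f['name']} [{f['confidence']}]")
    for s in stale:
        print(f"stale exception: {s['host']} plugin {s['plugin']} (expired {s['expires']})")
```

Keying suppressions on host and plugin rather than on plugin alone keeps the same check live on every other host, which is what catches the second OpenSSH finding on 10.10.5.8.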

Vulnerability Scan Scheduling

  • essential to maintaining a secure environment
  • often required to maintain regulatory compliance
  • helps confirm that installed patches took effect and did not introduce new vulnerabilities
  • helps identify misconfigurations and unauthorized changes between scans

IDS, IPS, and Firewall Settings

  • essential to ensure that the vulnerability scanner can work alongside other security systems
  • agents need to reach the management server through firewalls on the required ports, so those ports must be opened from the agent subnets to the server
  • scanner traffic looks like an attack to an IDS/IPS and may be blocked or rate-limited, which silently hides findings
    • configure exclusions for the scanner's source addresses only, and document them, since an exclusion is also a blind spot
  • may need to deploy an additional scanner node inside a segmented network instead of opening the firewall between zones
  • host-based firewalls can drop probes as well, which makes the host look clean rather than unreachable
  • the scanner needs access to its vendor's update URLs to download plugins and signatures
    • ensure firewalls allow that access
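Checking a first-match firewall policy against the flows a scanner deployment depends on, as an added example (not from the original notes). The rules, addresses and the management port (8443) are constructed, not a vendor default; the example finds the flow a deny rule blocks and shows the narrow, scanner-only exclusion that fixes it.

```python
"""Verify a first-match firewall policy permits the flows a scanner needs.

Added example, not from the original notes. Rules, addresses and ports are
constructed; 8443 is an assumed management port, not a vendor default.
"""
import ipaddress

# Constructed policy, evaluated top-down, first match wins, default deny.
RULES = [
    {"src": "10.10.0.0/16", "dst": "10.10.1.5/32", "port": 8443, "action": "allow"},     # agents -> manager
    {"src": "10.10.1.20/32", "dst": "203.0.113.0/24", "port": "any", "action": "deny"},  # IPS-style block of the scanner into the DMZ
    {"src": "10.10.1.20/32", "dst": "0.0.0.0/0", "port": 443, "action": "allow"},        # scanner -> vendor update servers
    {"src": "0.0.0.0/0", "dst": "0.0.0.0/0", "port": "any", "action": "deny"},
]

# Flows the deployment depends on: (description, src, dst, port). Constructed.
REQUIRED_FLOWS = [
    ("agent report-in", "10.10.5.7", "10.10.1.5", 8443),
    ("scanner -> DMZ web tier", "10.10.1.20", "203.0.113.10", 443),
    ("scanner -> plugin updates", "10.10.1.20", "198.51.100.44", 443),
]


def evaluate(rules, src, dst, port):
    """Return the action of the first matching rule, or "deny" if none matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if (s in ipaddress.ip_network(rule["src"])
                and d in ipaddress.ip_network(rule["dst"])
                and rule["port"] in ("any", port)):
            return rule["action"]
    return "deny"


def blocked_flows(rules, flows):
    """Descriptions of required flows the policy does not allow."""
    return [desc for desc, src, dst, port in flows if evaluate(rules, src, dst, port) != "allow"]


def add_scanner_exclusion(rules, scanner_cidr, target_cidr, port="any"):
    """Return a copy of the policy with a narrow allow for the scanner placed first.

    Scoped to the scanner's own address: exempting the whole subnet the
    scanner lives in would also exempt anything an attacker runs from there.
    """
    exception = {"src": scanner_cidr, "dst": target_cidr, "port": port, "action": "allow"}
    return [exception] + list(rules)


if __name__ == "__main__":
    print("blocked before:", blocked_flows(RULES, REQUIRED_FLOWS))
    fixed = add_scanner_exclusion(RULES, "10.10.1.20/32", "203.0.113.0/24")
    print("blocked after: ", blocked_flows(fixed, REQUIRED_FLOWS))
```

Run this pre-flight check from the exported policy before each scheduled scan; a flow that moves from allowed to blocked between runs explains a sudden drop in findings better than assuming the hosts were fixed.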

Data Sensitivity Levels

A data inventory describes the mechanisms used to identify and track the data assets created, controlled, or maintained by an organization.

  • also called a data map
  • describes each data asset in terms of what it contains, its classification, and its sensitivity
  • having a clear view of the data is the first step in protecting it, and it tells the scanning program which hosts hold the most sensitive data and so deserve the most frequent and thorough scans