Best Practices for Network Vulnerability Scanning

By Casper Manes | March 20, 2012

You know that vulnerability scanning is an important part of your network security process, but you’re not really sure where to begin. Been there, done that, and know exactly how you feel. The idea of scanning your network can seem daunting, and then, what do you do with all the results? In this article we’ll talk about some best practices for vulnerability scanning that should help you with this security task and to get the most out of your vulnerability scanner.

First, pick a weekend and let the scanner run over the entire weekend to see what it can discover. Almost all vulnerability scanners can perform an autodiscover process that includes subnet scanning as well as querying your Active Directory for domain members. Running it over the weekend gives it plenty of time to find every server on your network without generating scan traffic while users are trying to get work done. Bear in mind that a subnet sweep only finds hosts that are powered on at the time; laptops that went home for the weekend will show up through the Active Directory query or on the workstation scans described later in this article.

Then, divide your network up into manageable chunks. Trying to work your way through the entire network in one pass is overwhelming even when it is modestly sized. You can start with your critical Internet-facing servers, your domain controllers, or your workstations. Look at the built-in categories that your vulnerability scanning app comes with, and move autodiscovered servers into the right categories. When a server runs more than one role, I like to categorize it based on the most critical role. We’ll use these groups in a later step.

Now, sort all of your systems from most to least critical, and start your remediation efforts at the top. Your scanner rates a system as critical because it either carries the most severe vulnerability or the largest number of vulnerabilities; either way it is at the greatest risk and should be tended to first. Weigh that rating against the role you assigned in the previous step: an Internet-facing server or a domain controller with a medium-severity finding usually deserves attention before a workstation with a high one. Apply all required patches, harden the services you need and disable those you don’t, and you have just taken care of the most important issues, which are often also the easiest to fix, or what we sometimes call the low hanging fruit. Repeat the process on each lower tier of at-risk servers until you have taken care of all the worst problems.

Now, run your scan again and compare the results. You might find some new vulnerabilities, either because new ones have been published since the first scan or because one missing patch masked another issue that the scanner can only check for once the first patch is in place. Get all your systems up-to-date so that your scans come back reasonably clean. Now comes the fun part.

Remember the groups you sorted your systems into? Schedule scans so that you are vulnerability scanning a different group each night. Save the results and compare them to the previous scan of that group to track deltas and identify new issues as they come up. Automating these scans and “diffing” the results becomes your early warning system, both for newly discovered vulnerabilities and for configuration drift such as a hardened service being switched back on. Over the weekend, run a full discovery of all your subnets so you can pick up new systems that have been added to the network, and sort them into the appropriate groups on Monday morning.
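The grouping, prioritizing and diffing steps above are straightforward to automate once each scan has been exported to a flat file. The following script is an added example written for this article; it is not code from the original post or from GFI’s products. It assumes each scan is exported to a CSV with the columns host, group, finding_id and severity (severity on a 1 to 5 scale, 5 being critical); real scanners use their own export formats and severity scales. The group weights and the two sample exports are constructed for illustration, and the finding names are descriptive placeholders rather than real advisory or plugin identifiers.

```python
"""Triage two nightly scan exports: new/fixed/persisting findings, new hosts,
and a remediation order that weighs asset criticality before raw severity.

Added example, not from the original article or any scanner vendor. Assumes a
CSV export with columns host,group,finding_id,severity (severity 1-5).
"""
import csv
import io
from collections import defaultdict

# Assumed asset-criticality weight per group (hypothetical; tune to your network).
# Unknown groups fall back to weight 1.
GROUP_WEIGHT = {"domain-controllers": 3, "internet-facing": 3, "workstations": 1}

# Constructed sample exports: the baseline scan and the following night's scan.
# Finding names are placeholders, not real advisory or plugin identifiers.
BASELINE_CSV = """host,group,finding_id,severity
dc01,domain-controllers,unpatched-remote-desktop,5
dc01,domain-controllers,smb-signing-disabled,3
web01,internet-facing,outdated-tls-library,4
ws-042,workstations,outdated-java-runtime,4
ws-042,workstations,outdated-flash-plugin,4
"""

TONIGHT_CSV = """host,group,finding_id,severity
dc01,domain-controllers,smb-signing-disabled,3
web01,internet-facing,outdated-tls-library,4
web01,internet-facing,weak-tls-ciphers,2
ws-042,workstations,outdated-flash-plugin,4
ws-099,workstations,outdated-java-runtime,4
"""


def parse_scan(csv_text):
    """Return {(host, finding_id): (group, severity)} for one exported scan."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["host"], row["finding_id"])
        findings[key] = (row["group"], int(row["severity"]))
    return findings


def diff_scans(previous, current):
    """Split findings into new (appeared), fixed (disappeared) and persisting."""
    prev_keys, curr_keys = set(previous), set(current)
    return {
        "new": sorted(curr_keys - prev_keys),
        "fixed": sorted(prev_keys - curr_keys),
        "persisting": sorted(curr_keys & prev_keys),
    }


def new_hosts(previous, current):
    """Hosts seen in the current scan that were absent from the previous one."""
    prev_hosts = {host for host, _ in previous}
    return sorted({host for host, _ in current} - prev_hosts)


def prioritize(current):
    """Rank hosts for remediation: group criticality first, then the worst
    finding on the host, then the number of findings; host name breaks ties."""
    per_host = defaultdict(lambda: {"group": None, "max": 0, "count": 0})
    for (host, _), (group, severity) in current.items():
        entry = per_host[host]
        entry["group"] = group
        entry["max"] = max(entry["max"], severity)
        entry["count"] += 1

    def rank_key(item):
        host, e = item
        # Negate the numeric fields so the most urgent host sorts first.
        return (-GROUP_WEIGHT.get(e["group"], 1), -e["max"], -e["count"], host)

    return [host for host, _ in sorted(per_host.items(), key=rank_key)]


if __name__ == "__main__":
    baseline, tonight = parse_scan(BASELINE_CSV), parse_scan(TONIGHT_CSV)
    delta = diff_scans(baseline, tonight)
    for label in ("new", "fixed", "persisting"):
        print(f"{label}: {delta[label]}")
    print("new hosts:", new_hosts(baseline, tonight))
    print("remediation order:", prioritize(tonight))
```

Run against the two constructed exports, the diff flags the weak cipher finding on web01 and the whole of ws-099 as new, reports the remote desktop patch on dc01 and the Java update on ws-042 as fixed, and ranks web01 ahead of dc01 because its worst finding is more severe, with both ahead of the workstations despite the workstations carrying high-severity findings of their own. Feeding the “new” list into a ticketing system or an e-mail each morning is the early warning system the paragraph above describes.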

During that first week with your new scanner, and at least once a month thereafter, run your vulnerability scanning against your DMZ and any hosted servers you have to see what is out there and accessible from the Internet. Run this scan from outside your firewall, for example from a scanner on an external connection or a hosted scanning service; a scan launched from inside the DMZ sees ports and services that the firewall blocks from the outside. Done that way, it gives you the same view of your network that external attackers have, and it will help you identify and remediate any issues.

Finally, at least once a month run your scanner during the normal business day against your workstations, and make sure you don’t forget VPN-connected systems. Your end users’ machines can be some of your riskiest, especially those that travel outside your corporate firewall’s protection. Scanning can generate a lot of traffic though, and a full scan over a VPN link is slow for the remote user, so pick times other than month-end close or other periods that are key to your company’s business.

Regular scanning and regular review of the results are the keys to the successful use of a vulnerability scanner. Keeping your scanner and its vulnerability checks up-to-date, and acting promptly on any results it reports, will keep the opportunities for attackers to compromise your systems to a minimum.

This guest post was provided by Casper Manes on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. Learn more on what to look out for when choosing a vulnerability scanner.

All product and company names herein may be trademarks of their respective owners.