Vulnerability Scanning for Business
Amer Deeba came to Qualys from VeriSign, where he was the General Manager for the Payment Services Division and helped establish VeriSign as a leader in the online payments space, at a time when 40% of all credit card transactions processed across the Internet went through VeriSign. We caught up with him online.

IT Security: What is vulnerability scanning, and what service does it provide to an organization? What does a vulnerability scan look for?

Amer Deeba: Vulnerability scanning checks systems for weaknesses in an application, computer or network. This is of benefit to organizations because it enables them to identify risks before they can be exploited by viruses, trojans and other attacks or exploits.

A network scanner will first look for active IP addresses, open ports, operating systems and any applications running throughout the network. Once the network is mapped and assets are identified, the scanner will try to determine the patch level of the OS or applications and also check for any known vulnerabilities.

IT Security: How aware are organizations of the need for vulnerability scanning? If they are aware, do they generally understand the extent of the problems that scanning is trying to address?

Amer Deeba: In various analyst surveys, the awareness level and use of vulnerability scanning is approximately 75% or more. However, many organizations do not have a regular process in place and are using outdated tools to do this work, making it a manual process and one that is not as accurate as it should be.

The good news in all of this is that regulations (e.g. HIPAA, SOX, GLBA, PCI, etc.) have now elevated IT security and include vulnerability scanning as part of the best-practices process. Therefore, organizations are putting in place much more effective and cost-efficient solutions to manage their security risks.

IT Security: Is vulnerability scanning of equal concern to every business? Should a small business of just a few employees be as concerned about using vulnerability scanning as a large enterprise? Is there any level at which the ROI does not make sense?

Amer Deeba: If your business has a network, you need to regularly scan it for vulnerabilities and eliminate these risks before they can be exploited. Without exception, it is absolutely critical for large businesses.

For large or small businesses, not knowing what is on your network, or who is connected, and not knowing what risks exist is irresponsible. As a component of the vulnerability management process, vulnerability scanning enables you to measure and verify your security so it can be managed properly.

Very small organizations typically do not have the staffing to do daily or weekly audits, but they still need to have a program in place to check and fix issues before they become a problem. Systems like QualysGuard are delivered on-demand (software as a service) and have simplified the process and made it cost-effective for even the smallest organizations. Alternatively, smaller organizations could utilize the services of outside consultants to perform this type of service on a regularly scheduled basis.

IT Security: How many types of vulnerability scanning tools are there? Is there such a thing as one tool or device that can be used to scan for every vulnerability, or do tools have to be specific to the job they are required to do?

Amer Deeba: There are a variety of vulnerability scanning tools out there. The difference in these tools amounts to what they are able to do, their accuracy and reliability, ease of use, reporting and scalability.

Low-end tools have evolved very little in the past 10-15 years and can typically just scan the network. They have limited capabilities to discover rogue assets, prioritize assets, provide remediation suggestions or verification of fixes, and they have very limited reporting capabilities.

Most importantly, the results are often riddled with false positives and false negatives. False positives create problems because the scanner identifies something as a problem and, when it is investigated by the person doing remediation, it turns out that the problem is non-existent; hence, a false positive. A false negative is when the scanner fails to report issues that exist, which can be devastating as it lulls an organization into a false sense of security.

A scanner should have the highest level of accuracy in its vulnerability scanning capability and utilize the most comprehensive vulnerability Knowledgebase in performing these audits. This eliminates the need to use multiple inaccurate tools in an attempt to get good results. As indicated, many first- and second-generation scanning tools are inaccurate, and IT security folks would use several different ones in an attempt to improve results and the thoroughness of the scans. Many of these tools were reliant on the same database of existing vulnerability checks, so it was often a frustrating exercise in futility.

IT Security: What's the difference between active and passive vulnerability scanning? When is one preferred to the other? Are there any situations when either one cannot be used?

Amer Deeba: Active vulnerability scanning checks systems for the presence of vulnerabilities by interrogating the system, sending traffic to it and seeing how it responds, and then making a decision based on the result that comes back. Typically, a vulnerable system will behave in a different manner than a properly patched system. Conversely, a passive vulnerability checking decision process depends merely on checking the operating system level or version number to decide if a specific system or application is vulnerable, based on information from public advisories.

Active scanning is the preferred mode of operation as it leads to the least number of false positives and produces definitive results.

IT Security: What's the difference between software-based scanners and hardware devices? Do they both do the same thing, or are they used in different situations? When, if at all, is one preferred over the other?

Amer Deeba: Results from software-based or hardware-based scanners are very similar. However, one might argue that hardware-based scanners are slightly easier to install and manage, as the "one-box" approach is usually self-maintained and up-to-date with the most recent checks. The easiest methodology is the software-as-a-service approach, which eliminates the need to manage, maintain, and secure the software. In this model, internal scanning is achieved by a simple-to-install hardware device that connects automatically, so you can run your entire vulnerability scanning and management process from a single web console, from anywhere in the world, with complete confidence and security.

IT Security: Are vulnerability scanning tools "plug-and-play", or do they require a level of interaction with a user? What level of technical skill must a user have to set up and deploy vulnerability scanners? Do the results of vulnerability scans require a certain level of interpretation?

Amer Deeba: Most software-based tools are not "plug-and-play" and require a great deal of technical resources and care to be set up, secured, and maintained properly. Then, the scanning results need to be secured and protected.

Interpreting scan results should be easy. If the information is not accurate and clearly presented, it is useless. As mentioned, simple scanning tools often lack the ability to produce reports that can actually be used to measure and improve security. Reporting should be a core function so that IT and non-IT folks can benefit from the results, thus measuring and improving their security and meeting necessary compliance requirements.

IT Security: Are vulnerability scanners standalone tools, or do they work best in conjunction with other security tools and appliances? Where in an organization's security scheme do vulnerability scanners stand? Are they the basis for applying other security systems, for example, or are they used to check the effectiveness of those systems?

Amer Deeba: Best-of-breed vulnerability scanners function standalone. However, most organizations integrate the results of the scanners with other best-of-breed security solutions and tools like Security Information Management systems, HelpDesk systems, Patch Management tools, etc., to use the intelligence collected from the network via the scanner to either drive these solutions or make their analysis more comprehensive and effective.

IT Security: Are all the vulnerabilities that scanning tools find of equal concern? How do users choose between the not-so-important ones, and the absolutely-must-fix kind? Is that something the tools can also do for them?

Amer Deeba: Scanning solutions need to prioritize the vulnerabilities identified on the network based on their level of exploitation and severity. For example, QualysGuard rates vulnerabilities at 5 severity levels, with 5 being the most critical. This helps users prioritize their work and focus on the most critical issues first. Additionally, it lets users prioritize their assets. Therefore, a company can focus attention on critical business units and segment remediation efforts accordingly.

IT Security: What are the best-of-breed features that a buyer should consider when weighing what tools to buy?

Amer Deeba: Ease of deployment and use, accuracy and comprehensiveness of scans, rich reporting features, workflows for remediation and ease of integration with third-party solutions.

Vulnerability scanning is now a mature industry, and it has transitioned beyond just scanning into vulnerability risk management and policy compliance. Global organizations are looking to deploy it in order to effectively manage their network security, ensure remediation is occurring in a timely manner, and document compliance. There are a number of mature solutions and options in the market that customers can consider to best address their needs.
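The interview makes two points that are easier to see in code than in prose: a passive check decides from the advertised version alone, while an active check sends traffic and judges the behaviour that comes back, and confirmed findings then need to be ranked by severity and by asset importance. The example below is added here and is not code from the interview or from Qualys. Everything in it is constructed: the "ExampleFTP" service, the knowledge-base entry EXAMPLE-0001 with its hypothetical fixed-in version, the four hosts, their banners and the in-process stand-in for a network exchange. The interesting host is 10.0.0.2, which runs a vendor build with the fix backported, so its banner still reports the old version.

```python
"""Passive (version-based) vs active (behaviour-based) vulnerability checks.

Added example; not the interview's or Qualys' code. Service, hosts, banners,
the EXAMPLE-0001 entry and its fixed-in version are all constructed.
"""
import re
from dataclasses import dataclass

# Constructed knowledge base: one hypothetical flaw in a fictional "ExampleFTP"
# daemon, fixed upstream in 2.4.0 (hypothetical advisory). Severity uses the
# 1..5 scale the interview describes, 5 being the most critical.
KB = {
    "EXAMPLE-0001": {"product": "ExampleFTP", "fixed_in": (2, 4, 0), "severity": 4},
}


@dataclass
class Host:
    ip: str
    banner: str                # version string the service announces on connect
    anon_write_allowed: bool   # the real behaviour the active probe exercises
    criticality: int = 1       # asset importance 1..5 (constructed)


def parse_version(banner):
    """Pull (major, minor, patch) out of a banner such as '220 ExampleFTP 2.3.1 ready'."""
    m = re.search(r"ExampleFTP\s+(\d+)\.(\d+)\.(\d+)", banner)
    return tuple(int(x) for x in m.groups()) if m else None


def passive_check(host, vuln_id):
    """Passive: vulnerable iff the advertised version is older than the fix."""
    version = parse_version(host.banner)
    if version is None:
        return "unknown"          # banner hides the version: passive has nothing to go on
    return "vulnerable" if version < KB[vuln_id]["fixed_in"] else "not vulnerable"


def simulated_service(host, request):
    """Stand-in for a TCP exchange: the constructed host's reply to a request."""
    if request == "STOR /incoming/probe.txt":
        return "226 Transfer complete" if host.anon_write_allowed else "550 Permission denied"
    return "500 Unknown command"


def active_check(host, vuln_id, send=simulated_service):
    """Active: send the probe and decide from how the service actually behaves."""
    reply = send(host, "STOR /incoming/probe.txt")
    return "vulnerable" if reply.startswith("226") else "not vulnerable"


def scan(hosts, vuln_id="EXAMPLE-0001", send=simulated_service):
    """Run both checks on every host; return all findings and a prioritized worklist."""
    findings = [{
        "ip": h.ip,
        "vuln": vuln_id,
        "passive": passive_check(h, vuln_id),
        "active": active_check(h, vuln_id, send),
        "severity": KB[vuln_id]["severity"],
        "criticality": h.criticality,
    } for h in hosts]
    # Only actively confirmed findings go on the worklist: severity first,
    # then the importance of the asset it sits on.
    confirmed = [f for f in findings if f["active"] == "vulnerable"]
    confirmed.sort(key=lambda f: (f["severity"], f["criticality"]), reverse=True)
    return findings, confirmed


def compare(findings):
    """Count where the passive verdict disagrees with the active one."""
    fp = sum(1 for f in findings if f["passive"] == "vulnerable" and f["active"] == "not vulnerable")
    fn = sum(1 for f in findings if f["passive"] == "not vulnerable" and f["active"] == "vulnerable")
    unknown = sum(1 for f in findings if f["passive"] == "unknown")
    return {"passive_false_positives": fp, "passive_false_negatives": fn, "passive_unknown": unknown}


# Constructed inventory, no real hosts. 10.0.0.2 has the fix backported by the
# vendor, so its banner still says 2.3.1; 10.0.0.4 suppresses its version.
HOSTS = [
    Host("10.0.0.1", "220 ExampleFTP 2.3.1 ready", anon_write_allowed=True, criticality=5),
    Host("10.0.0.2", "220 ExampleFTP 2.3.1 ready", anon_write_allowed=False, criticality=3),
    Host("10.0.0.3", "220 ExampleFTP 2.4.0 ready", anon_write_allowed=False, criticality=2),
    Host("10.0.0.4", "220 FTP server ready", anon_write_allowed=True, criticality=4),
]

if __name__ == "__main__":
    findings, confirmed = scan(HOSTS)
    for f in findings:
        print(f"{f['ip']:10} passive={f['passive']:15} active={f['active']}")
    print(compare(findings))
    print("remediate first:", [f["ip"] for f in confirmed])
```

Run as a script it prints one line per host, then the disagreement counts (one passive false positive from the backported build, one passive "unknown" from the hidden banner, no false negatives) and the worklist ordered by severity and asset criticality. A real scanner replaces `simulated_service` with a socket and needs an inventory of safe, non-destructive probes; the decision logic stays the same.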