To understand how often vulnerability scanning should be performed, it’s important to delve into the drivers behind this objective. Vulnerability management includes the treatment of risks identified during the vulnerability assessments. This is a vital element of the risk management regime for any organisation. Without making informed choices around risk appetite, an organisation may not get the best out of a vulnerability management programme.
If you reckon we are missing the basics that should be discussed here, get your head around we have covered vulnerability scanning in great detail here:
What is the most important step to be taken before you begin any vulnerability scanning?
Qualified staff perform, configure and analyse a vulnerability scan. This is most important. Knowing the system being scanned will also increase efficiency and reduce worries of misconfiguration.
How often do you conduct vulnerability scanning of your network perimeter?
Industry experts recommend conducting vulnerability scanning on your network perimeter at least annually. This will help you identify any vulnerabilities in the system so they can be fixed before an attacker exploits them to get access to data, or even worse, change the content of a website or database.
The answer to ‘how often should you perform‘ would assess your risk level and the type of data you have on your systems and networks. It will then be determined what the best scanning frequency for your business should be.
But how often is too much? Some businesses exceed this, scanning their perimeter every few weeks or even daily. The experts recommend a balance between frequency and thoroughness of your vulnerability scans to maintain the health of an organisation’s network.
Frequency of vulnerability scanning
It is essential to understand the drivers behind this objective to make an informed choice. Here are the following best practices to consider when deciding on the frequency of vulnerability scanning.
Compliance scanning
In the past, even to date – some of the compliance requirements are considered a tick in the box approach. If done at ground level, compliance requirements (PCI DSS) are often a great business case to build a security-aware culture within the business.
How often should vulnerability assessments be performed?
Based on the compliance requirements such as PCI DSS tests, ISO 27001, audits, the frequency of scans is often quarterly or based on specific needs. These frequencies mainly vary between quarterly scans and annual penetration tests.
One word of caution to businesses living by compliance standards where regulatory or compliance requirements are the main objective is the threat exposure window. Specific vulnerabilities are exploited well within a 90 days window, meaning assets remain exposed to cyber attacks before the following vulnerability scan. Therefore, monthly basis vulnerability scans are recommended in such scenarios. Additionally, incremental scans should be conducted when changes take place in the infrastructure or code.
Vulnerability scanning frequency best practices by NIST answer this based on a frequency depending upon the risk, but no less than annually. You can see technical guide to security testing and assessments here.
Due to modern world setup consisting of APIs, web applications with frequent updates and the speed of vulnerabilities, quarterly vulnerability scanning is often advised as a best security practice. This is often easily observed in quotes/estimations based on a quarterly frequency. Online retailers that process high volume transactions carry out this exercise every week or so to stay updated with their constantly changing attack surface.
Changes (either code or infrastructure)
Code or infrastructure changes in modern technology environments are crazy fast, mainly due to functional requirements and the pressures on businesses to match and reach customers tastes. These changes are multi-dimensional and bring along configurational changes that may lead to the introduction of security weaknesses. These vulnerabilities in code or infrastructure or both could stay for longer if not checked in time.
Therefore, it is the security team’s responsibility to ensure there is a minimal window between vulnerability and exploitation by a threat actor. Vulnerability identification, triage, and remediation are significant factors in delivering the balance of technology and security to the business. In this case, vulnerability scanning is performed on a weekly, on-demand or fortnightly basis.
Proactive approach
Organisations with mature cyber security processes prefer a proactive approach to a reactive approach. Security researchers are discovering new vulnerabilities every other week in addition to data breaches and attacks in the news. It makes staying on top of the latest threats to your assets before attackers. In these cases, vulnerability scanning is performed monthly or after changes to code or infrastructure.
Threat based
Unfortunately, despite the vulnerability management process in place, situations arise where gaps are present due to the latest exploits in the wild. This type of threat often remains out of the scope of vulnerability scanners as no scanning plugins are available for zero days. Vulnerabilities that are exploited in the wild before a patch is released offer an increased likelihood of attacks. It is essential that vulnerability scanning offers support by scanning vulnerabilities and helping customers with compensatory controls or virtual patches.
Network Vulnerability Assessments
How do you scan a vulnerability?
To perform a vulnerability assessment, an organisation must start with the identification and classification of assets. Identification of assets is essential and is often based on several factors: operating system, addresses (IP addresses, MAC addresses, inventory trackers), etc. Classification of assets includes the criticality or risk appetite of each asset offering value to the business.
By defining risk appetite, cyber security teams can strategically plan vulnerability management program to ensure ongoing efforts are planned based on resources utilisation and relevant efforts. For instance, internet-facing systems, internal servers, endpoints all have different risk appetite and importance to the business. This input is the deciding factor to confirm which type of vulnerability scans will benefit the scope.
It is essential to ensure tool-sets in use are configured in line with the target environment. This includes bandwidth utilisation, target device types, reporting and vulnerability scanning configuration. High-performance scanners contain many options to ensure thorough scanning resulting in fewer false positives.
What are the types of vulnerability scans?
There are three types of vulnerability scans. These are internal scans, external scans and host scans. Internal scans are aimed at identifying vulnerabilities within an internal network within an organisation. External scans target the internet-facing infrastructure, and host scans include vulnerability assessments of hosts such as web servers, databases, etc.
Analysis of vulnerability scanning results is a significant step in ensuring relevant risk ratings are calculated. Treatment of risk is often down to the risk management plan of an organisation. Based on the fixes applied, revalidation of fixes is performed to ensure all mitigated vulnerabilities do not offer any risks.
Conclusion
Based on the best practices, the most common formats of vulnerability scanning are weekly, monthly and quarterly. Latest managed services offerings include vulnerability scanning, including an annual penetration testing exercise to ensure a comprehensive view of threats to the target assets. Just like networks and technologies are expanding, security vulnerabilities keep increasing, and ongoing vigil is needed to protect systems, applications, users and other assets.
Timely identification of threats acts as a catalyst to the threat analysis and risk treatment phases, followed by the verification phase. This is an ongoing exercise that keeps providing a continuous picture of gaps in your environment.
Cyber security service providers such as Cyphere add a human edge in skill-set, analysis, and false-positive removal that are otherwise unavailable to internal security teams. This also ensures that internal security teams can focus on other efforts by outsourcing this task with minimal costs and maximising their efficiency. Not to mention, this is a helpful service to assist your proactive security efforts including but not limited to just compliance (PCI DSS) standards.
The more proactive you are, the safer your business will, the more customer trust and brand royalty will add to your business growth. Get in touch to discuss any cyber security concerns or vulnerability scanning requirements.
Shahrukh, is a passionate cyber security analyst and researcher who loves to write technical blogs on different cyber security topics. He holds a Masters degree in Information Security, an OSCP and has a strong technical skillset in offensive security.
