Vulnerability Assessment Best Practices
This video covers how asset discovery and scoping your assets is a critical part of vulnerability assessment. It discusses active and passive scanning, and the context vulnerability assessment provides you in security incident response.
Video Transcript
Let’s examine some best practices for Vulnerability Assessment:
Finding, fixing vulnerabilities is a constant battle for IT. You need not only vulnerability scanning of your network, but you also need details about vulnerabilities like if a patch is available and if an exploit exists.
The first step is to Understand your network before scanning. Vulnerability Assessment starts with Asset Discovery, which helps you tune your vulnerability scans. You can define your vulnerability scans to specific network segments and assets of interest, such as in-scope assets for PCI DSS compliance.
Ideally, you should have traditional active network scanning, where your vulnerability assessment tool probes hosts to elicit a response to identify the specific services running on a system and versions of software and patches, to then use that information to collect data and compare it to the database of known vulnerabilities. In addition, continuous, or passive vulnerability monitoring layered on top of that active scanning is useful – it correlates the data gathered by asset discovery scans with known vulnerability information.
Vulnerability Management never “ends” – because your network is always changing, you need to schedule vulnerability scans on a consistent basis. You should also be able to run scans as required on an ad-hoc basis, such as after the disclosure of a new exploit targeting an application or OS that you’re running.
Vulnerability information adds context for security incident response. As a security incident occurs, you need to be able to run vulnerability scans on-the-fly to help determine if you are vulnerable for exploits occurring.
You should be able to do unauthenticated scanning, where no host credentials are required, as well as authenticated scanning to perform more accurate and comprehensive vulnerability detection by inspecting installed software and its configuration.
You need to prioritize remediation of vulnerabilities you find. All of your assets are not equal – some are more business critical. In addition, the vulnerabilities you find are not equal – some exploits that utilize those vulnerabilities have a much higher impact in terms of destructive capabilities.
Having a view to external threat information, such as information on known malicious IPs, is helpful in helping you focus on which vulnerable assets to remediate first by identifying any known malicious hosts targeting your network.