Security Scanning 101


Laura Taylor
09/23/2002


Network and system security scanning is the most practical way to find out what the vulnerabilities and threats are on your systems and networks. All reputable providers of this service and associated products offer a comprehensive report that describes the vulnerabilities detected, the level of risk associated with each vulnerability, and recommendations for corrective action. Examining security vulnerabilities is the first step to take in reducing site, system, and server liabilities. Here are a few things to know to help you understand what's involved.

Justification and Practical Matters
Keeping your intranet secure from cybercriminals should be high on your list of priorities. No business or organization wants to lose data, or have the jewels of their corporate infrastructure destroyed by wily hackers. Also, if your business is a publicly traded company, it is particularly important to mitigate security risks to avoid liabilities with the Securities and Exchange Commission (SEC), since the SEC requires that all publicly traded companies disclose risks to shareholders.

Consulting companies that provide network and system scanning services typically refer to them as Security Vulnerability Assessments. Alternatively, some companies refer to this service as a Security Audit or an On-line Penetration Test.

The person responsible for keeping the systems and networks of an information technology infrastructure secure varies depending on the size of the company. The security of the corporate intranet might be the responsibility of the Chief Security Officer, the Chief Information Officer, the Director of Information Technology, or a Network Manager. Regardless of the title of the person held responsible, the process for conducting this risk mitigation is the same.

Though most organizations recognize the need to keep their infrastructure secure, it's often the case that the person being held accountable for security still needs to justify the cost of a full-blown security vulnerability assessment, particularly if the company has not had any security problems previously. The main purpose of a security vulnerability assessment is to provide your business with a useful report on the current security posture of your systems and networks, for you to use as a guide to systematically correct the weaknesses that expose your information technology infrastructure. If you're not going to use the report to take mitigating action, there's little reason to go through the time-consuming and expensive process of generating it.

The various reasons for performing a security vulnerability assessment include the following:

  • Generate a report with risks qualified along with supporting recommendations
  • Enable corrective action
  • Avoid litigation
  • Reduce the risk of Denial of Service attacks
  • Reduce site outages and performance problems
  • Create secure and seamless information access
  • Build customer loyalty
  • Gain a competitive advantage
  • Protect your revenue stream
  • Reduce risk during mergers and acquisitions
  • Test your Intrusion Detection System
  • Qualify for Information Protection Insurance
  • Understand what products you may need to buy for future infrastructure needs

Citing these reasons is often a good way to get your organization to allocate the funds necessary to include a security vulnerability assessment into the IT budget.

Understanding the Process
Some companies may choose to audit their own network, and as long as they have the resources to do this, this approach can work out well. The advantage of performing the security vulnerability assessment yourself is that you can then re-scan your systems and networks whenever you need to, for example, if new systems are installed, or when network configurations change. The disadvantage of performing the security vulnerability assessment in-house is that your customers or shareholders may say that the audit was not done objectively. Also, the skills and experience of in-house personnel may not be as high as those of a security scanning service provider.

In the event that you need to report your findings to an outside entity (for example, in litigation, to satisfy customer contractual requirements, in an annual report, or in a security or accounting investigation), a report generated by an outside consultancy may be considered a more trustworthy form of information. Similar to how an outside accounting audit is considered more objective, some information technology experts consider an outside security report to be more objective as well. Your management team needs to decide which route is the best one to take for a security vulnerability assessment -- whether to outsource it or do it in-house.

Should your company decide to outsource the service to a consulting company, the consulting company should be able to provide you with a detailed Service Level Description (SLD) that explains its own process for conducting the scan. The more detail the SLD contains, the more likely it is that the consulting company understands how to conduct this service effectively. An SLD for this type of service is typically a minimum of ten pages long, and in many cases two or three times that. The SLD should give detailed information on what tools the consulting firm uses to conduct the scan, how and when the scan is done, what vulnerabilities and threats are scanned for, and whether the vulnerabilities and threats are listed by risk level in the report. The consulting company should also be able to provide you with a sample report. Consulting companies that provide this service typically have a scanning tool, or set of tools, already selected as a result of their own due diligence in researching best-practice scanning tools.
