Vulnerability Guidance

Getting started with Vulnerability Guidance

Dear enterprise community, in this section, we will answer the following questions:

  • What data is regulated that your organisation collects and processes?

  • What is a vulnerability scan and why is it important?

  • What is the output of a vulnerability scan, and why does it matter?

  • How can your organisation's operating location perform a technical vulnerability scan?

  • How often must technical vulnerability scans be performed?

When you collect and process regulated personal information from employees, customers, and others, there is a legal obligation to understand your responsibilities, and directors can be held liable for failing to do so. We recommend that you read this page in its entirety and understand your obligations; your organisation will face extremely steep fines if there is a data breach and you cannot demonstrate due care and due diligence.

Part 1: What Data is Regulated that Businesses Collect and Process?

Businesses around the world collect and process all kinds of information about individuals, including personal data regarding prospective customers, active customers, past customers, employees, and contractors. Information can come in various forms, such as:

  • submitted employment applications,

  • performance reports,

  • financial information,

  • health insurance information,

  • identity data such as passport numbers,

  • gender and sexual orientation,

  • criminal record disclosure; and

  • much more.

Worldwide Regulations

Because this information would be highly damaging to the data subject if it were unlawfully disclosed (e.g. turning up in a Google search after theft or another type of data breach), governments around the world regulate this data and require it to be protected. For instance, to quote a European law, organisations are required to “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk…” (Article 32 of the EU’s GDPR). Other regulations around the world require similar measures. But what does this mean, and how is it done?

What is a Vulnerability Scan?

Scanning an organisation’s web portals, Internet firewalls and even its infrastructure (i.e., servers, if relevant) for hidden security “holes” or “gaps” is a foundational practice; this cybersecurity function is termed technical vulnerability scanning. Scanning for technical vulnerabilities is important for many reasons:

  • It uncovers hidden security holes that could be exploited by threats such as malware or hackers, resulting in a data breach;

  • It reveals patches that have not been applied to firmware, operating systems and applications;

  • It discovers insecure protocols in operation, such as SNMPv1, SSLv3 or TLSv1.0, telnet, http instead of https, and others;

  • It satisfies a legal requirement in many parts of the world to demonstrate “sufficient guarantees to implement appropriate technical and organisational measures” of data protection (Article 28 of the GDPR);

  • It generates a list of remedial actions to address in order to tighten security and safeguard information entrusted to your organisation; and

  • It demonstrates due care and, when paired with corrective action, it demonstrates due diligence.

Some regulations, such as those throughout the European Union, impose director liability to ensure organisations exercise due care and due diligence to protect the confidentiality of information. In essence, should a data breach occur, your organisation’s senior management can be held legally and financially liable for failing to understand the regulatory landscape, to ensure appropriate technical measures were implemented, and to perform technical vulnerability scanning to measure the effectiveness of the safeguards employed. In the European Union, fines of 20 million euros can be levied, an outcome the authors of this website aim to help you avoid.

Assessing and Addressing Vulnerabilities

Part 2: What is the Output of a Vulnerability Scan, and Why Does It Matter?

Whilst the immense growth of the Internet has enriched the world’s 4.1 billion Internet users (Statista 2018), including businesses like yours from all around the world, it has also become a theatre of peril for the ill-prepared. Countless online criminals lie in wait to prey on their victims, and data breaches do real damage; they can result in financial loss, reputational damage, emotional distress, physical injury, and entangled litigation.

Hackers and automated bots never stop hunting for weaknesses to exploit: scanning your websites, attempting to log in to your systems, attempting to find backdoors, and attempting to trigger an error that pries open a trap door and permits rogue code to infect your systems undetected.

 

Performing a vulnerability scan is a safe way to uncover and detect system weakness so that issues may be identified, catalogued by type, and scored in terms of severity.

The outcome of this activity produces a specific, actionable list of remedial tasks, such as disabling ports, replacing insecure protocols with secure protocols, applying a missing software patch, and other remedial steps that a technical person can perform.

Below is an example from an average report Allendevaux & Company performs for organizations on a regular basis. The example issues identified below are associated with hosts inside of this example network, noting the IP address and description of each device, the vulnerability found, the ports affected, and the severity level.
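The report rows described above (host, description, finding, ports, severity) only become useful once they are turned into the prioritised work list that Part 1 and the previous paragraph describe. The following is an added example, not Allendevaux & Company's tooling: it parses a constructed scanner export, maps the insecure protocols named in Part 1 to a remedial step (the wording of those steps is an assumption), and orders the result most severe first, grouped per host.

```python
# Added example, not Allendevaux & Company's tooling: turns raw scanner rows into
# the prioritised remediation list described above. Sample rows are constructed;
# the protocol-to-remediation wording is an assumption.
import csv
import io
from collections import defaultdict

# Constructed sample export: host, description, finding, port, severity (SEV1 = most severe).
SAMPLE_EXPORT = """host,description,finding,port,severity
10.0.0.5,Core router,SNMPv1 community string accepted,161,SEV2
10.0.0.12,File server,Telnet service enabled,23,SEV2
10.0.0.12,File server,Missing OS security patch (vendor ID placeholder),445,SEV1
10.0.0.20,Web portal,TLSv1.0 supported,443,SEV3
10.0.0.20,Web portal,HTTP served without redirect to HTTPS,80,SEV3
"""

# Insecure protocols named in Part 1, mapped to the remedial step a technician performs.
REMEDIATION = {
    "snmpv1": "Disable SNMPv1; migrate monitoring to SNMPv3 with authPriv",
    "telnet": "Disable Telnet on port 23; use SSH",
    "sslv3": "Disable SSLv3 in the server TLS configuration",
    "tlsv1.0": "Disable TLS 1.0; allow TLS 1.2 and above only",
    "http served": "Redirect port 80 to HTTPS and enable HSTS",
}
SEVERITY_RANK = {"SEV1": 0, "SEV2": 1, "SEV3": 2, "SEV4": 3}


def remediation_for(finding: str) -> str:
    """Match a finding against the insecure-protocol table; default to patching."""
    text = finding.lower()
    for key, action in REMEDIATION.items():
        if key in text:
            return action
    return "Apply the vendor patch and rescan to confirm closure"


def triage(csv_text: str) -> list[dict]:
    """Parse the export; order findings most severe first, then by host and port."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for row in rows:
        row["port"] = int(row["port"])
        row["action"] = remediation_for(row["finding"])
    rows.sort(key=lambda r: (SEVERITY_RANK.get(r["severity"], 99), r["host"], r["port"]))
    return rows


def by_host(rows: list[dict]) -> dict[str, list[str]]:
    """Group remedial actions per host so each device owner gets one work list."""
    grouped = defaultdict(list)
    for r in rows:
        grouped[r["host"]].append(f"{r['severity']} port {r['port']}: {r['action']}")
    return dict(grouped)
```

Calling `by_host(triage(SAMPLE_EXPORT))` yields one work list per device, with the unpatched SEV1 host at the top and the plaintext-protocol findings each paired with the protocol that should replace them.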

Vulnerability Results Example


Here's another look at a finding, this time from a website scan. In this example we'll look at a fictitious university web portal (based on real findings from a real engagement). Here a reflected cross-site scripting (XSS) vulnerability was found within the organization's website. When this vulnerability is exploited, an attacker can reflect whatever someone types into the university portal. For instance, if someone fills out an application for a class, provides sensitive data, provides credentials or enters any other data into the portal, it can be reflected elsewhere on the Internet, capturing all the text without the knowledge of the user or the university.
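To make the finding concrete, here is an added example (not code from the fictitious portal or from Allendevaux & Company) in which a course-search page echoes a query parameter into the HTML unescaped, beside the corrected version that contextually encodes the value; the page layout, the probe string and the headers are assumptions.

```python
# Added example, not code from the university portal or from Allendevaux & Company.
# Shows why a reflected XSS finding is reported (a query parameter echoed into the
# page unescaped) and how output encoding closes it. Names and layout are assumed.
import html

# Constructed probe of the kind a scanner sends: it closes the attribute and injects a tag.
PROBE = '"><script>1</script>'


def render_search_vulnerable(query: str) -> str:
    """Echoes the query straight into HTML: the condition the report flags."""
    return (
        "<h1>Course search</h1>"
        f'<input name="q" value="{query}">'
        f"<p>Results for {query}</p>"
    )


def render_search_fixed(query: str) -> str:
    """Contextually encodes the query. quote=True also escapes the quote characters
    that would otherwise close the value="..." attribute."""
    safe = html.escape(query, quote=True)
    return (
        "<h1>Course search</h1>"
        f'<input name="q" value="{safe}">'
        f"<p>Results for {safe}</p>"
    )


def reflects_markup(page: str, probe: str) -> bool:
    """Scanner-style check: does the probe come back verbatim, angle brackets intact?"""
    return probe in page


def security_headers() -> dict:
    """Defence in depth for the same finding: a CSP that refuses inline script.
    Assumed policy; tune script-src to the portal's real script origins."""
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
        "X-Content-Type-Options": "nosniff",
    }
```

A rescan after the fix should show the probe returned only as `&quot;&gt;&lt;script&gt;...`, which the browser renders as text rather than executing.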


If you would like to look at a larger example report, just let us know in the contact area of this website.

Three Vectors of Vulnerability Scanning

  • Internet-facing perimeter devices: things such as routers, firewalls, etc. that have public IP addresses or direct IP-to-IP routing from a public address to an internal address.

  • Web portals: it’s not uncommon for larger organisations to have many web portals.

  • Internal hosts across all subnets: this includes servers, workstations, switches, wireless access points, printers, IoT devices, IP cameras, and anything else that has an IP address.

The final output of a comprehensive scan is a report that provides overall findings and actionable recommendations. Below is an example executive summary from a comprehensive, independent auditor’s report delivered to the organisation, usually addressed to the highest levels of leadership as regulatory requirements expect.

Part 3: How Can My Business Perform a Technical Vulnerability Scan?

This is a question that’s commonly asked, and usually the advice given is this: don’t try this yourself. Technical staff at your business might try to convince management that they can download a free scanner, initiate a scan, and produce a report. But the report won’t be trustworthy; in fact, it will give false confidence. Most regulations require strict guidelines of competency and experience, requiring cybersecurity activities to be overseen by certified practitioners.


Seek the assistance of a certified cybersecurity firm; yes, it will require funding to do, but this is not an area in which to skimp. Send an email to infosec@allendevaux.com for help.

Getting Professional Help

If your business or organization wants the service of Allendevaux & Company, we can help; we approach cybersecurity activities in conformance with ISO/IEC 27032 international best practices. The highlights of the process are as follows:

  1. Initiate communication by sending an email to infosec@allendevaux.com, stating your business/organization name, and a contact person with whom we can work.

  2. Set up a discussion via phone, Skype, Zoom, BlueJeans, or another compatible means of communication; face-to-face video conversations are best, where screen sharing is permitted.

  3. Generate an inventory of websites used by your business. For instance, when recently working with a university, just one of their campuses had 10 different web domains with hosted websites.

  4. Generate an inventory of Internet-facing devices, such as firewalls or routers.

  5. Determine if an internal scan will be conducted; if so, generate an IP list, or discuss setting up a discovery scan by network.

  6. Choose the scan date/time.

  7. Conduct the scan.

  8. Generate the report.

  9. Review the report with key stakeholders.

Activities will be performed by a team of professionals and overseen by an accredited ISO/ANSI and/or IBITGQ certified professional. As noted above, the output of these activities is a proper report with actionable recommendations.

Part 4: How Often Must Technical Vulnerability Scans be Performed?

At the very minimum, scanning should be performed annually. Without regular vulnerability scanning, scoring and mitigation, exploitable weaknesses cannot be addressed, resulting in an increased risk of attack.

Gartner Group recommends an enterprise establish and practice a monthly model to discover and remediate vulnerabilities that would otherwise accumulate (Chuvakin & Barros, 2015). Qualys recommends an enterprise establish a systematic model to regularly scan its information assets (Qualys, 2016). The Centre for Internet Security as reported by Tripwire recommends monthly scanning as a minimum baseline (Khimji, 2016).

The reason professionals push for frequent scanning is this: when a vulnerability is first published, it may carry a lower severity score (i.e. SEV2 or SEV3) because there is no known exploit. But as time passes, exploits often become available and the severity increases, further underscoring the need for regular vulnerability management.

Ultimately, the decision as to the frequency of performing a scan is up to each organisation, a function of risk appetite and affordability. Set your schedule and document your decision in terms of your technical vulnerability management policy.

Terms and Conditions

To define and clarify terms, technical vulnerability management, according to the SANS Institute, is defined as follows:

The process in which vulnerabilities in IT are identified and the risk of these vulnerabilities are evaluated and acted upon. The process normally leads to correcting the vulnerabilities found by removing the risk or by formally accepting the risk. The term vulnerability management is often confused with vulnerability scanning. Despite the fact both are related, there is an important difference between the two. Vulnerability scanning consists of using a computer program to identify vulnerabilities in networks, computer infrastructure or applications. Vulnerability management is the process surrounding vulnerability scanning, also taking into account other aspects such as risk acceptance, remediation, etc. (Palmaers, 2013)

Bibliography

Chuvakin, A., & Barros, A. (2015, November 17). How to Implement Enterprise Vulnerability Assessment. Gartner. Retrieved February 1, 2017, from https://www.gartner.com/doc/3169219

Khimji, I. (2016, January 10). Vulnerability Management Program Best Practices -- Part 1. Tripwire.

Palmaers, T. (2013, March 23). Implementing a Vulnerability Management Process. (D. Distler, Ed.) SANS

Qualys. (2016, February 4). Best Practices for Scanning. Qualys Community. Retrieved February 1, 2017,

Statista. (2018, October 1). Global digital population as of October 2018. Retrieved January 4, 2019, from


Getting Further Help

If you need guidance understanding the information above, contact the Allendevaux & Company Service Desk. You will be assigned a certified privacy professional accredited by ISO, IBITGQ or the IAPP with experience in privacy law and compliance. You’ll also find telephone and email contact information at the bottom of this page.


Get Connected

US East: +1 513 401 7107

US West: +1 213 279 1055

UK: +44 2038 802 321

CH: +41 44 585 91 15

35 Rockridge, Englewood OH 45322


Copyright (c) 2019 by Allendevaux & Company LLC. All rights reserved.