This section covers the following topics:
What data is regulated that your organisation collects and processes?
What is a vulnerability scan and why is it important?
What is the output of a vulnerability scan, and why does it matter?
How can your organisation's operating location perform a technical vulnerability scan?
How often must technical vulnerability scans be performed?
When you collect and process regulated personal information from employees, customers, and others, you have a legal obligation to understand your responsibilities, and directors can be held liable for failing to do so. It is recommended that you read this page in its entirety and understand your obligations; your organisation will face extremely steep fines if there is a data breach and you cannot demonstrate due care and due diligence.
Part 1: What Data is Regulated that Businesses Collect and Process?
Businesses around the world collect and process all kinds of information about individuals, including personal data regarding prospective customers, active customers, past customers, employees, and contractors. Information can come in various forms, such as:
submitted employment applications,
health insurance information,
identity data such as passport numbers,
gender and sexual orientation,
criminal record disclosure; and
Because this information would be highly damaging to the data subject if it were unlawfully disclosed (for example, exposed to an Internet search after theft or another type of data breach), governments around the world regulate this data and require it to be protected. For instance, to quote a European law, organisations are required to “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk…” (Article 32 of the EU’s GDPR). Other regulations around the world require similar measures. But what does this mean and how is it done?
What is a Vulnerability Scan?
Scanning an organisation’s web portals, Internet-facing firewalls and, where relevant, its infrastructure such as servers for hidden security “holes” or “gaps” is a foundational practice. This cybersecurity function is termed technical vulnerability scanning. Scanning for technical vulnerabilities is important for many reasons:
It uncovers hidden security holes that could be exploited by threats such as malware or hackers, resulting in a data breach;
It reveals patches that have not been applied to firmware, operating systems and applications;
It discovers insecure protocols in operation, such as SNMPv1, SSLv3 or TLSv1.0, telnet, unencrypted HTTP instead of HTTPS, and others;
It satisfies a legal requirement in many parts of the world to demonstrate “sufficient guarantees to implement appropriate technical and organisational measures” of data protection (Article 28 of the GDPR);
It generates a list of remedial actions to address to tighten security and safeguard information entrusted to your organisation; and
It demonstrates due care; and, when paired with corrective action, it demonstrates due diligence.
Some regulations, such as those throughout the European Union, impose director liability to ensure organisations exercise due care and due diligence in protecting the confidentiality of information. In essence, should a data breach occur, your organisation’s senior management can be held legally and financially liable for failing to understand the regulatory landscape, to ensure appropriate technical measures were implemented, and to perform technical vulnerability scanning to measure the effectiveness of the safeguards employed. In the European Union, fines of 20 million euros can be levied, an outcome the authors of this website aim to help you avoid.
Part 2: What is the Output of a Vulnerability Scan, and Why Does It Matter?
Whilst the immense growth of the Internet has enriched the world’s 4.1 billion collaborators (Statista 2018), including businesses like yours from all around the world, it has also become a theatre of peril for the ill-prepared. Countless Internet villains lie in wait to prey on their victims, and data breaches do real damage: they can result in financial loss, reputational damage, emotional distress, physical injury, and protracted litigation.
Hackers and bots never stop hunting for weaknesses to exploit: scanning your websites, attempting to log in to your systems, probing for backdoors, and trying to trigger an error that opens the way for rogue code to infect your systems undetected.
Performing a vulnerability scan is a safe way to uncover and detect system weaknesses so that issues may be identified, catalogued by type, and scored in terms of severity.
The outcome of this activity produces a specific, actionable list of remedial tasks, such as disabling ports, replacing insecure protocols with secure protocols, applying a missing software patch, and other remedial steps that a technical person can perform.
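To show what “catalogued by type and scored by severity” looks like in practice, here is an added example (not part of the original page, and not Allendevaux & Company’s tooling) that triages a small set of constructed scan findings into the kind of prioritised remediation list the paragraph describes. The findings, their field names, the CVSS v3 rating bands used for scoring, the placeholder patch identifier and the remediation wording are all assumptions for the sake of illustration; only the list of insecure protocols comes from the text above.

```python
"""Triage vulnerability-scan findings into a prioritised remediation list.

Added example: the findings below are constructed sample data, and the
field names (host, ip, port, protocol, title, score, patch) are assumptions
about how a scanner might export results, not any vendor's format.
"""
from collections import Counter

# Insecure protocols named in the text, mapped to a remediation action.
# The action wording is ours, not taken from any report.
INSECURE_PROTOCOLS = {
    "snmpv1": "Disable SNMPv1; use SNMPv3 with authentication and encryption",
    "sslv3": "Disable SSLv3; permit TLS 1.2 or later only",
    "tlsv1.0": "Disable TLS 1.0; permit TLS 1.2 or later only",
    "telnet": "Disable telnet; use SSH for remote administration",
    "http": "Redirect plain HTTP to HTTPS and enable HSTS",
}

SAMPLE_FINDINGS = [  # constructed sample data, not from a real scan
    {"host": "fw-edge-01", "ip": "203.0.113.10", "port": 23, "protocol": "telnet",
     "title": "Telnet service enabled", "score": 7.5},
    {"host": "web-portal", "ip": "203.0.113.20", "port": 443, "protocol": "tlsv1.0",
     "title": "TLS 1.0 supported", "score": 6.5},
    {"host": "web-portal", "ip": "203.0.113.20", "port": 80, "protocol": "http",
     "title": "Login form served over cleartext HTTP", "score": 5.3},
    {"host": "file-srv-02", "ip": "10.0.5.40", "port": 445, "protocol": "smb",
     "title": "Missing vendor security update", "score": 9.8,
     "patch": "KB-EXAMPLE-0001"},  # placeholder patch identifier
    {"host": "printer-3f", "ip": "10.0.7.12", "port": 161, "protocol": "snmpv1",
     "title": "SNMPv1 with default community string", "score": 7.5},
]


def severity_band(score):
    """Map a CVSS v3 base score (0.0-10.0) to its qualitative rating band."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "None"


def remediation(finding):
    """Pick the remedial task for one finding: protocol change, patch, or review."""
    action = INSECURE_PROTOCOLS.get(finding["protocol"].lower())
    if action:
        return action
    if finding.get("patch"):
        return f"Apply vendor patch {finding['patch']} and verify with a rescan"
    return "Review the finding with the system owner and agree a fix or accept the risk"


def triage(findings):
    """Return findings ordered by severity (highest first), each with band and action."""
    ordered = sorted(findings, key=lambda f: (-f["score"], f["host"], f["port"]))
    return [dict(f, band=severity_band(f["score"]), action=remediation(f))
            for f in ordered]


def summarise(findings):
    """Count findings per severity band, as a report summary table would."""
    return dict(Counter(severity_band(f["score"]) for f in findings))


def report_lines(findings):
    """Render the prioritised list as plain-text lines for a report."""
    return [f"[{f['band']:8}] {f['host']} ({f['ip']}) port {f['port']}: "
            f"{f['title']} -> {f['action']}" for f in triage(findings)]


if __name__ == "__main__":
    print("Findings by severity:", summarise(SAMPLE_FINDINGS))
    print("\n".join(report_lines(SAMPLE_FINDINGS)))
```

The ordering key (score first, then host and port) is what makes the output actionable: the technical person works from the top, and the per-band counts give management the one-line summary a report cover page needs. Any real scanner will use its own export format, so the loader would change, but the triage logic does not.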
Below is an example from a typical report Allendevaux & Company produces for organisations on a regular basis. The example issues identified below are associated with hosts inside this example network, noting the IP address and description of each device, the vulnerability found, the ports affected, and the severity level.
Vulnerability Results Example A
Vulnerability Results Example B
Here is another look at a finding from a website scan, this time for a fictitious university web portal (based on real findings from a real engagement). A reflected cross-site scripting (XSS) vulnerability was found within the organisation's website. When this vulnerability is exploited, an attacker can capture the information someone types into the university portal: if a user fills out an application for a class, provides sensitive data, enters credentials or any other data into the portal, that text can be reflected elsewhere on the Internet and captured without the knowledge of the user or the university.
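The reflected XSS finding above comes down to one coding pattern: user input placed into the page unchanged. The following added example (constructed for this page; it is not the university portal, nor code from Allendevaux & Company) shows that vulnerable pattern beside its hardened form, using a made-up minimal “course search” template, plus the kind of check a reviewer uses to confirm whether submitted markup is reflected verbatim in the response. The template, the probe string and the header values are assumptions.

```python
"""Reflected XSS: the vulnerable rendering pattern beside its hardened form.

Added example with a constructed, minimal page template; it is not the
university portal from the text nor any real application.
"""
from html import escape

# A minimal template for a search form that echoes the user's input back
# onto the page (assumption: a typical "you searched for ..." view).
TEMPLATE = (
    "<h1>Course search</h1>"
    "<p>You searched for: {shown}</p>"
    '<input type="text" name="q" value="{attr}">'
)


def render_unsafe(user_input):
    """Vulnerable: user input is placed into HTML unchanged, so markup in the
    input is interpreted by the browser (a reflected XSS finding)."""
    return TEMPLATE.format(shown=user_input, attr=user_input)


def render_safe(user_input):
    """Hardened: HTML-encode the input before it lands in the page.
    html.escape encodes <, > and & and, by default, both quote characters,
    so the same call is safe in the text node and inside value="..."."""
    return TEMPLATE.format(shown=escape(user_input), attr=escape(user_input))


def security_headers():
    """Response headers that limit the impact of any injection that slips
    past output encoding. These values are a starting point, not a
    universal policy; a real site tunes them to its own script sources."""
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
        "X-Content-Type-Options": "nosniff",
    }


def reflects_markup(rendered, user_input):
    """Reviewer's check: input containing markup appears verbatim in the response."""
    return "<" in user_input and user_input in rendered


if __name__ == "__main__":
    probe = "<script>alert(1)</script>"  # constructed test input
    print("unsafe page reflects markup:", reflects_markup(render_unsafe(probe), probe))
    print("safe page reflects markup:  ", reflects_markup(render_safe(probe), probe))
    print(render_safe(probe))
```

The fix is output encoding for the context the data lands in; a Content-Security-Policy header is defence in depth, not a substitute. A scanner reports the finding by observing exactly what reflects_markup observes: its probe coming back unencoded.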
If you would like to look at a larger example report, just let us know in the contact area of this website.
Three Vectors of Vulnerability Scanning
Internet Facing Perimeter Devices
Things such as routers, firewalls, etc. that have public IP addresses or direct IP-to-IP routing from a public address to an internal address.
Internal Hosts Across All Subnets
This includes servers, workstations, switches, wireless access points, printers, IoT devices, IP cameras, and anything else that has an IP address.
The final output of a comprehensive scan is a report that provides overall findings and actionable recommendations. The report opens with an executive summary and forms a comprehensive, independent auditor’s report to the organisation, usually addressed to the highest levels of leadership as regulatory requirements expect.
Part 3: How Can My Business Perform a Technical Vulnerability Scan?
This is a question that’s commonly asked, and usually the advice given is this: don’t try this yourself. Technical staff at your business might try to convince management that they can download a free scanner, initiate a scan, and produce a report. But the report won’t be trustworthy; in fact, it will give false confidence. Most regulations set strict competency and experience requirements, requiring cybersecurity activities to be overseen by certified practitioners.
Seek the assistance of a certified cybersecurity firm; yes, it will require funding to do, but this is not an area in which to skimp. Send an email to email@example.com for help.
If your business or organisation wants the service of Allendevaux & Company, we can help; we approach cybersecurity activities in conformance with ISO/IEC 27032 international best practices. The highlights of the process are as follows:
Initiate communication by sending an email to firstname.lastname@example.org, stating your business/organisation name, and a contact person with whom we can work.
Set up a discussion via phone, Zoom, Pexip, Starleaf, or another compatible means of communication; face-to-face video conversations with screen sharing are best.
Generate an inventory of websites used by your business. For instance, when recently working with a university, just one of their campuses had 10 different web domains with hosted websites.
Generate an inventory of Internet-facing devices, such as firewalls or routers.
Determine if an internal scan will be conducted; if so, generate an IP list, or discuss setting up a discovery scan by network.
Choose the scan date/time.
Conduct the scan.
Generate the report.
Review the report with key stakeholders.
Activities will be performed by a team of professionals and overseen by an accredited ISO/ANSI and/or IBITGQ certified professional. As noted above, the output of these activities is a proper report with actionable recommendations.
Part 4: How Often Must Technical Vulnerability Scans be Performed?
At the very minimum, scanning should be performed annually. Without regular vulnerability scanning, scoring and remediation, vulnerabilities remain unmitigated, and the risk of attack increases.
Gartner Group recommends an enterprise establish and practice a monthly model to discover and remediate vulnerabilities that would otherwise accumulate (Chuvakin & Barros, 2015). Qualys recommends an enterprise establish a systematic model to regularly scan its information assets (Qualys, 2016). The Centre for Internet Security as reported by Tripwire recommends monthly scanning as a minimum baseline (Khimji, 2016).
The reason professionals push for frequent scanning is this: when a vulnerability is first published, it may carry a lower severity score (e.g. SEV2 or SEV3) because there is no known exploit. But as time passes, exploits often become available and the severity increases, further underscoring the need for regular vulnerability management.
Ultimately, the decision as to the frequency of scanning is up to each organisation, a function of risk appetite and affordability. Set your schedule and document your decision in your technical vulnerability management policy.
Terms and Conditions
To define and clarify terms and definitions, technical vulnerability management--according to the SANS Institute--is defined as follows:
The process in which vulnerabilities in IT are identified and the risk of these vulnerabilities is evaluated and acted upon. The process normally leads to correcting the vulnerabilities found by removing the risk or by formally accepting the risk. The term vulnerability management is often confused with vulnerability scanning. Despite the fact both are related, there is an important difference between the two. Vulnerability scanning consists of using a computer program to identify vulnerabilities in networks, computer infrastructure or applications. Vulnerability management is the process surrounding vulnerability scanning, also taking into account other aspects such as risk acceptance, remediation, etc. (Palmaers, 2013)
A Brief Recap Before You Leave
Vulnerability scans safely highlight any hidden holes or gaps where sensitive data from a data subject could be exposed.
If those holes are ever discovered by an outsider, then a data breach has occurred. If a breach takes place then your senior management is liable legally and financially.
The goal after running a vulnerability scan is to go through the findings report and act on any remedial tasks.
There are different vectors of vulnerability scanning, e.g. web portals, firewalls, servers, IoT devices, etc.
You shouldn't perform a vulnerability scan yourself. It's crucial to have this performed by a competent and certified team.
Scans should be regular and at a minimum, annual.