Pub. 7 2018 Issue 6
operating systems, open network ports, services listening on open ports and data leaked by services. Unauthenticated scans provide insight into what an intruder without credentials could see. While this is a valuable perspective, it does not identify every weakness or vulnerability. Additionally, many ports and services do not like this interrogation process (by design) and will simply refuse to respond to the scanners’ queries.

An authenticated scan eliminates the need to probe. The vulnerability scanner can just log in and ask the operating system what’s installed, what’s running and where.

Oliver Rochford ( https://www.securityweek.com/z-vulnerability-management-authenticated-scanning ) offers this excellent non-technical illustration.

Imagine you have a choice between opening a box and looking inside, or shaking and prodding it from the outside to guess what it may contain. Imagine further, if you fail to successfully guess the contents of the box, something bad may happen. Something damning, damaging or dangerous. Which choice would you make?

So it is with unauthenticated vs. authenticated scans.

Also called credentialed, logged-in or trusted scanning, an authenticated security scan is performed as a logged-in (authenticated) user. “Authenticated scans determine how secure a network is from an inside vantage point. The method finds many vulnerabilities that cannot be detected through an unauthenticated scan.” (Margaret Rouse – https://whatis.techtarget.com/definition/authenticated-security-scan )

Authenticated Vulnerability Scanning Advantages

If the value of authenticated scanning is still unclear, here are some benefits:

1. Authenticated vulnerability scans identify vulnerabilities which are often undetected by unauthenticated scanning.
2. Authentication allows the scanning tool to do its job better.
3. Data harvested by authenticated scans is more accurate.
4. Authenticated scans usually have less impact on a system – since the scanning tool is running with elevated privilege, ports and services respond without hesitation.
5. Regulatory examiners are beginning to recommend authenticated scanning.

Now What?

First, you need to determine if your existing IT audit firm performs authenticated scans. If you have not been providing your IT auditor with a Windows Active Directory account with elevated privileges (such as Domain Admin group), your scans have been unauthenticated scans.

As you select an IT audit firm, in addition to performing authenticated vulnerability scans (confirm they will require the type of account described above), look for a firm:

• Whose auditors are certified and experienced
• Who will be a partner with you, patiently explaining previously unreported technical findings
• Who will provide some guidance/recommendations for mitigating these new deficiencies

An IT Audit without an authenticated internal network vulnerability assessment is like fishing with a teeny, tiny hook or shooting a bow with crooked arrows. While you might catch a minnow or hit the target somewhere, you will surely miss the trophy fish and the bullseye.

Keith Laughery is an Account Manager for CoNetrix. CoNetrix serves the community banking community by providing information security consulting, IT/GLBA audits and other security testing engagements and through its Tandem Security and Compliance Software, a suite designed to assist community banks with GLBA and other regulatory compliance. CoNetrix has performed almost 3,000 security-testing engagements since 2000 and has almost 1,300 clients from all 50 states. Visit https://conetrix.com/security or contact Keith at klaughery@conetrix.com or 800-356-6568.