OFFICIAL PUBLICATION OF THE KANSAS BANKERS ASSOCIATION

Pub. 9 2020 Issue 6

to-scan-or-not-to-scan

To Scan or Not to Scan. That Is No Longer the Question!

Well, maybe it used to be the question, but it is no longer a question to be asked. Scanning your network is an essential part of your security protocol to ensure that customer information is secured. So, since I need to scan my systems for vulnerabilities, where do I start?

There are many good products on the market to test for system vulnerabilities. The best method is to review different products and decide which product will take care of your needs. Not only does the product need to give you information on what vulnerabilities exist on your network, but it also needs to provide you with reporting that is easy for you to read and understand. A report is only good if you can take the information and make decisions on how to remediate the findings that it observes.

You may be thinking, I do not have the expertise to conduct these scans and read the reports, so what do I do now? This is where you will have to rely on a network vendor or third-party to conduct your scanning. You also need to ensure you have a contract and have conducted your due diligence with this vendor because they will need an administrative account on your network to perform an administrative vulnerability scan. User accounts can be used to scan the systems but will not give you a full representation of all your vulnerabilities. The goal is to mitigate as many vulnerabilities as possible, and a good administrative scan will help you reach this goal.

Now that I have all this information, what do I do? REMEDIATE and DOCUMENT. Yes, those two words you always love to hear that strike fear in the hearts of man. Most, if not all, scanning software will rate the criticality of each vulnerability that is found on the network. Always start with the most critical and work your way down the list. Findings will require a knowledge of the systems you are running and an understanding of how to remediate the vulnerability. If you do not have the expertise to take care of these issues, a network vendor will need to be used at this point. Some findings require changes in Active Directory, registry settings or Group Policy. When changing these settings, making the wrong move can cause tremendous damage to your network. If one of these settings need to be changed, it is always a good practice to change the setting for one computer and test the change to ensure it does not cause issues with existing applications.

Sometimes settings cannot be changed due to the harm it causes in the system. If this is the case, document, document, document. Documentation needs to be completed that reveals the issue, when you will resolve the issue, how the issue was resolved, and then verification that the issue was resolved.

Verification of the resolution is a critical part of the process. If a change is made in Active Directory, how do I know that the change has happened? If there is a change in Group Policy, how do I know if it has propagated to all the systems with the vulnerability? There are multiple ways to verify different vulnerabilities have been remediated, but the best way is to rerun a scan against the system.

So how often do I need to run this scan? The frequency of the scan will be determined by your risk assessment and the size and complexity of your system. Sound familiar? Sounds like a statement that may come from your regulator or through guidance, doesn’t it? If my system is not that complex, I would not have to scan frequently, but if it is complex, open to the outside world, and includes multiple users, I would need to scan more frequently.

New vulnerabilities are being developed all the time, and a system that is scanned and is secure one day may be the target of a new vulnerability the next day. When you are between scans, be sure and keep yourself aware of any new vulnerabilities that may arise, especially those vulnerabilities that target your systems. Keep up to date by receiving emails from publications, vendors and regulators, and attending webinars and seminars that deal with information technology. Sound like a full-time job? It is!

So, to scan or not to scan can never be the question again.

Bret Mills has 22 years of experience in information technology, working 18 years for a community bank, and is currently employed as an audit and security consultant for CoNetrix. Bret has his Security+, CISA and CISSP certifications.

This story appears in Issue 6 2020 of The Kansas Banker Magazine.

Facebook
Twitter
LinkedIn