The Pros and Cons of Vulnerability Scanning

Passing a scan does not necessarily guarantee your organization's security.

Vulnerability scanning is a staple of information security, but no software is perfect. Vulnerabilities are discovered on a daily basis – possibly exposing critical systems or data to exploit and compromise – so it is essential that IT admins identify those vulnerabilities and manage the associated risks. However, it is equally imperative that IT admins not fall for the trap of assuming that passing a vulnerability scan guarantees security.

There are different types of vulnerability scanners that operate at different levels of invasiveness. Some simple scanners just check the Windows Registry and software version information to determine whether the latest patches and updates have been applied. More comprehensive vulnerability scanning involves actually poking and prodding the system to determine whether it is truly vulnerable.

In either case, vulnerability scanners are a bit like antivirus software. They rely on a database of known vulnerabilities and are only as valid as the latest update. Checking your systems using outdated or inferior vulnerability scanning software can provide a false sense of security and offers little solace against current threats.
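To make the two points above concrete, here is an added example (not from the article or any scanner vendor) of the simplest kind of scanner described: it compares installed software versions against a list of advisories and shows how an out-of-date advisory database silently misses a flaw. The package names, version numbers and advisory ids are all constructed placeholders, not real products or CVEs.

```python
"""Minimal version-based vulnerability check (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    package: str        # placeholder package name
    fixed_in: tuple     # first version that carries the fix
    advisory_id: str    # placeholder id, not a real CVE


def parse_version(text: str) -> tuple:
    """Turn '2.4.10' into (2, 4, 10) so versions compare numerically.
    Comparing the raw strings would wrongly rank '2.4.10' below '2.4.9'."""
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(installed: str, advisory: Advisory) -> bool:
    """Version-only logic: anything older than the fixed version is flagged."""
    return parse_version(installed) < advisory.fixed_in


def scan(inventory: dict, database: list) -> dict:
    """Map each package to the advisory ids it appears to be exposed to."""
    findings = {}
    for adv in database:
        version = inventory.get(adv.package)
        if version is not None and is_vulnerable(version, adv):
            findings.setdefault(adv.package, []).append(adv.advisory_id)
    return findings


def missed_by_stale_database(inventory: dict, old_db: list, new_db: list) -> dict:
    """Findings that only appear once the advisory database is updated."""
    old = scan(inventory, old_db)
    new = scan(inventory, new_db)
    return {pkg: ids for pkg, ids in new.items() if pkg not in old}


# Constructed host inventory: package -> installed version
INVENTORY = {"webserver": "2.4.10", "libimage": "1.9.0", "dbclient": "5.1.3"}

# Advisory database as of an earlier signature update
DATABASE_OLD = [Advisory("webserver", (2, 4, 12), "ADV-0001")]

# The same database after the next update adds one more advisory
DATABASE_NEW = DATABASE_OLD + [Advisory("libimage", (1, 9, 4), "ADV-0002")]

if __name__ == "__main__":
    print("stale scan:", scan(INVENTORY, DATABASE_OLD))
    print("missed until update:", missed_by_stale_database(INVENTORY, DATABASE_OLD, DATABASE_NEW))
```

A real version check also has to cope with vendors that backport fixes without bumping the version string, which is one reason the article's more invasive scanners probe the system rather than trust the version alone.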

"The problem is that what you want to do is prove something is secure, which you can't do by any amount of testing for vulnerabilities," says Marcus Ranum, chief security officer of Tenable Security. "We need software and operating systems that offer reasonable guarantees of integrity, but instead we've got plug-and-play USB, auto-run, etc."

The result can become a game of Whac-A-Mole – an endless cycle of identifying vulnerabilities and then racing against the clock to patch them before attackers develop exploits for them.

"I certainly agree that vulnerability scanning isn't a silver bullet," says Gordon "Fyodor" Lyon, creator of Internet security resource site Nmap. "But firewalls won't solve all your problems either; both are important components of any network security strategy."

Stressing the value of vulnerability scanning, Lyon also points out that attackers looking to infiltrate and compromise networks are using vulnerability scanners to identify weaknesses. So, even if a vulnerability scan is not a perfect security solution, it is at least a tool that can help proactively identify issues and resolve them before attackers have a chance to exploit them.

Ranum agrees that vulnerability scanning is a valuable tool. But he stresses that having a vulnerability scanner that is capable of detecting poor code, though it helps, is not a substitute for secure coding practices.

An Ongoing Process

Still, it is crucial for IT admins to understand that a scan can't prove a negative. In other words, a vulnerability scan might prove that a network or PC is protected against the vulnerabilities scanned for, but that doesn't mean it is completely secure.

Think of it as similar to locking down a building. You can walk around and verify that all the doors and windows you are aware of are locked. However, an attacker could still find a door or window that you missed or come in through the air ducts. In other words, all you can say for sure is that the doors and windows you checked are secure, but you can't guarantee that there is absolutely no way into the building.

Gary Davis, senior group manager for McAfee's Risk and Compliance group, explains that vulnerabilities are constantly surfacing, so vulnerability scanning has to be performed on a regular basis. "It's like brushing your teeth – just because you did it yesterday doesn't mean you don't have to do it today as well."

However, Davis also points out that the results of a vulnerability scan are only as valuable as the willingness of the IT admin to accept the results and act on them. Simply identifying vulnerabilities might be enlightening, but in and of itself it does very little to reduce your risk or improve your security, he adds.

In fact, depending on which compliance mandates your company falls under, vulnerability scanning may not be optional. For example, PCI-DSS requires periodic vulnerability scans be performed, so any organization that stores, processes or transmits credit card data is

Best Practices for Vulnerability Scanning

For vulnerability scanning to be effective, administrators must do three things:

  • Recognize that vulnerability scanning is a tool, not a silver bullet. IT admins must understand that a vulnerability scan proves only that a given network or system is vulnerable to the set of flaws tested for; other weaknesses might still exist.
  • Act on the results. Vulnerable systems should be patched or updated if possible to address the identified vulnerabilities. For flaws that don't have an applicable patch, or for systems that can't be updated for some reason, the identified risk should be taken into account and additional mitigation steps should be taken to minimize the exposure of the vulnerable system.
  • Repeat the scans on a regular basis. There is no magic number for how often to run a vulnerability scan. It varies from organization to organization.
Mar 31 2011