SN-896: Vulnerability scanning


Lob
Nov 7, 2020
On the topic that @Steve mentioned of the UK NCIC scanning IP ranges in the UK for what lights up (not just web servers), this actually is a good thing and a monster task to perform.

What is important to remember is the appliances will map the entire IP space and will record what answers on many ports (certainly the first 1024). Those answers will be stored and, as long as they are not terribly stale, can be reconciled against identifiers of vulnerabilities (such as new zero day flaws) thus allowing you to know without scanning where your zero days might be located.

Given the public IP space is a little more volatile than a corporate network, staleness will happen quickly, but it would allow them to perform targeted, quicker scans of the assets/CIs that likely have the flaw to validate whether they do or not.

I've used Qualys in the corporate environment for years and it really scans the entire IP space. You will be surprised what is out there! But once the definitions are updated to incorporate zero days that need patching, you can focus efforts to patch and validate the flaws quickly. I scanned our Internet-facing systems weekly, including provider services.

In the context of the IP space in the UK, I can imagine that they would target certain businesses to fix their problems sharpish and potentially threaten with cutting services if remediation is not performed. It should be but VM is hard and many cannot or will not do it properly.

Getting this right reduces the risk exposure in a massive sense.

Does anyone have an insight into what they are using? Qualys? Tenable? Something else?
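The reconciliation step described above, as an added example that is not the poster's code or any scanner vendor's API: stored scan observations are matched against a vulnerability definition without rescanning, and each hit is tagged either for patching or, where the stored observation is older than a freshness window, for a targeted revalidation scan. The scan records, the vulnerability definition and the freshness window are all constructed assumptions.

```python
"""Reconcile stored port-scan results against a vulnerability definition.

Added illustration, not the poster's code or any vendor's API. Scan records
and the vulnerability definition are constructed; addresses are from the
RFC 5737 documentation range.
"""
from datetime import datetime, timedelta

# Constructed inventory: what the periodic scan recorded per (host, port).
SCAN_RECORDS = [
    {"ip": "192.0.2.10", "port": 443, "product": "nginx", "version": "1.18.0", "seen": "2020-10-15"},
    {"ip": "192.0.2.11", "port": 22, "product": "openssh", "version": "7.4", "seen": "2020-11-06"},
    {"ip": "192.0.2.12", "port": 443, "product": "nginx", "version": "1.20.1", "seen": "2020-10-01"},
    {"ip": "192.0.2.13", "port": 8080, "product": "nginx", "version": "1.16.1", "seen": "2020-11-05"},
]

# Constructed definition: a hypothetical flaw in nginx fixed in 1.19.0 (placeholder id).
VULN_DEF = {"id": "EXAMPLE-0001", "product": "nginx", "fixed_in": "1.19.0"}


def parse_version(v):
    """Turn '1.18.0' into (1, 18, 0) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def reconcile(records, vuln, as_of, max_age_days=7):
    """Return stored observations that look affected by `vuln`.

    Each hit is tagged 'patch' when the observation is recent enough to act on,
    or 'rescan' when it is older than `max_age_days` and should be revalidated
    with a targeted scan before anyone is chased to fix it.
    """
    as_of_dt = datetime.strptime(as_of, "%Y-%m-%d")
    hits = []
    for r in records:
        if r["product"] != vuln["product"]:
            continue
        if parse_version(r["version"]) >= parse_version(vuln["fixed_in"]):
            continue  # already at or past the fixed version
        age = as_of_dt - datetime.strptime(r["seen"], "%Y-%m-%d")
        hits.append({
            "ip": r["ip"], "port": r["port"], "vuln": vuln["id"],
            "action": "rescan" if age > timedelta(days=max_age_days) else "patch",
        })
    return hits


if __name__ == "__main__":
    for hit in reconcile(SCAN_RECORDS, VULN_DEF, "2020-11-07"):
        print(hit)
```

Running it lists 192.0.2.10:443 for rescan (observation is three weeks old) and 192.0.2.13:8080 for patching; the other two hosts are skipped because they run a different product or a fixed version.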