
The Pros and Cons of Vulnerability Scanning

Passing a scan does not necessarily guarantee your company’s security.

Vulnerability scanning is a staple of information security, but no software is perfect. Vulnerabilities are discovered on a daily basis — possibly exposing critical systems or data to exploit and compromise — so it is essential that IT admins identify those vulnerabilities and manage the associated risks. However, it is equally imperative that IT admins not fall for the trap of assuming that passing a vulnerability scan guarantees security.

There are different types of vulnerability scanners that operate at different levels of invasiveness. Some simple scanners just check the Windows Registry and software version information to determine whether the latest patches and updates have been applied. More comprehensive vulnerability scanning involves actually poking and prodding the system to determine whether it is truly vulnerable.

In either case, vulnerability scanners are a bit like antivirus software. They rely on a database of known vulnerabilities, so their results are only as good as their most recent database update. Checking your systems with outdated or inferior vulnerability scanning software can provide a false sense of security and offers little solace against current threats.
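To make the point about database currency concrete, here is an added example (not code from the article or from any vendor it mentions) of the simplest kind of scanner described above: a version-based check that compares an inventory of installed software against a vulnerability feed. Every package name, version number, feed entry and advisory ID in it is a constructed placeholder. The same inventory is scanned twice, once against a stale copy of the feed and once against the current one, and the difference is exactly the finding a scanner with an outdated database would never report.

```python
"""Added example: minimal version-based vulnerability check.

Not the article's or any vendor's code. Package names, versions, feed
entries and advisory IDs are constructed placeholders, not real advisories.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # placeholder ID, not a real CVE number
    package: str
    introduced: str    # first affected version (inclusive)
    fixed_in: str      # first version carrying the fix (exclusive)


def parse_version(text: str) -> tuple:
    """Split a version string such as '1.0.1f' into comparable components.

    Numeric runs become (0, int) and alphabetic runs become (1, str), so
    tuples compare component-wise without ever comparing int against str.
    """
    parts = re.findall(r"\d+|[A-Za-z]+", text)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def is_affected(installed: str, adv: Advisory) -> bool:
    """True when introduced <= installed < fixed_in."""
    v = parse_version(installed)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed_in)


def scan(inventory: dict, feed: list) -> list:
    """Return sorted (package, installed_version, advisory_id) findings."""
    findings = []
    for adv in feed:
        installed = inventory.get(adv.package)
        if installed is not None and is_affected(installed, adv):
            findings.append((adv.package, installed, adv.advisory_id))
    return sorted(findings)


def missed_by_stale_feed(inventory: dict, stale: list, current: list) -> set:
    """Findings the current feed reports that the stale feed is blind to."""
    return set(scan(inventory, current)) - set(scan(inventory, stale))


# Constructed inventory of installed software (hypothetical names/versions).
INVENTORY = {
    "examplelib": "1.0.1f",
    "exampleshell": "4.2.0",
    "exampled": "1.14.0",
}

# Constructed feeds. The stale feed predates two of the three advisories.
STALE_FEED = [
    Advisory("EXAMPLE-0001", "examplelib", "1.0.1", "1.0.1g"),
]
CURRENT_FEED = STALE_FEED + [
    Advisory("EXAMPLE-0002", "exampleshell", "3.0", "4.2.1"),
    # 1.14.0 is the fixed version, so the installed exampled is NOT affected.
    Advisory("EXAMPLE-0003", "exampled", "1.10", "1.14.0"),
]

if __name__ == "__main__":
    print("stale feed  :", scan(INVENTORY, STALE_FEED))
    print("current feed:", scan(INVENTORY, CURRENT_FEED))
    print("missed      :", missed_by_stale_feed(INVENTORY, STALE_FEED, CURRENT_FEED))
```

Running it shows a single finding against the stale feed and two against the current one; the `exampleshell` advisory is invisible to the stale scan even though the host has been exposed the whole time. That gap is what a clean report from an out-of-date scanner hides, and why the update timestamp of the scanner's database belongs next to every scan result.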

“The problem is that what you want to do is prove something is secure, which you can't do by any amount of testing for vulnerabilities,” says Marcus Ranum, chief security officer of Tenable Security. “We need software and operating systems that offer reasonable guarantees of integrity, but instead we've got plug-and-play USB, auto-run, etc.”

The result can become a game of Whac-A-Mole — an endless cycle of identifying vulnerabilities and then racing against the clock to patch them before attackers develop exploits for them.

“I certainly agree that vulnerability scanning isn't a silver bullet,” says Gordon “Fyodor” Lyon, creator of Internet security resource site Nmap. “But firewalls won't solve all your problems either; both are important components of any network security strategy.”

Stressing the value of vulnerability scanning, Lyon also points out that attackers looking to infiltrate and compromise networks are using vulnerability scanners to identify weaknesses. So, even if a vulnerability scan is not a perfect security solution, it is at least a tool that can help proactively identify issues and resolve them before attackers have a chance to exploit them.

Ranum agrees that vulnerability scanning is a valuable tool. But he stresses that having a vulnerability scanner that is capable of detecting poor code, though it helps, is not a substitute for secure coding practices.

An Ongoing Process

Still, it is crucial for IT admins to understand that they can't scan for a negative. In other words, a vulnerability scan might prove that a network or PC is protected against the vulnerabilities scanned for, but that doesn't mean it is completely secure.

Think of it as similar to locking down a building. You can walk around and verify that all the doors and windows you are aware of are locked. However, an attacker could still find a door or window that you missed or come in through the air ducts. In other words, all you can say for sure is that the doors and windows you checked are secure, but you can't guarantee that there is absolutely no way into the building.

Gary Davis, senior group manager for McAfee's Risk and Compliance group, explains that vulnerabilities are constantly surfacing, so vulnerability scanning has to be performed on a regular basis. “It's like brushing your teeth — just because you did it yesterday doesn't mean you don't have to do it today as well.”

However, Davis also points out that the results of a vulnerability scan are only as valuable as the willingness of the IT admin to accept the results and act on them. Simply identifying vulnerabilities might be enlightening, but in and of itself it does very little to reduce your risk or improve your security, he adds.

In fact, depending on which compliance mandates your company falls under, vulnerability scanning may not be optional. For example, PCI-DSS requires that periodic vulnerability scans be performed, so any organization that stores, processes or transmits credit card data is expected to perform vulnerability scans.

About the Author

Tony Bradley

Tony Bradley writes and blogs on network security and other technology topics. You can follow Tony on his Facebook page, or contact him by e-mail at tony_bradley@pcworld.com. He also tweets as @TheTonyBradley.
