Last month we sat with Patrick Carolan to gain a better understanding of penetration testing, and this week we decided to do something similar with vulnerability scanning. CRIBB Cyber Security have recently refreshed their reporting on this, producing a top-level version for management and a more detailed breakdown for those tasked with tackling the vulnerabilities…
Patrick, what is vulnerability scanning?
Vulnerability scanning is a security technique which is used to find security weaknesses in a computer system. It can be used for security purposes, or it can be used by hackers / cyber criminals.
How is vulnerability scanning carried out?
Firstly, you would either need to have a robust vulnerability scanning program in place or be outsourcing the scanning to experts. Here at CRIBB Cyber Security, we have been in the process of refining our own vulnerability & compliance service and are now far happier with it; for example, the reports we produce after each scan are now tailored towards management – who typically just want the top line figures – and the people ‘on the front line’, the ones who are going to have to drill down into the vulnerabilities that are uncovered. Those reports are far more detailed, as you can imagine.
How do you structure a typical vulnerability scan?
We will look at the key areas for each individual business, which normally consists of external analysis, internal analysis – which is office and data centre – and also website analysis, because the use of web applications nowadays is absolutely huge and that makes them a very appealing target for cyber-attackers.
Could you walk us through a recent example of the revamped vulnerability scan report?
I couldn’t reveal names or exact details because each report is strictly confidential. Plus, if I did tell you then everyone would think they could do it themselves… Although that being said, I can give you a hypothetical account if you’d like.
That would be wonderful.
As I said before, I would produce a detailed report and then also more of an overview-style report, which management tend to prefer. That management version would start off with a brief summary of the work and some information abut CRIBB Cyber Security and theICEway ecosystem that we form a part of. It would then break down the RAG detection methodology that we employ for all vulnerability scans.
The RAG detection methodology? That sounds like a new-wave band.
You’re not funny. RAG stands for RED, AMBER and GREEN.
Oh, so it’s the traffic light system?
No, it’s the RAG detection methodology.
So RED is the most serious possible threat, meaning that your infrastructure could be compromised, AMBER is used when there is something you will need to investigate but which might have mitigating controls present, and GREEN means that there are no vulnerabilities.
Before we continue on vulnerability, pen testing is often quoted in the same conversations – could you perhaps therefore elaborate a little for us on the difference between vulnerability scanning and penetration testing?
These are often confused when they are actually quite different; whereas vulnerability scanning at its heart looks to identify any systems with known vulnerabilities, a penetration test on the other hand looks to uncover weaknesses in specific system configurations, in organisational processes and in practices – all of which can be exploited to compromise security.
Fair enough; we may cover that debate in more detail in future but for now, could you please finish going through this hypothetical report?
Yes, where was I?
Traffic – ahem, ‘RAGs’...
Correct. The management report basically serves up an overview of the external vulnerabilities, which include perimeter devices, web servers, applications and encryption technology, listing out the number of confirmed, potential and total vulnerabilities and providing a security risk score.
Then it would do the same for the internal office, looking to see how an individual located within a company might be able to exploit the company’s data assets and network.
After that it would have a section on the internal data centre, and then the website or websites – so it’s got a very straightforward approach to a subject that is actually quite complex, which we find is very desirable for management teams. The detailed report is certainly a lot thicker, that’s for sure!
For more information on vulnerability & compliance with CRIBB Cyber Security, contact one of our experts today…