I’ve worked in the IT field for over 30 years. 20 of those years have been spent in the network security field, employed by some of the largest names in the industry. But to my family, I’m still just the guy who “works with computers”.
Many of my family are not computer savvy, which is a nice way of saying I had to teach them where the power button is. However, “Power Button Locator” is just one of my jobs. Windows won’t boot up? Call Chris (“You’re running on a dead battery, Gran”). Browser running slow? Call Chris (“You have 513 tabs open, Uncle Bob”). Windows 10 doesn’t look right? Call Chris (“I keep telling you, Dad, you have an iPad”).
I have an antivirus; I’m protected, right?
By far, the biggest question I get is, “I have an antivirus; I’m protected, right?”.
Of course, the answer to that is always the same – “Maybe”. They do have an antivirus installed, usually the one that came pre-installed. But they never update the signatures. Or they neglected to register. Or they didn’t realize they had to set up scheduled scanning.
In other words, they had the tool, but they didn’t know how to use it.
The same can be said of a lot of companies. They have the tool, but they failed to put a process in place to use them efficiently.
They have a vulnerability scanner, but they don’t have compliance software. Or they have compliance software but didn’t install a vulnerability scanner. The two are not the same. Each are used for different purposes, and while they may occasionally cross-over into each other’s territory, you’re only getting half the picture of your security if you don’t have both in your environment.
Sometimes they have both tools, but they don’t have a proper process for updating. A scanner is only as good as its latest update, particularly when we’re talking about updates to what it’s looking for. You’re not going to detect vulnerabilities discovered this month if you’re using a database of vulnerabilities that was last updated in January.
Using your security and vulnerability tools correctly
Are you meeting your tools requirements? Credentialled access usually comes into play here. Many tools require you enter a credential for the machine you want to scan. If you don’t, you’ll get nothing but low-level vulnerabilities. You may think to yourself that this machine is clean because it returned no vulns. It’s not. The tool just couldn’t get access to scan. The biggest reason I hear from customers when they do this is, “I want to know what a hacker can see”, to which I always respond, “Your tool isn’t a hacker.” Not being able to see the vulnerabilities from the other side of the internet does not mean they aren’t there. And simply because Hacker Joe couldn’t hack into your system to exploit them, doesn’t mean that Hacker Frank won’t.
I’d say the biggest mis-step customers make with their vulnerability tools isn’t configuring the software but coming up with a proper plan for scanning their numerous networks. Are you creating scan policies per network, or are you creating one giant policy that scans everything? Don’t. When it comes to vulnerability scanning, one size does not fit all. Which vulnerabilities are you scanning for? Using that Windows scan policy against your Linux servers will miss a lot of vulnerabilities and cause false positives. Does your network password policy only allow for three wrong logins, but you’re running 25 password checks with your scanner? Get ready for a lot of account lockouts.
When deploying your scanner, don’t just look at how you configure the machinations of the scanning software, but also look at each network to be scanned and figure out what scan policy would work best.
A policy that’s too big will slow down your scanning. A policy that’s too small will miss a lot of vulnerabilities. So take it from the guy who “works with computers”– as network security experts, it’s our responsibility to ensure we have setup the software correctly, we’re looking for the correct vulnerabilities, and we’ve configured our scan policies to scan the way we need it to on a per-network basis. Otherwise, we’ll have the tool installed, but we won’t know how to use it.