Internal Vulnerability Assessment
Essentials
Vulnerability scans are security assessments that use automated tools to
identify known network, operating system, web application and web server
vulnerabilities. Internal vulnerability scans give you an overall picture of
the vulnerabilities present on your internal network and support
vulnerability risk management. SecureState offers two types of vulnerability
scan: one validates the findings, the other does not. SecureState recommends
that all vulnerability scans include validation of the vulnerabilities. Read
the Benefits section to learn the difference between the two and why we
always recommend validation.
- Internal vulnerability scans find an organization’s vulnerabilities
- Internal vulnerability scans identify the type and severity of the
vulnerabilities
Benefits
Many organizations do not know the vulnerabilities present on their
internal network. Without knowing what vulnerabilities are present, it is
impossible to mitigate those vulnerabilities and generate a baseline of
internal systems. To prevent a data breach, the organization must verify
that they are not exposed to security vulnerabilities which may aid an
attacker in compromising the organization’s data. Additionally, the type and
severity of the vulnerabilities are identified to help prioritize
remediation efforts and strengthen the organization's risk management
program.
Vulnerability scans can be performed with or without validation of the
vulnerabilities. Vulnerability scanners often report a large number of false
positives, and determining which findings are false positives and which
actually pose a threat to the organization can take a substantial amount of
time and resources. When validating the vulnerabilities discovered,
SecureState manually checks that each reported vulnerability is truly
present. This eliminates false positives and gives you an actionable list of
vulnerabilities to remediate. SecureState highly recommends that all
vulnerability scans be validated.
Expertise
SecureState’s consultants are experts in vulnerability scanning, and
SecureState is currently certified as a PCI ASV scan vendor. The same level
of rigor required of an ASV scan is applied to every vulnerability scan
SecureState performs. Additionally, SecureState uses only the best commercial
security assessment tools available, constantly tested by our team, to give
you the best vulnerability scanning service available. Finally,
recommendations for fixing vulnerabilities found during the scan are reviewed
by SecureState’s penetration testing team and remediation experts to ensure
you get expert advice that takes into account both the attacker’s and the
defender’s point of view.
Did You Know?
- Removing validation of vulnerabilities may save money on the cost of the
scan, but it will cost more over time as your IT staff continue to track
down false positives
- The needed frequency of a vulnerability scan may vary based on your
environment. In general, SecureState recommends performing monthly external
vulnerability scans
- Even the best commercial vulnerability scanners can have a 40% false
positive rate, which is why SecureState recommends validating the results of
all vulnerability scans
- SecureState will not perform denial of service attacks while performing
a vulnerability scan
- Internal vulnerability scans can be used to determine how well MSBs are
being applied to internal systems
- When done properly, creating and applying MSBs to internal systems can
increase the value of internal vulnerability scans by providing a baseline
to measure scan results against