There’s a saying that experience is something you don’t get until just after you need it. It’s so true, especially in the context of information security and, specifically, network security testing. If you have any experience running vulnerability scans, you’ve no doubt been down that road with me. You know, the one where you scan the wrong systems. Or you scan the right systems at the wrong time. Then trouble arises and you have to explain yourself.

As Ralph Waldo Emerson said, skill to do comes of doing. Just about anyone can run a network vulnerability scan in its most rudimentary form. It’s click and go. But as with the carpenter, doctor, or engineer, there’s a lot more to the security assessment equation that you don’t learn until you experience it. In the interest of minimizing your time and effort and, most importantly, your mistakes when running network vulnerability scans, here are 7 things you need to be aware of:

  1. Make sure you’re testing what matters. Many people focus on scanning just what’s required to check that box for compliance (i.e. the cardholder data environment) and nothing else. I’m of the belief that if a vulnerability is fair game for a criminal hacker to seek out, then it needs to be fair game for you to test for as well. Start with your critical business systems and work your way out from there.
  2. Scanning a flat network is very different from scanning a complex layered or segmented network, especially when multiple locations are involved. You need to be sure you’re scanning all areas of your network that matter, even if it requires you to physically move your scanning system or add various scanner sensors throughout your network. You also need to look at the network as a whole and rate your vulnerabilities and exploitations with that context in mind. Just because one system has one glaring flaw doesn’t mean it’s a huge business risk. Many of our peers love to see things in black and white by claiming that all flaws are critical problems, but the real world doesn’t work that way.
  3. You can’t afford to skip denial of service (DoS) testing. Scanner policies that include DoS checks certainly create risks, but they’re also going to find flaws that the “safe” policies won’t. Just because a scan might cause a system to crash doesn’t mean that it’s not a problem for the business. I’ve been asked many times to not scan “critical” systems to prevent downtime. In the end, if someone is concerned about scanning fragile systems, ask them what’s keeping someone else from running that same scan that creates that same perceived risk. The possibility of trouble always exists and there’s no guarantee of results, but you can control these factors if you’re smart about your approach.
  4. Network vulnerability scanners are not going to find everything. Scanners are getting better and better, but there’s no replacement for a scanner combined with a well-trained eye.
  5. Unless and until you’ve performed authenticated scans of all possible network hosts (servers, workstations, databases, etc.), you can’t say that you’ve looked at everything.
  6. Scans are time sensitive. They’re merely a snapshot of the way things existed at the very moment the scans were run. Threats, security operations, and even network architectures are always in a state of flux. What was or wasn’t a vulnerability yesterday may be something totally different today.
  7. Advance planning means everything. Improperly set expectations are a sure-fire way to let others down and make yourself look bad. Know what you’re testing and when you’ll be testing, and be sure to communicate that to everyone involved the entire time you’re performing your testing.
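Points 2, 5 and 6 above (scope coverage across segments, authenticated scans, and scans as snapshots) can be checked mechanically between two scan runs. The following is an added example, not code from the original post or from any scanner product; the `HostScan` record, the finding identifiers and the address ranges are constructed sample data, and the check refuses to call a finding "resolved" when the host simply was not reached in the newer scan.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class HostScan:
    """One host's result from a single scan run (constructed record format)."""
    ip: str
    authenticated: bool        # credentialed scan succeeded on this host (point 5)
    findings: frozenset        # finding identifiers reported on this host


def unscanned_scope(scope_cidrs, scanned):
    """Scope ranges in which no scanned host appears (point 2: missed segments)."""
    nets = [ipaddress.ip_network(c) for c in scope_cidrs]
    seen = {ipaddress.ip_address(h.ip) for h in scanned}
    return sorted(str(n) for n in nets if not any(a in n for a in seen))


def unauthenticated_hosts(scanned):
    """Hosts that were only scanned without credentials (point 5)."""
    return sorted(h.ip for h in scanned if not h.authenticated)


def finding_delta(previous, current):
    """Compare two snapshots (point 6): what appeared, what went away, what persists.
    A host missing from the newer run has an unknown state, not a fixed one, so its
    old findings are reported under 'not_rescanned' instead of 'resolved'."""
    curr_hosts = {h.ip for h in current}
    prev = {(h.ip, f) for h in previous for f in h.findings}
    curr = {(h.ip, f) for h in current for f in h.findings}
    resolved = {(ip, f) for (ip, f) in prev - curr if ip in curr_hosts}
    return {
        "new": sorted(curr - prev),
        "resolved": sorted(resolved),
        "persisting": sorted(prev & curr),
        "not_rescanned": sorted({h.ip for h in previous} - curr_hosts),
    }


# Constructed sample data: three in-scope ranges, two scan runs a day apart.
SCOPE = ["10.1.0.0/24", "10.2.0.0/24", "192.0.2.0/28"]
YESTERDAY = [
    HostScan("10.1.0.5", True, frozenset({"ssh-outdated"})),
    HostScan("10.1.0.9", False, frozenset({"smb-signing-off"})),
    HostScan("10.2.0.7", True, frozenset({"tls-weak-cipher"})),
]
TODAY = [
    HostScan("10.1.0.5", True, frozenset()),                       # patched
    HostScan("10.1.0.9", False, frozenset({"smb-signing-off", "web-dir-listing"})),
    # 10.2.0.7 was not reached today (sensor moved): not fixed, just unscanned
]
```

Running `finding_delta(YESTERDAY, TODAY)` reports one new and one resolved finding, and lists 10.2.0.7 as not rescanned rather than clean; `unscanned_scope(SCOPE, TODAY)` flags both ranges that no sensor reached.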

If you go into your projects knowing these things, you’ll surely get better and that’s what counts the most. When doing a network assessment, don’t forget to scan the perimeter servers too. This can be done using Acunetix Online Vulnerability Scanner, which includes 2 free perimeter network scans with each trial.

Kevin Beaver

Kevin Beaver, CISSP is an independent information security consultant, writer, and professional speaker with Atlanta, GA-based Principle Logic, LLC. With over 32 years in IT and 26 years in security, Kevin specializes in vulnerability and penetration testing, security program reviews, and virtual CISO consulting work to help businesses uncheck the boxes that keep creating a false sense of security.