
Vulnerability Scanning: Understanding and Interpreting Results


By Ali Booher, Matthew Davidson, Chris Heasly

More than 2.5 quintillion bytes of data are created every day.(1) Keeping that much data safe requires ongoing assurance that the systems and platforms hosting the data are free from vulnerabilities that would enable a malicious actor to exfiltrate the data. One of the best ways to accomplish this is through vulnerability scanning. According to the National Institute of Standards and Technology (NIST) Computer Security Resource Center (CSRC),(2) vulnerability scanning is a technique used to identify hosts/host attributes and associated susceptibilities. The technique does not address the questions of what a vulnerability is and, if scanning identifies a vulnerability in a system or environment, how an organization determines its impact and the actions necessary to remediate the weakness. Therefore, the intent of this article is to provide a better understanding of the vulnerability scanning and remediation process, specifically in the following areas:

  • Provide a more detailed explanation of the vulnerability scanning process
  • Offer a few tips, tricks, and thoughts on how to interpret vulnerability scanning results
  • Recommend strategies for remediating vulnerabilities.

What is Vulnerability Scanning?

Describing the concept of vulnerability scanning is complicated, but technical terms aside, it simply means the identification of some flaw in a system or network that would allow an unauthorized individual to gain access to the system, network, or data. These flaws stem from a variety of sources; however, the most common are associated with untimely implementation of vendor patches, misconfigured baseline configurations, and insecure source code. The one thing these three sources (and all remaining sources) have in common is that it is inefficient for a human to identify these weaknesses without the help of technology.

The risk of untimely implementation of IT corrections and the inefficiencies of manual reviews ultimately led to the development of vulnerability scanning software. Software automates the process of searching for weaknesses and supports the full gamut of scan types, ranging from a full network scan to a targeted scan on a particular machine. Additionally, software enables scans to identify all potential vulnerabilities or to determine whether a single, newly released vulnerability is present in an environment. The key to effective vulnerability scanning is configuring the scan parameters to ensure the appropriate scope, commensurate with the risk appetite, which enables meaningful and actionable results.

Interpreting Vulnerability Scanning Results

A completed vulnerability scan reports dozens of terms that describe the severity of the vulnerabilities identified and how best to remediate them (e.g., Critical, High, Moderate, Low, Attack Vector, Common Vulnerability Scoring System [CVSS] Score). However, before ingesting the data on the identified vulnerabilities, users should validate that the scan achieved its objective. By evaluating both the scan parameters and the results themselves, users can quickly check the following to validate the meaningfulness of the results:

  1. Completeness
    a. Did the scan run using the appropriate credentials (i.e., did the username and password provided enable the right access to the subject system)?
    b. Were there any checks that did not run?
  2. Accuracy
    a. Do the host names appear familiar or, if the environment is highly virtualized, does the number of hosts (i.e., machines/servers) appear to be consistent with expectations, and does the naming convention appear familiar?
    b. Are the operating systems and underlying software identified by the scanner consistent with the environment?
  3. Variance
    a. Are any of the above factors significantly different when reviewed on a month-over-month basis?
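The three checks above can be automated against an exported scan summary. The following is an added example, not code from the article or from any scanner vendor; the record layout, host names, naming convention, and the 25% variance tolerance are all assumptions constructed for illustration.

```python
import re

# Constructed sample data in a hypothetical, scanner-neutral layout.
INVENTORY = {"fin-app-01": "Windows Server 2019", "fin-db-01": "RHEL 8",
             "fin-web-01": "RHEL 8"}
NAMING = re.compile(r"^fin-(app|db|web)-\d{2}$")  # assumed naming convention
LAST_MONTH = {"hosts": 3, "findings": 90}
SCAN = [
    {"host": "fin-app-01", "os": "Windows Server 2019", "auth_ok": True,
     "checks_not_run": 0, "findings": 12},
    {"host": "fin-db-01", "os": "RHEL 8", "auth_ok": False,
     "checks_not_run": 57, "findings": 2},
    {"host": "lab-test-9", "os": "Ubuntu 22.04", "auth_ok": True,
     "checks_not_run": 0, "findings": 30},
]

def validate_scan(scan, inventory, naming, previous, tolerance=0.25):
    """Return (category, subject, reason) tuples that need review."""
    issues = []
    for r in scan:  # 1. Completeness: credentials worked, every check ran
        if not r["auth_ok"]:
            issues.append(("completeness", r["host"], "credentialed login failed"))
        if r["checks_not_run"]:
            issues.append(("completeness", r["host"],
                           f"{r['checks_not_run']} checks did not run"))
    for r in scan:  # 2. Accuracy: hosts, names and OS match expectations
        if r["host"] not in inventory:
            why = "not in inventory"
            if not naming.match(r["host"]):
                why += ", unfamiliar name"
            issues.append(("accuracy", r["host"], why))
        elif inventory[r["host"]] != r["os"]:
            issues.append(("accuracy", r["host"], "OS differs from inventory"))
    for host in sorted(set(inventory) - {r["host"] for r in scan}):
        issues.append(("accuracy", host, "expected host missing from scan"))
    # 3. Variance: month-over-month swing beyond the tolerance
    current = {"hosts": len(scan), "findings": sum(r["findings"] for r in scan)}
    for key, old in previous.items():
        if not old:
            continue  # no baseline to compare against
        change = (current[key] - old) / old
        if abs(change) > tolerance:
            issues.append(("variance", key, f"{change:+.0%} vs last month"))
    return issues

if __name__ == "__main__":
    for issue in validate_scan(SCAN, INVENTORY, NAMING, LAST_MONTH):
        print(*issue, sep=" | ")
```

In the constructed data, the drop in findings comes from a failed credentialed login and a missing host rather than from remediation, which is why the validation has to happen before the findings are read.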

After identifying vulnerabilities in the environment, the next step is confirming there is a problem before determining if a fix must be implemented. The results of vulnerability scans afford the opportunity to strengthen the security posture of the users’ systems and networks. When reviewing the results, using a variety of lenses, dependent upon the scan types, can help to determine the risk and path forward. For example, a recent vulnerability scan has revealed an “Informational” (i.e., the lowest possible) risk rating. While this might normally be considered a success, diving into the actual output of one of the results informs the user that several accounts are not configured to be disabled due to inactivity. This is a clear violation of established policy and could pose a significant risk, especially if the accounts have escalated privileges.

The bottom line is that a user gets only as much value out of the vulnerability scan results as the effort that is put into the review. A diligent review can provide a clear picture of what needs to be remediated within the environment.

Remediating Vulnerabilities

Remediating identified vulnerabilities can be a daunting task with many questions: What do you fix first? How long will fixes take? Will there be an operational impact resulting from the recommended fix? Luckily, there are many considerations that can help prioritize and customize a remediation plan, including:

  • Significance: Remediating based upon the software-assigned criticality (i.e., Critical to Low)
  • Prevalence: Remediating based upon the number of hosts affected
  • Impact: Remediating based upon the number of vulnerabilities remediated upon deployment of a given fix
  • Age: Remediating based upon the time since the vulnerability has been discovered.
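The four considerations can rank the same backlog in four different orders. The following is an added example, not code from the article; the findings, fix names, and dates are constructed, and "Age" is assumed to be measured from the date a finding was first seen in a scan.

```python
from datetime import date

SEVERITY = {"Critical": 4, "High": 3, "Moderate": 2, "Low": 1}
TODAY = date(2024, 6, 1)  # constructed reference date

# Constructed findings: (id, severity, host, fix that closes it, first seen)
FINDINGS = [
    ("F1", "Critical", "fin-web-01", "upgrade-tls-library", date(2024, 2, 1)),
    ("F2", "High", "fin-app-01", "os-cumulative-patch", date(2024, 3, 1)),
    ("F3", "Moderate", "fin-app-01", "os-cumulative-patch", date(2024, 3, 1)),
    ("F4", "Moderate", "fin-db-01", "os-cumulative-patch", date(2024, 4, 10)),
    ("F5", "High", "fin-db-01", "os-cumulative-patch", date(2024, 4, 10)),
    ("F6", "Low", "fin-app-01", "disable-legacy-protocol", date(2023, 11, 2)),
    ("F7", "Low", "fin-db-01", "disable-legacy-protocol", date(2023, 11, 2)),
    ("F8", "Low", "fin-web-01", "disable-legacy-protocol", date(2023, 11, 2)),
]

def summarize(findings, today):
    """Roll findings up per fix into the four lenses named in the article."""
    fixes = {}
    for _fid, sev, host, fix, seen in findings:
        s = fixes.setdefault(
            fix, {"significance": 0, "hosts": set(), "impact": 0, "age": 0})
        s["significance"] = max(s["significance"], SEVERITY[sev])  # worst rating
        s["hosts"].add(host)
        s["impact"] += 1                                  # findings closed by fix
        s["age"] = max(s["age"], (today - seen).days)     # oldest open finding
    for s in fixes.values():
        s["prevalence"] = len(s.pop("hosts"))             # distinct hosts affected
    return fixes

def rank_fixes(findings, lens, today=TODAY):
    """Order fixes by one lens, highest first; ties break alphabetically."""
    fixes = summarize(findings, today)
    return sorted(fixes, key=lambda f: (-fixes[f][lens], f))

if __name__ == "__main__":
    for lens in ("significance", "prevalence", "impact", "age"):
        print(f"{lens:12} -> {rank_fixes(FINDINGS, lens)}")
```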

Regardless of the path chosen, prioritization should be commensurate with the risk appetite of the organization and the potential impact of the fix. The solution may not be to change a configuration or deploy a patch, but it may instead be to accept the risk. A best practice is to leverage the Risk Management Framework(3) and ensure that the selected action is appropriately documented for each vulnerability in accordance with established policy.

Vulnerability scanning can seem like a daunting task, but protecting the data is of the utmost importance in today’s ever-expanding digital world. Therefore, it is critical to leverage vulnerability scanning to help mitigate the risk and, when remediating identified vulnerabilities, remember the “ABCs” of vulnerability scanning: analyze the results, balance fixes with risk, and confirm remediation.

This publication is for informational purposes only and does not constitute professional advice or services, or an endorsement of any kind. Readers should first consult with a professional before acting with regard to the subjects mentioned herein.  

Kearney & Company, P.C. (Kearney) is a Certified Public Accounting (CPA) firm focused on providing accounting and consulting services to the Government.