Network Vulnerability Assessments and Scans

How often should we perform network vulnerability assessments on our network?

Factors such as network size, number of services, and employee population should be considered in deciding the frequency and scale of vulnerability assessments. After the initial vulnerability assessment, SECNAP auditors meet with client management and IT staff to discuss the potential impacts of the vulnerabilities identified; recommendations for scan frequencies may stem from that discussion. Most clients choose a combination of monthly external scans and quarterly internal scans. Very large organizations often prefer to conduct both internal and external scans on a monthly basis.

Do network scans have any impact on the network or network devices?

Scans are optimized to have minimal impact on the network and network devices. When performing vulnerability assessments, scans are always run in 'safe mode' and we limit the number of machines and tests that are conducted at the same time. This approach is designed for minimal impact on bandwidth and processing power on the machines being tested. If specifically requested, we can perform scans in 'attack mode,' which may crash services running on a machine but can provide additional useful information.

Should we notify our ISP (Internet Service Provider)?

Although it's not really necessary for scans on the internal network, you should notify your ISP before public-facing IPs are tested. When a public IP is tested, the scans may appear to the ISP to be actual attack traffic. It's always a good idea to inform them that a test will be taking place, which IPs the test will originate from, and the estimated time period of the scan. In rare cases, it may also be necessary to engage the ISP later for troubleshooting or remediation.

Should we notify our Intrusion Detection / Prevention (IDS/IPS) Vendor?

Because the scans will likely trigger alerts on your IDS/IPS, the vendor or team that monitors it should be notified before the scans begin, so the expected activity is not mistaken for a live intrusion.
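A defender's way to put the ISP and IDS/IPS notifications above to use: once the scan window, the scanner's origin IPs and the in-scope targets are agreed, an alert matching all three can be tagged as the authorized scan, while anything that misses one of them (an unannounced source during the window, the scanner outside the window, or the scanner touching an out-of-scope host) stays in the normal investigation queue. The script below is an added example, not SECNAP's tooling; the alert line format, the window times and the IP ranges are constructed (RFC 5737 documentation addresses), and a real IDS export would need its own parser in place of `parse_alert`.

```python
"""Triage IDS alerts against a pre-announced vulnerability scan window.

Added example, not SECNAP code. The alert format, scanner addresses,
target ranges and window times below are all constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ScanWindow:
    """What the scanning party announced in advance."""
    start: datetime            # UTC start of the agreed window
    end: datetime              # UTC end of the agreed window
    sources: Tuple[str, ...]   # networks the scan traffic originates from
    targets: Tuple[str, ...]   # networks that are in scope for the scan

    def covers(self, ts: datetime, src: str, dst: str) -> bool:
        """True only if time, source and destination all match the announcement."""
        in_time = self.start <= ts <= self.end
        in_src = any(ip_address(src) in ip_network(n) for n in self.sources)
        in_dst = any(ip_address(dst) in ip_network(n) for n in self.targets)
        return in_time and in_src and in_dst


def parse_alert(line: str) -> Tuple[datetime, str, str, str]:
    """Parse one constructed alert line: '<ISO-8601 UTC> <src> -> <dst> <signature>'."""
    ts_str, src, _arrow, dst, *sig = line.split()
    ts = datetime.fromisoformat(ts_str.replace("Z", "+00:00"))
    return ts, src, dst, " ".join(sig)


def triage(lines: List[str], window: ScanWindow) -> Dict[str, List[str]]:
    """Split alerts into the announced scan and everything that still needs a look."""
    out: Dict[str, List[str]] = {"authorized_scan": [], "investigate": []}
    for line in lines:
        ts, src, dst, _sig = parse_alert(line)
        bucket = "authorized_scan" if window.covers(ts, src, dst) else "investigate"
        out[bucket].append(line)
    return out


# Constructed announcement: scanner at 203.0.113.10, targets in 198.51.100.0/24,
# window 01:00-04:00 UTC on 2024-03-05.
WINDOW = ScanWindow(
    start=datetime(2024, 3, 5, 1, 0, tzinfo=timezone.utc),
    end=datetime(2024, 3, 5, 4, 0, tzinfo=timezone.utc),
    sources=("203.0.113.10/32",),
    targets=("198.51.100.0/24",),
)

# Constructed IDS alert lines.
SAMPLE_ALERTS = [
    "2024-03-05T01:15:00Z 203.0.113.10 -> 198.51.100.20 SCAN port sweep",
    "2024-03-05T02:30:00Z 203.0.113.10 -> 198.51.100.21 SCAN SSH version probe",
    "2024-03-05T03:45:00Z 203.0.113.10 -> 198.51.100.22 SCAN HTTP banner grab",
    # scanner address, but outside the agreed window
    "2024-03-05T06:10:00Z 203.0.113.10 -> 198.51.100.20 SCAN port sweep",
    # inside the window, but from a source that was never announced
    "2024-03-05T02:40:00Z 192.0.2.77 -> 198.51.100.20 SCAN port sweep",
    # scanner inside the window, but hitting a host outside the agreed scope
    "2024-03-05T02:50:00Z 203.0.113.10 -> 10.0.0.5 SCAN port sweep",
]

if __name__ == "__main__":
    result = triage(SAMPLE_ALERTS, WINDOW)
    for bucket, lines in result.items():
        print(f"{bucket}: {len(lines)}")
        for line in lines:
            print("  ", line)
```

Requiring all three conditions is the point: the announcement lets the monitoring team set the scan aside as known activity without muting the sensor, so anyone else probing the same hosts during the window, or the scanner drifting outside the agreed scope or time, is still surfaced.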

Are the tests confidential, and what measures are taken to protect that confidentiality?

Before we begin work, security measures are discussed and agreed with the client, including report delivery and client confidentiality. Different delivery options are available, such as CD-ROM and secure client portals. SECNAP will never share the details of client vulnerability assessments with unauthorized individuals.

What do you scan for, and are the tests customizable?

SECNAP scans for tens of thousands of potential vulnerabilities and we constantly update the database of tests to perform. Generally, clients specify which hosts should be scanned at what times, and defer to us regarding the selection of specific tests to be conducted.

How do we resolve security weaknesses found in the scans, and are you capable of helping remediate those issues?

For client convenience, scan results can be sorted by vulnerability or hostname and are available in a variety of formats. The results clearly identify which host(s) have a specific vulnerability and provide a detailed explanation of remediation options, as well as links to information about the bug or vulnerability. If available, SECNAP engineers can later be engaged to assist with remediation as well, consulting on hardware/software fixes or upgrades to resolve specific weaknesses or improve the overall security posture of the business.

In addition to network vulnerability assessments, does SECNAP do GLBA, HIPAA or other industry-specific audits?

SECNAP performs SOX, GLBA, HIPAA, FACTA and other regulatory-focused audits to assist clients in understanding where their compliance programs are weak and what steps can be taken to strengthen them. The SECNAP audit team has extensive experience in security and compliance audits. Members of the audit team have CISSP, CISA, CISM, and CEH certifications from organizations including ISC2, ISACA and EC-Council.

SECNAP also offers web application and Wi-Fi assessments, security health checks, 24/7 network monitoring and managed intrusion detection and prevention services.
