How to meet the challenges behind vulnerability scans and reports

The PCI DSS standard requires companies to conduct quarterly vulnerability scans. Today's columnist, KS Smith of AT&T Cybersecurity, offers a strategy for getting the most out of vulnerability scan reports.

Vulnerability scan reports deliver an overview of the vulnerabilities that currently exist in an environment. These reports are valuable to executives, IT administrators, security teams, and compliance professionals because they supply additional data points and show the progress made remediating previously detected vulnerabilities. Typically, vulnerability reports are static snapshots of scan data, but security pros can sort them manually or rank them automatically with a scoring system to identify and prioritize critical threats. While vulnerability scans help identify, measure, and track these threats, if the results fall into the wrong hands, bad actors can use the information against an organization. The industry also needs a better understanding of the uses and limitations of vulnerability scan reports so that organizations can get the most out of them.

Risks with vulnerability reports

Vulnerability reports are usually static documents that capture sensitive information, so there is a real security risk if an adversary intercepts one, especially once it has been shared. While some reports contain only a high-level summary of the findings, others contain complete details about every vulnerability and every asset found. In addition, they may include references describing how a vulnerability is exploited, linked to the actual exploits in use. Malicious actors can obtain this information from unencrypted emails carrying the reports or from copies kept in insecurely stored environments. To prevent this, organizations should encrypt emails and other messages containing vulnerability scan results and ensure the reports are stored in a highly secure location.

It is also important to note that some scans look for misconfigurations or configuration drift on a particular host. If new vulnerabilities are disclosed or changes are made to the host, an existing report may not reflect all currently known vulnerabilities and misconfigurations. With static reports, it is wrong to assume that the scan data remains accurate simply because the assets and hosts are unchanged. A recent survey found that in the first half of 2021, an average of 80 new vulnerabilities appeared each day. With vulnerabilities discovered at that rate, each one requires further evaluation on the host, or a new report, to understand its priority, which makes yesterday's report unreliable.

The benefits of vulnerability scans

Although using and transmitting vulnerability data in reports may pose potential threats and can lead to additional vulnerabilities if the reports are not protected properly, there are also many benefits, including prioritizing remediation efforts. Vulnerability data and risk ratings help companies decide which vulnerabilities are most pressing, since the difficulty of remediation varies with the company's structure and available resources. The priorities differ from one organization to the next, but many use the Common Vulnerability Scoring System (CVSS) score to classify severity. Some scanning tools also apply their own ranking systems or severity grades, based on public vulnerability data combined with internal data specific to the tool. Once the reports are generated and sorted by severity, teams can analyze the list of vulnerabilities and start remediation efforts.

Companies with a fully fledged vulnerability management program will often rank vulnerabilities using a risk-based approach to determine the threats specific to their organization. One factor could be whether the asset is mission-critical to daily operations, such as the web server behind an e-commerce site. Other factors could involve the location of the asset, such as whether it sits on the network perimeter, on the internal network, or in a high-security enclave. Each of these locations brings unique elements to consider in the risk assessment.
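One way to put this risk-based ranking into code, as an added example that is not the author's or AT&T's: each finding's CVSS base score is scaled by asset criticality and network location, and findings that come from an old snapshot are flagged as stale, as the earlier section on report staleness warns. The weights, the seven-day threshold and the sample findings are constructed assumptions, not values from the article.

```python
from dataclasses import dataclass
from datetime import date

# Constructed weights (assumptions, not from the article): how much a finding's
# context amplifies its CVSS base score in the risk-based ranking.
CRITICALITY_WEIGHT = {"mission-critical": 1.5, "standard": 1.0, "low": 0.6}
EXPOSURE_WEIGHT = {"perimeter": 1.4, "internal": 1.0, "enclave": 0.8}
MAX_REPORT_AGE_DAYS = 7  # assumed: older snapshots are flagged as stale


@dataclass
class Finding:
    host: str
    vuln_id: str        # placeholder identifiers in the sample data below
    cvss: float         # CVSS base score, 0.0 to 10.0
    criticality: str    # asset role per the organization's inventory
    exposure: str       # where the asset sits: perimeter, internal, enclave
    scanned: date       # date of the scan snapshot the finding came from


def risk_score(f: Finding) -> float:
    """CVSS base score scaled by asset criticality and exposure, capped at 10."""
    score = f.cvss * CRITICALITY_WEIGHT[f.criticality] * EXPOSURE_WEIGHT[f.exposure]
    return round(min(score, 10.0), 2)


def is_stale(f: Finding, today: date) -> bool:
    """True when the snapshot is older than allowed and the host needs a rescan."""
    return (today - f.scanned).days > MAX_REPORT_AGE_DAYS


def prioritize(findings: list[Finding], today: date) -> list[tuple[str, str, float, bool]]:
    """Return (host, vuln_id, risk, stale) tuples, highest risk first."""
    ranked = [(f.host, f.vuln_id, risk_score(f), is_stale(f, today)) for f in findings]
    return sorted(ranked, key=lambda r: r[2], reverse=True)


# Constructed sample findings, not real scan output.
SAMPLE = [
    Finding("shop-web-01", "VULN-A", 7.5, "mission-critical", "perimeter", date(2021, 9, 1)),
    Finding("hr-db-02", "VULN-B", 9.8, "standard", "enclave", date(2021, 8, 20)),
    Finding("dev-vm-07", "VULN-C", 9.8, "low", "internal", date(2021, 9, 1)),
]

if __name__ == "__main__":
    for host, vuln, risk, stale in prioritize(SAMPLE, date(2021, 9, 3)):
        print(f"{host:12} {vuln:8} risk={risk:5.2f} {'STALE - rescan' if stale else ''}")
```

Note that the perimeter-facing e-commerce host outranks the two 9.8-rated findings once asset context is applied, which is the point of risk-based ranking over raw CVSS.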

Fortunately, vulnerability detection today can also offer a more accurate and complete way to gather, sort, and evaluate scan data in near real time. Real-time data calls for different ways of digesting the details of each vulnerability, so security teams can build dynamic dashboards for specific use cases, tailoring the platform to users with different roles and responsibilities. Analysts can update these dashboards in near real time using more robust vulnerability discovery tools. For example, an executive can access a high-level, read-only report, the compliance team can have a compliance-focused report, and the IT department can use an operational report.

While many organizations use vulnerability scans to understand the current vulnerabilities in an environment, doing so can lead to more vulnerabilities and cyberattacks if the challenges of handling such reports are not fully understood. Once these challenges and potential threats are addressed, organizations can properly capitalize on the benefits that vulnerability scanning and prioritization offer, leading to stronger cyber protection for the entire organization.

KS Smith, senior cybersecurity consultant, AT&T Cybersecurity