Onega Managed Vulnerability Scanning Services

Good security in IT is about multiple layers of defence, focus and active management in order to minimise risks to your organisation’s systems. It is also about plain old common sense and context. One aspect to this is making sure that you are not presenting any low hanging fruit for bad actors to exploit to gain foothold access to your computer network. In 2021 Ransomware attacks are still prevalent and can be devastating to an organisations ability to function normally.

In the vast number of cases the initial entry is via a weak link in the chain. This might be a non critical ‘testing’ server, a system not regularly used or systems on course for retirement etc. Equally it could be via unpatched vulnerabilities in a primary server or where a patch has been applied but for whatever reason is not successful in closing off a vulnerability (failed patch).

To maintain security, discover, highlight and manage these risks, we can provide a Managed Vulnerability Scanning Service. This is currently powered by Qualys who are leaders in the field and used by many grade A banks, other leading websites and e-tailors.

Under the service, we can help you scan your networks from an external perspective - to discover and probe devices and servers connected to and accessible via the Internet at your offices or data centres. This gives the same view that a hacker would have when looking for ways into your network and allows for issues to be discovered, managed and resolved as part of routine operations cycles. The fact that there might be vulnerabilities on your network is a fact of life. New vulnerabilities are discovered over time as they come to light so under a well managed IT regime there has to be a cycle to keep on top of these so that servers, applications, routers, switches, firewalls, printers (which are small computers in themselves), CCTV systems (again small computers these days in every camera) etc. are tested, and issues discovered managed and resolved. Key is that it is your company managing and resolving the issues rather than criminals exploiting them.

This, like much of IT security is a matter of good procedural management and processes to embed these aspects of security into routine cycles. If you have a computer network then we can also scan internally within the network to see what devices are potentially vulnerable also. This too is key to good security as many exploits work by gaining a foothold in one part of the system and then internally stepping across to other systems to potentially compromise an entire network.

The BBC have a very good ‘File on Four’ Episode on Radio 4 which is available online and we’d urge you to listen to this as 30 minutes well spent to understand what can happen if you suffer a cyber attack with either ransomware (where files are encrypted so that you can only access your data once you have paid) or data theft whereby your private files, contacts, contracts and emails etc. are copied off and may be released for the world (your customers, clients, press & competitors) all to see online and do what they will with them.

The internal scanning lets you address these possible stepping stones so that you don’t have as many routes through your systems to access your key data. It works by deploying a virtual machine (or can be a physical machine) as a scan appliance and running the same tests which would be run by the Qualys Cloud scanners against your external network and web servers to your internal networks. The results are then graded, described and reported to allow for vulnerabilities to be addressed. Beyond external hackers, in some scenarios there have also been situations whereby attackers gain physical access (in banking, office, retail or event space environments for example to a network port and then quietly move around the network from the inside. Not long ago there was a daring heist that resulted in the loss of tens of millions of euros from a number of Eastern European banks from this method which was widely reported on ZDNet and in other parts of the media.

The pattern with cyber crime is often that the biggest targets are hit first by a new style of attack (where the bounty is richest of course) and then smaller SME organisations who may be equally disrupted or potentially brought to their knees by a major ransomware or similar cyber incident. Criminals have also been particularly targeting medical facilities and infrastucture organisations like in the high profile US Colonial Pipeline attack but really they don’t care about who they attack if there is a chance of a hansom ransom reward.

The key takeaway from the majority of these attacks is that they could have been prevented. Not all attacks can be prevented nor would we warrant that implementing vulnerability scanning will stop you being attacked, but having an active managed process for regular vulnerability scanning (and of course acting on this) greatly reduces your risk of being abused. This is also alongside other measures for security in the stack of user training, good password management practices, MFA / 2FA, Firewall gateway security, cloud security, endpoint antivirus & anti malware / anti ransom tools etc.

If you have CyberInsurance (which is a whole different debate as to the pros and cons of this) then increasingly they have requirements to validate the cover that you should be executing a system of vulnerability management. This is for good reason that it is in your joint interest as cover holder, as well as that of the underwriter, that risks need to be managed to keep premiums and payouts down. There have been cases of claims (payouts) for cyber insurance being declined because the measures noted on the proposal forms were not able to be demonstrated or proved on investigation. When we implement the Onega managed vulnerability scanning and management system this greatly reduces that risk as you are scanning and managing systems and this is witnessed by scan reports, remediations and rescans confirming vulnerabilities cleared.

How does the managed vulnerability scanning service compare and cross over with other related IT security activities?

Managed Vulnerability Scanning Vs Web Application Scanning - This is important to understand. Vulnerability scanning probes your network (internally and externally as agreed) against a huge library of known vulnerabilities and reports against these. It does not investigate specific custom web applications (or other business applications) so for example if the password for your ebanking account was ‘password123’ then it would not catch that, nor if you have a (as has been the case!) banking applications that allows a user to send a payment for minus amounts to other account holders at the same bank etc. For the former case good password management / MFA is needed, and web application scanning for the latter (which we can also help with seperately).

Managed Vulnerability Scanning Vs Pen Testing (Penetration Testing) - Many mature organisations run annual or otherwise regular pen tests against their networks. Normally these are done with expert independent security consultants, and Onega often help clients with these engagements. The pen test consultants look at the whole systems to identify potential access points and risk areas to address. They will often use a vulnerability scanning system as part of their arsenal to analyse your network. If you are already managing vulnerabilities then this part should be reduced in that hopefully there should be less for them to discover if many of the risks you have addressed already. There is a chance that different tools may highlight different risks which is to be welcomed but overall the pen testers will be able to focus on areas of higher risk / value if you already have vulnerability management covered (otherwise you may be paying them a lot of money for them to tell you that you are not addressing the basics).

How does Onega’s Managed Vulnerability Scanning Service work?

We first discuss with you the scope of what is practical and logical (appropriate) to scan so far as internal, external network surfaces go, and how often the scans should be done for your risk context. Based on this we can then cost the solution.

Factors thus we need to discuss and agree with you for scoping:

  • Networks to be scanned (subnets) internally and externally (size of network).

  • Frequency of scanning (ie weekly / monthly etc.)

  • Level of service - ie if you have internal resource to address and resolve the vulnerabilities highlighted or if you would like us to assist with this (typically on a time as used or block hours basis).

As an illustration of costs though, we have a couple of examples here:

  • Monthly scanning on external Internet connected network for an SME with management reporting, liaison with internal IT on resolutions £120 per month ex VAT.

  • 2x /24 Subnets internally with 100 devices on across two connected sites (mixture of computers, servers, network switches, routers, wireless APs, printers, access control & CCTV systems, and externally facing (Internet) connections with weekly vulnerability scanning and management reporting £550 per month ex VAT.

    These are with remote service delivery & normally subject to a 12 month initial term.

To sum up benefits of regular vulnerability scanning:

  • Known vulnerabilities are flagged and can thus be remedied.

  • New vulnerabilities can be resolved.

  • Error from any misconfiguration or ‘temporary workarounds’ are caught and flagged for resolution (ie if a firmware update is applied to a device the system can actually test it resolves a vulnerability rather than just trusting the vendor (so we ‘Trust but Verify’)

  • Regular process minimises time of exposure to emerging threats. (For reference hacks to Boeng, NHS etc. recently would likely not have occurred if these mitigations were in place already. )

  • Second check to patch processes to verify operations activities are effective.

  • Requirement of Cyber Insurance satisfied

  • Significantly reduced risk of exposure to IT threats (alongside other IT security measures well implemented)

If you would like to discuss how a managed vulnerability scanning process could help maintain security in your organisation please do contact us and we’d be very happy to run through this with you. Remember our mantra that there are no stupid questions in IT so if anything is unclear we will be very happy to explain further. Rather than putting it off, why not call us now on 0207 536 6350 (UK) or 646 475 2118 (USA)?

Thanks to Allan Hopkins via Flickr for the header image here of the Brazilian Three-banded Armadillo (Tolypeutes tricinctus)