Best Practices for Vulnerability Scanning

by Sarah Harvey / May 4th, 2020

Vulnerability management should be a priority in any organization’s information security program so that there’s an established approach for identifying and rating issues affecting in-scope systems in a given environment. Vulnerability scans are a main component of vulnerability management, allowing you to evaluate your systems, software, and infrastructure for unpatched holes and gaps in need of remediation. Let’s talk through some best practices for vulnerability scanning to help you protect your assets.

How Often Should You Perform Vulnerability Scanning?

The frequency of vulnerability scanning depends on a few factors: organizational changes, compliance standards, and security program goals. If your organization wants to maintain a high level of security, vulnerability scanning needs to be a standing part of your information security program. Vulnerability scans should also be conducted after any major system, organization, or infrastructure change (a new network segment, a migration, a significant software upgrade) so that you are aware of any security gaps the change introduced. And, of course, to comply with various regulations, annual, quarterly, or monthly vulnerability scanning may be required as part of your information security program.

Overall, an industry best practice is to perform vulnerability scanning at least once per quarter. Quarterly vulnerability scans tend to catch any major security holes that need to be assessed, but depending on your unique organizational needs, you may end up performing scans monthly or even weekly. The best way to assess vulnerability scanning frequency is to thoroughly understand your own security structure and the threats you face.

Framework Requirements for Vulnerability Scanning

On your compliance journey, you’ll realize many compliance standards include requirements for regular vulnerability scanning. Some standards require a higher frequency of vulnerability scanning than others, yet most include vulnerability management to some degree. You can expect to see requirements for vulnerability scanning from these industry compliance and regulatory standards:

  • ISO/IEC 27001: Requires a process for managing technical vulnerabilities (Annex A.12.6.1 in the 2013 edition) but does not prescribe a scan frequency; the organization defines one in its ISMS and must be able to show it is followed
  • HIPAA: Requires a thorough risk analysis of systems handling ePHI (45 CFR 164.308(a)(1)(ii)(A)); the rule does not name vulnerability scanning, but scan results are a standard input to that analysis
  • PCI DSS: Requires quarterly internal scans (Requirement 11.2.1), quarterly external scans performed by an ASV (Approved Scanning Vendor) (Requirement 11.2.2), and rescans after any significant change (Requirement 11.2.3); only the external scans must be run by an ASV
  • FISMA: Requires documentation and implementation of a vulnerability program to protect the availability, confidentiality, and integrity of federal information systems
  • NIST: Requires vulnerability scanning at an organization-defined frequency and whenever new vulnerabilities affecting the systems are identified (SP 800-53 control RA-5; SP 800-171 requirement 3.11.2); neither publication fixes a quarterly or monthly interval on its own, so the frequency you document is the one you will be assessed against

How to Perform Vulnerability Scanning

Vulnerability scans are often confused with penetration tests; however, they serve different purposes in your information security program. Vulnerability scanning is an automated process designed to highlight issues across a wide range of systems at regular intervals. With vulnerability scans, you can discover issues such as missing patches and vulnerable software packages, typically by comparing what is installed or exposed against a feed of known vulnerabilities. Penetration testing, by contrast, combines manual and automated work toward a more targeted goal: a tester attempts to exploit weaknesses, chain them together, and demonstrate real impact rather than simply enumerate findings. Understanding the difference and value of these two tools is important so that you can conduct vulnerability scanning with the right expectations.
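The version-against-advisory comparison that underlies the "missing patches and vulnerable software packages" findings above is simple enough to show end to end. The script below is an added illustration, not KirkpatrickPrice's tooling or any commercial scanner: it takes a constructed host inventory (hostnames, packages and installed versions) and a constructed advisory feed (the `ADV-000x` identifiers, packages, fixed versions and CVSS scores are made up for the example), flags every install older than the fixed-in version, and rates each finding with the standard CVSS v3 severity bands so results can be prioritized.

```python
"""Minimal version-based vulnerability check, the core of an authenticated
package scan. Added example; the advisory feed, advisory IDs and inventory
below are constructed sample data, not real advisories or real hosts."""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # hypothetical identifier, not a real CVE
    package: str
    fixed_in: str      # first version that is no longer vulnerable
    cvss: float        # CVSS v3 base score


# Constructed sample advisory feed (IDs and versions are illustrative only).
ADVISORIES = [
    Advisory("ADV-0001", "openssl", "1.1.1k", 7.5),
    Advisory("ADV-0002", "openssh", "8.5", 5.3),
    Advisory("ADV-0003", "nginx", "1.20.1", 9.8),
]

# Constructed sample inventory: hostname -> {package: installed version},
# the kind of data a credentialed scan collects from each host.
INVENTORY = {
    "web-01": {"openssl": "1.1.1g", "nginx": "1.18.0", "openssh": "8.6"},
    "bastion-01": {"openssh": "8.2", "openssl": "1.1.1k"},
}


def parse_version(v: str) -> tuple:
    """Turn '1.1.1k' into a comparable tuple.

    Numeric runs compare as integers (so 1.18 < 1.20), and a letter run is
    tagged so it never gets compared against an int and sorts after a bare
    release with the same digits (1.1.1 < 1.1.1g < 1.1.1k, OpenSSL style).
    """
    parts = []
    for piece in re.findall(r"\d+|[A-Za-z]+", v):
        parts.append((0, int(piece)) if piece.isdigit() else (1, piece))
    return tuple(parts)


def severity(cvss: float) -> str:
    """Map a CVSS v3 base score to its qualitative rating band."""
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    if cvss > 0.0:
        return "Low"
    return "None"


def scan(inventory: dict, advisories: list) -> list:
    """Return one finding per (host, vulnerable package), highest CVSS first."""
    findings = []
    for host, packages in inventory.items():
        for adv in advisories:
            installed = packages.get(adv.package)
            if installed is None:
                continue  # package not present on this host
            if parse_version(installed) < parse_version(adv.fixed_in):
                findings.append({
                    "host": host,
                    "package": adv.package,
                    "installed": installed,
                    "fixed_in": adv.fixed_in,
                    "advisory": adv.advisory_id,
                    "cvss": adv.cvss,
                    "severity": severity(adv.cvss),
                })
    findings.sort(key=lambda f: -f["cvss"])
    return findings


if __name__ == "__main__":
    for f in scan(INVENTORY, ADVISORIES):
        print(f"{f['severity']:<8} {f['host']:<12} {f['package']} "
              f"{f['installed']} < {f['fixed_in']} ({f['advisory']}, CVSS {f['cvss']})")
```

One caveat a practitioner will hit immediately: pure version comparison over-reports on distributions that backport fixes without bumping the upstream version (a package can be patched while still reporting 1.1.1g). Production scanners consult distribution-specific advisory data for that reason, and any findings you hand to a remediation team should be checked against the vendor's own fixed-package list before being treated as confirmed.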

Vulnerability scanning is conducted with a variety of tools, such as those on OWASP's Vulnerability Scanning Tools list, that check systems for known security vulnerabilities. When you hire someone to conduct your vulnerability scans, you're hiring someone to run such a tool against your systems and interpret the results. Some auditing firms charge high fees for "manual vulnerability management" when, in reality, they're running the same automated scanner you could run yourself. Don't be fooled into paying for an overpriced service that delivers the same scan as any capable vulnerability scanning tool; what should cost extra is the analysis, validation, and remediation guidance layered on top of it.

At KirkpatrickPrice, we pride ourselves on honesty and integrity. When you look to us to perform vulnerability scanning services, you'll know our processes and tools upfront. You can expect a thorough scan of your networks, systems, and equipment to detect and classify any vulnerabilities. Interested in learning more about our vulnerability scanning services? Contact us today.

More Vulnerability Management Resources

Auditor Insights: Vulnerability Assessments vs Penetration Testing

PCI Requirement 11.2.2 – Perform Quarterly External Vulnerability Scans via an Appropriate Scanning Vendor

10 Ways to Conduct Patch Management