Organizations should have a process in place to locate and identify vulnerabilities. Vulnerability scanners can be part of the process, but they cannot take the place of vulnerability and penetration testing performed by trained professionals

• Asset criticality - Assets are classified based on the value to the organization. A data inventory also helps to classify assets. Assets with critical data should be classified as such.
• Active vs. passive scanning
  • Passive Scanning - A passive scan silently collects network data to detect vulnerabilities. This method may be more time consuming, but it is less disruptive in the network.
  • Active Scanning - An active scan sends packet data to endpoints to collect data. This method can gather data quicker, but it can be more disruptive on the network.
• Mapping/enumeration - A process of identifying and listing the vulnerabilities that exist on the network.

Vulnerability scanning can sometimes provide incomplete or incorrect information. Here are the different types a scanner can deliver:

• True positive - The scanner correctly identified the vulnerability.
• False positive - The scanner indicated a vulnerability exists, when in fact, it does not.
• True negative - The scanner correctly indicated no vulnerability exists.
• False negative - The scanner indicates no vulnerability, when in fact, there is

Once vulnerabilities are identified, processes should be in place to reduce the risk they pose. Part of the process is prioritizing vulnerabilities based on the impact and likelihood of each.

• Configuration baseline - A minimum baseline of security settings that are required for devices on the network.
• Patching - Software patches are released by vendors that fix code issues or close security loopholes. Having a patch management life cycle that tests patches before deployment to production systems can help reduce downtime.
• Hardening - The process of removing or blocking any unnecessary application, service, or port.
• Compensating controls - Sometimes a vulnerability can not be eliminated, a compensating control is a method that reduces the risk the vulnerability poses.
• Risk acceptance - Sometimes the cost to eliminate a vulnerability exceeds the cost of the dmages, in these or other cases an organization may accept the risk.
• Verification of mitigation - Once a vulnerability has been mitigated, it should be tested to make sure that it is indeed mitigated. Vulnerability scanning is one method to accomplish this.

• Risks associated with scanning activities - Some of the risks of scanning
  • A false sense of security that vulnerability scans are finding all vulnerabilities
  • A scanning database can quickly become outdated
  • Identifying vulnerabilities does not reduce risk, mitigating them does
• Vulnerability feed - RSS feeds that share the latest news and information of vulnerabilities, the National Vulnerability Database is the U.S. Government repository.
• Scope - what is to be scanned, what will be scanned for, and when the scan will occur.
• Credentialed vs. non-credentialed - A credentialed scan will use an account to log in and check installed versions of software on the host along with other checks. An non-credentialed scan will look at the ports that are open and enumerate the software on the port. A credentialed scan will be more complete and have more accurate information.
• Server-based vs. agent-based - A server based scan is a traditional scanner that sends packets to a host. An agent based scan is a piece of software on the host. A server based scan uses more bandwidth, but can see what is running on the ports. An agent based scanner uses less bandwidth but is unable to see network based vulnerabilities.
• Internal vs. external - Internal scans are run from inside the perimeter of the network and external scans are run from the outside of the perimeter. It is important to perform both types of scans to gain a full picture of your attack surface. Internal scans will show more vulnerabilities and would be the view of an adversary has once inside the network. An external scan will show you what adversaries see when they first start probing your network.
• Special considerations
• Types of data - the types of data that you have can inform you on which types of vulnerabilities to scan for (that relate to those data types).
• Technical constraints - scan may be affected by the network structure. Different segments may require multiple scanners.
• Workflow - You may want to run scans when it has the least amount of impact on business workflow, such as in the middle of the night.
• Sensitivity levels - A scanner will report vulnerabilities based on severity, usually following CVSS. Additionally, different assets may be more sensitive to scanning, so scanners allow you to change the sensitivity of the scans so it doesn't knock the system offline.
• Regulatory requirements - different industries require different regulations:
  • Sarbanes-Oxley Act (SOX) - affects any organization that is publicly traded in the United States.
  • Health Insurance Portability and Accountability Act (HIPAA) - affects all healthcare facilities, health insurance companies, and healthcare clearing houses.
  • Gramm-Leach-Bliley Act (GLBA) of 1999 - affects all healthcare facilities, health insurance companies, and healthcare clearing houses.
  • Payment Card Industry Data Security Standard (PCI DSS) - affects all entities that accept cards as a form of payment.
• Segmentation - the process of dividing the network using VLANS and subnets. A scanner may not be able to reach each segment requiring appliances in the segment.
• Intrusion prevention system (IPS), intrusion detection system (IDS), and firewall settings - these devices may affect the outcome of the scan, and may event prevent a scan from hitting a host. Additionally these solutions may be used to identify vulnerabilities.

Sometimes it may not be possible to implement a solution to a vulnerability, such as:

• Memorandum of understanding (MOU) - this is a document between two principals do do something together, sometimes they may contain security requirements that may inhibit remediation.
• Service-level agreement (SLA) - specifies a service to be provided, the cost, and performance expectations. Sometimes they may include specifications that may inhibit remediation.
• Organizational governance - the processes of an organization. Sometimes the process is slow to affect change in an organization which may inhibit remediation.
• Business process interruption - sometimes remediation requires interruption of a service, requiring the remediation to be applied off hours.
• Degrading functionality - sometimes the remediation may introduce more problems that it solves. In these cases another solution may be needed.
• Legacy systems - systems that are older and may not be receiving updates. Sometimes critical business functions rely on legacy systems and cannot be updated.
• Proprietary systems - solutions that have been developed by the organization. Any updates will need to be performed by developers of the organization.