In assessing risk, there has been a significant increase in the use of self-scanning tools to identify and assess vulnerabilities, with 41 percent of respondents to “The Cybersecurity Insight Report” by CDW employing solutions such as Microsoft Security Baseline Analyzer, Microsoft System Center Operations Manager or Microsoft System Center Configuration Manager.
Additionally, the percent of respondents who use self-scanning tools to assess web applications and other specific or complex technologies has increased from 20 percent to 31 percent, while self-scanning for vulnerabilities using cybersecurity tools like Tenable’s Nessus has risen from 18 percent to 28 percent.
Government agencies are among those organizations actively scanning and assessing cybersecurity vulnerabilities and risks, which is not surprising, says Doug Robinson, executive director of the National Association of State Chief Information Officers.
“Vulnerability scanning is one of the foundational building blocks, and a general vulnerability assessment approach should be part of the overall cybersecurity program,” Robinson says.
Vulnerability Scanning Extends Limited Budgets and Staff
A main reason for the increased use of these tools can be found in the volume of threats governments and agencies have to deal with. According to Jill Shapiro, senior director of government affairs at Tenable, 16,500 new vulnerabilities were exposed in 2018 — only a small fraction of which had a public exploit available, with even fewer actually leveraged “in the wild.”
“This creates a major vulnerability overload problem for state and local governments where security teams must guess which flaws should be fixed first,” she says. “To compound the problem, many organizations are grappling with a shortage of resources, budget and cybersecurity talent.”
Before any vulnerability scanning can occur, agencies must identify all the assets that are connected to a network. After all, agencies cannot protect things they do not know about, Robinson says. Obtaining this visibility into enterprise assets may be easier said than done for many state and local government agencies.
“Having knowledge of what’s out there and what’s regularly being connected to your network is critical, and that’s a significant challenge for state and large local governments because of the range and the scope of all these assets that are included,” Robinson says. “From the state CIO perspective, getting that inventory done is critical. You have to have a methodology and the tools to do that. You can’t scan anything if you don’t know what assets you’re scanning, starting with the network and moving down to all the endpoints.”
Of course, state and local governments must do more than conduct continuous real-time vulnerability tests to identify risk.
“Identifying the vulnerabilities in an environment is just one step. Security teams must also be armed with data, such as threat intelligence, to effectively prioritize which vulnerabilities should be remediated first based on the threat they pose to the organization,” Shapiro says. “This enables state and local governments to get ahead of vulnerabilities before they're compromised.”
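The two points above (scan only what is in the inventory, then rank findings by the threat they actually pose rather than by raw severity) can be made concrete in a few lines. The following is an added illustration, not code from the article or from any of the vendors or tools it mentions: the asset inventory, the findings, the CVE placeholders and the weighting rule are all constructed here. It first flags hosts the scanner saw that the inventory does not know about, then orders the remaining findings so that flaws with an observed in-the-wild exploit come first, flaws with a public exploit second, and everything else is sorted by exposure and CVSS score.

```python
"""Added example: inventory reconciliation plus threat-informed triage of scan findings.

All data below is constructed for illustration; CVE ids are placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str            # hostname reported by the scanner
    cve: str              # placeholder identifier, not a real CVE
    cvss: float           # base severity score from the scanner
    exploit_public: bool  # a working exploit is publicly available (threat intel)
    exploited_wild: bool  # exploitation has been observed in attacks (threat intel)
    exposure: str         # "external" (internet-facing) or "internal"


# Constructed asset inventory: the hosts the agency believes it owns.
INVENTORY = {"web-01", "web-02", "db-01", "file-01"}

# Constructed scan output. Note that "printer-07" is absent from the inventory.
FINDINGS = [
    Finding("web-01", "CVE-XXXX-0001", 9.8, False, False, "external"),
    Finding("db-01", "CVE-XXXX-0002", 7.5, True, True, "internal"),
    Finding("web-02", "CVE-XXXX-0003", 8.1, True, False, "external"),
    Finding("printer-07", "CVE-XXXX-0004", 5.3, False, False, "internal"),
    Finding("file-01", "CVE-XXXX-0005", 9.1, False, False, "internal"),
]


def unknown_assets(findings, inventory):
    """Return hosts the scanner reported that are missing from the inventory.

    These are visibility gaps: the agency cannot manage (or defend) a host it
    does not know it has, so they are surfaced before any prioritisation.
    """
    return {f.asset for f in findings} - set(inventory)


def threat_tier(f):
    """Lower tier means fix sooner. Threat intelligence outranks raw CVSS."""
    if f.exploited_wild:
        return 0
    if f.exploit_public:
        return 1
    return 2


def sort_key(f):
    # Tier first, then internet-facing before internal, then highest CVSS first.
    return (threat_tier(f), 0 if f.exposure == "external" else 1, -f.cvss)


def triage(findings):
    """Return findings ordered from most to least urgent."""
    return sorted(findings, key=sort_key)


if __name__ == "__main__":
    gaps = unknown_assets(FINDINGS, INVENTORY)
    print("hosts seen by scanner but missing from inventory:", sorted(gaps))
    for f in triage(FINDINGS):
        print(f"tier {threat_tier(f)}  {f.asset:<10} {f.cve}  cvss={f.cvss}  {f.exposure}")
```

With the constructed data the highest-CVSS item (9.8 on web-01) is not first; the 7.5 flaw on db-01 is, because it is the only one being exploited in the wild. That is the point of the quote above: the scanner supplies the list, threat intelligence supplies the order.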
Vulnerability Scanning Must Be Part of a Bigger Plan
Rita Reynolds, CTO for the National Association of Counties, classifies vulnerability scanning into two categories: external (those applications like websites that are exposed to public view and access) and internal (applications and systems accessible only from the city, county or state’s network). For external vulnerability scans, she says, there are a number of free services available to state and local governments.
“First, every state and county should be a member of the Multi-State Information Sharing and Analysis Center. They provide regular, sometimes daily, alerts on new vulnerabilities to various applications, such as Microsoft SharePoint, Adobe and Oracle. These alerts provide a proactive way for agencies to review their external and internal systems and applications to ensure that they are current with patching,” Reynolds says.
“In terms of external, a county can sign up for the external scans that the Department of Homeland Security provides. These can be done as often as weekly, and identify for a state or county if any of their externally facing applications are susceptible to any known vulnerabilities,” she says.
While self-scanning tools are helpful for identifying vulnerabilities, they should be augmented with other tools and actions, such as penetration testing.
“It is important to understand the difference in vulnerability scans and a penetration test. I really like this simple explanation: At the most basic level, vulnerability scanning aims to identify any systems that are subject to known vulnerabilities, while a penetration test aims to identify weaknesses in specific system configurations and organizational processes and practices that can be exploited to compromise security,” Reynolds says.