When it comes to security, threats can come from anywhere. That is why we recommend using both external and internal vulnerability scans to understand the breadth of vulnerabilities inside and outside your organization. "External" refers to your internet-accessible assets (firewall, public-facing web page, etc.), and "internal" covers every asset within your organization’s traditional boundary: computers, servers, Voice-over-IP phones, scanners, printers, etc.
External vulnerability scans are implemented almost universally by merchants and service providers, and it is easy to believe that these scans alone will satisfy your general security requirements. It should not be assumed, however, that a single scan is enough to satisfy them. To understand why an external scan is not a cure-all, you first need to understand what internal and external scans each deliver and why each matters.
The external vulnerability scan is often easier to implement because the number of external-facing assets is usually far smaller than the number of internal assets.
External Vulnerability Scans will identify:
- The greatest immediate threats to your organization
- Software and Firmware updates that are needed for upkeep
- Open Ports and Protocols – entry points into your network
The internal vulnerability scan is more complex, simply because there are far more internal assets than external ones, and the risk associated with each finding depends much more on context.
Internal scans identify the same vulnerabilities as external scans, but they can also be enhanced with credentials so the scanner logs in to each device and runs compliance checks or looks for vulnerable installed software. This matters for assets such as workstations, which may expose no open ports but still run vulnerable software that an attacker can leverage to gain remote code execution and/or remote access.
All of this makes it evident that a comprehensive security program needs a strong vulnerability management program, built on a cohesive scanning program that identifies well-known vulnerabilities. That is what empowers the organization to make informed risk management decisions.
The important thing to note is that a scan by itself is only a starting point. You also need a proper operational team that contextualizes findings to your organization and helps you understand what you are seeing. For example, a medium-level finding for an untrusted certificate may be a big deal on your public-facing website but a much smaller risk on an internal switch. In that case, management can direct resources to the public-facing risk while formally accepting the internal finding.
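To make the contextualization step concrete, here is an added example (not code from the original post or from Intrinium) of a small triage pass an operational team might run over raw scanner output. It takes constructed sample findings, weights each scanner severity by whether the asset is internet-facing or internal, keeps credentialed "vulnerable software" findings on internal workstations from being discounted too far, and splits the result into a remediate list and a risk-acceptance candidate list. The severity scale, exposure weights and acceptance threshold are assumed policy values, not figures from the post.

```python
"""Contextual triage of vulnerability scan findings.

Added example, not code from the original post: a small prioritization pass
that takes raw scanner findings (constructed sample data below) and adjusts
each one by the asset's exposure before it reaches management.
"""
from dataclasses import dataclass

# Scanner severity -> numeric base score (assumed 1-4 scale).
SEVERITY_SCORE = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Exposure weight (assumed policy): internet-facing assets keep the full
# score; internal assets are discounted because an attacker must already be
# inside the network boundary to reach them.
EXPOSURE_WEIGHT = {"external": 1.0, "internal": 0.5}

# Findings scoring at or below this (assumed threshold) are candidates for
# documented risk acceptance instead of immediate remediation.
ACCEPT_THRESHOLD = 1.0


@dataclass
class Finding:
    asset: str
    exposure: str        # "external" (internet-facing) or "internal"
    title: str
    severity: str        # the scanner's own rating
    credentialed: bool   # True if only a logged-in (authenticated) scan saw it


def contextual_score(f: Finding) -> float:
    """Adjust the scanner's severity by where the asset sits."""
    score = SEVERITY_SCORE[f.severity] * EXPOSURE_WEIGHT[f.exposure]
    # Vulnerable software found by a credentialed scan on an internal host
    # (no open port, but reachable through a user opening a file or link)
    # should not be discounted below "medium" just because it is internal.
    if f.credentialed and SEVERITY_SCORE[f.severity] >= SEVERITY_SCORE["high"]:
        score = max(score, float(SEVERITY_SCORE["medium"]))
    return score


def triage(findings):
    """Split findings into remediate / accept lists, highest score first."""
    ranked = sorted(findings, key=contextual_score, reverse=True)
    remediate = [f for f in ranked if contextual_score(f) > ACCEPT_THRESHOLD]
    accept = [f for f in ranked if contextual_score(f) <= ACCEPT_THRESHOLD]
    return {"remediate": remediate, "accept": accept}


# Constructed sample findings (not real scan output).
SAMPLE_FINDINGS = [
    Finding("fw-edge", "external", "Management interface reachable from the internet", "critical", False),
    Finding("www", "external", "Untrusted TLS certificate", "medium", False),
    Finding("core-switch", "internal", "Untrusted TLS certificate", "medium", False),
    Finding("ws-042", "internal", "Outdated PDF reader (known RCE)", "high", True),
    Finding("printer-2f", "internal", "Default SNMP community string", "low", False),
]

if __name__ == "__main__":
    result = triage(SAMPLE_FINDINGS)
    for bucket, items in result.items():
        print(f"== {bucket.upper()} ==")
        for f in items:
            print(f"{contextual_score(f):.1f}  {f.asset:12} {f.exposure:9} {f.title}")
```

Running it reproduces the certificate case from the paragraph above: the same medium finding scores 2.0 on the public web server and 1.0 on the core switch, so only the first lands in the remediate list. The credentialed workstation finding stays in the remediate list despite being internal, which is the point of running authenticated scans on assets with no open ports.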
If you aren’t sure where to start, Intrinium is here to help!