What is a Vulnerability Scan?

What is a vulnerability scan? How does it differ from a penetration test? What are the benefits of a vulnerability scan? How often should you conduct one? This article answers all of these questions.

What is a vulnerability scan?

A vulnerability scan is essentially an automated process to identify potential security risks associated with your external perimeter or internal network. The market offers various vulnerability scanners, both free and paid. However, the key is to either know how to use the vulnerability scanner properly or to ensure your security vendor uses a trusted scanning solution.

At Lucid Security, we provide a vulnerability assessment as a service. The aim of a vulnerability assessment is to pinpoint potential security risks: vulnerable or outdated software versions, risky ports and services exposed to the Internet, sensitive files, and similar issues. A reputable security vendor always provides a custom report with the vulnerability scan. Too often, vendors simply hand over the standard HTML, PDF, or CSV output of the scanner. This is not ideal, because scanner output should always be verified manually: a result can be a false positive, a merely informational finding with no real security impact, or a genuine finding whose criticality the scanner has rated incorrectly. For this reason, Lucid Security always reviews the results of a vulnerability scan and ensures the report clearly articulates each vulnerability and its remediation, and excludes any false positives.

Lastly, a vulnerability assessment stops at the identification of a vulnerability, whereas a penetration test continues on to its actual exploitation.

Why should you have a vulnerability scan?

The reasons for conducting a vulnerability assessment can vary among organizations. A significant driver for many companies is compliance or customer requirements. It is common for organizations to undergo vulnerability assessments for compliance purposes or because they are doing business with a customer who demands a vulnerability scan and its results. Another reason is simply best practice to identify any potential issues on their external perimeter or internal network. Both are valid reasons.

How often should you conduct a vulnerability scan?

Lucid Security generally recommends conducting quarterly vulnerability scans at a minimum. With the ever-changing security landscape, new vulnerabilities are disclosed constantly by security researchers and attackers alike. Software you installed on a web server and patched this month may have a newly disclosed vulnerability the following month. A recurring vulnerability scan helps you catch such issues before they escalate. Monthly or bi-annual scans are also common.

Conclusion

Lucid Security advises companies to perform quarterly vulnerability assessments, especially those with a larger than average attack surface. A reputable security vendor should provide verified results, not raw scanner output. Lucid Security always delivers custom reports that highlight the most relevant information on how to remediate and fix the issues.

How Lucid Security Can Help

Lucid Security employs expert security engineers with decades of combined experience in system administration, network administration, and security engineering. Our team delivers quality reports to ensure your organization remains secure. Contact us today to learn more about our vulnerability scan services.

Risks of a Large Attack Surface

A common theme among clients when conducting penetration tests is a large attack surface. Generally, the biggest risk lies with externally exposed assets, although the same problems appear in internal penetration tests and web application penetration tests. This blog post will briefly examine the biggest risks associated with a large attack surface.

Unknown Assets

It is not uncommon for companies to have unknown assets exposed on their networks. Historically, Lucid Security has encountered clients who have acquired other companies and, in doing so, assumed control of the assets the acquired company owned. This can leave clients with exposed assets they are unaware of or have never inventoried. If so, these assets may go unpatched and unmaintained, leading to further security vulnerabilities.

Test Content

It is important for organizations to continue to grow and evolve. Because of that, IT administrators may test out new software and services. While this is a good practice, such test content may end up exposed to the Internet. Software stood up for a trial is often exposed before the usual hardening procedures (patching, authentication, removal of default credentials) have been applied.

Excessive Logging Solutions Exposed

Oftentimes, for development reasons, logging and debugging tooling is included in dev and staging environments. However, organizations may forget to remove it from production applications or the external perimeter. This can lead to information disclosure, such as database details or internal server architecture.

Conclusion

Between an ever-changing security climate and regular development procedures, it is possible for organizations to expose more information and assets than necessary. For this reason, Lucid Security recommends conducting annual penetration testing and, at a minimum, quarterly external vulnerability assessments to stay on top of issues.

How Lucid Security Can Help

Lucid Security often conducts penetration testing and vulnerability assessments. Our services are catered to assist in identifying issues and help provide expert remediation advice. Contact us today to get started!

The Difference Between a Vulnerability Scan and a Penetration Test

What is the difference between a vulnerability scan and a penetration test?


A common question many clients ask is: what is the difference between a vulnerability scan and a penetration test? This blog post addresses the similarities and differences of each activity.

What is a Vulnerability Scan?

A vulnerability scan is a thorough scan and assessment of a network or application. For the purposes of this article, we will assume the context of a client having an assessment of their external perimeter. That is, any assets that are exposed to the Internet that anyone in the world can access.

A vulnerability scan of a client’s external perimeter will generally include all of the IP addresses or FQDNs (Fully Qualified Domain Names) belonging to that client’s organization. This may include all sorts of assets such as the main marketing website, a VPN portal, a web application, and other services. Lucid Security generally recommends including all assets in a vulnerability scan, especially critical systems. Once the hosts have been provided, the vulnerability scan is run. A popular vulnerability scanner is Tenable’s Nessus. The scan runtime will vary based on the number of hosts included by the client and the complexity of the services running on them.

From here, the vulnerability scanner generates a list of all potential vulnerabilities and security risks. This is where Lucid Security’s expertise comes into play: our experienced Security Engineers parse through the results to determine the following:

  • Is this a false positive?
  • Is this truly a security risk?
  • What is the true criticality of this vulnerability?

These are just a few questions Lucid Security considers when reviewing the results. At this point, Lucid Security will now compile a list of all of the vulnerabilities and their associated affected assets, and create a custom-tailored report for the client. This report will include the following:

  • Complete list of all vulnerabilities.
  • Associated criticality of each finding.
  • A detailed remediation description to assist in fixing the issue.
  • Supplemental information which is not provided by vulnerability scanners.

The report is then sent to the client securely.
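As an added illustration of the triage step described above (this is example code written for this article, not Lucid Security’s tooling), the following Python script parses a Nessus v2 export (the `.nessus` XML format), drops informational items and any plugin IDs the reviewer has confirmed as false positives, and groups the remaining findings by plugin with the affected host:port pairs, which is the shape a report table needs. The embedded export is constructed sample data, and the plugin IDs and hosts in it are made up.

```python
"""Triage a Nessus (.nessus v2 XML) export into report rows.

Added example for this article; the sample export below is constructed
and its plugin IDs, hosts and versions are fictitious.
"""
import xml.etree.ElementTree as ET

# Nessus severity codes as they appear in the ReportItem "severity" attribute.
SEVERITY = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
<Report name="External Perimeter">
 <ReportHost name="203.0.113.10">
  <HostProperties><tag name="host-fqdn">www.example.com</tag></HostProperties>
  <ReportItem port="443" svc_name="www" protocol="tcp" severity="3"
              pluginID="100001" pluginName="Web Server Outdated Version">
   <risk_factor>High</risk_factor>
   <plugin_output>Installed version : 1.18.0
Fixed version     : 1.25.0</plugin_output>
   <solution>Upgrade to the latest supported release.</solution>
  </ReportItem>
  <ReportItem port="443" svc_name="www" protocol="tcp" severity="0"
              pluginID="100002" pluginName="HTTP Server Type and Version">
   <risk_factor>None</risk_factor>
   <plugin_output>The remote web server type is nginx</plugin_output>
  </ReportItem>
 </ReportHost>
 <ReportHost name="203.0.113.20">
  <HostProperties><tag name="host-fqdn">vpn.example.com</tag></HostProperties>
  <ReportItem port="443" svc_name="www" protocol="tcp" severity="3"
              pluginID="100001" pluginName="Web Server Outdated Version">
   <risk_factor>High</risk_factor>
   <plugin_output>Installed version : 1.18.0
Fixed version     : 1.25.0</plugin_output>
   <solution>Upgrade to the latest supported release.</solution>
  </ReportItem>
  <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="2"
              pluginID="100003" pluginName="SSH Weak Algorithms Supported">
   <risk_factor>Medium</risk_factor>
   <plugin_output>The following weak algorithms are supported: arcfour</plugin_output>
   <solution>Disable the weak algorithms.</solution>
  </ReportItem>
 </ReportHost>
</Report>
</NessusClientData_v2>
"""


def parse_nessus(xml_text):
    """Flatten a .nessus v2 export into one dict per (host, ReportItem)."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        fqdn = host.findtext("HostProperties/tag[@name='host-fqdn']", default="")
        for item in host.iter("ReportItem"):
            findings.append({
                "host": host.get("name"),
                "fqdn": fqdn,
                "port": int(item.get("port")),
                "protocol": item.get("protocol"),
                "severity": int(item.get("severity")),
                "plugin_id": item.get("pluginID"),
                "name": item.get("pluginName"),
                "output": (item.findtext("plugin_output") or "").strip(),
                "solution": (item.findtext("solution") or "").strip(),
            })
    return findings


def triage(findings, min_severity=1, false_positives=frozenset()):
    """Group findings by plugin for the report.

    Informational items (severity below min_severity) and plugin IDs the
    reviewer has manually verified as false positives are dropped; every
    remaining plugin is listed once with all affected host:port/proto pairs,
    ordered from most to least severe.
    """
    grouped = {}
    for f in findings:
        if f["severity"] < min_severity or f["plugin_id"] in false_positives:
            continue
        entry = grouped.setdefault(f["plugin_id"], {
            "name": f["name"], "severity": f["severity"],
            "solution": f["solution"], "affected": set()})
        label = f["fqdn"] or f["host"]
        entry["affected"].add(f"{label}:{f['port']}/{f['protocol']}")
    rows = [{"plugin_id": pid, "name": e["name"],
             "severity": SEVERITY[e["severity"]],
             "affected": sorted(e["affected"]),
             "solution": e["solution"]} for pid, e in grouped.items()]
    rows.sort(key=lambda r: (-grouped[r["plugin_id"]]["severity"], r["name"]))
    return rows


if __name__ == "__main__":
    for row in triage(parse_nessus(SAMPLE_NESSUS)):
        print(f"[{row['severity']}] {row['name']} ({row['plugin_id']})")
        for target in row["affected"]:
            print(f"    {target}")
        print(f"    Fix: {row['solution']}")
```

The `false_positives` set is the reviewer’s decision, not the scanner’s: a plugin ID goes in only after an engineer has confirmed, for example, that a flagged version string belongs to a package that already carries the fix.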


What is a Penetration Test?

A penetration test has elements of a standard vulnerability scan but takes it a step further. Again, we will assume the scenario is an external penetration test of an organization’s perimeter. A penetration test is a comprehensive assessment of an organization’s assets, in this case again provided as IP addresses or FQDNs. The penetration test will have the following phases:

  1. Scope verification – All assets provided by the client are rigorously verified as belonging to the client. While the scope provided by the client is generally accurate, it is always possible for a typo to be made or for IP addresses to have changed since a previous year’s assessment. This ensures that testing is limited to the organization’s intended hosts.
  2. Open-Source Intelligence (OSINT) – In this phase, the security team scours the Internet for any potentially sensitive information which may aid in the assessment. This could be usernames, sensitive documents/files, etc.
  3. Enumeration of assets – Here the security team begins to actively examine what is running on the hosts. The team will be looking for any open ports or services that can potentially be attacked.
  4. Vulnerability Identification – One of the most important phases of an external penetration test is actually identifying the vulnerabilities which may exist. This is crucial for the remediation process for a client.
  5. Exploitation – At this phase, the security team will attempt to exploit potential vulnerabilities. This is beneficial to demonstrate impact, as well as potentially uncover additional sensitive information which may aid in follow-on attacks.
  6. Reporting – The reporting phase consists of gathering all of the identified vulnerabilities and information during the OSINT phase and ensuring that all the findings are accurate and have remediation steps to aid in fixing the issues. During the reporting phase, the reports are peer-reviewed by a Lucid Security engineer to ensure that all findings are addressed, and the remediation steps are accurate.
  7. Debrief – The debrief is generally a 30-minute to one-hour call in which the security team reviews the findings with the client. In this phase, the client can ask questions, address concerns, and get a detailed and comprehensive understanding of the findings.

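Of the phases above, scope verification is the one that can be shown offline. The following Python script, written as an added example for this article (it is not Lucid Security’s process or tooling), takes a client-supplied scope list and checks each entry against the IP ranges and apex domains the client has asserted it owns, separating in-scope entries from out-of-scope ones and from malformed entries such as typos. The scope list, ranges and domains are constructed sample input.

```python
"""Check a client-supplied scope list before testing starts.

Added example for this article. The scope entries, owned networks and
owned domains below are constructed sample input.
"""
import ipaddress
import re

# RFC 1123 hostname: labels of letters, digits and hyphens, no leading or
# trailing hyphen, total length at most 253 characters.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")

# Constructed sample input: the asserted ownership and the raw scope list.
OWNED_NETWORKS = ["203.0.113.0/24"]
OWNED_DOMAINS = ["example.com"]
SCOPE = [
    "# external perimeter, FY scope",
    "203.0.113.0/28",
    "203.0.113.10",
    "www.example.com",
    "vpn.example.com.",        # trailing dot is legal in a FQDN
    "203.0.113.300",           # typo: octet out of range
    "198.51.100.7",            # valid IP, but not in an owned range
    "portal.example.org",      # valid name, but not under an owned domain
    "bad_host!.example.com",   # not a valid hostname at all
]


def check_scope(entries, owned_networks, owned_domains):
    """Return (in_scope, out_of_scope, invalid) for a raw scope list.

    An entry is in scope if it is an IP or CIDR inside an owned network, or
    a syntactically valid hostname equal to or beneath an owned domain.
    Entries that look numeric but do not parse as an address, and strings
    that are not valid hostnames, are reported as invalid so the client can
    be asked to correct them rather than silently dropped.
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in owned_networks]
    domains = {d.lower().rstrip(".") for d in owned_domains}
    in_scope, out_of_scope, invalid = [], [], []
    for raw in entries:
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            net = None
        if net is not None:
            if any(net.version == o.version and net.subnet_of(o) for o in nets):
                in_scope.append(entry)
            else:
                out_of_scope.append(entry)
            continue
        if re.fullmatch(r"[0-9./:]+", entry):
            invalid.append(entry)        # numeric but not a parsable address
            continue
        name = entry.lower().rstrip(".")
        if not HOSTNAME_RE.match(name):
            invalid.append(entry)
        elif any(name == d or name.endswith("." + d) for d in domains):
            in_scope.append(entry)
        else:
            out_of_scope.append(entry)
    return in_scope, out_of_scope, invalid


if __name__ == "__main__":
    ok, outside, bad = check_scope(SCOPE, OWNED_NETWORKS, OWNED_DOMAINS)
    print("In scope:      ", ok)
    print("Out of scope:  ", outside)
    print("Invalid/typos: ", bad)
```

Anything in the out-of-scope or invalid lists goes back to the client before a single packet is sent; a valid address that the client does not own is exactly the case where an unverified typo would turn into testing someone else’s system.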
Conclusion

While a vulnerability scan and a penetration test both attempt to identify vulnerabilities for a client, the biggest takeaway is that a penetration test goes several steps further, through exploitation and demonstration of impact. Both are important, and Lucid Security recommends conducting both. Generally, a vulnerability scan should be conducted monthly or quarterly to catch new issues introduced by the ever-changing security landscape, while a penetration test is generally recommended annually or bi-annually.

How Lucid Security Can Help

Lucid Security has decades of hands-on security experience in vulnerability assessments and penetration testing. Our expert security engineers are ready to secure your networks and applications. Reach out today to get started!

What is Nessus?

Whether you aspire to become a security engineer or seek security services for your organization, you’ve undoubtedly heard of Nessus. But what is Nessus? This blog will highlight Nessus and its use by security vendors and internal security personnel within security operations centers (SOCs).

Overview

Tenable® created Nessus, a powerful vulnerability scanner. It enables internal security engineers and security vendors to identify vulnerabilities from both internal and external perspectives. Its high configurability allows for fine-tuning to suit your organization’s specific needs.

How Nessus Helps Security Engineers

Security vendors, contracted by organizations for their expertise and knowledge, need to utilize powerful vulnerability scanners, despite their cost. Nessus often stands as the “gold standard” in vulnerability scanners for several reasons:

  • It identifies unsupported or vulnerable software. Identifying unsupported software is crucial, as it indicates that the vendor will no longer release patches for existing or future vulnerabilities. Nessus excels at detecting version numbers that security engineers might overlook. However, skilled security engineers must verify Nessus results to avoid the false positives commonly flagged by vulnerability scanners; version-based checks in particular cannot see a distribution package that backports a fix without changing the upstream version string.
  • It streamlines assessments. Penetration tests and security assessments, being time-limited engagements, require efficiency. Quick identification of potential vulnerabilities allows security engineers to focus on easy targets.
  • It provides a holistic view of your environment. At Lucid Security, we aim for crystal clear results, highlighting all possible risks or security issues. Nessus offers a comprehensive overview of findings, from critical to informational, helping security engineers distinguish genuine concerns from false positives.
  • It manages the attack surface. Managing the attack surface is essential in security. Nessus offers an overview of systems, software, and services on an organization’s external perimeter or internal network, helping to identify what is exposed and where mitigation is necessary.

Downsides to Nessus

Despite its power and usefulness, Nessus has downsides:

  • Steep learning curve. Nessus can overwhelm and challenge the untrained user. Lucid Security recommends outsourcing vulnerability assessments to an expert security vendor for proper use and to avoid network disruptions.
  • False positives. Like any scanner, Nessus will report some findings that are not real issues, which necessitates thorough review and validation of every flagged finding.
  • Confusing reports. Nessus reports, available in formats like CSV, HTML, and PDF, can be lengthy and hard to navigate. Lucid Security addresses this by validating findings, customizing descriptions, recommendations, and providing resources to understand risks and remediation steps, and adjusting vulnerability scans to prevent disruptions.
  • System downtime or disruptions. As highlighted in a previous blog post, “What Can Go Wrong During a Penetration Test?”, Nessus can potentially cause disruptions by crashing systems. For that reason, it is important to know that going into a scan and to tune scans accordingly: keep the scanner’s safe checks setting enabled, and exclude or schedule separately any hosts the client has identified as fragile.

Summary

By now, you should understand what Nessus is and how it can benefit your organization. While Lucid Security recommends expert outsourcing for vulnerability scanning, a combination approach can also work, allowing your organization to compare and discuss results to optimize your security strategy.

How Lucid Security Can Help

Lucid Security routinely conducts vulnerability assessments and is happy to partner with you to identify gaps or security issues within your network or external perimeter. Reach out today to get started!


Tenable Copyright

COPYRIGHT 2023 TENABLE, INC. ALL RIGHTS RESERVED. TENABLE, NESSUS, LUMIN, ASSURE, AND
THE TENABLE LOGO ARE REGISTERED TRADEMARKS OF TENABLE, INC. OR ITS AFFILIATES. ALL
OTHER PRODUCTS OR SERVICES ARE TRADEMARKS OF THEIR RESPECTIVE OWNERS.

What Can Go Wrong During a Penetration Test?

Asking “What can go wrong during a penetration test?” before initiating an assessment is both wise and prudent. This blog post outlines the risks associated with penetration testing and strategies to mitigate these risks.

Downtime or Disruptions

One of the top concerns clients have about what can go wrong during a penetration test is downtime or disruptions, and the revenue loss that would follow. A competent security vendor will conduct tests carefully to avoid such outcomes and will avoid exploiting vulnerabilities that could trigger denial-of-service conditions. Lucid Security advises clients to highlight particularly sensitive systems during the pre-engagement kickoff call so they can be tested with extra care or excluded from disruptive checks.

Missing Findings

Missing findings represent another potential issue during penetration tests. A good security vendor aims to uncover every vulnerability. However, the pursuit of quick wins at the expense of thorough examination is a hallmark of inferior vendors. Lucid Security commits to comprehensive testing to identify all possible vulnerabilities, acknowledging the variability of results due to human factors. Annual penetration tests and rotating engineers ensure fresh perspectives and comprehensive coverage.

Generate Alerts

Penetration tests often generate numerous alerts, potentially overwhelming IT teams. This is generally a good sign: a test should be noticeable to IT and the security operations center (SOC), since that confirms detection is working. Security engineers use tools like Nessus, Nikto, and Burp Suite, all of which generate alerts. The testing vendor should provide a list of its source IP addresses so that the client can attribute the alerts and adjust alert handling for the duration of the test.

Account Lockouts

Account lockouts are a risk during penetration testing, especially during password attack simulations. Lucid Security employs methods to avoid account lockouts, but discussing unique account lockout policies with the engineers during the planning phase is crucial for making necessary adjustments.
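One common method of staying under a lockout policy, shown here as an added example for this article rather than as Lucid Security’s own procedure, is to plan password-spraying rounds against the client’s actual policy: with a lockout threshold of N bad attempts and a counter that resets M minutes after the last bad attempt, try at most N minus a safety margin passwords per account, then wait out the reset window before the next batch. The Python below builds such a schedule and includes a conservative checker that computes the worst-case bad-password counter any account would reach; the policy values, password list and start time are constructed sample input.

```python
"""Plan password-spray rounds that stay below an account lockout threshold.

Added example for this article. The lockout policy, candidate passwords and
start time below are constructed sample input. The script only produces a
schedule; it performs no authentication attempts.
"""
from datetime import datetime, timedelta


def spray_schedule(passwords, lockout_threshold, reset_minutes,
                   round_minutes, start, safety_margin=1):
    """Return [(start_time, password), ...], one round per password.

    Each round tries a single password against every account, so every
    account receives one bad attempt per round. Batches contain
    lockout_threshold - safety_margin rounds; the next batch starts only
    after the previous batch's last round has finished and the client's
    reset window has fully elapsed.
    """
    per_batch = lockout_threshold - safety_margin
    if per_batch < 1:
        raise ValueError("policy leaves no safe attempts per window")
    reset = timedelta(minutes=reset_minutes)
    step = timedelta(minutes=round_minutes)
    plan = []
    t = start
    for i, password in enumerate(passwords):
        if i and i % per_batch == 0:
            t += reset          # wait for the bad-password counter to reset
        plan.append((t, password))
        t += step               # estimated time to finish one round
    return plan


def worst_case_counter(plan, reset_minutes):
    """Highest bad-password count any account reaches under the plan.

    Conservative model of the policy: the counter keeps growing while the
    gap between consecutive attempts is at most reset_minutes, and drops
    back to zero once a gap exceeds it.
    """
    reset = timedelta(minutes=reset_minutes)
    worst = run = 0
    prev = None
    for when, _ in plan:
        run = run + 1 if prev is not None and when - prev <= reset else 1
        worst = max(worst, run)
        prev = when
    return worst


# Constructed sample policy: lock after 5 failures, counter resets 30 min
# after the last failure; one round across all accounts takes ~2 minutes.
POLICY = {"lockout_threshold": 5, "reset_minutes": 30, "round_minutes": 2}
PASSWORDS = ["Winter2024!", "Spring2024!", "Summer2024!", "Autumn2024!", "Password1"]
START = datetime(2024, 1, 15, 9, 0)

if __name__ == "__main__":
    plan = spray_schedule(PASSWORDS, start=START, safety_margin=2, **POLICY)
    for when, password in plan:
        print(when.strftime("%H:%M"), password)
    print("worst-case counter:", worst_case_counter(plan, POLICY["reset_minutes"]),
          "/ threshold", POLICY["lockout_threshold"])
```

The margin matters because the engineer’s counter is not the only one: a user mistyping their own password during the test window also increments it, which is why the policy values should come from the client in the planning phase rather than be guessed.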

Summary

Several factors can complicate a penetration test. Effective communication between the security vendor and the client organization beforehand can address concerns and preempt potential issues. Lucid Security prioritizes preventing problems during penetration tests by gathering extensive pre-test information.

How Lucid Security Can Help

Lucid Security is ready to assist with your next penetration test, addressing any concerns to ensure a smooth process. Contact us today for collaboration.