Vulnerability Assessments

Do You Know Your Business's Weaknesses?

See how a vulnerability assessment could help your business.

Vulnerability Assessments

Vulnerability assessments are often confused with penetration testing, but it’s important for businesses to do both. Vulnerability assessments help a business identify threats in its computing infrastructure and establish processes for reducing or eliminating any weaknesses discovered.

Performing vulnerability assessments is a proactive step to securing systems before there is an incident. A more secure system allows a business to save money and run more efficiently. In a world where more businesses are online than ever before, it’s not a matter of if a business might be targeted by hackers, but when. Taking a proactive approach helps thwart the inevitable attempts.


Elements of an Assessment

Some vulnerability assessments are simple scans that check for poor passwords, outdated apps, misconfigurations and other common vulnerabilities. These are more automated and catch numerous potential issues.

However, more in-depth vulnerability assessments look at all elements of your IT infrastructure to determine risks and which risks could bring your business to a grinding halt. These assessments include:

  • Look at all business processes and which are most critical to the business
  • Look for vulnerabilities in every app required by those processes
  • Check every possible data source, including mobile devices and cloud services (mainly check for encryption and correct security settings)
  • Look at all hardware throughout a business’s IT infrastructure, such as servers (including virtual)
  • Identify all security controls and processes currently in place and check for vulnerabilities


Reducing Risk

It’s only by doing vulnerability assessments that businesses are able to consistently reduce their security risks. With many layers in a business’s IT infrastructure, it’s vital to uncover weaknesses at each level and work to reduce or eliminate the risk. From simple app updates to re-configuring security protocols in a virtual server, businesses have numerous ways to reduce their risks.

Does your business perform vulnerability assessments? If not, contact ISOutsource today and we’ll be happy to help you uncover any vulnerabilities and suggest ways to reduce your risks.

Vulnerability Scan FAQs

What is the impact of the scan?

The impact is almost always negligible. We do not run scans that are known to be intrusive unless specifically requested to do so. The only time we have seen a scan impact a system was due to grossly out of date software (WordPress). These same scans are being conducted regularly by researchers and attackers in the wild during all hours of the day. If those scans are not impacting your systems, it’s highly likely ours won’t either.

What does the scan tell me?

The scan takes a black box (zero knowledge) approach. It attempts to fingerprint the system and determine what vulnerabilities exist in the endpoint being scanned. An experienced security professional reviews the results, often augmenting the scan with additional reconnaissance to provide a risk rating, likelihood, and recommendation for remediation.

How often should I run a scan?

Much of this comes down to your network architecture and the information systems you are trying to protect. Many regulations also have requirements for how often and what kind of scans are conducted.

Will this scan help with my PCI (or other regulation) compliance?

Yes. Due to the low cost of our scanning solution, organizations requiring scans for compliance often use our toolset to identify vulnerabilities and assess their remediation efforts. Because most scanning tools charge on a per-address, per-scan model, the costs can add up rather quickly. Once our scanner shows a clean bill of health, an organization can run their final scans with an approved scanner and avoid the repeated costs.

I have an IPS/IDS that will block your scans. How can I make sure those systems are secure?

In this case, we recommend scanning the endpoint with the IPS/IDS enabled. This will provide a glimpse into the effectiveness of your defenses. We then request the scanner’s addresses be whitelisted to get an accurate picture of what vulnerabilities exist.

What addresses should I whitelist?

DNS Name: scanner.isoutsource.com
IPv6: 2600:3c01::f03c:91ff:febb:8850
IPv4: 45.79.100.200
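The two-pass approach in the IPS/IDS answer above (first scan with the IPS enabled, then whitelist the scanner) is easier to judge with a small check. The following is an added example, not part of the original page or ISOutsource’s tooling: it counts dropped connections from the published scanner addresses in netfilter-style log lines (the sample lines are constructed; the `IPS-DROP` log prefix, host names and destination addresses are assumptions) and emits the nftables allow rules for the second pass.

```python
import ipaddress
import re
from collections import Counter

# Scanner addresses as published in the FAQ above.
SCANNER_ADDRS = {"45.79.100.200", "2600:3c01::f03c:91ff:febb:8850"}

# Constructed sample lines in netfilter/iptables syslog format (not real logs).
# "IPS-DROP" is an assumed log prefix; destinations use documentation ranges.
SAMPLE_LOG = """\
Mar  3 02:14:07 edge kernel: IPS-DROP IN=eth0 OUT= SRC=45.79.100.200 DST=203.0.113.10 PROTO=TCP SPT=51022 DPT=22
Mar  3 02:14:09 edge kernel: IPS-DROP IN=eth0 OUT= SRC=45.79.100.200 DST=203.0.113.10 PROTO=TCP SPT=51030 DPT=443
Mar  3 02:14:11 edge kernel: IPS-DROP IN=eth0 OUT= SRC=2600:3c01::f03c:91ff:febb:8850 DST=2001:db8::10 PROTO=TCP SPT=40100 DPT=443
Mar  3 02:15:40 edge kernel: IPS-DROP IN=eth0 OUT= SRC=198.51.100.77 DST=203.0.113.10 PROTO=TCP SPT=6000 DPT=3389
"""

LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=\S+ PROTO=\S+ SPT=\d+ DPT=(?P<dport>\d+)")


def drops_by_source(log_text):
    """Count dropped connections per (normalized) source address; unparsable lines are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and "IPS-DROP" in line:
            counts[str(ipaddress.ip_address(m["src"]))] += 1
    return counts


def scanner_block_report(log_text):
    """Split drops into scanner-originated vs. everything else. A non-zero scanner
    count on the first (IPS-enabled) pass confirms the IPS actually saw the scan."""
    counts = drops_by_source(log_text)
    scanner = {str(ipaddress.ip_address(a)) for a in SCANNER_ADDRS}
    scanner_drops = sum(n for src, n in counts.items() if src in scanner)
    other_drops = sum(n for src, n in counts.items() if src not in scanner)
    return {"scanner_drops": scanner_drops, "other_drops": other_drops}


def nft_allow_rules(table="inet filter", chain="input"):
    """Emit nftables rules that allow only the published scanner addresses for the
    second pass; the comment makes the rules easy to find and remove afterwards."""
    rules = []
    for addr in sorted(SCANNER_ADDRS, key=lambda a: (ipaddress.ip_address(a).version, a)):
        fam = "ip6" if ipaddress.ip_address(addr).version == 6 else "ip"
        rules.append(f'nft insert rule {table} {chain} {fam} saddr {addr} counter accept comment "vuln-scanner"')
    return rules
```

Remove the `vuln-scanner` rules once the second pass is finished so the allowance does not outlive the scan window.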
Can you scan systems on AWS, Azure, GoDaddy, Bluehost, WP Engine, etc.?

Scanning systems other than your own often requires advance notification and scheduling with the provider. These providers typically host multiple customers in shared environments, meaning your scan could impact their other customers.

AWS Permission Request Form: https://aws.amazon.com/security/penetration-testing/