First, I want to thank my readers for a lot of insightful comments to my previous post: “On Vulnerability Prioritization and Scoring.” It helped me refine some of the key ideas for my current research project.
Here is my second post in the series, covering another current and interesting area in vulnerability management: scanning “new” environments such as virtualization platforms (not just guest systems – where is the fun in that?), IaaS assets and other public cloud assets, mobile devices and other mobile computing assets, etc. On top of this, I want to take a peek at what was the previous emerging area in vulnerability assessment: scanning databases and enterprise applications. By the way, when I talk about scanning here, I mean both vulnerability assessment (VA) scans and security configuration assessment (SCA) scans, which some tools perform via one authenticated scan while others require separate scans (or even separate tools).
Looking at some of our research data related to vulnerability management, I couldn’t help but notice that many people still aim their scanners mostly at servers and, occasionally, at desktops. Admittedly, “scan all IP addresses” is also a common strategy (and definitely the one you want to use for asset discovery scans). Thus, for many companies scanning “anything non-PC/non-server/non-platform” still constitutes scanning a “new” scan target type: think wireless devices, printers, even network infrastructure devices (e.g. see “Looking for Vulnerabilities in Overlooked Places: Securing Devices, Networked or Not”) and even industrial control devices.
In any case, scanning VIRTUAL, CLOUD and MOBILE assets brings a few new challenges. Virtual assets are fluid, virtualization platforms have configuration settings that are dissimilar to OS settings, public cloud environments might ban aggressive network scanning, and mobile scanning is a tricky technical problem in general. I also suspect that many challenges with large-scale scanning across those new environments are still mostly unknown (think “unknown unknowns”) to all but the most advanced enterprises. My current research seeks to unearth some of the challenges in this area and recommend solutions as well.
So, here is my call to action!
To vendors: please point me to (or send me) your resources where you describe your approaches to scanning such new environments for both vulnerabilities and configuration weaknesses (if you are a vendor that already received an email from me on this subject, please act on it).
To tool users: please let me know (through whatever means) what environments you are scanning for vulnerabilities and configuration weaknesses, and what your experiences have been with scanning such environments using your current tools.
Hopefully the questions below will help focus your thinking:
- What types of IT assets do you scan for vulnerabilities?
- What types of IT assets do you scan for configuration weaknesses?
Specifically, how about …
- Network devices?
- Wireless devices?
- Printers and other non-PC/non-server network devices?
- Industrial control devices?
- Enterprise applications, middleware, etc.?
- Mobile computing platforms, mobile applications, and devices?
- Web applications?
- How do you scan virtual systems for vulnerabilities and configuration weaknesses?
- How do you do security configuration assessment for hypervisors? How deep do you look into the hypervisor?
- Do you scan any public cloud environments?
- How do you scan public IaaS environments where external (or all) vulnerability scanning may be forbidden?