June 7, 2018
Interpreting Vulnerability Scan Results – WST
Just about every Information Security Officer (ISO) or administrator has had the (generally) unpleasant experience of getting an Internal Vulnerability Scan performed and then being handed a large report full of things to fix. The process can be daunting, particularly for smaller environments with limited in-house IT resources. There can be hundreds of pages of results. Where do you even start?
Getting relevant, actionable results out of an Internal Vulnerability Scan starts with selecting the right product or vendor. The resulting reports should be detailed, but they should also contain usable summary information: the types of issues found, the most vulnerable systems, the findings that recur across the most hosts, and so on. This makes a world of difference. If you must pick through thousands of individual issues just to get an idea of where to begin, you are already off to a bad start.
Addressing each missing patch and issue individually is daunting and inefficient. Look for "low hanging fruit" first. Do the imaging systems show up at the top of the list with 10x more missing patches than the rest of the systems? If so, start with those. Or are you looking at a pile of Java vulnerabilities when your applications no longer need Java? Remove Java from your environment and be done with it. Removing an application you no longer need, or updating one you do to the latest version, often clears dozens of findings in a single step, so group the report by product before you start working it line by line.
With whatever is left, prioritize. In most cases, worry about Critical and High-Risk vulnerabilities first. Lower-risk issues can still matter, but the higher-risk ones should be addressed as soon as practical; get to the rest when time and resources allow. Also prioritize by type of system. For example, printers and copiers generally pose less risk than workstations and servers and can be much harder to remediate (firmware updates, vendor dependencies), so don't spend a lot of time on them while more important systems remain vulnerable. Defer them, but don't drop them from the list: a device with default credentials on the network is still a finding to close.
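The triage described above, as an added example that is not part of the original post or of any scanner vendor's tooling: a small Python script that takes a scan export, ranks hosts by finding count, lists products whose single update or removal would clear findings on several hosts (the "low hanging fruit"), and then orders what remains by severity and by asset class so that servers come before workstations and printers come last within a given severity. The CSV layout (host, asset_type, severity, product, finding) and the sample rows are constructed for the example; map your own scanner's export columns to these fields.

```python
"""Triage a vulnerability-scan CSV export: per-host totals, quick wins, work queue."""
import csv
import io
from collections import Counter, defaultdict

# Constructed sample scan export, not output from any real scanner or network.
# The column layout (host, asset_type, severity, product, finding) is assumed
# for this example; map your scanner's export to these fields.
SAMPLE_CSV = """host,asset_type,severity,product,finding
img-01,workstation,Critical,Java,Java runtime out of date
img-01,workstation,High,Java,Java unsupported version
img-01,workstation,High,Windows,Missing monthly security rollup
img-01,workstation,Medium,Windows,SMBv1 enabled
img-02,workstation,Critical,Java,Java runtime out of date
img-02,workstation,High,Windows,Missing monthly security rollup
img-02,workstation,Medium,Windows,SMBv1 enabled
file-srv,server,Critical,Windows,Missing monthly security rollup
file-srv,server,Low,Windows,Weak RDP encryption level
copier-3f,printer,High,Firmware,Default SNMP community string
copier-3f,printer,Medium,Firmware,Web interface uses HTTP
ws-101,workstation,High,Windows,Missing monthly security rollup
"""

# Lower number = handle sooner. Values not in the table sort last.
SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}
ASSET_RANK = {"server": 0, "workstation": 1, "printer": 2}


def load_findings(csv_text):
    """Parse the export into a list of dicts, one per finding."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def findings_per_host(findings):
    """Hosts ordered by finding count, most vulnerable host first."""
    return Counter(f["host"] for f in findings).most_common()


def quick_wins(findings, min_hosts=2):
    """Products whose single update or removal clears findings on several hosts.

    Returns (product, finding_count, host_count) tuples, most findings first.
    """
    hosts = defaultdict(set)
    counts = Counter()
    for f in findings:
        counts[f["product"]] += 1
        hosts[f["product"]].add(f["host"])
    wins = [(p, counts[p], len(hosts[p])) for p in counts if len(hosts[p]) >= min_hosts]
    return sorted(wins, key=lambda w: (-w[1], -w[2], w[0]))


def prioritize(findings):
    """Order findings by severity first, then by how much the asset class matters.

    sorted() is stable, so findings that tie keep their order from the export.
    """
    return sorted(
        findings,
        key=lambda f: (
            SEVERITY_RANK.get(f["severity"], len(SEVERITY_RANK)),
            ASSET_RANK.get(f["asset_type"], len(ASSET_RANK)),
        ),
    )


if __name__ == "__main__":
    findings = load_findings(SAMPLE_CSV)
    print("Findings per host:")
    for host, n in findings_per_host(findings):
        print(f"  {host:10} {n}")
    print("Quick wins (one fix, many findings):")
    for product, n_findings, n_hosts in quick_wins(findings):
        print(f"  {product:10} {n_findings} findings on {n_hosts} hosts")
    print("Work queue:")
    for f in prioritize(findings):
        print(f"  [{f['severity']:8}] {f['host']:10} {f['finding']}")
```

On the sample data the imaging workstations top the per-host list, one Windows update push and one Java removal account for ten of the twelve findings, and the work queue puts the server's Critical ahead of the workstations' Criticals while the copier's High falls below every workstation High. Adjust ASSET_RANK to reflect your own environment (a print server that handles sensitive documents is not a "printer" in this sense).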
Lastly, verify as you go. If you push a Microsoft patch out or make a change via Group Policy, spot check some systems and make sure the changes were actually applied. A rescan of the affected hosts is the most reliable check, since it also catches machines that were offline or never picked up the policy.
Above all, don’t get discouraged. System and vulnerability patching is one of the most important things you can do to keep your network and data safe. As the saying goes “A journey of a thousand miles begins with a single step.”