IT systems and services that are exposed to the Internet are targets of attempted cyber-attacks every day, and new technical vulnerabilities become public knowledge continuously. A company that does not monitor these disclosures may unknowingly run systems with publicly known weaknesses, weaknesses that threat actors can search for at scale and exploit to gain a foothold in the company's IT infrastructure.
Adequate security therefore starts with establishing an overview of, and control over, the company's IT systems and endpoints, and with continuously ensuring that vulnerabilities in them are identified and managed before unauthorized persons exploit them.
It can be useful to think about the work of maintaining an overview of and control over one's IT systems, software, and endpoints in terms of a "maturity pyramid" for IT security. At the base of the pyramid is vulnerability scanning: an automated test that detects, maps, and analyses known vulnerabilities in the systems it reaches. The scan also maps which assets the company actually has, such as domains, subdomains, services, and IP addresses, which often reveals systems nobody knew were exposed. In other words, vulnerability scanning is a basic security measure for all companies; it helps them build a secure foundation for their business.
Further up in the pyramid we find other types of security tests. These go deeper than a vulnerability scan and identify other kinds of weaknesses in the company's security profile, such as network misconfigurations, inadequate access control, or a weak security culture among employees.
However, there is little point in controlling such weaknesses if the foundation is not secure. Vulnerability scanning forms the base of the pyramid for two reasons:
- Simple vulnerabilities within IT systems are often a prerequisite for more advanced attacks to take place, and
- security is no better than the weakest link; the benefit of conducting more advanced security tests once a year is therefore limited if new, critical vulnerabilities keep emerging in between without being resolved.
According to the Norwegian National Security Authority (NSM), exploitation of publicly known vulnerabilities is one of the most common attack methods of cybercriminals.
A clear example of this is the critical vulnerability chain in on-premises Microsoft Exchange servers known as ProxyLogon (CVE-2021-26855 and related CVEs). It was disclosed in March 2021, and Microsoft reported that it was already being actively exploited as a zero-day by HAFNIUM, a group assessed to be state-sponsored and operating out of China based on observed victimology, tactics and procedures. Stortinget, the Norwegian parliament, was among the victims of this campaign.
After disclosure, more than 400,000 Exchange servers were found exposed on the Internet, all of which needed patching. Public exploit code was quickly published online, several ransomware actors started using it to gain access, and numerous compromises were reported. A month after disclosure, tens of thousands of Exchange servers were still unpatched and trivially exploitable.
Defendable still observes vulnerable Exchange servers more than a year after the vulnerability was published.
Because it often takes very little time from a vulnerability becoming known until cybercriminals systematically attempt to exploit it at scale, authorities in Norway and other countries recommend that companies follow a vulnerability management lifecycle framework.
Such a framework consists of the following steps, repeated on a fixed cadence:
- detecting vulnerabilities, typically through vulnerability scanning;
- comparing the findings with those of the previous scan, so that new, persisting, and resolved findings are separated;
- prioritizing the vulnerabilities and deciding which ones must be resolved, and by when;
- resolving the vulnerabilities;
- reporting; and
- verifying that the vulnerabilities are in fact resolved, typically by performing an additional vulnerability scan rather than trusting that a ticket was closed.
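As an added example (not code from the article or from Defendable's own tooling), the following Python sketch runs the compare, prioritize and verify steps of the lifecycle over two constructed scan exports. Host names, the scanner check ids, the risk weights, and the deadline policy are invented for illustration; CVE-2021-26855 is the ProxyLogon SSRF discussed above. The point it makes beyond the list: findings need a stable identity across scans, CVSS alone is a poor priority signal without exposure and exploitation context, and a finding is only closed when a re-scan stops reporting it.

```python
# Added example: minimal vulnerability-management lifecycle over constructed scan data.
# Weights, deadlines, hosts and non-CVE check ids are illustrative assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    vuln_id: str            # CVE id or scanner-specific check id
    cvss: float             # CVSS base score as reported by the scanner
    internet_exposed: bool  # reachable from the Internet (from asset inventory)
    known_exploited: bool   # listed on a known-exploited-vulnerabilities feed

    def key(self):
        """Identity of a finding across scans: same host, port and vulnerability."""
        return (self.host, self.port, self.vuln_id)


def compare(previous, current):
    """Compare step: split current findings into new, persisting and resolved."""
    prev = {f.key(): f for f in previous}
    cur = {f.key(): f for f in current}
    new = [cur[k] for k in sorted(cur.keys() - prev.keys())]
    persisting = [cur[k] for k in sorted(cur.keys() & prev.keys())]
    resolved = [prev[k] for k in sorted(prev.keys() - cur.keys())]
    return new, persisting, resolved


def risk_score(f):
    """Prioritize step: CVSS base plus boosts for exposure and known exploitation.
    The weights are an example policy, not a standard."""
    score = f.cvss
    if f.internet_exposed:
        score += 2.0
    if f.known_exploited:
        score += 3.0
    return round(score, 1)


def remediation_deadline_days(f):
    """Map the risk score to a remediation deadline (example policy, not a standard)."""
    s = risk_score(f)
    if s >= 12.0:
        return 1
    if s >= 9.0:
        return 7
    if s >= 6.0:
        return 30
    return 90


def prioritize(findings):
    """Work queue: highest risk first, deterministic tie-break on host, port, id."""
    return sorted(findings, key=lambda f: (-risk_score(f), f.host, f.port, f.vuln_id))


def verify(claimed_fixed, rescan):
    """Verify step: a finding is closed only if a fresh scan no longer reports it."""
    rescan_keys = {f.key() for f in rescan}
    confirmed = [f for f in claimed_fixed if f.key() not in rescan_keys]
    still_open = [f for f in claimed_fixed if f.key() in rescan_keys]
    return confirmed, still_open


# Constructed scan exports for two consecutive scan rounds.
PREVIOUS_SCAN = [
    Finding("mail.example.com", 443, "CVE-2021-26855", 9.8, True, True),
    Finding("vpn.example.com", 443, "tls-1.0-enabled", 5.3, True, False),
    Finding("intranet.example.com", 80, "http-cleartext-login", 4.3, False, False),
]
CURRENT_SCAN = [
    Finding("mail.example.com", 443, "CVE-2021-26855", 9.8, True, True),  # still unpatched
    Finding("vpn.example.com", 443, "tls-1.0-enabled", 5.3, True, False),
    Finding("git.example.com", 22, "ssh-weak-kex-algorithms", 5.9, True, False),  # new host
]
# The ticket system says both were fixed after the current scan; the re-scan is the arbiter.
CLAIMED_FIXED = [CURRENT_SCAN[0], CURRENT_SCAN[1]]
RESCAN = [Finding("vpn.example.com", 443, "tls-1.0-enabled", 5.3, True, False)]


def run_cycle():
    """One pass through the lifecycle; returns a summary the reporting step can use."""
    new, persisting, resolved = compare(PREVIOUS_SCAN, CURRENT_SCAN)
    work_queue = prioritize(new + persisting)
    confirmed, still_open = verify(CLAIMED_FIXED, RESCAN)
    return {
        "new": [f.vuln_id for f in new],
        "persisting": [f.vuln_id for f in persisting],
        "resolved": [f.vuln_id for f in resolved],
        "queue": [(f.host, f.vuln_id, risk_score(f), remediation_deadline_days(f))
                  for f in work_queue],
        "verified_fixed": [f.vuln_id for f in confirmed],
        "reopened": [f.vuln_id for f in still_open],
    }


if __name__ == "__main__":
    for step, result in run_cycle().items():
        print(f"{step}: {result}")
```

Note that the "resolved" list from the compare step is itself only a candidate: the intranet finding disappeared between scans, which may mean it was fixed, or that the host was simply down when the scanner ran. Treating disappearance as closure without the verify step is a common way for vulnerability backlogs to quietly lie.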
Of the companies Defendable scanned in 2021, more than 80% were assessed as medium risk, meaning they had significant weaknesses that should be corrected to reduce the risk of exploitation. At the same time, as many as 15% of the companies had critical weaknesses that had to be corrected immediately.
We thus see in practice how vulnerability scanning contributes to the solid foundation on which all other IT security measures rest. It is also important to us that the findings from a vulnerability scan can be conveyed clearly and effectively to non-technical and strategic personnel within the company.
Therefore, our vulnerability scans result in both a technical report, which explains each identified vulnerability in detail and gives instructions on how to resolve it, and a high-level report, which presents what we consider to be the company's overall risk profile and the main conclusions from the scan.