Vulnerabilities are everywhere. Whether due to sloppy passwords, misconfigurations, unpatched systems, or zero-day attacks, organizations need to be on the alert for any potential issues. Vulnerability scanning is an essential part of the cybersecurity arsenal in finding such vulnerabilities.
A vulnerability is defined by the International Organization for Standardization (ISO) 27002, as “a weakness of an asset or group of assets that can be exploited by one or more threats.” Threats are defined as whatever can exploit a vulnerability, and damage can be caused by the open vulnerability being exploited by a threat. Here are some of the top trends in the vulnerability scanning market:
1. Government Warning
The importance of vulnerability scanning was underscored in a recent directive by the Cybersecurity and Infrastructure Security Agency (CISA) of the FBI.
The directive made it mandatory for government entities to do continuous vulnerability scanning on all network appliances. They have been given until April 3, 2023 to comply.
They are required to list any vulnerabilities found across all assets running on their systems. This has to be done every 14 days, and scanning should be done regularly within these 14-day windows. Further, all vulnerability detection signatures used by these agencies are to be updated at an interval no greater than 24 hours from the last vendor-released signature update. Mobile devices are included in these requirements.
Clearly, government systems have suffered badly due to undetected and un-remediated vulnerabilities. Enterprises and SMBs are no different. They would do well to heed these CISA directives.
2. Constant Alertness
Robert Anderson Jr., chairman and CEO, Cyber Defense Labs, believes vulnerability scanning has not been thorough enough in the enterprise.
While vulnerability management is supposed to be constantly looking at and protecting all endpoints, workstations, laptops, servers, virtual machines (VMs), web servers, and databases, Anderson said that most companies only cover what they deem is important.
“Companies need to constantly be looking for vulnerabilities that may be used as an attack path by an adversary,” Anderson said.
“Continual scanning is now being utilized by most large companies that we partner with. The need for unified and constant visibility of your distributed IT network irrespective of endpoints is imperative in today’s cyberthreat environment.”
3. Golden Oldies
Zero-day attacks get the lion’s share of attention — and understandably. After all, they represent newly discovered vulnerabilities and exploits for which there is currently no remedy, although their publication means remedies will be issued rapidly.
Yet, well-known and sometimes quite old vulnerabilities continue to exist in many enterprises.
For example, Log4J has been well known for more than a year. Yet, cybercriminals continue to exploit it.
“As the Log4j vulnerability shows, discovering, mitigating, and fixing vulnerabilities as soon as possible is more important than ever to good cyber hygiene,” said Michelle Abraham, an analyst at IDC.
“Leaving vulnerabilities without action exposes organizations to endless risk, since vulnerabilities may leave the news but not the minds of attackers.”
Unpatched vulnerabilities even older than Log4j are lurking inside many companies. Some as far back as a decade old. When cybercriminals find these, they know they have an easy route into the enterprise. Vulnerability scanners need to be employed to find these, and organizations need to ensure they are patched immediately.
See more: Cybersecurity Agencies Reveal the Top Exploited Vulnerabilities
4. Update Your Vulnerability Databases
Part of the solution to not missing aging vulnerabilities is to ensure vulnerability scanners use a database of known issues to look for vulnerabilities, misconfigurations, or code flaws that pose potential cybersecurity risks.
Further, that database needs to be complete and regularly updated.
Popular scanners are missing at least 3.5% of all ransomware vulnerabilities, according to the Ivanti ”Ransomware Report.” As well as keeping databases and vulnerability signatures up to date, some recommend using multiple scanners.
5. Include Penetration Testing
Vulnerability scanning is essentially a process of checking out where weaknesses may lie by assessing internal systems, applications, misconfigurations, and cloud dependencies.
Penetration testing takes a different approach. It is generally accomplished by ethical hackers who try to penetrate the network, find holes, and exploit known or unknown vulnerabilities. More organizations are supporting vulnerability scanning with pen testing to ensure they find everything.
For those that lack internal resources, vulnerability scanning and penetration testing are now available as a service. This is a growing trend. Penetration testing-as-a-service (PTaaS) platforms have emerged that remove the burden of testing from IT or the need to hire outside hackers.
See more: 5 Top Penetration Testing Trends
6. Personal Information
Personally identifiable information (PII) is very much in the spotlight. Cybercriminals seek it, as it provides them with data they can sell, compromise, or use to hack into systems and scam people and organizations.
Similarly, organizations are constantly looking for PII, so they can ensure it is protected and they don’t fall afoul of privacy and compliance mandates. Accordingly, vulnerability scanners are emerging that look for PII as well as vulnerabilities.
“As the awareness of better privacy for customers’ sensitive data is rising, so does the number of solutions that help gain insights around privacy posture using scanning tools,” said Gil Dabah, co-founder and CEO at Piiano.
“Vulnerabilities recognized by scanning tools are including additional findings that are privacy related.”
Imagine a company with hundreds or thousands of developers that decide to harden the security of the PII they are collecting to decrease the risk of data exfiltration due to a breach. Such a task, when done manually, can take weeks.
With code scanning tools, a team can get a list of all PII the organization collects, verify that the data you collect is aligned with your privacy policy, and better protect high-risk PII, such as SSNs. New tools help find PII, but they also give you insights regarding where you collect each PII, what processes you are doing with the data, and where you store it.
7. SBOMs
A software bill of materials or SBOM is an inventory of ingredients that make up different software components. They are being used to be able to drill down into exactly where vulnerabilities may lurk.
Take the recent Log4j vulnerability. As it related to Java libraries, few realized how pervasive those libraries were. Organizations thought they have patched or addressed all needed areas to combat Log4J. Yet, there were more hiding in all sorts of nooks and crannies of the enterprise. SBOMs make it easier to know what contains which software elements, so it is easier to address vulnerabilities.
“The move toward automated, formally structured, machine-readable SBOMs is clear,” said Alex Rybak, senior director of product management, Revenera.
“More and more software companies expect SBOMs to include all third-party, including open-source and commercial, software that’s used in their applications. An SBOM that provides a single, actionable view is essential, so that when a vulnerability is detected, the supplier can quickly assess the impact to their portfolio of applications and expedite remediation plans.”
8. Supply Chain Attacks
Major cyberattacks have made it clear that vulnerabilities within the software supply chain were a vital element of security scans.
Cyberattackers gained a foothold by exploiting an outdated build server with a known vulnerability. Since those well-publicized breaches, further examples include RCE vulnerability (CVE 2021-22205) and dozens of vulnerable Jenkins plugins. They demonstrate the importance of securing development tools and their ecosystems.
“Organizations have expanded their vulnerability scanning efforts from COTS, cloud, and source code to include the software delivery pipeline itself,” said Andrew Fife, VP of marketing, Cycode.
“While much of the hype around software supply chain attacks has been directed at traditional software composition analysis, which focuses on the delivered application, the reality is that the majority of attacks start elsewhere.”
9. Scanning for BEC And BAC
Business application compromise (BAC) is where cyberattackers target cloud access identity providers, like OKTA or OneLogin, that are often used by business applications to provide a single sign-on (SSO) experience to users.
Attackers compromise the user OKTA login via phishing and overcome multi-factor authentication (MFA) by brute force, pushing notifications in the hope that the user accidentally approves one of them.
Business email compromise (BEC) most often happens in Microsoft 365. Criminals send an email message that appears to come from a known source making a legitimate request. With original deployments of Office 365 tenants, Microsoft by default enables IMAP and POP3 in O365 Exchange as well as BasicAuthentication. IMAP and POP3 don’t support MFA, so even if you have MFA enabled, attackers can still access these mailboxes.
“Disable legacy protocols, like IMAP and POP3, immediately, especially if you’ve gone through the process to enable MFA,” said A.N. Ananth, president and chief strategy officer, Netsurion.
“Once you turn those off, strongly consider disabling BasicAuthentication to prevent any pre-auth headaches on your Office 365 tenants.”
To address BAC, Ananth said to be alert for multiple identity provider sessions from the same user with multiple, non-mobile operating systems. Alert for potential brute force push requests. As a result of this type of threat, scanners are now checking for such vulnerabilities.
See more: Simple Guide to Vulnerability Scanning Best Practices
10. Automated Remediation
The norm has long been that multiple tools are needed to bridge the scanning and remediation gap. Scanners find out what might be wrong. Other tools, and plenty of manual effort, are required to address the problems and safeguard the enterprise.
But that is changing according to Ashley Leonard, CEO of Syxsense. His company, for example, offers a single agent that automates the management of endpoints and reduces the attack surface.
“We are seeing solutions hitting the market that combine the necessary functionality to remediate threats that are blended: threats that require the application of a patch as well as configuration changes,” Leonard said.
“This ties in with threat prioritization whereby both patch and security threats are given different levels of risk based on the specifics of their environments. And finally, we are seeing software designed to bring about intelligent endpoints that can automatically maintain an endpoint in a desired state.”
See more: 22 Best Vulnerability Scanner Tools