Vulnerability Scans - How Often Should You Be Running Them?
For many organisations, annual or twice-yearly penetration tests are the norm, usually performed to maintain regulatory compliance or after significant changes to IT assets and infrastructure.
Unfortunately for companies, penetration testing (commonly referred to as 'pentesting') only provides a point-in-time view of vulnerabilities. Anything introduced or disclosed after the test goes unnoticed until the next one, so the gap between tests means an organisation can be at risk for months without knowing.
As a result, there is an increasing trend towards quarterly, monthly, weekly and even daily vulnerability audit schedules.
“A combination of monthly external and quarterly internal assessments is a good starting point,” explains Patrick Butler, CEO at Loop Secure. “A proper cyber risk assessment will then help you fine tune your vulnerability management program to determine the right frequency for your organisation.”
Why the increase? The number of vulnerabilities has hit a record high, and 2017 broke the records set in every previous year. According to CVE Details, which compiles the publicly known Common Vulnerabilities and Exposures (CVE) entries, more than 14,600 vulnerabilities were reported in 2017, compared with 6,447 in 2016. The total for 2018 is set to be higher still.
While not every vulnerability applies to every network, the numbers still show why a more frequent audit, even a daily one, shortens the time a newly disclosed vulnerability sits undiscovered on your network and so reduces your chances of being hacked.
The primary benefit of regular audits is clear: on a monthly schedule, a vulnerable system is never more than about 31 days away from being found. On a typical annual penetration test program the equivalent window is up to 365 days, roughly twelve times longer. Note that the scan cadence only bounds the time until a vulnerability is discovered; the real exposure window also includes however long remediation takes once a finding has been reported, so a scan schedule needs a remediation deadline to go with it.
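The window arithmetic above can be checked by simulating a scan calendar against the dates on which vulnerabilities appear on an estate and measuring how long each one sits undetected. The following Python is an added example, not code from the original article or from Loop Secure; the vulnerability appearance dates, the scan start date and the 14-day remediation SLA are constructed assumptions chosen only to illustrate the point.

```python
from datetime import date, timedelta
from statistics import mean

# Constructed sample data (not real findings): dates on which a new
# vulnerability first became detectable on the estate, e.g. a CVE was
# published for software already deployed, or a new host was exposed.
VULN_APPEARANCE_DATES = [
    date(2018, 1, 9), date(2018, 2, 14), date(2018, 3, 3), date(2018, 4, 25),
    date(2018, 6, 2), date(2018, 7, 19), date(2018, 9, 11), date(2018, 11, 30),
]

# Assumed remediation SLA once a finding is reported (days); also constructed.
REMEDIATION_SLA_DAYS = 14


def scan_dates(start, end, interval_days):
    """Scan calendar: one scan every interval_days from start up to end (inclusive)."""
    scans = []
    current = start
    while current <= end:
        scans.append(current)
        current += timedelta(days=interval_days)
    return scans


def detection_latencies(vuln_dates, scans):
    """Days from each vulnerability's appearance to the first scan on or after it.

    A vulnerability that appears after the last scheduled scan is never
    detected within the calendar and is reported as None rather than
    silently dropped, so a too-short calendar is visible to the caller.
    """
    latencies = []
    for appeared in vuln_dates:
        first_scan = next((s for s in scans if s >= appeared), None)
        latencies.append(None if first_scan is None else (first_scan - appeared).days)
    return latencies


def exposure_summary(vuln_dates, interval_days, remediation_days=REMEDIATION_SLA_DAYS, year=2018):
    """Worst and average discovery latency for one scan cadence, plus the
    worst-case exposure once the remediation SLA is added on top.

    The calendar runs two years so every sample date has a following scan.
    """
    scans = scan_dates(date(year, 1, 1), date(year + 1, 12, 31), interval_days)
    latencies = [d for d in detection_latencies(vuln_dates, scans) if d is not None]
    return {
        "cadence_days": interval_days,
        "max_detect_days": max(latencies),
        "mean_detect_days": round(mean(latencies), 1),
        "max_exposure_days": max(latencies) + remediation_days,
    }


def compare_cadences(vuln_dates, cadences=(365, 90, 30, 7)):
    """One summary row per cadence: annual, quarterly, monthly, weekly by default."""
    return [exposure_summary(vuln_dates, c) for c in cadences]


if __name__ == "__main__":
    for row in compare_cadences(VULN_APPEARANCE_DATES):
        print(row)
```

Two things the output makes concrete: the worst case for any finding is bounded by the scan interval (never more than the cadence), while the average time to discovery is roughly half of it; and the figure that actually matters to an attacker, the full exposure, is that latency plus however long the fix takes, which the scan schedule alone does nothing to shorten.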
“Unfortunately for corporates, hacking has become somewhat of a sport,” explains Butler. “Forums around the world share information about the latest vulnerabilities and there are thousands of wannabe hackers who can test their skills on your network, just to see if they can get lucky. All that’s needed is an IP address in order to start testing their skills.”
Given the level of risk, a penetration test conducted only once every twelve months doesn't cut it.
As Butler says: “Hackers are working constantly to exploit your network’s vulnerabilities, and a twelve-month window is more than enough time to do so.”
While regular audits significantly reduce your risk of being hacked, they also make life easier for your IT teams and are less disruptive for users.
Addressing twelve months' worth of accumulated vulnerabilities in one go is a long and complex process. A more regular check produces a short list each time, which can be dealt with before problems become significant or affect network performance.
It can also save your organisation money, because most of the vulnerabilities you find will not need the expertise of a security specialist to fix. For example, Loop Secure provides its clients with remediation tips so that anybody in the IT team can manage the fix themselves.
Further to this, organisations will find they get significantly more value from their penetration test: with the 'low-hanging fruit' already gone, the testers have to dig a lot deeper to find vulnerable systems.
“Regular vulnerability audits are no longer a nice-to-have,” Butler says. “If you’re serious about the security of your organisation, talk to Loop Secure about reducing your window of risk, and how to keep on top of vulnerabilities as they happen.”
Read our Technical Executive's Guide to Penetration Testing for more information.