Answer yes if your organisation conducts regular external vulnerability scans of its public IP infrastructure and remediates the findings.
What is the control?
An external vulnerability scan involves probing your public or internet-facing infrastructure and services (such as your web site, portals, customer interfaces, etc.) from outside (the same vantage point as an outside attacker) to find potential vulnerabilities.
Why should I have it?
As mentioned previously, your internet-facing infrastructure is your most exposed as it is the only part of your infrastructure that can be connected to directly by outside attackers and therefore the first point of attack.
Being public-facing typically makes it an interesting target, especially in the case of web services, due to the reputational damage of defacing your site, the likely access it has to back-end systems (an e-commerce website being connected to a database full of personal and payment details, for example), or how it could be used to collect the details of other customers (such as an attacker skimming your clients’ payment details after having gained access to your web server).
Performing checks on public-facing infrastructure on a regular basis is therefore essential to the early detection of any vulnerabilities that may have been inadvertently introduced (or missed) in order to mitigate them before they can be exploited by outside attackers.
Ensure that your network security policy includes the regular scanning of public-facing infrastructure and that you have a sustainable and repeatable process to do so.
Vulnerability scanning is technically simple to implement and maintain, and much of the scanning work, together with notifications when findings appear, is easy to automate.
You can opt for a scanning provider, an automated service, or one of the dozens of internet-based scanning services. Whichever you choose, ensure that the checks performed cover all publicly known vulnerabilities and are updated with checks for new vulnerabilities as soon as they are published.
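A sustainable scanning process needs two things the scanner itself does not give you: a baseline of what you intend to expose, so that any new service showing up on a public address is flagged, and a tracker that tells you which findings have outlived their remediation deadline. The following script is an added example written for this article, not code from the knowledge base or from any scanning vendor. It assumes scan output in the XML shape produced by `nmap -oX` (the sample below is constructed, with addresses from the documentation range 203.0.113.0/24), an allowlist of sanctioned exposures, and per-severity remediation deadlines; all three are assumptions you would replace with your own data.

```python
"""Baseline comparison and remediation tracking for a recurring external scan.

Added example: parses nmap-style XML (constructed sample), reports any open
service not on the organisation's allowlist, and lists open findings that have
exceeded their severity-based remediation deadline.
"""
from datetime import date
import xml.etree.ElementTree as ET

# Constructed sample in the shape of `nmap -oX` output for two public hosts.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="203.0.113.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="filtered"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="203.0.113.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Constructed allowlist: the services the organisation intends to expose.
EXPECTED_EXPOSURE = {
    ("203.0.113.10", "tcp", 443),
    ("203.0.113.11", "tcp", 443),
}

# Assumed remediation deadlines, in days, by finding severity.
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}

# Constructed finding-tracker entries as they might come from a ticket system.
SAMPLE_FINDINGS = [
    {"id": "F-1", "severity": "critical", "first_seen": date(2024, 5, 1), "status": "open"},
    {"id": "F-2", "severity": "medium", "first_seen": date(2024, 5, 10), "status": "open"},
    {"id": "F-3", "severity": "high", "first_seen": date(2024, 4, 1), "status": "closed"},
]


def parse_open_ports(nmap_xml):
    """Return a set of (ip, protocol, port, service) for every open port."""
    root = ET.fromstring(nmap_xml)
    found = set()
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ip = addr.get("addr")
        for port in host.iter("port"):
            state = port.find("state")
            # Only 'open' counts as exposure; filtered/closed ports are ignored.
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            service = svc.get("name") if svc is not None else "unknown"
            found.add((ip, port.get("protocol"), int(port.get("portid")), service))
    return found


def unexpected_exposures(open_ports, expected):
    """Open services that the allowlist does not sanction, sorted for stable output."""
    return sorted(p for p in open_ports if p[:3] not in expected)


def overdue_findings(findings, today, sla=SLA_DAYS):
    """(finding id, days past deadline) for open findings older than their SLA."""
    overdue = []
    for f in findings:
        if f["status"] != "open":
            continue
        age = (today - f["first_seen"]).days
        limit = sla[f["severity"]]
        if age > limit:
            overdue.append((f["id"], age - limit))
    return overdue


if __name__ == "__main__":
    open_ports = parse_open_ports(SAMPLE_NMAP_XML)
    for ip, proto, port, service in unexpected_exposures(open_ports, EXPECTED_EXPOSURE):
        print(f"UNEXPECTED: {ip} {proto}/{port} ({service}) is not on the allowlist")
    for fid, days_over in overdue_findings(SAMPLE_FINDINGS, date(2024, 5, 20)):
        print(f"OVERDUE: {fid} is {days_over} day(s) past its remediation deadline")
```

Run on the constructed sample, the script flags SSH on 203.0.113.10 and MySQL on 203.0.113.11 as exposures nobody approved, and reports finding F-1 as twelve days past its critical-severity deadline; a scheduled job that runs this after every scan and raises a ticket on non-empty output is the kind of repeatable process the control asks for.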
There are numerous consultancies or individual consultants that will be able to assist in crafting the correct security architecture in a way that meets your business and technical requirements. Please message us if you would like a recommendation.
If you would like to contribute to this article or provide feedback, please email firstname.lastname@example.org. Contributors will be recognised on our contributors page.
Please do not submit your answer on the knowledge base.