
18) How many external automated vulnerability scans does your organisation conduct each year?

August 30, 2022
Network and Cloud Security
External Vulnerability Scans

Please state the number of automated scans completed every year.

What is the control?

As mentioned in the previous article, it’s important to regularly scan your public-facing infrastructure in order to catch any vulnerabilities.

However, finding the vulnerabilities isn’t enough; they also have to be found in time, which is to say before they can be exploited. It’s therefore equally important to scan at a high frequency.

Why should I have it?

Traditionally, vulnerability scans were often performed on an annual frequency, or quarterly at best.

While that is a convenient interval, best practice is evolving towards much more frequent scanning, so that the scanning interval is more in line with the typical time between a vulnerability being disclosed and attackers exploiting it.

Vulnerabilities are exploited at scale faster than ever before. This means that vulnerabilities are often exploited within days (or less) of being disclosed. If you check for their presence every year, or every few months, it’s exceedingly likely that it will simply be too late.

If you run public-facing infrastructure that is important to your business, you may want to scan far more frequently. Many organisations are now scanning weekly, daily, and even continuously.

How to implement the control

External (that is, of public-facing systems) vulnerability scanning is simple to implement and maintain; much of the scanning work, and the notifications when findings appear, is easy to automate. Once you’ve decided on a scanning frequency, make sure to define it in your policies and schedule any work needed to maintain your process accordingly.

You can engage a scanning provider, an automated service, or one of the dozens of internet-based scanning services. You should however ensure that the checks performed cover all publicly known vulnerabilities and are updated with checks for new vulnerabilities as soon as they appear.
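Once a cadence is written into policy, it is worth checking that the scanner actually meets it and that notifications only fire on findings that are genuinely new. The following is an added example, not Risk Ledger's code nor that of any particular scanning service; it assumes a scanner that exports one JSON record per completed scan with a completion date and a list of finding identifiers (the record shape and the sample data are constructed for illustration). It answers the question above (scans completed in a year), reports the longest gap between scans, flags gaps that breach the policy interval, and diffs the latest two scans to isolate new findings.

```python
"""Audit external vulnerability-scan cadence and surface new findings.

Added example, not the page's or any vendor's code. Assumes a scanner that
exports one JSON record per completed scan with a completion date and a
list of finding identifiers; the record shape and sample data below are
constructed for illustration.
"""
from datetime import date
import json

# Constructed sample export: four scans in 2022, with a long gap in the
# middle and one new finding in the final scan.
SAMPLE_EXPORT = json.dumps([
    {"completed": "2022-01-10", "findings": ["F-001", "F-002"]},
    {"completed": "2022-02-08", "findings": ["F-002"]},
    {"completed": "2022-06-20", "findings": ["F-002"]},
    {"completed": "2022-07-18", "findings": ["F-002", "F-003"]},
])


def load_scans(raw):
    """Parse the export into (date, set_of_findings) tuples, oldest first."""
    scans = [(date.fromisoformat(r["completed"]), set(r["findings"]))
             for r in json.loads(raw)]
    return sorted(scans, key=lambda s: s[0])


def scans_per_year(scans, year):
    """Number of scans completed in the given year (the figure the
    questionnaire asks for)."""
    return sum(1 for d, _ in scans if d.year == year)


def max_gap_days(scans):
    """Longest interval between consecutive scans: the worst-case window in
    which a newly disclosed vulnerability would sit undetected."""
    dates = [d for d, _ in scans]
    if len(dates) < 2:
        return None
    return max((b - a).days for a, b in zip(dates, dates[1:]))


def cadence_violations(scans, policy_interval_days):
    """Every (start, end, gap_days) where the gap exceeds the policy interval."""
    dates = [d for d, _ in scans]
    return [(a, b, (b - a).days) for a, b in zip(dates, dates[1:])
            if (b - a).days > policy_interval_days]


def new_findings(scans):
    """Findings present in the latest scan but absent from the previous one.
    Notifying on this set, rather than on every repeated finding, keeps the
    alert channel meaningful."""
    if not scans:
        return set()
    if len(scans) == 1:
        return set(scans[0][1])
    return scans[-1][1] - scans[-2][1]


if __name__ == "__main__":
    scans = load_scans(SAMPLE_EXPORT)
    policy = 30  # constructed policy: at least one scan every 30 days
    print("scans completed in 2022:", scans_per_year(scans, 2022))
    print("longest gap between scans (days):", max_gap_days(scans))
    for start, end, gap in cadence_violations(scans, policy):
        print(f"policy breach: {gap} days between {start} and {end}")
    print("new findings to notify on:", sorted(new_findings(scans)))
```

With the constructed data the audit reports four scans in 2022, a longest gap of 132 days, one breach of a 30-day policy (February to June), and a single new finding to notify on. In a real deployment the same functions would run against the scanner's actual export on a schedule, so that a lapse in scanning is itself raised as a finding rather than discovered at the next audit.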

There are numerous consultancies or individual consultants that will be able to assist in crafting the correct security architecture in a way that meets your business and technical requirements.

If you would like to contribute to this article or provide feedback, please email knowledge@riskledger.com. Contributors will be recognised on our contributors page.
