Answer yes if your organisation conducts regular automated vulnerability scans of its internal IP infrastructure and remediates the findings. This may include scanning assets in a private local network or using a cloud service provider’s tools to scan for vulnerabilities in your cloud infrastructure.
What is the control?
An internal vulnerability scan involves probing your internal infrastructure and services from within your network (the same vantage point as an attacker inside your network) to find potential vulnerabilities.
Internal systems are usually less exposed than public-facing ones because they are not reachable directly from the internet, but they remain reachable by internal threat actors such as a disgruntled employee or an attacker who has already breached your perimeter controls.
It’s therefore important to scan internal systems for vulnerabilities on a regular basis as well.
Why should I have it?
Vulnerabilities on the internal network can allow systems to be exploited by insider threats or by attackers who have managed to get inside your network perimeter.
Regular checks against internal infrastructure are therefore essential for the early detection of vulnerabilities that were inadvertently introduced or previously missed. Only once you are aware of a vulnerability can you ensure it is remediated before an attacker exploits it.
Ensure that your network security policy includes the regular scanning of internal systems and that you have a sustainable and repeatable process to do so.
Vulnerability scanning is technically simple to implement and maintain: the scan runs themselves and the notifications raised on new findings are easy to automate. Credentialed (authenticated) scans reveal missing patches and misconfigurations that an unauthenticated probe of open ports cannot see, so provide the scanner with suitable scanning credentials where possible.
Most internal scanning solutions place one or more scanning engines on your network, managed from a centralised console. Because network segmentation limits what each engine can reach, deploy an engine in every network segment (or ensure the segmentation rules explicitly permit the engine's traffic into each segment) so that no segment goes unscanned, and re-check that coverage whenever segments are added or changed.
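The two points above, automating the notification step and confirming that every segment has an engine, can be handled with a short post-processing job run after each scheduled scan. The following Python script is an added example for this article; it is not a Risk Ledger tool or part of any scanner product. It assumes the engine writes nmap-style XML (nmap -sV -oX), diffs the current run against the previous one so that only new or changed services trigger a notification, and checks a list of segments against the engines deployed. The XML, segment list and engine addresses are all constructed sample data.

```python
"""Post-process an internal scan run: diff it against the previous run,
build a notification for new or changed findings, and confirm that each
network segment contains a scanning engine.

All sample data below is constructed for this example; it is not real
scan output and the addresses are not real hosts."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed `nmap -sV -oX` output from the previous (baseline) run.
BASELINE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX - 10.0.1.0/24">
  <host><status state="up"/><address addr="10.0.1.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="8.4"/></port>
    </ports>
  </host>
</nmaprun>"""

# Constructed output from the current run: the SSH version on 10.0.1.10 has
# changed (e.g. the host was re-imaged from an older template) and a new
# host 10.0.1.20 exposes SMB. A filtered port and a down host are included
# to show that they are ignored.
CURRENT_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX - 10.0.1.0/24">
  <host><status state="up"/><address addr="10.0.1.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.4"/></port>
    </ports>
  </host>
  <host><status state="up"/><address addr="10.0.1.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/>
        <service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="filtered"/></port>
    </ports>
  </host>
  <host><status state="down"/><address addr="10.0.1.30" addrtype="ipv4"/></host>
</nmaprun>"""

# Constructed segment inventory and the addresses of the deployed engines.
SEGMENTS = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
ENGINES = ["10.0.1.5", "10.0.2.5"]


def parse_nmap_xml(xml_text):
    """Return {(ip, proto, port): 'name product version'} for every open
    port on every host that was up."""
    findings = {}
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        if host.find("status").get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            label = "unknown"
            if svc is not None:
                parts = [svc.get("name"), svc.get("product"), svc.get("version")]
                label = " ".join(p for p in parts if p)
            findings[(addr, port.get("protocol"), int(port.get("portid")))] = label
    return findings


def diff_findings(baseline, current):
    """Split the current run into new, changed and resolved findings."""
    new = {k: v for k, v in current.items() if k not in baseline}
    changed = {k: (baseline[k], v) for k, v in current.items()
               if k in baseline and baseline[k] != v}
    resolved = {k: v for k, v in baseline.items() if k not in current}
    return new, changed, resolved


def build_notification(new, changed, resolved):
    """Render the diff as the text a scheduled job would post to a ticket
    or chat channel; None when there is nothing to report."""
    if not (new or changed or resolved):
        return None
    lines = []
    for (ip, proto, port), svc in sorted(new.items()):
        lines.append(f"NEW      {ip} {proto}/{port}  {svc}")
    for (ip, proto, port), (old, cur) in sorted(changed.items()):
        lines.append(f"CHANGED  {ip} {proto}/{port}  {old} -> {cur}")
    for (ip, proto, port), svc in sorted(resolved.items()):
        lines.append(f"RESOLVED {ip} {proto}/{port}  {svc}")
    return "\n".join(lines)


def uncovered_segments(segments, engines):
    """Return the segments that contain no scanning engine, assuming strict
    segmentation (an engine only sees the segment it sits in)."""
    nets = [ipaddress.ip_network(s) for s in segments]
    engine_ips = [ipaddress.ip_address(e) for e in engines]
    return [str(n) for n in nets if not any(ip in n for ip in engine_ips)]


if __name__ == "__main__":
    baseline = parse_nmap_xml(BASELINE_XML)
    current = parse_nmap_xml(CURRENT_XML)
    message = build_notification(*diff_findings(baseline, current))
    print(message or "no changes since the previous scan")
    print("segments without an engine:", uncovered_segments(SEGMENTS, ENGINES))
```

Run it from a cron job or scheduler after each scan, feeding it the previous and current XML files, and route the returned message to the team that owns remediation; a scan that produces findings nobody reads does not satisfy this control. The coverage check reports 10.0.3.0/24 as unscanned in the sample data, which is exactly the gap segmentation creates when engines are only deployed where the first scans were set up.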
There are numerous consultancies or individual consultants that will be able to assist in crafting the correct security architecture in a way that meets your business and technical requirements.
If you would like to contribute to this article or provide feedback, please email knowledge@riskledger.com. Contributors will be recognised on our contributors page.