Notes from The Field. A Scan a Day Keeps the Exploits at Bay

Over 1020 new security vulnerabilities have been published since the start of November. This means that this month alone, there are now over 1020 new ways for an attacker to compromise an environment. This number is growing by the day, and only includes the number of actually identified vulnerabilities. There are, of course, many more that lie dormant or camouflaged, that are yet to be identified.

In fact, according to PandaLabs, ‘230,000 new malware samples are produced every day — and this is predicted to only keep growing’. To cripple a business, it only takes one vulnerability to be successfully exploited by a bad actor. And, with IBM claiming that the average cost of lost business due to a successful attack is $1.42 million, inattentiveness towards security measures should not be taken lightly. 

Following the emergence of a real-life example from one of SecurityHQ’s clients, this blog is intended to highlight and question how long it takes most businesses to identify vulnerabilities on public facing and/or internal assets. And how this time can be shortened, so that threats are identified and addressed before they become a problem. 

Real-Life Example Analysis

In a recent engagement, SecurityHQ reviewed the Vulnerability Management program for a large client based in the Middle East. During the analysis period, it was observed that the vulnerability scans on public facing assets were taking over four weeks to complete. This was due to the staggered nature of the scan schedule.  

Breakdown of the Numbers

1. There were 1890 public IP addresses in this particular scan schedule.
2. The client was launching 1×12-hour scan per week (resuming after 6 days until all 1890 IPs were scanned).
3. The two external vulnerability scanners could only scan on average 410 IPs each scan.
4. The total scanning time required to scan all 1890 IP addresses was 51 hours (4.25 weeks).

Taking the example above, let us assume that you have a schedule scan that runs once a week to scan public facing IPs. This is a huge security risk, and here is a simple illustration to explain why.

Say that ‘Asset A’ is scanned at the very beginning of the scheduled scan, say on the 1^st of November 2020. Say also that there were no new vulnerabilities identified. As a result, this asset is now marked as scanned, and it will be scanned again in four weeks’ time, once the scan cycle for the scheduled scan has completed.

The very next day, on the 2^nd of November, a high severity vulnerability is published which impacts ‘Asset A’, leaving it vulnerable to compromise. Without specifically scanning ‘Asset A’ before the next scheduled scan, the next time this vulnerability would be detected would be in four weeks’ time, at the start of the next scheduled scan.

Even when regularly scanned, it quickly becomes apparent how vulnerable systems actually still are. And, if left undetected, and thus unpatched, assets are left particularly vulnerable to compromise, and the +1020 new developing threats from this month. 

What is the Risk of Default Credentials?

Default credentials are a specific vulnerability in which pre-set administrative access is configured within the settings of applications, routers, switches, and other appliances. 

Default credentials used by applications and appliances are often published on the internet. This can be a big problem. Say, for instance, your organisation becomes compromised, say on the 1^st of November as presented in the example above. An attacker will typically first scan your network to see where they can move next. The results of the scan will help the attacker to identify information like what ports are open in your network, along with any detected vulnerabilities. If an attacker was auspicious enough to identify applications or appliances with default credentials enabled, it won’t take them long to hunt on the internet for these published credentials. 

This is why it is crucial that companies do not default of password security. Often, the responsible teams can forget to disable default credentials, or they leave them enabled for convenience, which leaves organisations vulnerable to compromise. 

To learn how to maintain password protocols, and to ensure that default credentials will not risk your security, read our list of recommendations and mitigations here.

What Did We Do for Our Client?

In this particular instance, we were able to determine that the existing 51-hour total scan time could easily be achieved in a simple 12×5 scanning window (12 hours, 5 days per week). This enabled our client to greatly benefit on two levels:

1. A 5-day scan cycle meant that all vulnerabilities on all public facing assets will be known, and can be acted on, within a maximum of 5 days, rather than four weeks. 
2. A new 60-hour scan window allows space for growth and for more aggressive scans, that may require more time, to complete. 

What You Should Do

The first thing is to understand the size of your scan and how long it is currently taking your team to complete a full scan cycle. You can start with public facing assets first, as these can be considered most at risk of compromise.

Once your scan size is understood, you should review your current scan cycle and look to decrease the time taken to scan all assets.