Best practices for vulnerability management really start with the network. By definition, network vulnerability management touches all aspects of your environment: every connected device, operating system, hardware, software, firewalls, and more. An unsecured Wi-Fi router, an IoT device with over-permissive access control, or a firewall misconfiguration could be an attacker's entry point into your systems. Network vulnerability scanning and regular patching are essential to make sure the first lines of defense are hardened, reducing the likelihood of a costly data breach.
The scope of network vulnerability management can be overwhelming, however, especially as remote work and cloud computing decentralize what used to be a pretty straightforward network perimeter. Here are some best practices to help you focus your network vulnerability efforts.
Collect data about your environment
In vulnerability management, it is a best practice to keep an asset inventory that records all of the hardware, software, cloud services, and devices in the organization. The asset inventory is used to map vulnerabilities to the affected systems for effective prioritization. Similarly, network vulnerability management requires extensive collection of data about the resources in use so that everything in the network is included in the scanning process. You will need to provide the IP address ranges of the software and hardware to be targeted. If they are not already in your asset inventory, you should also record the media in use, the anti-virus software in use, and the firewalls and web application firewalls that are in place. Collecting this information is the first step in determining the scope of your scanning. You have to understand the structure of your network to decide where scanners should be placed, which type of scanner to use (agentless or agent-based), and the time frame in which scanning will take place.
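As an added illustration (not code from the original article), the script below turns a small constructed asset inventory into a scan plan: hosts that cannot run an agent or that sit on-premises are grouped into agentless scan scopes (internal /24 subnets and an external perimeter scope), while remote endpoints are assigned agent-based scanning. The hostnames, addresses and device types are hypothetical.

```python
import ipaddress
from collections import defaultdict

# Constructed sample inventory (hypothetical hosts and addresses, not a real network).
INVENTORY = [
    {"host": "fw-edge-01", "ip": "203.0.113.1",  "type": "firewall",    "location": "dc"},
    {"host": "web-01",     "ip": "203.0.113.10", "type": "server",      "location": "dc"},
    {"host": "db-01",      "ip": "10.1.20.5",    "type": "server",      "location": "dc"},
    {"host": "prn-floor2", "ip": "10.1.30.7",    "type": "printer",     "location": "office"},
    {"host": "cam-lobby",  "ip": "10.1.30.9",    "type": "iot",         "location": "office"},
    {"host": "lt-alice",   "ip": "192.168.1.23", "type": "laptop",      "location": "remote"},
    {"host": "wap-01",     "ip": "10.1.1.2",     "type": "wifi_router", "location": "office"},
]

# Device classes that cannot host a scanning agent and must be covered by network scans.
NO_AGENT_TYPES = {"printer", "iot", "firewall", "wifi_router"}
# RFC 1918 space is treated as internal; anything else is a perimeter (external) target.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def scan_method(asset):
    """Agent-based for hosts that may be off the corporate network when a scan runs
    (remote endpoints); agentless network scanning for everything else."""
    if asset["type"] in NO_AGENT_TYPES:
        return "agentless"
    return "agent" if asset["location"] == "remote" else "agentless"

def scan_plan(inventory):
    """Split the inventory into agent-based hosts and agentless scan scopes.
    Agentless targets are grouped by internal /24 or marked 'external' so the
    perimeter scan and each internal scanner get an explicit IP list."""
    plan = {"agent": [], "agentless": defaultdict(list)}
    for asset in inventory:
        ip = ipaddress.ip_address(asset["ip"])
        if scan_method(asset) == "agent":
            plan["agent"].append(asset["host"])
            continue
        if any(ip in net for net in INTERNAL_NETS):
            scope = str(ipaddress.ip_network(f"{ip}/24", strict=False))
        else:
            scope = "external"
        plan["agentless"][scope].append(str(ip))
    plan["agent"].sort()
    plan["agentless"] = {s: sorted(v) for s, v in sorted(plan["agentless"].items())}
    return plan

if __name__ == "__main__":
    for method, targets in scan_plan(INVENTORY).items():
        print(method, targets)
```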
Conduct both internal and external scans
PCI DSS, the security standard for stored credit card information, requires that you perform both internal and external vulnerability scans every quarter. External vulnerability scanning, also known as a perimeter scan, takes the view of an attacker on the outside looking in. This scan is conducted from outside the network, targeting specific IP addresses and examining external, internet-facing resources such as firewalls, open ports, and websites. Internal scans, on the other hand, operate from an insider's perspective, whether a disgruntled employee or an attacker who has already gained network access, and look for points of exploitation within the system. Conducting both types of scans provides a more complete picture of your network's vulnerabilities, illustrating how an attacker might escalate access once the system has been initially breached.
Use agent-based scanning to fill the agentless network scanner gaps
Network vulnerability scanning used to be relatively straightforward when everything that you needed to scan was within a defined perimeter. However, with the transition to the cloud and work-from-home, network scanning may require a few different types of scanning tools in order to provide complete visibility. For example, agentless scans can identify and scan anything connected to the network at the time of the scan, which allows you to discover devices you may not have known about and scan things like printers and IoT devices that can’t support an agent.
The downside to agentless network scanning, however, is that the devices must be connected to the network at the time of the scan, which may not be practical for all endpoints, particularly in a remote work environment. Agent-based scanners, on the other hand, can scan devices regardless of whether they are connected to the network, through an agent installed on each machine. The downside to this method is that the agent must be installed on everything being scanned, and not everything can support it, particularly cloud assets designed to be lightweight and short-lived. Scanning cloud assets in general can be a challenge because of shared responsibility with your cloud service provider (CSP): you may not be able to scan everything in your cloud environment, and scanning may require coordination with your CSP.
Pay close attention to common areas of weakness
Misconfigured or outdated firewalls: The firewall is your first line of defense for stopping malicious traffic. With the rise of remote work and the adoption of cloud computing, firewall configurations have become more complex, with more traffic from a wider variety of sources needing to be vetted. You should review your rules regularly to ensure they are up to date and still serve a purpose. Deleting old rules and combining overlapping rules can improve performance and efficiency. Similarly, rules should be added or adjusted as the network changes, keeping in mind in particular the changes needed to accommodate cloud access. While enabling access, follow the best practices of zero trust and least privilege, and maintain a consistent system for authentication. Remote work has also led to an increase in ransomware attacks that enter through Remote Desktop Protocol (RDP), so restricting port traffic and whitelisting IP addresses is more important than ever. Finally, don't forget about outgoing traffic. Monitoring outgoing traffic for data exfiltration and attempts to connect to malicious networks can provide an early warning sign of a breach.
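To make the rule-review advice above concrete, here is an added example (not from the original article or any vendor product) that audits a small constructed firewall rule base for three of the problems mentioned: shadowed rules that an earlier rule already covers (candidates for deletion or merging), rules with no hits over the review period (likely stale), and allow rules that expose remote-administration ports such as RDP to any source. The rule format and addresses are hypothetical.

```python
import ipaddress

# Constructed sample rule base, evaluated top-down; addresses are hypothetical.
# port=None means "any port".
RULES = [
    {"id": 1, "action": "allow", "src": "10.0.0.0/8",   "dst": "10.1.20.5/32",    "port": 443,  "hits": 12000},
    {"id": 2, "action": "allow", "src": "10.1.30.0/24", "dst": "10.1.20.5/32",    "port": 443,  "hits": 0},
    {"id": 3, "action": "allow", "src": "0.0.0.0/0",    "dst": "203.0.113.10/32", "port": 3389, "hits": 51},
    {"id": 4, "action": "allow", "src": "10.1.0.0/16",  "dst": "10.1.20.6/32",    "port": 22,   "hits": 0},
    {"id": 5, "action": "deny",  "src": "0.0.0.0/0",    "dst": "0.0.0.0/0",       "port": None, "hits": 9000},
]

def _covers(outer, inner):
    """True if every packet matched by `inner` is also matched by `outer`."""
    if outer["port"] is not None and outer["port"] != inner["port"]:
        return False
    return (ipaddress.ip_network(inner["src"]).subnet_of(ipaddress.ip_network(outer["src"]))
            and ipaddress.ip_network(inner["dst"]).subnet_of(ipaddress.ip_network(outer["dst"])))

def shadowed_rules(rules):
    """Rules that can never match because an earlier rule already covers all of their
    traffic. Returns (shadowed_id, covering_id) pairs for deletion or merging."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if _covers(earlier, later):
                found.append((later["id"], earlier["id"]))
                break
    return found

def unused_rules(rules, min_hits=1):
    """Rules whose hit counter stayed below min_hits over the review period."""
    return [r["id"] for r in rules if r["hits"] < min_hits]

def exposed_remote_access(rules, risky_ports=(3389, 22)):
    """Allow rules that open remote-administration ports to any source address."""
    return [r["id"] for r in rules
            if r["action"] == "allow" and r["port"] in risky_ports
            and ipaddress.ip_network(r["src"]).prefixlen == 0]

if __name__ == "__main__":
    print("shadowed:", shadowed_rules(RULES))
    print("unused:", unused_rules(RULES))
    print("remote access open to any source:", exposed_remote_access(RULES))
```

A rule that is both unused and shadowed (rule 2 here) is the clearest deletion candidate; a rule that is merely unused should be checked against the asset inventory before removal, since the destination host may simply have been decommissioned.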
Wi-Fi Routers: With work-from-home policies now common, it is important to educate employees about home Wi-Fi router best practices such as changing the default password and network name, updating router firmware, disabling remote administration, and making sure the router uses WPA2 or WPA3 encryption. The same practices apply to any in-office Wi-Fi routers.
Man-in-the-Middle Attacks: In a man-in-the-middle attack, the attacker intercepts and decrypts data, usually with the goal of stealing credentials and gaining login access to a system from which they can steal data or financial information. MITM attacks can be detected during network monitoring using deep packet inspection (DPI) and deep flow inspection (DFI), which provide packet-level details such as packet length and size.
DDoS Attacks: Distributed denial of service attacks attempt to overload your network with bad traffic so that legitimate traffic cannot reach your site. Testing for DDoS resiliency should look at your web servers as well as session border controllers (SBCs), unified communication and collaboration (UC&C) systems, and edge routers. Penetration testing may be required to fully gauge resiliency to DDoS attacks.
Network Intrusion: An important aspect of network vulnerability management is detecting and blocking network intrusion attacks such as multi-routing, buffer overflows, secret Common Gateway Interface (CGI) scripts, protocol impersonation, worms, and trojan horse malware.
Secure IoT Devices
The IoT, or internet of things, is the ever-expanding set of devices that can connect to our networks and transmit data. They are great for making our world more convenient but can pose a security risk if the differences between IoT devices and regular devices are not addressed. Unlike other devices in your network, IoT devices are more likely to run outdated software, lack encryption, carry application vulnerabilities, and ship with over-permissive access control and poor default settings. They often have the capability to run unnecessary services and lack a trusted execution environment, meaning attackers can install their own software unrelated to the device's function. If a threat actor gains access to an IoT device, they can easily reach other endpoints in the network because of the interconnected nature of these devices.
That being said, you don't need to shy away from IoT devices, as long as security measures are put in place. The first order of business should be finding all of these devices. Lack of visibility into how many IoT devices are in your network makes it hard to implement IoT security policies. IoT devices should be included in your vulnerability management asset inventory alongside the rest of your network devices. You can limit attackers' ability to use IoT devices as a foothold into the rest of your network by using next-generation firewalls and virtual local area network (VLAN) configurations to implement network segmentation. Many of the policies that you apply across your organization can be extended to the internet of things, such as requirements for password length and complexity and a regular cadence for patching and updating device firmware.
Getting started
Not sure where to start with network vulnerability management? RH-ISAC members have exclusive access to Member Exchange, our community discussion platform where retail and hospitality cybersecurity professionals collaborate and exchange knowledge. Check out discussion posts on topics such as assessing home networks and join groups such as the Vulnerability Management Working Group to participate in discussions and exchange of best practices. Not a member? Learn more about RH-ISAC membership.