Vulnerability scanning or fumbling in the dark?

On more than a few occasions I have had the responsibility for conducting vulnerability scans in the enterprise as a part of my job. When I was new in the industry I would jump at the chance to run scans. I still remember fawning over my first copy of Ballista.

One item that I learned early on was the need for privileged access to systems for my scanners so that I could get a more complete picture of the disposition of the systems that I was scanning. This inevitably led to running street battles with the Active Directory team or the UNIX admins who had no interest in having their systems violated.

Don’t even get me started on the database administrators…sigh.

This battle for access eventually bore fruit as they were keen to make me stop sitting on their desk. I would usually sit there until I got my way.

Rather effective tactic by the way.

Without these credentials I would not be able to get a clear view of the security posture of the systems in the enterprise network.

This lack of clarity brings to mind a quote from one of my favourite movies, The Hunt For Red October.

Captain Davenport: They’re pinging away with their active sonar like they’re looking for something, but nobody’s listening. 

 

Jack Ryan: What do you mean? 

 

Captain Davenport: Well, they’re moving at almost forty knots. At that speed, they could run right over my daughter’s stereo and not hear it. 

Why does this draw a parallel for me? Well, allow me to share with you a conversation I had with a friend a couple of months ago. He mentioned that his staff were scanning their corporate network which supports roughly 2,500 systems. Of the systems that were being scanned, the tool they used reported that they had approximately 38,000 vulnerabilities in total. 

Being a pessimistic types we both were of a mind this was a low number. He had asked his folks to scan with credentials. When they did this the number of vulnerabilities detected ballooned to roughly 1.5 million. 

Bit of a difference, no?

This might seem trite to point out that scanning without credentials will only provide you some of the picture. However, as I have run into this issues in several organizations and I still hear stories about this I figured I should discuss it.

To be fair this sort of large number of results will freak out any C-Suite type. But, delivering the truth about the organization’s security posture and the associated mitigation plan is far easier to stomach.  Easier than having to explain to them why the company’s intellectual property just waltzed out the front door thanks to a deprecated version of Java on someone’s laptop.

Do you have any vulnerability management or scanning (horror) stories that you’d like to share? Please feel free leave a comment below.

(Image used under CC from Analog Weapon)