Why aren’t you vulnerability scanning more often?

I’ve always been curious about companies that scan their enterprises for vulnerabilities once per quarter or even once per year. Why is this the case exactly? I’ve worked in these environments and I’ve heard all manner of excuses as to why this was an issue. “We can’t have any outages because it is a critical roll out for $project and we can’t have any downtime.” That one was always one of my favorites.

No matter what the rationale was there never failed to be an issue that would slow things down. There were several organizations that I worked in over the years that would severely constrain scanning activities to the point of abject frustration on my part. The worst of the lot only allowed for scanning once per year and only on select systems. The point of this was completely lost on me until I realized that most of the aforementioned systems would be offline for “maintenance” during the scanning windows. I finally got to the point where I would scan at off hours and figured that I would fall on my sword if I was dragged on the carpet for the inquisition. Could have been a career limiting move in many ways but, lucky for me in panned out.

Why would you want to scan more than once a year? Yes, I know, I know. You can stop laughing. Seriously though, have you ever encountered such nonsense? As an example, patches for Microsoft related products would come out at least 12 times per year. If you are only scanning your environment once per year the delta increases to an unpleasant level. You want to reduce your risk and vulnerability scanning can help move you closer to that end.

The increased scanning frequency will add some load to your network but, in this day and age, the load shouldn’t be such that you notice any appreciable degradation in service. The side effect being, that as you ramp up the frequency of scans, you will most likely find more issues that need to be remediated. The “show me the money” moment can be found in successfully reducing the number of vulnerabilities on your mitigations list.

Is there heavy lifting involved in the remediation aspect? Well, if you have been relegated to an annual environment scan you can be damn sure that you will have a lot of work to do. Approach this in a manner of tackling the top 10 on your list first and work your way down. This will also go a long way to demonstrating to auditors that you have a plan to address the problems on your network.

Is vulnerability scanning a silver bullet? Absolutely not. Sorry, did I stutter? It will find the low hanging fruit that really should not be there in the first place. The more of these issues that you can tackle, the better off your organization will be in the long run. Lather, rinse, repeat until your network is squeaky clean…or at least, smelling better.