November 4, 2003 edition

Security Scanning

One of the most important parts of maintaining system and network security is a regular regimen of monitoring, probing, updates, and upkeep, punctuated by regular security audits to confirm that the basis for your security regimen is sound and sufficiently complete to keep things safe and secure. When it comes to probing or testing for potential weaknesses or vulnerabilities, there's nothing better than a good security scan to expose your security posture as seen from outside (or inside) your network boundaries. The right tool for this job is a security scanning application of some kind, which you can access on the Web, install on one or more of your computers, or sign up for as a managed subscription service.

Literally hundreds of security scanning tools and services are available today: freeware, shareware, and commercial scanning software abounds, as do varying levels of free and for-a-fee scanning tools or services available through the Internet. In fact, it's useful to distinguish among the following types of offerings for performing security scans:

  • Network scanning tools or software: install these on a machine, then point them at a system or network you wish to scan. They work through their battery of probes and tests, then report on the results they produce. These tools generally involve some work to install, learn, and use, but many offer remote access and reporting features for incorporation into element or enterprise level management systems, or for automated, periodic use. Most also are easy to update, so that you can be sure you're checking for the latest vulnerabilities during each scan.
    The Open Source scanning tool of choice is Nessus (www.nessus.org), but GFI Software's LANGuard Network Security Scanner (www.gfi.com/lannetscan/) is available in both free and commercial forms and does a nice job, too. On the commercial side, Internet Security Systems, Symantec, and McAfee all offer highly-regarded security management suites that include scanning software in their mix of tools (ISS even offers standalone security scanner products).
    Many administrators install this kind of software on a laptop, to make it nice and portable, easy to use for external (outside the firewall) or internal (on an internal network segment) scanning jobs.
  • Web-based network scanning tools or services also abound. Free sites like Steve Gibson's ShieldsUp service (https://grc.com/x/ne.dll?bh0bkyd2) do a nice job of performing simple port scans, and SecuritySpace (www.securityspace.com) offers more comprehensive low- and no-cost security scans to visitors at its site, along with more expensive and inclusive subscription services by the instance or over time. Likewise, most managed security providers include regular security scans among the services they offer to their clients (many of which, like SecuritySpace's scans, are based on Nessus) as part of ongoing security maintenance.

The benefit of using security scanning software is that you can scan whenever and as often as you like, on as many networks or systems as you must. But working with such tools does imply a learning curve, which can sometimes be steep and therefore time-consuming, if not expensive outright, and involves setting up a computer to act as a scanning station on demand.

The benefits of using a security scanning service are that it requires little or no knowledge or skill to set up and run, and you'll often get great advice on remediation along with reports on those results. Of course, most commercial services run on a pay-as-you-go basis, so costs increase as the frequency, complexity, and post-scan support and remediation services go up as well. But for small office, home office, or home users, such services can represent an entirely affordable compromise between regular security maintenance and staff costs for security expertise in-house.

The key to using security scans to maintain security lies in proper application. Most security scans are used first to audit systems for security problems, then to verify that such problems have been fixed. Afterwards, such tools may then be used on a regular schedule to stay ahead of new threats or exposures. They should also be used occasionally for surprise inspections to help verify strong security, and again as soon as they're updated for new exploits, threats, or vulnerabilities, to check whether your networks or systems are subject to such exposure. And of course, whenever positive signs of vulnerability occur, it's essential to remediate, then to check again to be sure remediation is working properly.
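The audit-then-verify cycle described above can be checked mechanically by comparing a baseline scan against the rescan taken after remediation. The following is an added example, not part of the original article or any scanner's own code; the pipe-delimited export layout, check IDs, and addresses are constructed assumptions.

```python
import csv
from io import StringIO

# Constructed sample exports: host|port|check_id|severity|title
# (layout is an assumption for this example, not a real scanner's format).
BASELINE = """\
192.0.2.10|21/tcp|CHK-0101|high|Anonymous FTP login allowed
192.0.2.10|80/tcp|CHK-0207|medium|Web server version banner exposed
192.0.2.20|161/udp|CHK-0315|high|Default SNMP community string
"""
RESCAN = """\
192.0.2.10|80/tcp|CHK-0207|medium|Web server version banner exposed
192.0.2.20|23/tcp|CHK-0420|high|Telnet service enabled
"""

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def parse_findings(text):
    """Return {(host, port, check_id): (severity, title)} from an export."""
    findings = {}
    for row in csv.reader(StringIO(text), delimiter="|"):
        if len(row) != 5:
            continue  # skip blank or malformed lines instead of guessing
        host, port, check_id, severity, title = (f.strip() for f in row)
        findings[(host, port, check_id)] = (severity.lower(), title)
    return findings


def compare_scans(baseline_text, rescan_text):
    """Classify findings as remediated, still open, or newly exposed."""
    before, after = parse_findings(baseline_text), parse_findings(rescan_text)

    def ranked(keys, source):
        # Worst severity first, then host/port so reports are stable.
        return sorted(keys, key=lambda k: (SEVERITY_ORDER.get(source[k][0], 9), k))

    return {
        "remediated": ranked(before.keys() - after.keys(), before),
        "still_open": ranked(before.keys() & after.keys(), after),
        "new": ranked(after.keys() - before.keys(), after),
    }


if __name__ == "__main__":
    report = compare_scans(BASELINE, RESCAN)
    for status, keys in report.items():
        for host, port, check_id in keys:
            print(f"{status:11} {host:12} {port:8} {check_id}")
```

A finding that is absent from the rescan only counts as remediated if the rescan actually covered that host and port; a host that was offline during the rescan would otherwise look fixed.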

For smaller organizations, security scanning services emphasize convenience and little or no intrusiveness over cost. That's because such services typically require no special-purpose local software; most run through your Web browser, linked to a page at the service provider's site. They use large, regularly updated databases of vulnerability scans (for example, SecuritySpace currently includes nearly 1,800 tests in its vulnerability scan database), and accompany result reports with risk assessments and detailed test reports. These reports usually include remediation advice, but the less you pay for the service, the less helpful such advice tends to be.

For those willing to invest the time and effort necessary to run such tools or services, and to act on their reports, the results will normally produce a higher level of security for users and organizations alike. Thus, security scans of some kind should be part of any well-designed security maintenance regimen.

Written by Ed Tittel | email: etittel@lanw.com

 
Brought to you by CramSession