In a previous discussion, we explained some aspects of vulnerability scanning. In this session, we would like to briefly discuss some basic knowledge about vulnerability scanning in the context of security operations.
Vulnerability scanning is a common method used in information security to assess risks. It is similar to a doctor using an X-ray to examine a patient's body for any issues. Security professionals often use vulnerability scanning to assess whether target systems have vulnerabilities and make decisions on the next steps for security protection.
The principle behind vulnerability scanning involves sending specific requests to remote services and determining the existence of specific vulnerabilities based on the behavior or version information returned by these services.
Impact of vulnerability scanning
1.1 Network impact: The frequency and quantity of network packet requests can have an impact on the network and applications. High request rates may overload switches or routers, leading to a chain reaction and potential service interruptions.
1.2 Impact on exception handling: In some cases, the business may not handle special inputs correctly, leading to exceptions or crashes. For example, a service using a proprietary protocol that happens to listen on TCP port 80 might crash when it receives an HTTP GET request.
1.3 Impact on logs: When scanning public-facing services, each URL probe can result in a 40x or 50x error log entry. The normal monitoring logic of the business relies on the status codes in the access logs. If no action is taken, a sudden increase in 40x errors would require a response from the business's SRE (Site Reliability Engineering) and RD (Research and Development) teams. If they discover that it was triggered by a security engineer and it also caused the impacts mentioned in 1.1 and 1.2, the responsibility will lie with the security engineer.
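As an added example (not code from the original article), the following Python script shows the log-side adjustment the monitoring team ends up making: it parses access log lines, attributes 4xx/5xx entries to the scanner only when source address, User-Agent and timestamp all match what the change plan declared, and pages on-call only for error spikes that remain after that exclusion. The log lines, the scanner source 203.0.113.0/24, the User-Agent prefix corp-vulnscan/ and the time window are all constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed sample access log (Combined Log Format); not real traffic.
# 203.0.113.10 and "corp-vulnscan/1.0" are the assumed scanner source and
# User-Agent recorded in the change plan.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:01 +0000] "GET /check/1 HTTP/1.1" 404 162 "-" "corp-vulnscan/1.0"
203.0.113.10 - - [10/Oct/2023:13:55:01 +0000] "GET /check/2 HTTP/1.1" 404 162 "-" "corp-vulnscan/1.0"
203.0.113.10 - - [10/Oct/2023:13:55:02 +0000] "GET /check/3 HTTP/1.1" 404 162 "-" "corp-vulnscan/1.0"
198.51.100.7 - - [10/Oct/2023:13:55:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:03 +0000] "GET /api/orders HTTP/1.1" 500 87 "-" "Mozilla/5.0"
198.51.100.8 - - [10/Oct/2023:13:55:03 +0000] "GET /api/orders HTTP/1.1" 500 87 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Parse one Combined Log Format line into a dict, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return entry


def classify_errors(lines, scanner_cidrs, scanner_ua_prefix, window):
    """Split 4xx/5xx entries into scanner-attributed and everything else.

    An entry counts as scanner traffic only if the source IP is in the
    declared ranges, the User-Agent carries the declared prefix and the
    timestamp falls inside the authorized window. Anything that fails any
    of the three tests stays alertable, so a spoofed User-Agent alone
    cannot hide real errors.
    """
    nets = [ip_network(c) for c in scanner_cidrs]
    start, end = window
    scanner, other = Counter(), Counter()
    for line in lines:
        e = parse_line(line)
        if e is None or e["status"] < 400:
            continue
        bucket = e["status"] // 100 * 100  # 400 or 500
        from_scanner = (
            any(ip_address(e["ip"]) in n for n in nets)
            and e["ua"].startswith(scanner_ua_prefix)
            and start <= e["ts"] <= end
        )
        (scanner if from_scanner else other)[bucket] += 1
    return scanner, other


def should_page(other_errors, threshold_5xx=2):
    """Alert rule applied after the exclusion: page only on non-scanner 5xx."""
    return other_errors[500] >= threshold_5xx


def demo():
    """Run the classification over SAMPLE_LOG with the (assumed) plan values."""
    window = (datetime(2023, 10, 10, 13, 0, tzinfo=timezone.utc),
              datetime(2023, 10, 10, 15, 0, tzinfo=timezone.utc))
    scanner, other = classify_errors(
        SAMPLE_LOG.splitlines(), ["203.0.113.0/24"], "corp-vulnscan/", window)
    return scanner, other, should_page(other)


if __name__ == "__main__":
    s, o, page = demo()
    print("scanner-attributed:", dict(s), "other:", dict(o), "page on-call:", page)
```

The three 404s from the scanner are counted but do not page anyone, while the two 500s from ordinary clients still do; that is the separation the business needs before it can agree to regular scanning.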
Issues that arise
For security engineers, not conducting vulnerability scanning may mean being unable to perform their work, identify company risks, or carry out governance tasks. For business stakeholders, vulnerability scanning introduces the risk of disruptions and unavailability of services, which can be a significant concern. Some peers in the industry have faced blame and negative consequences due to these issues, while others have strained relationships with the business side.
Where the problem lies
Vulnerability scanning represents a new change for the business side. Issues are inevitable when introducing such changes, and having no issues would be unusual. The best practice is to follow "change management" principles from ITIL (Information Technology Infrastructure Library).
Change plan: Define the scanning time, IP/URL/port range, queries per second (QPS), and test case selection (including DoS test cases, asset selection for Delete/Update operations, and selection of POST hidden interfaces).
Change risk assessment: Evaluate the impact on network traffic, router capacity, business QPS, and the extreme risk of business/network failure.
Change notification: Ensure that the business managers, RD, SRE, DBA, QA, and even network maintenance teams are aware of the key information mentioned above and have authorized the scanning (mandatory notification throughout the company at the very least).
Rollback plan: Prepare a quick response plan to stop scanning and restore business operations if problems occur (some actions may require the cooperation of key stakeholders informed during the change notification).
Change observation: Pay attention to service errors and assess business continuity during the scanning process, enabling prompt responses to any issues.
Change summary: Identify areas for improvement based on the execution of scanning and make adjustments in subsequent work.
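The change plan, rollback plan and change observation steps above can be enforced by the scanning tool itself rather than left to discipline. The following Python example is added here and is not the article's or any scanner's code: it encodes a plan (time window, IP ranges, ports, QPS, whitelisted assets, error-rate trigger), refuses targets outside that plan, spaces requests to the agreed rate, and aborts the run as soon as the observed failure rate exceeds the agreed threshold. The network ranges, hosts, thresholds and the simulated probe results are constructed; probe() stands in for whatever check the scanner performs.

```python
import time
from dataclasses import dataclass, field
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network


@dataclass
class ScanPlan:
    """The written change plan: when, what, how fast, and when to stop (values constructed)."""
    window_start: datetime
    window_end: datetime
    scope_cidrs: list            # authorized IP ranges
    ports: set                   # authorized ports
    max_qps: float               # agreed request rate
    excluded_cidrs: list = field(default_factory=list)  # whitelisted assets
    max_error_rate: float = 0.2  # rollback trigger from the risk assessment
    min_samples: int = 10        # don't judge the error rate on too few probes


def target_authorized(plan, ip, port, now):
    """Scope check: only what was agreed, only inside the agreed time window."""
    addr = ip_address(ip)
    in_window = plan.window_start <= now <= plan.window_end
    excluded = any(addr in ip_network(c) for c in plan.excluded_cidrs)
    in_scope = any(addr in ip_network(c) for c in plan.scope_cidrs)
    return in_window and not excluded and port in plan.ports and in_scope


class RateLimiter:
    """Spaces requests so the agreed QPS is never exceeded; the clock is injectable."""
    def __init__(self, qps, clock=time.monotonic):
        self.interval = 1.0 / qps
        self.clock = clock
        self.next_allowed = clock()

    def wait_time(self):
        """Seconds the caller must sleep before sending the next request."""
        now = self.clock()
        wait = max(0.0, self.next_allowed - now)
        self.next_allowed = max(now, self.next_allowed) + self.interval
        return wait


class RollbackMonitor:
    """Change observation: trips once the probe failure rate exceeds the plan's limit."""
    def __init__(self, plan):
        self.plan, self.total, self.errors, self.tripped = plan, 0, 0, False

    def record(self, ok):
        """Record one probe outcome; returns False once the rollback trigger has fired."""
        self.total += 1
        self.errors += 0 if ok else 1
        if (self.total >= self.plan.min_samples
                and self.errors / self.total > self.plan.max_error_rate):
            self.tripped = True
        return not self.tripped


def run_scan(plan, targets, probe, now, clock=time.monotonic, sleep=time.sleep):
    """Drive probe(ip, port) over targets under the plan; stop at the first rollback trigger."""
    limiter, monitor = RateLimiter(plan.max_qps, clock), RollbackMonitor(plan)
    probed, skipped, rolled_back = [], [], False
    for ip, port in targets:
        if not target_authorized(plan, ip, port, now):
            skipped.append((ip, port))
            continue
        sleep(limiter.wait_time())
        probed.append((ip, port))
        if not monitor.record(probe(ip, port)):
            rolled_back = True   # stop immediately; remaining targets are never touched
            break
    return {"probed": probed, "skipped": skipped, "rolled_back": rolled_back}


class FakeClock:
    """Simulated clock so the demo runs instantly and deterministically."""
    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def sleep(self, seconds):
        self.t += seconds


def demo():
    """Constructed plan and targets; the fake probe reports hosts .5 to .7 as failing."""
    plan = ScanPlan(
        window_start=datetime(2023, 10, 10, 13, 0, tzinfo=timezone.utc),
        window_end=datetime(2023, 10, 10, 15, 0, tzinfo=timezone.utc),
        scope_cidrs=["10.0.0.0/24"], ports={80, 443}, max_qps=5.0,
        excluded_cidrs=["10.0.0.250/32"], max_error_rate=0.3, min_samples=4)
    targets = [("10.0.0.1", 80), ("10.0.0.2", 80), ("10.0.0.250", 80), ("10.0.1.1", 80),
               ("10.0.0.3", 22), ("10.0.0.4", 443), ("10.0.0.5", 443), ("10.0.0.6", 80),
               ("10.0.0.7", 80)]
    failing = {"10.0.0.5", "10.0.0.6", "10.0.0.7"}   # simulated crashes / resets
    clock = FakeClock()
    result = run_scan(plan, targets, lambda ip, port: ip not in failing,
                      now=datetime(2023, 10, 10, 14, 0, tzinfo=timezone.utc),
                      clock=clock.now, sleep=clock.sleep)
    result["elapsed"] = clock.t
    return result


if __name__ == "__main__":
    print(demo())
```

In the demo the whitelisted host, the out-of-scope subnet and the unauthorized port are skipped without a single packet, five hosts are probed at the agreed 5 QPS, and the run aborts after the second failure pushes the error rate past 30%, leaving the last host untouched. The same structure also gives the change summary its raw material: what was probed, what was skipped, and whether rollback fired.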
Strictly speaking, if security professionals initiate scanning without following these methods and conduct an aggressive scan right away, it is indeed a lack of professionalism on their part. It is not fair to blame the business side for not understanding or supporting these actions.
Recommendations: Aggressive scanning for the public network, cautious approach for the internal network
When classifying based on the network:
Internet-facing public services: These must undergo security checks because if we don't scan them, malicious actors will continuously target them. Instead of being caught off guard and compromised, it is better to have a planned approach and gradually adapt to being scanned.
Under the premise of adhering to change management principles, which may make the deployment process somewhat cumbersome and painful, the business side may need one month to modify monitoring logic (ignoring erroneous requests triggered by the scanner) and make adjustments to handle exceptions triggered by certain scans. In some cases, for unmaintained services that cannot be modified after scanning, whitelisting may be necessary. These adjustments require collaboration and coordination. Once the adjustment phase is complete and the security team can conduct regular and continuous scanning, the aforementioned issues will no longer be a problem.
Internet-facing high-risk services: Only protocol identification is necessary, without performing vulnerability scanning. Having open ports for high-risk services is not recommended, and it is better to directly shut down such services. Scanning for vulnerabilities would only waste resources.
Internet-facing private protocols: Most scanners do not support vulnerability scanning for these protocols, so they should be excluded from the scanning process. However, this may create blind spots, which will not be further discussed here.
Scanning internal services is much more complex than the aforementioned scenarios. On one hand, the probability of external attackers scanning internal services is relatively low. On the other hand, the reliance on traditional privileges within the internal network leads to a higher number of vulnerabilities compared to the public network. Moreover, internal systems are less resilient to scanning, and the likelihood of issues arising is high.
If only port scanning is performed and it is confirmed that the switches and routers can handle it (note: there have been cases where older network devices crashed even with a small increase in scanning requests), it can be relatively acceptable.
However, protocol identification may cause certain vulnerable services to crash, and brute-force attacks could result in account lockouts (which can lead to subsequent incidents). The risks associated with vulnerability scanning are even greater.
Therefore, in many cases, it is not encouraged to rely solely on network scanning for assessing internal network risks. If agents can collect information such as version numbers, configurations, and account-related data, it is possible to gather risk-related data without solely relying on network scanning as the only means.
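To make the agent-based alternative concrete, here is an added Python example (not from the article) that evaluates risk from data an endpoint agent has already collected, without sending any packets to the host: package versions are compared against affected-version ranges, configuration keys against expected values, and account data against a password-age limit. The inventory record, the version rules and the configuration rules are all constructed placeholders, not real advisories or a real host.

```python
import re
from dataclasses import dataclass

# Constructed inventory as an endpoint agent might report it; not a real host.
INVENTORY = {
    "host": "app-01",
    "packages": {"openssh-server": "8.2p1-4ubuntu0.5", "nginx": "1.18.0-6", "samba": "4.13.17"},
    "config": {"sshd.PermitRootLogin": "yes", "sshd.PasswordAuthentication": "yes"},
    "accounts": [{"name": "root", "password_age_days": 800},
                 {"name": "deploy", "password_age_days": 30}],
}


@dataclass(frozen=True)
class VersionRule:
    """Affected-version range for one package. Constructed placeholders, not real advisories."""
    package: str
    min_affected: str   # inclusive
    fixed_in: str       # exclusive; None means no fixed release is known
    risk: str


RULES = [
    VersionRule("nginx", "1.0.0", "1.20.0", "high"),
    VersionRule("samba", "4.0.0", "4.14.0", "critical"),
    VersionRule("openssh-server", "9.0", "9.3", "medium"),
]

# (config key, disallowed value, risk); constructed expectations
CONFIG_RULES = [
    ("sshd.PermitRootLogin", "yes", "high"),
    ("sshd.PasswordAuthentication", "yes", "medium"),
]
MAX_PASSWORD_AGE_DAYS = 365


def parse_version(v):
    """Turn '8.2p1-4ubuntu0.5' into (8, 2, 1): drop the distro revision, keep numeric parts.

    Deliberately simple; real advisory matching must also account for
    distribution backports, which this upstream-only comparison ignores.
    """
    upstream = v.split("-", 1)[0]
    return tuple(int(n) for n in re.findall(r"\d+", upstream))


def is_affected(rule, version):
    """True when version lies in [min_affected, fixed_in)."""
    pv = parse_version(version)
    if pv < parse_version(rule.min_affected):
        return False
    return rule.fixed_in is None or pv < parse_version(rule.fixed_in)


def assess(inventory, rules=RULES, config_rules=CONFIG_RULES):
    """Produce findings purely from agent data; nothing is sent to the host."""
    findings = []
    pkgs = inventory["packages"]
    for r in rules:
        if r.package in pkgs and is_affected(r, pkgs[r.package]):
            findings.append({"type": "version",
                             "subject": f"{r.package} {pkgs[r.package]}", "risk": r.risk})
    for key, bad, risk in config_rules:
        if inventory["config"].get(key) == bad:
            findings.append({"type": "config", "subject": f"{key}={bad}", "risk": risk})
    for acct in inventory["accounts"]:
        if acct["password_age_days"] > MAX_PASSWORD_AGE_DAYS:
            findings.append({"type": "account", "subject": acct["name"], "risk": "medium"})
    return findings


if __name__ == "__main__":
    for f in assess(INVENTORY):
        print(f"{f['risk']:8} {f['type']:8} {f['subject']}")
```

Because the judgement is made from reported versions rather than from provoking the service, a fragile internal daemon is never exposed to malformed input, and the account check does not risk the lockouts that network-side credential testing can cause.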
However, does this mean that there are many risks within the internal network?
The harsh reality is yes, this is the situation in the majority of enterprises today, which is indeed very alarming, isn't it? If certain vulnerabilities are critical (e.g., MS17-010) and specifically target certain port services, the internal network can still follow the standard process mentioned above for scanning. However, conducting full-scale vulnerability scanning across the entire internal network becomes challenging.
These are some operational insights regarding vulnerability scanning. Feel free to refer to them. If you want to learn more, you are welcome to follow our website or contact Shanghai InsightSec Network Technology Co., Ltd. to obtain further knowledge.