Corporate Vulnerability Scanning

Where would you prioritize scanning an organisation's network for vulnerabilities?

We do a risk model and prioritize areas for pen testing and vulnerability assessments, but I want to hear others' views on where you prioritize, or essentially "where to start".

Say you have a typical setup of some users remotely accessing the network, be it through Citrix or whatever; you have some web servers, SQL Servers, Oracle servers, firewalls, VPN access for 3rd parties, 2003 file servers, Active Directory DCs (several domains), internal users. If you got placed right in the middle and management said to prioritize areas to focus on first for vulnerabilities, in order of high priority, where would you start? I.e. "right, we must start with this area first due to impact if compromised, then on to this, then to this, etc." Do you focus on the network's shell first, or the inside? Any pointers welcome.

slemmesmi commented:
Dear pma111,

first you need to consider what your IT risks are - here I advise you to refer to a BIA (Business Impact Analysis) to identify the most critical systems (i.e. those supporting the most critical business processes), and which data classification (integrity and confidentiality) those have.
Next you need to decide for those systems what, from an IT perspective, is most critical, and what you thus should audit, among others:
1. Are the systems patched/running latest versions of software (all/any software on those systems)?
2. What is the attack surface of each system (ranging from physical security/access, network paths to those, encryption, open network ports, user accounts having direct access to log on to those systems, etc.)? Assess the risk of each of those, then decide which to prioritise the highest.
3. You need to ask yourself if a pen test is really what you need. What do you want to come out of the pen test?
4. You must be 110% certain you are allowed (get that in writing from your BOD) to carry out a pen test!
5. You must be 110% certain that you choose an utmost professional(!) pen testing company, who can guarantee(!) their pen test does not take down your systems (a non-pro pen tester could "without knowing" test your systems for DoS robustness, and cause a DoS).
Much more to write - time does not allow, sorry.

I truly advise you to pick a very professional pen tester.
Go through your external auditors and ask them to recommend such a pen tester.

Kind regards,
notacomputergeek commented:
Well, the first thing I would consider would be to decide if your vulnerability tests are based on generic systems or on your current environment. For example, a generic domain may not require strong passwords, so that would be a vulnerability. However, your environment may already be doing this, so it is less of a vulnerability.

The IT risk management should be supportive of the corporate risk strategy. So, to build an IT risk strategy, you must first know what the overall corporate risk strategy is. No doubt you have many systems within your organization, so corporate should prioritize which systems and locations are most important. For example, if a catastrophe happened, which systems and locations need to come back online first? Corporate offices, satellite offices, e-mail, accounting, manufacturing, etc. The reason I suggest this is that your tests should not be created in a vacuum and should be consistent with the corporate goals. Vulnerability tests should then be designed to protect the most important systems/locations, and then work your way down.

One more thought, when doing risk management, list all the scenarios that could happen and then rank their business impact and how likely they are to happen. You can use a 0-1 scale for both criteria and multiply them together to get a ranking number for each scenario. Start focusing tests on the 1s (high business impact and very likely) and go down to the 0s (low business impact and very unlikely).
MichaelOwen commented:
Looking simply at the question of "where do you start," the answer is that this will depend on your environment. The best way to prioritise systems is by performing a Business Impact Assessment (BIA) of the systems you have in place. A BIA attempts to assess the impact to the business of a loss of confidentiality, integrity or availability of a system and its data. You typically take a set of scenarios to the owner of each system, and help them decide just how bad things would be if, for example, your internal customer data (credit cards, etc) was stolen, or if the data was lost due to server failure, and so on.

Note that the BIA doesn't just consider systems holding data - your access points (Citrix and VPN server for 3rd parties) are systems to be considered, as are your firewalls. One might typically expect these core systems to be critical; if you have a system in your organisation that you realise is "extremely critical" under the BIA ratings you select, then clearly core protection of that system (your perimeters and access controls) floats up to "extremely critical."

Bearing in mind the above, I would suggest that your perimeter network controls are quite likely to be your highest priority. You could start off with those while you are agreeing a BIA methodology with the business to prioritise all of your internal systems. While a "hard shell" security model is not a long term solution, you ought to know how your shell looks before you worry about the servers it contains.
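The impact-times-likelihood ranking from notacomputergeek's reply and the "perimeter first" conclusion from MichaelOwen's reply, worked through as an added example (this is not code from the thread or from any of the posters). The inventory is constructed to mirror the systems named in the question; the base likelihood, the flag weights and the wave thresholds are assumptions chosen for illustration, not a standard:

```python
"""Rank systems for vulnerability scanning by BIA impact x likelihood.

Added example, not from the original thread. The inventory below is
constructed to mirror the systems in the question, and the likelihood
weights are assumptions chosen for illustration, not a standard.
"""
from dataclasses import dataclass

# Assumed likelihood model: every asset starts with a base likelihood and
# each exposure flag adds to it, capped at 1.0 so the product with impact
# stays on the 0-1 scale described in the thread.
BASE_LIKELIHOOD = 0.2
LIKELIHOOD_WEIGHTS = {
    "internet_facing": 0.4,       # reachable from outside: the "shell"
    "third_party_access": 0.3,    # partner VPN/Citrix paths you do not control
    "unsupported_os": 0.3,        # e.g. Windows Server 2003, no vendor patches
    "holds_sensitive_data": 0.1,  # attractive target once reached
}


@dataclass(frozen=True)
class Asset:
    name: str
    impact: float                   # BIA rating, 0-1: loss of C/I/A
    flags: frozenset = frozenset()  # subset of LIKELIHOOD_WEIGHTS keys

    def __post_init__(self):
        if not 0.0 <= self.impact <= 1.0:
            raise ValueError(f"{self.name}: impact must be in 0-1")
        unknown = set(self.flags) - set(LIKELIHOOD_WEIGHTS)
        if unknown:
            raise ValueError(f"{self.name}: unknown flags {sorted(unknown)}")


def likelihood(asset: Asset) -> float:
    """Base likelihood plus the weight of every exposure flag, capped at 1."""
    score = BASE_LIKELIHOOD + sum(LIKELIHOOD_WEIGHTS[f] for f in sorted(asset.flags))
    return min(score, 1.0)


def risk_score(asset: Asset) -> float:
    """Impact x likelihood, rounded so near-equal floats tie cleanly."""
    return round(asset.impact * likelihood(asset), 3)


def rank_assets(assets):
    """Highest risk first; ties broken by name so the plan is stable."""
    return sorted(assets, key=lambda a: (-risk_score(a), a.name))


def scan_plan(assets, high=0.5, medium=0.25):
    """Bucket the ranked assets into scan waves (thresholds are assumptions)."""
    waves = {"first": [], "second": [], "later": []}
    for asset in rank_assets(assets):
        score = risk_score(asset)
        wave = "first" if score >= high else "second" if score >= medium else "later"
        waves[wave].append(asset.name)
    return waves


# Constructed inventory modelled on the question's environment.
INVENTORY = [
    Asset("edge-firewall", 1.0, frozenset({"internet_facing"})),
    Asset("citrix-gateway", 0.9, frozenset({"internet_facing"})),
    Asset("partner-vpn", 0.8, frozenset({"internet_facing", "third_party_access"})),
    Asset("public-web", 0.7, frozenset({"internet_facing", "holds_sensitive_data"})),
    Asset("sql-cluster", 0.9, frozenset({"holds_sensitive_data"})),
    Asset("oracle-erp", 0.9, frozenset({"holds_sensitive_data"})),
    Asset("file-2003", 0.5, frozenset({"unsupported_os", "holds_sensitive_data"})),
    Asset("ad-dc-corp", 1.0, frozenset({"holds_sensitive_data"})),
    Asset("intranet-wiki", 0.2),
]

if __name__ == "__main__":
    for asset in rank_assets(INVENTORY):
        print(f"{risk_score(asset):.2f}  {asset.name}")
    print(scan_plan(INVENTORY))
```

With these weights the first wave is the partner VPN, the edge firewall and the Citrix gateway, which is the "know your shell first" order MichaelOwen arrives at; the data stores and domain controllers land in the second wave only because nothing in this model raises their likelihood. That is the point of writing the ranking down: when a domain controller scores the same as a 2003 file server, the weights are what you argue about with the system owners, not the scan order itself.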