Vulnerability Scanning Frequency Best Practices
So you’ve decided to set up a vulnerability scanning programme, great. That’s one of the best ways to avoid data breaches. How often you should run your scans though isn’t such a simple question. The answers aren’t the same for every type of organisation, or every type of system you’re scanning. This guide will help you understand the questions you should be asking, and help you come up with the answers that are right for you.
How often should vulnerability scans be run
A lot of the advice below depends on what exactly you’re scanning. If you’re not sure about that yet - check out our vulnerability scanning guide.
Once you’ve decided which systems should be in scope, and what type of scanner you need, you’re ready to start scanning. So how often should you ideally be running vulnerability scans?
Here are five strategies to consider, and we’ll discuss in which scenarios they work best:
- Emerging threat-based
Fast-moving tech companies often deploy code or infrastructure changes on a daily basis, while other organisations can have a relatively static setup, and not be making regular changes to any of their systems. The complexity of technology we use means that each change can bring with it a catastrophic configuration mistake, or the accidental introduction of a component with known vulnerabilities. For this reason, running a vulnerability scan after even minor changes are applied to your systems is a sensible approach.
Because it’s based on changes, this approach is most suited for rapidly changing assets, like web applications, or cloud infrastructure like AWS, Azure and GCP, where new assets can be deployed and destroyed on a minute-by-minute basis. It’s also particularly worth doing in cases where these systems are exposed to the public internet.
For this reason, many companies choose to integrate testing tools into their deployment pipelines automatically, via an API with their chosen scanning tool.
It’s also worth considering how complex the change you’re making is. While automated tools are great for regular testing, the bigger or more dramatic the change you’re making, the more you may want to consider getting a penetration test to double check no issues have been introduced.
Good examples of this might be making big structural changes to the architecture of web applications, any sweeping authentication or authorisation changes, or large new features introducing lots of complexity. On the infrastructure side the equivalent might be a big migration to the cloud, or moving from one cloud provider to another.
Even if you don’t make regular changes to your systems, there is still an incredibly important reason to scan your systems on a regular basis, and one that is often overlooked by organisations new to vulnerability scanning.
Security researchers regularly find new vulnerabilities in software of all kinds, and public exploit code which makes exploiting them a breeze can be publicly disclosed at any time. This is what has been the cause of some of the most impactful hacks in recent history, from the Equifax breach to the Wannacry ransomware, both were caused by new flaws being uncovered in common software, and criminals rapidly weaponising exploits to their own ends.
No software is exempt from this rule of thumb. Whether it’s your web server, operating systems, a particular development framework you use, your remote-working VPN, or firewall. The end result is that even if you had a scan yesterday that said you were secure, that’s not necessarily going to be true tomorrow.
New vulnerabilities are discovered every day, so even if no changes are deployed to your systems, they could become vulnerable overnight.
Does that mean that you should simply be running vulnerability scans non-stop though? Not necessarily, as that could generate problems from excess traffic, or mask any problems occurring.
For a yardstick, the notorious WannaCry cyber-attack shows us that timelines in such situations are tight, and organisations that don’t react in reasonable time to both discover and remediate their security issues put themselves at risk. Microsoft released a patch for the vulnerability WannaCry used to spread just 59 days before the attacks took place. What’s more, attackers were able to produce an exploit and start compromising machines only 28 days after a public exploit was leaked.
Looking at the timelines in this case alone, it’s clear that by not running vulnerability scans and fixing issues within a 30-60 day window is taking a big risk, and don’t forget that even after you’ve discovered the issue, it may take some time to fix.
Our recommendation for good cyber hygiene for most businesses, is to use a vulnerability scanner on your external facing infrastructure on at least a monthly basis, to allow you to keep one step ahead of these nasty surprises. For organisations with a heightened sensitivity to cyber security, weekly or even daily scans may make more sense. Similarly, internal infrastructure scans once a month help maintain good cyber hygiene.
For web applications, scanning their framework and infrastructure components on a regular basis makes equal sense, but if you’re looking for mistakes in your own code with authenticated scans, a change-based approach makes much more sense.
If you’re running vulnerability scans for compliance reasons, then specific regulations often explicitly state how often vulnerability scans should be performed. For instance, PCI DSS requires that quarterly external scans are performed on the systems in its scope.
However, Intruder recommends thinking carefully about your scanning strategy, as regulatory rules are meant as a one-size-fits-all guideline which may not be appropriate for your business. Simply comparing this 90-day regulation with the timelines seen in the WannaCry example above shows us that such guidelines don’t always cut the mustard. If you actually want to stay secure rather than simply ticking a box, often it makes sense to go above and beyond these regulations, in the ways described above.
Vulnerability scanners can produce a vast amount of information, and reveal a lot of flaws, some of which will be bigger risks than others. When considering the amount of information that needs processing, and the amount of work that needs to take place to rectify these flaws, it can be tempting to think it only makes sense to scan as often as you can deal with all the output, like once a quarter.
While that would be a nice way to do things, unfortunately new vulnerabilities are being discovered on a much more regular basis than that, so rather than limiting your scans to how often you can deal with the output, it is much more sensible to seek out a scanner that generates less noise in the first place, and helps you focus on the most important issues first; and gives you guidance about on what kind of timescales the others should be addressed.
It’s also the case that as humans, we start to ignore things if they become too noisy. Alert-fatigue is a genuine concern in cyber security, so you should make sure you’re working with a tool that’s not spamming you with information 24/7, as this may make you stop paying attention, and more likely to miss the important issues when they happen. Make sure to factor this in when choosing a scanner, as it’s a common mistake to think that the one that gives you the most output is the best!
So now you’ve decided on what schedule to run your scans, it’s worth considering what happens in the gaps when you’re not running scans.
For example, say you decide that a monthly scan makes sense for you to pick up on any changes you make on a semi regular basis. That’s great, but as the timelines for the Equifax breach shows, you might have a problem even in such a short space as 30 days, if a vulnerability is discovered the day after your last scan. Combining our thoughts around alert-fatigue above though, just scheduling a daily scan may not be the best way to avoid this.
To tackle this problem, some vulnerability scanners provide ways to cover these gaps - some do it by storing the information retrieved on the last scan, and alerting you if that information is relevant to any new vulnerabilities as they are released.
We also offer a similar concept at Intruder, which we call “Emerging Threat Scans”, but we proactively scan all of our customers each time a new vulnerability emerges, to make sure all the information is as up to date as possible, and we’re not raising any false alerts based on old information.
We hope this article has helped you decide how often you should be running your vulnerability scans, and if you haven’t already picked a tool to work with, now might be a good time to try out our free trial.