Vulnerability Scanning and Patch Management

Vulnerability scanning is an essential foundational security control and vital for every organization. Cyber-attacks such as WannaCry and Petya, left many asking the question: How can we stay safely ahead of the next threat?

As new vulnerabilities are discovered, it’s a race against time to derive effective defense strategies.

In most cases, this requires fixes for the software or platform affected, delivered in the form of a patch. In other cases it may require mitigation of the threat via secure configuration settings – see System Hardening and Vulnerability Management.

Vulnerability Scanning and Patch Management FAQs

How do I know when patches are available and whether I need them?

The process by which patches are identified as available and needed has been revolutionized by contemporary vulnerability scanning technology. A vulnerability scanner typically works on a ‘point and shoot’ basis – attach it to your network and press ‘Go’ then wait for results.

Once a new vulnerability has been found, the developer behind the affected product will work to produce a patch. As soon as the fix is available, this information is appended to the CVE documentation on the NVD website (each new vulnerability is given a CVE identifier by the National Vulnerability Database (NVD) – see the "When is a Vulnerability Not a Vulnerability" white paper).

A good scanner will always be updated with the latest knowledge of vulnerabilities, delivered via a live internet-based feed for convenience. However, in between scans, organizations are left blind to changes that could increase their attack surface, such as software installations and configuration drift. Similarly, vulnerability scanners offer no breach detection capability.

» Learn more about Breach Detection and File Integrity Monitoring here

How does vulnerability scanning work?

The scanner is equipped with ‘White Hat’ hacking capabilities, to poke around in your network, thinking and acting like a hacker to actively identify and test exploitable vulnerabilities on your systems. The scanner is continually updated with new active test routines in order to sniff out all vulnerabilities. New and updated tests share the same feed as used to deliver CVE updates.

» Check out NNT Vulnerability Tracker stats here

Are all vulnerabilities fixed using a patch?

No! Some need to be mitigated, suspended rather than eliminated, via secure, hardened configuration settings. In some instance all that is left is to provide mitigation via a Workaround, some other measure that counteracts the vulnerability, for example firewalling to prevent the access required to exploit the vulnerability.

» See more about System and Configuration hardening here.

Additional Vulnerability Scanning and Patch Management Resources

Vulnerability Scanning Blog

Vulnerability Scanning White Papers

Latest Resources

CIS

Access CIS Resources
Access a broad range of CIS Benchmark reports to audit your enterprise and continuously monitor for any drift from your hardened state.
Download Reports »

Server Hardening

Server Hardening Resources
Download Hardened Services checklists, derived by NNT in conjunction with Microsoft, to manually audit your servers for compliance.
Download Checklists »

Audit Policy

Audit Policy Template Resources
Gain access to audit policies derived from the Center for Internet Security to generate audit logs on all relevant security levels.
Download Audit Policies »

NNT Suite of Products

Combine industry leading Device Hardening, File Integrity Monitoring, Change Control, Configuration Management & Compliance Management into one easy to use solution that can scale to the most demanding environments!

Automatically evaluate and verify the authenticity of file changes in real-time with NNT FAST™ (File Approved-Safe Technology) Integrity Assurance.

Comprehensive and easy to use security information & event log management with intelligent & self-learning correlation technology to highlight potentially harmful activity in seconds.

Continuously scan and identify vulnerabilities with unparalleled accuracy and efficiency, protecting your IT assets on premises, in the cloud and mobile endpoints.