Scan Your Network: A First Step in Security
April 05, 2016 - Posted by Loren Paquette to
This blog is a continuation of the Prevention blog series. The first blog, "Four Tips to Secure Your Network," discussed prevention and four tips to immediately help secure your network. This blog, the first of four steps to assist with security, discusses ways to scan your network. Links to the other blogs will be provided as they are posted!
Network and security teams often disagree about security. In almost every company, the teams will debate about different security options and which methods are better. The conversation often goes something like this:
Network Team: Why does the security team always need to have access to the network?
Security Team: Why can’t we get access to the network to perform scanning activity?
Network Team: It is a pain...
12th Consecutive Year as an ASV
Solutionary is pleased to announce that we have successfully completed the annual Payment Card Industry Approved Scanning Vendor (PCI ASV) lab certification test process for 2015-2016. This marks our 12th consecutive year as a PCI ASV. Solutionary has been helping clients remain in compliance with payment card standards as a certified scanning assessor since before the formation of the PCI Security Standards Council (SSC) in 2006. As discussed in our previous blogs about our PCI certification, we do this every year not because we have to, or because clients have asked us to, but because it is the right thing to do and it makes our clients' lives easier. In addition, this year Solutionary not only successfully completed the PCI ASV certification, but completed it using two separate, distinct platforms to give clients the flexibility of choosing between scan platforms. Sometimes you need a hammer, sometimes you need a...
Actively patching can help remove active, known vulnerabilities
There is no "silver bullet" in security: no single security control will answer all of our security woes.
But, time and time again, we hear of vulnerabilities which are affecting organizations, right now. A good example is the Adobe Flash Player vulnerability (CVE-2015-3113). If you check the details for the vulnerability, you can see that it has a CVSS score of 10. You can also see that it has been actively exploited in the wild; meaning attackers have been using it, and are using it right now.
This is a client system vulnerability. Adobe Flash Player runs on the user workstation. We all know that it can be difficult to keep all systems current, especially in a heterogeneous, geographically distributed environment.
But Adobe has released a patch for this vulnerability, and applying that patch can remove a current, known threat from your environment. For more...
Know Your Network Footprint
One of a company’s most important responsibilities is to know its network footprint. Many large corporations are compartmentalized, and different groups have different responsibilities that rarely overlap. It’s not uncommon for a company to have multiple class-C IP address ranges, along with third-party hosted websites, and not really realize they exist within the organization’s assets. Each business unit manages their part of the site or brand, and there is often very little collaboration across business units. And don't even mention uniform security standards.
When the bad guys target a company, they do so from a holistic point of view. They enumerate company subsidiaries, find all the network ranges owned and hosted by the company and tailor attacks against the weakest links.
You might have an e-commerce site running on one IP which receives regular vulnerability scanning...
The Day the Business No Longer Owns the Data
Working as an information security assessor provides me with opportunities to interact with a variety of Information Technology (IT) executives and understand the core risks to organizations.
As a result, I have identified a recurring theme across many of these organizations: risks remain unaddressed due to IT blindly serving the business. Similar to the insurance and Payment Card Industry Data Security Standard (PCI DSS) models, key IT decisions result in the transference of risk instead of taking ownership of the risk.
To ensure higher profits, IT departments are driven to cut costs and remain lean. IT seems to run as if the business is responsible for all key decisions, especially when it is convenient to neglect the organization's environment. This mantra leads to the logic “the business owns the data, so this is a business decision.”
From an information...