How do you spot vulnerable IT systems?

December 7, 2023 - 4 minutes reading time
Article by Newsroom Insights

By regularly examining your IT systems for vulnerabilities, you prevent hidden weaknesses from turning into catastrophic data loss or failure of vital systems. Security consultant Serena de Pater has years of experience working in vulnerability management. "The question is not if you will ever have to deal with a security incident, but when."

What is vulnerability management?

"Simply put, it is a process by which we use tools to check systems, networks and applications for weaknesses, or vulnerabilities. Discovered vulnerabilities are collected and indexed so they can be analyzed. By timely identifying weak spots, an organization can fix them before cybercriminals can exploit them."

What does this require?

"As Technical Information Security Officer, I perform vulnerability scans for customers and I perform scans within our own organization, for example by placing a scanner in a network. In addition, my colleagues and I analyze new security vulnerabilities published at online security platforms and social media. We look at where vulnerabilities occur and what impact they might have on our organization. Then we write a Centric security advisory, which describes what the vulnerability entails, how to detect it in your infrastructure and - very importantly - how to fix it."

Why is it important for organisations to perform regular scans?

"New vulnerabilities are being discovered all the time, even in software that has been in use for some time. Cybercriminals are eager to exploit them. As a result, a system that is assumed properly hardened today can be a target tomorrow. Regularly performing a vulnerability scan ensures that as an organization you can proactively identify and remedy these vulnerabilities, so you can keep cybercriminals at bay. By the way, it is not just about protection against external threats; we also scan to comply with certain agreements or maintain certifications."

Yet we still often hear of large companies becoming victims of digital intrusions or data breaches. What goes wrong?

"It can be anything from a sophisticated attack to an accident, but usually it's just a mistake or an action of carelessness: forgetting to adjust a setting, clicking on a link in a strange-looking email, or not updating in time. But in all situations, vulnerability scans can be valuable. For example, to detect unsafe settings and missing security updates."

Wrong settings, clicking unsafe links – that's about human behavior.

"And so it is very important for an organization to be aware of cyber risks. That way you avoid most mistakes and can take appropriate action based on the information from those scans. Some organizations do perform scans, but then do not act quickly enough to fix identified vulnerabilities. Because of the lack of resources or because the risk is underestimated. Then you make yourself vulnerable."

How often should organizations perform vulnerability scans?

"Ideally, you continuously monitor all your systems. For many organizations, a weekly or monthly vulnerability scan is already a good start. In case of changes in a company's IT landscape, such as onboarding a new application, it is also advisable to perform a vulnerability scan and take measures against any vulnerabilities."

Are there diverse types of vulnerability scans?

"Yes, there are. For example, there are internal and external scans. Internal scans focus on an organization’s own network, while external scans focus on the systems that are accessible from outside, such as a website or mail server. There are also specialized scans for specific applications, databases, or operating systems. In addition, we can perform compliance scans. These specifically check whether the computer or network equipment is set up according to laws and regulations."

More and more organizations are using cloud services. How do you deal with that?

"When using cloud services, it is essential to know where the responsibilities lie. Many providers follow a ‘shared responsibility’ model: they are responsible for cloud security, while the customer is responsible for security inside the cloud. So, you should definitely include your cloud environments in your vulnerability scans."

What do you say to organizations that are not yet running vulnerability scans?

"Start as soon as possible. The question is not if you will ever have to deal with a security incident, but when. It all starts with gaining insight: which systems are we actually managing as an organization? How many are there and where are they located? If you don't know what you have, you can't secure it. By mapping everything and scanning it regularly, you can prevent a lot of problems."
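The process the interview describes, collecting and indexing scan findings, comparing them with the systems you actually know about, and checking that they are fixed in time, as an added example that is not code from the article or from Centric. The inventory, findings, hostnames and SLA deadlines are constructed for illustration.

```python
"""Added example: index scan findings per host, flag hosts the inventory
does not know about, and report findings whose remediation is overdue.
All hosts, findings and SLA values are constructed, not real scan data."""
from datetime import date

# Constructed asset inventory: the systems the organization believes it manages.
INVENTORY = {"web-01": "external", "mail-01": "external", "fs-01": "internal"}

# Constructed remediation deadlines per severity, in days after first sighting.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Constructed scanner output: (host, finding, severity, first seen).
FINDINGS = [
    ("web-01", "missing-security-update", "critical", date(2023, 11, 20)),
    ("fs-01", "smb-signing-disabled", "medium", date(2023, 10, 1)),
    ("mail-01", "weak-tls-config", "high", date(2023, 11, 25)),
    ("printer-07", "default-credentials", "high", date(2023, 12, 1)),
]
SCAN_DATE = date(2023, 12, 7)  # constructed date of the current scan run


def index_by_host(findings):
    """Collect findings per host so each system's exposure can be analyzed."""
    by_host = {}
    for host, finding, severity, seen in findings:
        by_host.setdefault(host, []).append((finding, severity, seen))
    return by_host


def unknown_hosts(findings, inventory):
    """Hosts the scanner saw that the inventory does not list: systems you
    cannot secure because you did not know you had them."""
    return sorted({host for host, *_ in findings} - set(inventory))


def overdue(findings, today=SCAN_DATE, sla_days=SLA_DAYS):
    """Findings whose remediation deadline has passed, most overdue first.
    Returns (host, finding, severity, days past the deadline)."""
    late = []
    for host, finding, severity, seen in findings:
        days_past_sla = (today - seen).days - sla_days[severity]
        if days_past_sla > 0:
            late.append((host, finding, severity, days_past_sla))
    return sorted(late, key=lambda row: row[3], reverse=True)


if __name__ == "__main__":
    print("findings per host:", {h: len(f) for h, f in index_by_host(FINDINGS).items()})
    print("not in inventory:", unknown_hosts(FINDINGS, INVENTORY))
    print("overdue:", overdue(FINDINGS))
```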

'Vulnerability scans help you keep cybercriminals out'
