Don’t let misconceptions stand in your way – get the facts on five common myths about vulnerability assessment.
The simple truth of vulnerability assessment is that it’s not always an easy task to accomplish, especially if you’re new to it. Complications arise, and if you sometimes find yourself confused by one part of the process or another as a result, that’s nothing to be ashamed of.
In fact, having an inaccurate understanding of some aspects of vulnerability assessment likely isn’t your fault at all: Certain myths about this unique aspect of cybersecurity have spread wildly in recent years. It’ll be of the utmost importance for you and other stakeholders in your organization with a focus on cybersecurity to look beyond the misconceptions and understand the facts behind effective security. Let’s start myth-busting!
Myth #1: “You don’t need to bother with vulnerability assessment because you’re not a valuable target.”
Of all the myths we’ll discuss here, it’s probably easiest to understand how this one spread. Most of the hacks and data breaches that make the news or get talked about around the office are the biggest ones: Equifax, Target, British Airways and so on. This leads people to believe big-box retailers, credit card companies and multinational banks are the institutions of most interest to hackers.
But that’s simply not the whole truth. No potential target is “valueless” to malicious online actors just because of its size or low profile. Recent research has borne out that the odds of a small or medium-sized business (SMB) undergoing a cyberattack or data breach are more than 50-50:
- About 66% of SMBs experienced at least one cyberattack in 2019.[1]
- Just under 50% of SMBs were specifically hit with a ransomware attack.[2]
- Video conferencing and VoIP solutions that became must-haves for remote-operating organizations (as necessitated by the COVID-19 pandemic) were common attack vectors during 2020. Zoom, Microsoft Teams and Cisco Webex, among others, all bore the brunt of such aggression.[3]
To be fair, the biggest corporations are always in the sights of individual black-hat hackers and cybercrime organizations. But those attacks require months of planning and prep. In the meantime, black hats can attack dozens of SMBs with ransomware and extort a series of smaller payments that add up to a hefty illicit profit. These hackers know SMB leaders are less likely to fight off attacks and more likely to hand over ransoms. (This is one of many reasons why Christopher C. Krebs, former director of the Cybersecurity and Infrastructure Security Agency, recently characterized ransomware as “the most visible, disruptive cyberthreat.”[4])
Even eliminating those possibilities, your SMB might still be at risk of attack not because of your own resources, but because of those of your business partners or other organizations in your software supply chain. (The recent SolarWinds hack exemplifies this sort of risk.)
Myth #2: “You don’t need vulnerability assessment if you have patch management.”
Patch management (PM) is a valuable part of any cybersecurity strategy – one of the ways in which many garden-variety vulnerabilities are dealt with. “Patch” is the common slang for software and firmware updates released by software manufacturers on a regular basis to address bugs and vulnerabilities as well as bring new features and general functionality improvements to various apps, platforms and operating systems.
Unfortunately, there are some organizations that, simply due to lack of information, think they can implement patch management and have their cybersecurity needs covered.
Don’t worry – this is an easy mistake to fix. It’s just important to know exactly how it may happen. The biggest reason why patch management isn’t a cure-all is simple: It cannot cover all of your network’s entry points. Even if the management process is partially or almost completely automated, there’s still room for human error that could allow an app to remain unpatched. PM software vendors won’t automatically handle the updates by default – the organization using the PM solution must configure it to automatically update as needed when setting it up in the first place.[5] Some security issues simply don’t have patches, because they’re related to configuration changes, which many patch tools either can’t handle or handle improperly. Moreover, there’s plenty of time between automated patch cycles during which attackers could discover (or actively create) and exploit a new vulnerability.
Ultimately, it’s best to use vulnerability assessment as a prelude to a patching strategy, so you have a better idea of what you’re looking to prevent or mitigate through patches rather than applying them indiscriminately. A disorganized, “patching-just-to-patch” plan can be a waste of time, effort and money.
Myth #3: “Running a vulnerability assessment will invalidate EULAs.”
Running a vulnerability assessment scan does not invalidate warranties or end-user license agreements (EULAs) related to the applications, hosts, operating systems or operational technology being scanned on your network. However, this myth is heard with somewhat alarming frequency, particularly in relation to scans that cover operational technology (OT) systems, or sensitive environments such as medical and financial services.
You can run a successful vulnerability scan on your OT without compromising your EULA. But the scan must be capable of accommodating both the IT and OT assets within the context of an OT environment. Additionally, because OT systems don’t typically have frequent maintenance schedules, it will be critical to develop a prioritized list of vulnerabilities so that the most pressing threats are dealt with first when OT does come up for maintenance.
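As an added example (not part of the original post, and not Tenable’s or Nessus’s own logic) of letting assessment results drive patching rather than patching indiscriminately: the script below takes constructed scan findings, separates what a patch tool can fix from what needs a configuration change, ranks each group, and queues OT findings for the next maintenance window. The finding fields and scoring weights are assumptions chosen for illustration.

```python
"""Triage constructed vulnerability-scan findings into a prioritized
remediation plan. Added example: field names and weights are assumptions,
not a published formula or real scanner output."""
from dataclasses import dataclass


@dataclass
class Finding:
    asset: str
    env: str                # "IT" or "OT"
    cvss: float             # base score, 0.0 to 10.0
    internet_facing: bool
    patch_available: bool   # False means a configuration change is needed
    exploited_in_wild: bool


def priority(f: Finding) -> float:
    """Severity first, raised for exposure and known exploitation
    (illustrative weights, assumed for this example)."""
    score = f.cvss
    if f.internet_facing:
        score += 2.0
    if f.exploited_in_wild:
        score += 3.0
    return score


def build_plan(findings):
    """Split findings into work a patch tool can do ("patch"), work it
    cannot ("config"), and OT items held for the next maintenance
    window; each bucket is ordered highest priority first."""
    plan = {"patch": [], "config": [], "ot_maintenance_window": []}
    for f in sorted(findings, key=priority, reverse=True):
        if f.env == "OT":
            plan["ot_maintenance_window"].append(f)
        elif f.patch_available:
            plan["patch"].append(f)
        else:
            plan["config"].append(f)
    return plan


# Constructed sample findings (not real scan data).
SAMPLE = [
    Finding("web-01", "IT", 7.5, True, True, False),
    Finding("file-srv", "IT", 9.8, False, True, True),
    Finding("plc-03", "OT", 8.1, False, True, False),
    Finding("mail-gw", "IT", 6.5, True, False, False),  # weak TLS config
    Finding("db-02", "IT", 5.3, False, False, False),   # default credentials
]

if __name__ == "__main__":
    for bucket, items in build_plan(SAMPLE).items():
        print(bucket, [(f.asset, round(priority(f), 1)) for f in items])
```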
Myth #4: “You don’t need to scan isolated or unconnected systems.”
Certain parts of your network won’t be connected to the internet (public or otherwise) at all times. Others may be significantly isolated from the rest of the network, sharing little data with the vast majority of your IT infrastructure. It’s understandable that you might think these areas can’t be easily compromised and thus don’t need to be included in vulnerability scans – especially if you have more immediate security needs.
But just as there’s no organization that can’t be targeted for a cyberattack, there’s nowhere on the network immune to vulnerabilities that an attacker might exploit. When self-propagating malware enters any part of your system, it immediately begins searching for conduits through which it can spread to other systems. Say a malware strain entered an industrial control system (ICS) while it wasn’t connected to the company’s overall network. Once the system is compromised, it will spread its malware when any host or device interacts with it – even through an action as seemingly inconsequential as using a memory stick to take ICS data to a separate host.[6] Then the host is infected, and more will follow as soon as it gets connected to your network. Conversely, what if the ICS is effectively invulnerable but employees’ laptops have an unpatched vulnerability? The second you connect an infected host to the ICS for a direct file transfer, the malware can spread to the OT environment and wreak havoc. This risk scenario would also apply to a host that was hit by malware while interacting with a cloud instance outside the enterprise network.[7]
The “air gap” concept is a subset of this myth: It posits that a portion of a network physically isolated from the corporate network at large is safe. Although this myth began to be debunked in the early and mid-2010s,[8] it hasn’t disappeared completely. Your best bet is to keep reminding yourself that every area of your network is vulnerable, and regular scanning is the best way to monitor and remediate any flaws as fast as possible.
Myth #5: “You don’t need to scan assets that are protected with EDR.”
Endpoint detection and response (EDR) systems are another valuable part of a cybersecurity strategy, and should be used by any organization with security needs. Unfortunately, because of how these tools are marketed, it’s tempting to think you’ve found the centerpiece of your cybersecurity strategy right there.
But EDR can’t be a set-it-and-forget-it tactic: While such a platform can detect suspicious files and apps within the endpoints to which it’s connected, that doesn’t help you root out vulnerabilities that exist as a result of unpatched apps and systems, or flaws that are baked into legacy hardware or software. Also, EDR offers no guarantee of detecting or interdicting every possible threat that can pass through endpoints (or enter the network in other ways).
Regular vulnerability scans take some of the burden off of EDR, allowing you to discover vulnerabilities before they become attack vectors.
While it may take you some time to fully implement the right security tools and shrug off the misconceptions from myths you’ve heard, there’s no better way to get started with scanning than Nessus Professional from Tenable.
1. Ponemon Institute, “2019 Global State of Cybersecurity in Small and Medium-Sized Businesses,” October 2019
2. Infrascale, “Infrascale Survey Reveals Close to Half of SMBs Have Been Ransomware Attack Targets,” April 21, 2020
3. Tenable Research, “2020 Threat Landscape Retrospective,” January 14, 2021
4. Tweet by former CISA Director Christopher C. Krebs, November 16, 2020
5. Dark Reading, “The Problem with Patching: 7 Top Complaints,” April 21, 2016
6. Tenable, “Accidental Convergence – A Guide to Secured IT/OT Operations,” 2020
7. Tripwire, “Malware in the Cloud: Protecting Yourself Based on Your Cloud Environment,” January 7, 2020
8. Security Week, “Air Gap or Not, Why ICS/SCADA Networks Are at Risk,” August 9, 2016