TL;DR
This guide details a phased approach to authenticated network scanning for large enterprises, focusing on minimising risk and maximising coverage. We’ll cover credential management, scan configuration, scheduling, reporting, and remediation.
1. Planning & Scope Definition
- Identify Critical Assets: Begin by listing your most important servers, databases, network devices, and applications. Prioritise these for frequent scanning.
- Define Scan Types: Determine the necessary scan types (e.g., vulnerability scans, compliance scans, web application scans).
- Segment Your Network: Divide your network into logical segments based on function, security level, and access controls. This allows for targeted scanning and reduces impact.
- Establish a Baseline: Perform an initial unauthenticated scan to understand the current state of your network before introducing authenticated scans.
2. Credential Management
- Dedicated Scan Accounts: Create separate user accounts used only for scanning. Do not reuse administrator or personal accounts; the scan accounts should hold only the permissions the scans actually need.
- Secure Storage: Use a password manager or vault to securely store scan credentials. Never hardcode them into scripts or configuration files.
- Regular Rotation: Implement a schedule for rotating scan account passwords (e.g., every 90 days).
- Least Privilege Principle: Grant scan accounts only the permissions required to perform their tasks. For example, read-only access where possible.
3. Scan Configuration
- Choose a Scanning Tool: Select a reputable vulnerability scanner (e.g., Nessus, Qualys, Rapid7 InsightVM). Consider features like authenticated scanning, reporting capabilities, and integration with other security tools.
- Configure Authentication: Properly configure the scanner to use the credentials you’ve created for each network segment. This typically involves specifying usernames, passwords, and authentication protocols (e.g., SSH, SMB, WMI).
- Scan Policies: Create scan policies tailored to specific asset types and compliance requirements. Define the ports to scan, vulnerability checks to perform, and other relevant settings.
- Credential Injection: Ensure your scanner can supply the configured credentials to each service type it encounters (e.g., SMB, SSH). This lets it log in as the configured user and identify vulnerabilities that an unauthenticated scan cannot see.
4. Scheduling & Execution
- Staggered Scanning: Avoid scanning the entire network simultaneously. Schedule scans in a staggered manner to minimise impact on network performance and application availability.
- Off-Peak Hours: Run scans during off-peak hours or maintenance windows to reduce disruption.
- Regular Intervals: Establish a regular scan schedule based on asset criticality (e.g., critical assets scanned weekly, less critical assets scanned monthly).
- Scan Windows: Define specific scan windows for each segment to control the duration and timing of scans.
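The scheduling rules above (segments from section 1, criticality-based intervals, staggering, off-peak windows) can be turned into a concrete plan. The following Python is an added example written for this guide, not code from any scanner vendor; the tier names, window length, parallelism limit and sample segment inventory are assumptions.

```python
from collections import namedtuple
from datetime import datetime, time, timedelta

# Cadence per tier, following the guide (critical weekly, less critical monthly); tier names are assumptions.
CADENCE_DAYS = {"critical": 7, "high": 14, "standard": 30}

# name, criticality (a key into CADENCE_DAYS), est_minutes (expected duration of one authenticated scan)
Segment = namedtuple("Segment", "name criticality est_minutes")
ScanJob = namedtuple("ScanJob", "segment start end")   # one scheduled scan of one segment

def plan_schedule(segments, start, horizon_days, window_start_hour=22, window_hours=6, max_parallel=2):
    """Stagger each segment's scans inside a nightly off-peak window: a segment is due every
    CADENCE_DAYS[criticality] days, at most max_parallel scans overlap, nothing runs past the
    window end, and a scan that does not fit stays due and is retried the next night."""
    too_long = [s.name for s in segments if s.est_minutes > window_hours * 60]
    if too_long:
        raise ValueError(f"segments can never fit the scan window: {too_long}")
    jobs, next_due = [], {s.name: start for s in segments}
    for day in range(horizon_days):
        night = datetime.combine((start + timedelta(days=day)).date(), time(window_start_hour))
        window_end = night + timedelta(hours=window_hours)
        due = sorted((s for s in segments if next_due[s.name] <= night),
                     key=lambda s: CADENCE_DAYS[s.criticality])   # critical tiers get the window first
        lanes = [night] * max_parallel   # time at which each parallel slot becomes free
        for seg in due:
            lane = min(range(max_parallel), key=lanes.__getitem__)
            end = lanes[lane] + timedelta(minutes=seg.est_minutes)
            if end > window_end:
                continue   # no room tonight; remains due and is retried on a later night
            jobs.append(ScanJob(seg.name, lanes[lane], end))
            lanes[lane] = end
            next_due[seg.name] = night + timedelta(days=CADENCE_DAYS[seg.criticality])
    return jobs

def peak_concurrency(jobs):
    """Largest number of scans running at one instant (back-to-back scans do not count as overlapping)."""
    running = peak = 0
    for _, delta in sorted([(j.start, 1) for j in jobs] + [(j.end, -1) for j in jobs]):
        running += delta
        peak = max(peak, running)
    return peak

# Constructed sample inventory and start date, not taken from any real network.
SAMPLE_START = datetime(2024, 1, 1)
SAMPLE_SEGMENTS = [Segment("dmz-web", "critical", 120), Segment("core-db", "critical", 180),
                   Segment("corp-ad", "high", 150), Segment("branch-office", "standard", 240),
                   Segment("lab", "standard", 90)]
```

With the sample inventory the 240-minute branch-office scan does not fit the first night beside the critical segments and is pushed to the second night, while the two critical segments recur a week later.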
5. Reporting & Analysis
- Centralised Reporting: Configure your scanner to generate centralised reports that provide a comprehensive overview of network vulnerabilities.
- Prioritisation: Prioritise vulnerabilities based on severity, exploitability, and potential impact. Use the CVSS score as a guide, but also consider business context.
- False Positive Review: Regularly review scan results to identify and address false positives. This improves the accuracy of your vulnerability assessments.
- Trend Analysis: Track vulnerabilities over time to identify trends and measure the effectiveness of your remediation efforts.
6. Remediation & Verification
- Patch Management: Apply security patches promptly to address identified vulnerabilities.
- Configuration Changes: Implement configuration changes to harden systems and reduce attack surfaces.
- Re-Scanning: After remediation, re-scan affected assets to verify that the vulnerabilities have been successfully addressed.
- Documentation: Document all remediation steps taken for auditing and compliance purposes.
7. Advanced Considerations
- Agent-Based Scanning: Consider using agent-based scanning for assets that are difficult to scan remotely (e.g., laptops, mobile devices).
- Integration with SIEM/SOAR: Integrate your vulnerability scanner with a Security Information and Event Management (SIEM) or Security Orchestration, Automation and Response (SOAR) platform to automate incident response workflows.
- Cloud Scanning: If you use cloud services, ensure that your scanning tool supports cloud-based asset discovery and vulnerability assessment.