The world’s leading cybersecurity organizations [1] all agree: vulnerability management is a primary concern for every organization. Technical vulnerabilities in IT systems come in several forms, including outdated software and insecure component configurations. Examples include missing operating system patches, use of unauthorized software, or weak password policies. Adversaries exploit these vulnerabilities to do their malicious deeds, whether that be stealing your valuable intellectual property, infecting your systems with ransomware, or just hijacking your computing resources to mine cryptocurrency.
For even the smallest organizations, manually checking every device once for missing patches or misconfigurations is overwhelming, much less repeating that task on a regular basis. (Vulnerability scanning is an ongoing cycle; it’s not a one-time deal.) You need automated tools to perform this crucial task. We are experts in the application of DoD-grade scanning tools such as Nessus™ and in the configuration baselines the Defense Information Systems Agency (DISA) publishes as Security Technical Implementation Guides, the STIGs.
That being said, we understand businesses are resource-strapped, so we emphasize the use of open-source and free vulnerability scanning tools. You probably don’t need another fancy black box attached to your network. We may also be able to leverage tools your organization or IT vendor already has to rapidly deploy a vulnerability management capability. Vulnerability scanning starts with asset and configuration management, that is, knowing what devices and resources are on your IT system. You have to know what you have to know what to scan, and a scanner can only check the hosts it is pointed at. There are lots of free discovery and configuration management tools out there. Let us help figure out the best tool set for your organization and environment.
Vulnerability scans generate a lot of information, and only some of it will be pertinent to your organization. You’ll need expertise to separate the signal from the noise, and our Totem Technicians are those experts. We’ve been managing vulnerability information for the DoD for over a decade, and know the difference between real vulnerabilities and false positives.
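As an added example (not code from the original page or from Totem's own tooling), here is a small Python triage script that ties the two points above together: it reads a Nessus-style .nessus v2 export, checks every scanned host against an asset inventory so that hosts nobody knew about surface as configuration-management gaps, sets aside documented false positives, filters low-severity chatter, and groups the remaining findings by plugin so one fix maps to every host it covers. The inventory, the exception list and the XML export are constructed sample data, and the plugin IDs and names are illustrative rather than real Nessus plugins.

```python
"""Triage a Nessus-style scan export against an asset inventory.

Assumes the .nessus v2 layout (NessusClientData_v2 > Report > ReportHost >
ReportItem with pluginID / pluginName / severity / port attributes).
All sample data below is constructed for illustration.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed inventory: the configuration-management baseline the scan is
# compared against. In practice this comes from your CMDB or discovery tool.
INVENTORY = {
    "10.0.0.10": "fileserver01",
    "10.0.0.11": "workstation-ab12",
}

# Constructed exception list: (pluginID, host) pairs a technician has verified
# as false positives or formally accepted as risk.
EXCEPTIONS = {("100004", "10.0.0.11")}

# Constructed .nessus-style export. 10.0.0.99 is deliberately absent from the
# inventory; plugin IDs and names are illustrative, not real Nessus plugins.
SAMPLE_NESSUS = """<NessusClientData_v2>
 <Report name="weekly">
  <ReportHost name="10.0.0.10">
   <ReportItem port="445" protocol="tcp" pluginID="100001" pluginName="SMB signing not required" severity="2"/>
   <ReportItem port="0" protocol="tcp" pluginID="100002" pluginName="Scan information" severity="0"/>
   <ReportItem port="443" protocol="tcp" pluginID="100003" pluginName="TLS certificate signed with SHA-1" severity="2"/>
  </ReportHost>
  <ReportHost name="10.0.0.11">
   <ReportItem port="445" protocol="tcp" pluginID="100001" pluginName="SMB signing not required" severity="2"/>
   <ReportItem port="0" protocol="tcp" pluginID="100002" pluginName="Scan information" severity="0"/>
   <ReportItem port="22" protocol="tcp" pluginID="100004" pluginName="Weak SSH cipher offered" severity="2"/>
  </ReportHost>
  <ReportHost name="10.0.0.99">
   <ReportItem port="80" protocol="tcp" pluginID="100005" pluginName="Web server detected" severity="0"/>
   <ReportItem port="80" protocol="tcp" pluginID="100006" pluginName="Outdated web server version" severity="3"/>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""


def parse_findings(nessus_xml):
    """Yield one dict per ReportItem in the export."""
    root = ET.fromstring(nessus_xml)
    for host in root.iter("ReportHost"):
        for item in host.findall("ReportItem"):
            yield {
                "host": host.get("name"),
                "plugin_id": item.get("pluginID"),
                "name": item.get("pluginName"),
                "severity": int(item.get("severity", "0")),
                "port": item.get("port"),
            }


def triage(findings, inventory, exceptions=frozenset(), min_severity=2):
    """Sort findings into four buckets; order of the checks matters.

    1. Host not in inventory -> configuration-management gap, regardless of
       severity: you cannot manage what you did not know you had.
    2. Documented exception  -> skipped, but counted so it stays visible.
    3. Below the severity floor -> noise.
    4. Everything else -> actionable, grouped by plugin across hosts.
    """
    result = {
        "actionable": defaultdict(list),
        "noise": [],
        "excepted": [],
        "unknown_hosts": defaultdict(list),
    }
    for f in findings:
        if f["host"] not in inventory:
            result["unknown_hosts"][f["host"]].append(f)
        elif (f["plugin_id"], f["host"]) in exceptions:
            result["excepted"].append(f)
        elif f["severity"] < min_severity:
            result["noise"].append(f)
        else:
            result["actionable"][(f["plugin_id"], f["name"])].append(f["host"])
    return result


def report(result, inventory):
    """Render the triage as a short work list, most widespread issue first."""
    lines = []
    ranked = sorted(result["actionable"].items(), key=lambda kv: -len(kv[1]))
    for (pid, name), hosts in ranked:
        names = ", ".join(inventory[h] for h in hosts)
        lines.append(f"FIX   plugin {pid} {name}: {len(hosts)} host(s): {names}")
    for host, items in result["unknown_hosts"].items():
        lines.append(f"GAP   {host} is not in the inventory ({len(items)} finding(s)); identify or remove it")
    lines.append(f"INFO  {len(result['noise'])} low-severity item(s) filtered, "
                 f"{len(result['excepted'])} documented exception(s) skipped")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(triage(parse_findings(SAMPLE_NESSUS), INVENTORY, EXCEPTIONS), INVENTORY))
```

The inventory check runs before the severity filter on purpose: a severity-0 "web server detected" on a host you do not recognize is a more urgent question than a medium finding on a known workstation. Exceptions are keyed per host rather than per plugin, so a false positive verified on one machine does not silently suppress the same finding elsewhere.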
For DoD contractors, DFARS clause 252.204-7012 requires compliance with NIST SP 800-171, which carries strict vulnerability management and configuration management requirements. We are well-versed in DISA bulletins and standards such as IAVAs and STIGs, and have operated the DoD’s Assured Compliance Assessment Solution (ACAS) since its inception. To help you manage the massive volume of compliance data, we created our own lightweight cybersecurity planning tool, Totem.
It is important to note that just because your system has vulnerabilities, it is not necessarily at risk of compromise: a finding only matters if an adversary can reach it and exploiting it would harm something you care about. To be cost-effective, the vulnerability scanning capability needs to be integrated into the organization’s risk management program, which is where you decide which findings get fixed first, which are accepted, and which are false positives. Totem Technologies can also help your organization manage risk.
Also, a vulnerability scan is not the same as a penetration test, or “pen test”. Any cybersecurity provider that conflates the two is selling you a bill of goods. A vulnerability scan is a crucial first step in a pen test, but a true pen test is an art: the experienced tester uses contextual knowledge about the organization and its IT system to attempt to exploit the discovered vulnerabilities. As a natural follow-on to vulnerability scanning, we offer penetration testing services as well.
[1] The Center for Internet Security: https://www.cisecurity.org/controls/cis-controls-list/, the NSA: https://www.nsa.gov/Portals/70/documents/what-we-do/cybersecurity/professional-resources/csi-nsas-top10-cybersecurity-mitigation-strategies.pdf, and the Australian Cyber Security Centre: https://www.cyber.gov.au/publications/essential-eight-explained