OVERVIEW
What’s a Network Vulnerability Scan?
A network vulnerability scan helps identify and evaluate potential weaknesses in an IT infrastructure. Think of it as a thorough check-up to find vulnerabilities and weak spots that could be exploited by hackers or other malicious actors.
Your infrastructure might be as simple as a single office internet connection that you want to ensure is blocking all traffic coming in from the public internet. Or maybe it’s one step more complicated, with an open HTTP port and an internal web server.
Larger infrastructures have multiple internal servers, segmented networks with unique purposes, distributed networks via VPNs or SDNs. All this can live onsite in a traditional office setting, a dedicated datacenter, or in the cloud at one or more providers.
We can scan anything with an IP address, either public (external/internet) or private (internal). Internal scans can be slightly more involved than external ones but are still straightforward. We can scan internal assets over a traditional VPN connection, a more modern software-defined network (SDN), or even fully onsite using a dedicated scanner host or virtual machine.
During a vulnerability scan, special software is used to examine different parts of the network: vendor application code, configurations and other settings. The purpose is to look for things that can be used by bad actors to gain access or disrupt your systems with ransomware. These issues (vulnerabilities) can include outdated or misconfigured software running on web servers, network devices and even office phones and printers. Additional checks can be performed to find weak passwords that could make it easier for unauthorized people to gain entry.
By conducting these scans, organizations get a better understanding of the security risks in their network and take steps to fix any issues found. It helps them ensure that their network is protected against potential threats.
Why Do We Use Qualys?
Qualys is used by over 10,000 customers in 130 countries, including many of the largest enterprises. Their engine performs over 6 billion annual scans with 99.99966% accuracy and processes over 1 trillion security events per year. It’s an excellent choice for a network vulnerability scanner due to its robust features, accuracy and low network impact. Qualys offers a comprehensive set of scanning capabilities that cover a wide range of network components, including systems, applications, and cloud environments. It employs advanced scanning techniques to identify vulnerabilities, misconfigurations, and security weaknesses accurately. This extensive coverage ensures that your network is thoroughly examined.
Qualys continuously updates its vulnerability database, ensuring that it detects the latest threats and vulnerabilities. Additionally, Qualys offers intuitive reporting, making it accessible and convenient for users of any skill and background.
Qualys excels at discovering and scanning network assets in leading cloud providers like Amazon AWS, Microsoft Azure, and Google Cloud Platform (GCP). With deep integration and native support for these cloud environments, Qualys effortlessly identifies and assesses the security posture of assets within these platforms.
Through its cloud connectors, Qualys can automatically discover assets deployed in Amazon AWS, Microsoft Azure, and GCP, providing comprehensive visibility across cloud environments. It accurately scans virtual machines, containers, and networked cloud resources to identify vulnerabilities and misconfigurations.
Qualys checks for over 100,000 vulnerabilities, with sometimes hundreds added or updated daily.
Using Network Vulnerability Scans in Your Environment
Performing network vulnerability scans offers organizations valuable insights into their security posture and helps identify potential vulnerabilities. There are two primary approaches to conducting these scans: on-demand, ad-hoc scans and periodic scans.
On-demand, ad-hoc scans can be performed whenever desired, such as after making changes to the network or software. These scans are particularly useful when organizations want to assess the impact of specific changes or updates. By conducting scans after network modifications or software updates, organizations can proactively identify any newly introduced vulnerabilities or misconfigurations. This approach allows for flexibility and immediate action, ensuring that potential security gaps are promptly addressed.
Periodic scans, on the other hand, are scheduled scans that occur at regular intervals. It is generally recommended to perform these scans at least quarterly, although the exact frequency can vary based on your organization’s unique needs and budget. The reason for conducting periodic scans is twofold. First, new vulnerabilities in software are discovered and reported daily. By setting up a regular scanning schedule, organizations can keep up with the evolving threat landscape and ensure that their systems are regularly checked for any newly identified vulnerabilities. Second, periodic scans provide a proactive and systematic approach to network security. This is a fundamental ingredient in a strong security posture.
The most progressive security programs employ both approaches: scanning when infrastructure changes are made, and also scanning at regular intervals to check for new-found vulnerabilities in existing assets.
What can be scanned?
Qualys is capable of scanning a wide range of assets across various environments. It can scan traditional on-premises assets such as servers, desktops, and network devices, ensuring comprehensive vulnerability assessment. Additionally, Qualys extends its scanning capabilities to virtualized environments, cloud platforms like Amazon AWS, Microsoft Azure, and Google Cloud Platform (GCP), as well as containerized environments like Docker and Kubernetes.
How should I prepare for a scan?
Preparing for a network vulnerability scan should involve two basic steps, and potentially a third.
First, it’s essential to define the scope of the scan by identifying the specific network segments and systems to be included. The result is a list or range of IP addresses to include in the scan. There are no minimums or limits when using our service. We can discuss the scope with you to ensure that we focus on the relevant assets and areas of concern, maximizing the scan’s value. Correspondingly, maintaining an up-to-date inventory of all network assets, including hardware, software, and devices is important.
Second, announce to your teammates when the scan will start and what assets will be examined. The most common side-effect of a vulnerability scan is unexpected log messages, such as strange HTTP URLs being requested. It’s helpful for some people to know to expect this kind of traffic during the scan period.
Third, more thorough scans can be obtained by allowing Qualys more access into your infrastructure via incoming firewall rules. Sophisticated infrastructures also commonly have systems that look for and guard against such things (intrusion detection or prevention systems: IDS/IPS), which are likely to raise alarms during the scan. It’s a best practice to ignore the Qualys scanning engine IP ranges on these devices so that alarms are minimized and Qualys is allowed unfettered access to examine your network assets. We’ll work with you to ensure these changes are made accurately.
While our scans are safe and take great measures to avoid exploiting any vulnerabilities, it is always a good idea to ensure backups are up-to-date and at least basic health monitoring is in place (e.g., ping, HTTP, or other tests for service availability).
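The second and third preparation steps above amount to one practical question for whoever watches the logs: which of the "strange URL" requests came from the announced scanner ranges during the announced window, and can therefore be suppressed, and which did not? The following is an added example (not code from the original page or from Qualys) that triages web-server access-log lines on exactly that basis. The scanner ranges, the scan window and the log lines are constructed placeholders; the real Qualys scanner ranges are not on this page and must come from your scan provider.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Constructed placeholder ranges: substitute the scanner ranges your provider gives you.
SCANNER_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")]

# The announced scan window (UTC), as the "announce to your teammates" step recommends.
SCAN_START = datetime(2024, 5, 6, 9, 0, tzinfo=timezone.utc)
SCAN_END = datetime(2024, 5, 6, 13, 0, tzinfo=timezone.utc)

# Matches the leading fields of an Apache/nginx "combined" access-log line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')


def classify(line):
    """Return 'scanner', 'unexpected' or 'unparsed' for one access-log line.

    'scanner'    - source is inside an announced scanner range AND the request time
                   is inside the announced window: expected noise, safe to suppress.
    'unexpected' - anything else, including scanner-range traffic outside the window
                   and probe-like requests from any other address: still worth an alarm.
    """
    m = LOG_RE.match(line)
    if not m:
        return "unparsed"
    ip = ipaddress.ip_address(m.group("ip"))
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    in_range = any(ip in net for net in SCANNER_RANGES)  # False for IPv6 vs IPv4 nets
    in_window = SCAN_START <= ts <= SCAN_END
    return "scanner" if in_range and in_window else "unexpected"


def triage(lines):
    """Count lines per class so a reviewer can see how much of the noise was the scan."""
    counts = {"scanner": 0, "unexpected": 0, "unparsed": 0}
    for line in lines:
        counts[classify(line)] += 1
    return counts


# Constructed sample log lines (not real traffic); the third address is outside the /25.
SAMPLE_LOG = [
    '203.0.113.17 - - [06/May/2024:09:12:44 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 153 "-" "-"',
    '203.0.113.17 - - [06/May/2024:09:12:45 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "-"',
    '198.51.100.77 - - [06/May/2024:10:01:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 153 "-" "-"',
    '198.51.100.200 - - [06/May/2024:10:01:03 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 153 "-" "-"',
    '203.0.113.17 - - [06/May/2024:17:40:00 +0000] "GET /.env HTTP/1.1" 404 153 "-" "-"',
    '192.0.2.9 - - [06/May/2024:11:15:30 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "-"',
    "garbage line",
]

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))  # {'scanner': 3, 'unexpected': 3, 'unparsed': 1}
```

Note that the window check matters as much as the range check: a request from a scanner range after the announced window is classified as unexpected, because nobody told you to expect it.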
What is delivered to us when the scan is finished?
A network vulnerability scan typically generates a comprehensive report that provides valuable insights into the security posture of your network. The report outlines the vulnerabilities and weaknesses discovered during the scan, along with relevant details and recommendations for remediation.
Our base reports include the following key components:
- Executive summary: counts of vulnerabilities per severity level, categories of issues, and operating systems and services detected.
- Vulnerable hosts: A detailed list of vulnerabilities identified during the scan for each IP address. Both “confirmed” (high confidence) and “potential” (likely but less confident) issues are shown.
- Vulnerability details: severity, description and the potential impact it may have on your infrastructure, and steps to fix or workaround the problem which frequently include links to vendor-supplied documentation or software updates.
- Evidence: port and protocol the vulnerability was found on, as well as output or other data that indicated the problem exists (e.g., the server response).
Some common ways to customize these reports with our Advanced service are:
- Trends: show how this scan compared to previous scans, to clearly show positive or negative security progress.
- Ignored issues: some problems are just not worth fixing or are mitigated by controls the scan engine didn’t know about. We can exclude those items for a cleaner, easier-to-manage report, e.g., self-signed SSL certificates on an internal-only development server.
- Just high severity: some compliance tests such as PCI fail when any vulnerability severity is over a 3 out of 5. We can report only on those vulnerabilities to aid in timely remediation, or to present to vendors/partners who merely require a passing result.
- Multiple reports: scan results for large infrastructures can be hundreds of pages long. We can produce multiple reports that you can easily distribute to different teams focused on a subset of the assets (e.g., developers, cloud engineers, telecom, A/V).
Our Advanced service can also customize the scan itself to perform more tests such as password brute forcing and authorized application logins. Contact us for more information on the extents of this level of service.
How long does a scan run for?
Runtimes vary significantly between environments, but a good rule of thumb is about 30-60 minutes per host. Our scan settings are tuned to be low-impact and will not generate a high amount of network traffic or service load. That said, our scans at any level of service are also configured to be very thorough, probing every possible TCP and UDP port (all 65,535 of each), which further adds to the duration.
How safe is a Qualys scan?
Qualys is renowned for its commitment to safe and non-disruptive vulnerability scanning. The Qualys scanner operates with a “scan safely” approach, designed to minimize any potential impact on network performance or disruption to business operations. It employs sophisticated scanning techniques that ensure the safety and integrity of the network being scanned.
Qualys scanners are designed to perform non-intrusive scans that do not attempt to exploit vulnerabilities or disrupt network services. They rely on passive network sniffing and non-credentialed scanning techniques to identify potential vulnerabilities without compromising the stability or availability of the network.
Furthermore, Qualys scanners are themselves very secure, hardened, and dedicated to run non-exploitable tests. Allowing them access to your network does not significantly decrease your security posture. For environments that cannot allow external access by regulation, an onsite scanner can be deployed running the same hardened scanner engine code used daily at the top global enterprises.
How can we scan internal assets?
There are three possible approaches:
- Forward internet-accessible ports to internal servers.
- Assign public-routable IP addresses to internal hosts and have your firewall allow Qualys scanners access to all TCP and UDP ports.
- We can connect to a traditional VPN, a more modern SDN, or even deploy a Qualys scanner device or VM onsite.
What Compliance Standards do these scans satisfy?
PCI DSS: Payment Card Industry Data Security Standard
Organizations that process credit card payments are subject to PCI security requirements of at least quarterly vulnerability scans (see section 11.2). These requirements can be simple or complex, depending on how many transactions you process and the method of handling those transactions. Contact us to find out what applies to you.
Some payment providers, such as the bank you have a merchant account with, require standard PCI vulnerability scan results to be submitted directly to them by an ASV (Authorized Scanning Vendor). We ARE NOT an ASV and therefore cannot report directly to your bank to fulfill this particular requirement.
However, our service not only tests for the same items in a standard PCI scan, but also tests and reports many more for a more thorough scan. Advantages to our service:
- Pre-validate a passing PCI score before potentially sending a failure score to your acquiring bank.
- Perform a much more thorough scan to not only be PCI-compliant but also ensure a more secure overall environment.
HIPAA: Health Insurance Portability and Accountability Act (USA)
The HIPAA Security Rule outlines the requirements for safeguarding electronic protected health information (ePHI), including provisions that address vulnerability scans. The relevant section of HIPAA is 45 CFR Part 164 Subpart C: Security Standards for the Protection of Electronic Protected Health Information.
- Risk Analysis: “… conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.” Vulnerability scanning is an essential component of this risk analysis process.
- Security Management Process: “… implement policies and procedures to prevent, detect, contain, and correct security violations.” Vulnerability scans help in detecting and identifying vulnerabilities within the network and systems, allowing for appropriate remediation actions to be taken.
- Security Incident Procedures: “… establish and implement procedures to respond to and mitigate security incidents.” Conducting regular vulnerability scans assists in identifying potential weaknesses or vulnerabilities that could lead to security incidents, and sets up a remediation process.
Other standards such as GDPR, FISMA, FedRAMP, SOX, SOC2, and NIST also state the need for regular vulnerability scans. Our Qualys-powered scans satisfy all the technical requirements for vulnerability scanning set by these and other compliance frameworks.
All about Pricing
Beyond the base costs listed below, only live hosts incur additional costs. A “live host” responds to traffic on at least one port. Typically small office internet connections will have no open ports.
CoreOne Service
This is our lowest-cost service and intended for smaller environments with just one public IP address. Only external scans are supported, i.e., all IP addresses must be accessible over the public internet.
The CoreOne base cost is $59 which includes scanning one IP address. To scan more than one address, we have the Advanced service (see below).
CoreOne service is $59 regardless of the existence or lack of response on any port. Having no ports respond is typical for small business internet connections and ensures no external access is possible at that address.
Advanced Service
This is our most capable and customizable service, intended for larger or more sophisticated environments. Both internal and external scans are supported. Internal scans are for hosts with IP addresses in non-internet routable ranges, such as 10.x.x.x and 192.168.x.x, and carry an additional setup fee (more details below).
The Advanced base cost is $299 which includes scanning up to 5 total IP addresses, internal or external. At 10 IPs and above, there is a volume discount: $500 for the first 10 IPs, and $250 for each additional block of 10 IPs.
Internal scanning setup fees range from $250 to $1000 to configure and test the selected method, ranging from connecting via a Software Defined Network to deploying an onsite scanning device. Subsequent setup fees may occur if a major change to the method occurs. Contact us to discuss what method would work best for you.
Advanced service pricing examples:
- If 5 or fewer hosts respond, the cost is $299.
- If 6-10 hosts respond, the cost is $500.
- 11-20 responding hosts result in a cost of $750.
- 41-50 responding hosts result in a cost of $1500.
Discounts are likely available for monthly or more frequent Advanced scans.