
'There are no monsters': four keys to vulnerability scanning success

Claire Carpenter, IT security specialist at the University of Canterbury Christ Church, has a vivid analogy for the anxiety felt by some in the IT community around vulnerability scanning.

“People don't want to know the scary stuff,” she says.

“But it's like opening that cupboard when it's dark in the night. There's really no monster in there, it's only your fear that's telling you there's a monster. You just need to open the cupboard and say, ‘Look, it's just a shadow. We can deal with that'.”

And that’s exactly how she tackled vulnerability scanning at Canterbury Christ Church – with impressive results. She shares her four key elements of success.

1. Acknowledge the culture change

Vulnerability scanning is a broad term, used to describe the automated process of detecting defects in an organisation’s security programme.

While its key strength is automation, providing a fast and up-to-date view of the security landscape, it only provides an overview.

It doesn’t mean that your organisation is necessarily vulnerable to everything that it picks up, and it certainly doesn’t do the work to validate, test and secure those vulnerabilities. It doesn’t replace penetration testing.

Carpenter faced concerns, which she knows are common, from senior management that undergoing vulnerability scanning would only serve to produce risks that they did not have the resources to fix. Her first step to success was to explain the culture change and offer reassurance.

“I said, look, I'm in place now, 100%. I'm going to help drive the programme forward. I'm going to make sure we do this in the right way.

"And we’re not going to do what I've heard that other people have done, which is just scan absolutely everything. All that does is get you a huge list that leaves you saying, ‘Wow. Where do you start?’”

Instead, Carpenter explained that she would be prioritising tier one services, such as the university website, scanning them gradually and looking at them in depth and in detail to uncover exactly what lies beneath the surface.

2. Take a softly, softly approach

Carpenter also faced nervousness around the prospect that the programme would break live services. She countered this by picking services which already had test systems, such as a development site, and scanning those systems first to make sure there were no performance scares or issues.

“Gradually, after the first five or six systems, people said, ‘Ok, this is a standard thing. We're not so worried any more'. We also did a lot of documentation explaining what we were scanning and why we were scanning it.

"By taking that softly, softly approach and going the extra mile to try to encourage people that we cared, we were able to get over that fear barrier. But I think that was a big barrier to start with. People were very, very nervous.”

3. Challenge your vendor

Choosing vulnerability scanning tools and services can be complicated (the National Cyber Security Centre has good guidance) and Carpenter advises against taking vendor promises at face value.

“Look at what you want out of a service and make sure that you understand your resourcing because a lot of applications say, ‘We can save you time. We can save you money. We can save you people. It will all do it itself. It will all be fine.’ But vulnerability scanning does take resourcing because you need to understand what it's telling you.

“Make sure that you know what you want out of the system. It's not going to be a magic wand that fixes everything for you, and it is going to create a list of work to do. You need to understand how you're going to manage that. Think about those parts, as well as the nice, shiny dashboard that the vendor is going to give you,” she suggests.

Even when you have your vendor, continue to look at what else is available from other vendors and challenge your own to offer more.

4. Build on your success

For Carpenter, the greatest success story of her vulnerability scanning programme is the way in which it has shown commonalities across key services, allowing her to define a standard build structure. Instead of retrofitting fixes to problems after the fact, she can now ensure services are built to avoid them.

As developers work on new applications they can start scanning as part of their process and raise any flags.

“What we will try to do is to prevent anything going live if it has a certain number of key vulnerabilities.

"At the moment, we're expecting the developers to fix them as we go through the service. But hopefully, in the future, we can say no – if it's hit that threshold, then it's not going live.”
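The go-live threshold Carpenter describes, written out as an added example (this is illustrative code, not the university's tooling); the findings, the JSON shape and the severity threshold are constructed assumptions:

```python
"""Release gate for vulnerability-scan findings (added illustration, not the university's tooling).

Policy: a service is blocked from going live when it carries at least THRESHOLD findings
at or above a chosen severity. The scan export below is constructed sample data, and its
JSON shape is an assumption rather than any particular scanner's real output format.
"""
from collections import Counter
import json

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample scan of a development site (the "test system first" approach).
SAMPLE_SCAN = json.dumps({
    "service": "university-website-dev",
    "findings": [
        {"id": "F-1", "severity": "critical", "title": "Outdated TLS configuration"},
        {"id": "F-2", "severity": "high", "title": "Missing security headers"},
        {"id": "F-3", "severity": "high", "title": "Verbose server banner"},
        {"id": "F-4", "severity": "low", "title": "Directory listing on /static"},
    ],
})


def count_by_severity(scan_json: str) -> Counter:
    """Tally findings per severity so reviewers see the shape of the work list, not one number."""
    data = json.loads(scan_json)
    return Counter(f["severity"].lower() for f in data["findings"])


def release_decision(scan_json: str, min_severity: str = "high", threshold: int = 1) -> dict:
    """Return a go/no-go verdict: block when findings at or above min_severity reach threshold.

    A finding with an unrecognised severity label is counted as blocking (fail closed) and
    listed separately, so a malformed scanner export cannot quietly wave a release through.
    """
    data = json.loads(scan_json)
    floor = SEVERITY_RANK[min_severity]
    blocking, unknown = [], []
    for finding in data["findings"]:
        rank = SEVERITY_RANK.get(finding["severity"].lower())
        if rank is None:
            unknown.append(finding["id"])
            blocking.append(finding["id"])
        elif rank >= floor:
            blocking.append(finding["id"])
    return {
        "service": data["service"],
        "blocking_findings": blocking,
        "unknown_severity": unknown,
        "go_live": len(blocking) < threshold,
    }
```

Run as a build step, the dictionary it returns is what a pipeline would log and act on; the `threshold` and `min_severity` arguments are where a team encodes the number of key vulnerabilities it is prepared to tolerate.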

As the programme expands beyond tier one services, it will no longer be restricted to individual services but will also scan whole networks, such as the printer network, segment by segment.

“Now we're at a better place with understanding the problems that we faced in the past, we're probably not going to be so fazed when we find it with other services.

"Say we find the printer's got the same problems that we have with another service, we know how to fix that. We've done that before. This is what we can do, and we can roll it out widely.

“Vulnerability scanning has certainly helped us understand our risk, improve our posture and get us through Cyber Essentials,” concludes Carpenter.

Claire Carpenter is speaking at the free-to-attend Jisc security conference (9-11 November). Registration is open now.