January 29, 2020

A crash course on configuration scanning: The DataBank vulnerability management tool of choice

An overview of configuration scanning: the DataBank vulnerability scanning tool of choice.

Configuration scanning is a process for scanning systems to identify and mitigate vulnerabilities that threaten compliance, including software flaws, missing patches, malware, and misconfigurations across operating systems, devices, and applications. Our service allows security professionals to connect to a multitude of servers, run vulnerability scans, and generate an executive or detailed report organized by vulnerability type, by host/plugin, or by team/client, in a variety of formats (HTML, CSV, and the scanner's native XML export).

External vulnerability scans give visibility into only part of the picture, while configuration scanning uses internal credentialed scans to build a more comprehensive one. Internal vulnerability scanning is a requirement for FedRAMP and PCI-DSS environments.

Key features of configuration scanning

We've selected only the best configuration scanning tools for vulnerability scanning because of the key features they offer that greatly benefit customers, specifically those subject to FedRAMP and other high-security compliance requirements.

Breadth and depth of coverage

The vendors of these tools continually work with the information security community to identify new vulnerabilities, while offering insights that help businesses advance their vulnerability assessment practices. Threat intelligence is built into configuration scanning through plugins.

Automatic plugin updates

Our process is powered by top-rated configuration scanning tools that leverage over 130,000 plugins, updated automatically and in real time. This ensures timely information on new vulnerabilities while reducing the time needed to assess and remediate issues.

Vulnerability scanning with DataBank

As part of the base configuration management service offering, DataBank performs scans up to and including the operating system layer, but not databases or web applications. Database and web application scans can be ordered for an additional fee. It's important to note that FedRAMP stipulates that cloud service providers must perform internal authenticated scans.

FedRAMP vulnerability scanning requirements

Authenticated and credentialed scans

Vulnerability scans must be performed using system credentials that allow full access to the systems. Scanners must be able to perform in-depth vulnerability scanning of all systems where applicable. Systems scanned without credentials yield limited or no visibility into their risks. All unauthenticated scans are rejected unless an exception has previously been granted for applicability or technical reasons.

Enable all non-destructive plug-ins

To ensure all vulnerabilities are discovered, the scanner must be configured to scan for all non-destructive findings. Any vulnerability scan run with limited or excluded plug-ins is rejected. Exceptions may be made for specific government requests for re-scans or targeted scans; those scans must follow the directions provided by the government.

Full system boundary scanning

Each scan must include all components within the system boundary. Scans that cover a reduced number of components or omit categories will be rejected. In some cases sampling is acceptable; however, it must be approved as part of the initial security assessment plan and again as part of the continuous monitoring plan.

Scanner signatures up to date

The CSP must ensure the vulnerability scanner used is up to date and includes the latest vulnerability signatures. Before scanning, each scanner must be updated to the latest version of the scan engine as well as the latest signature files.

Provide a summary of scanning

Each scan submission must be accompanied by a summary of the scan performed. The summary must include a listing of all the scan files submitted, which scanning tools were used, and a summary of the purpose of the scan (e.g., monthly scans, re-scans, verification scans, etc.).

In addition, the summary should describe the scanner's configuration settings, including whether signatures were limited for targeted or verification scans, or whether the scan scope excluded certain components or IP addresses. IP address ranges and/or a description of the targets are required.

POA&M all findings

Findings within scans must all be addressed in a plan of action and milestones or other risk acceptance requests and maintained until vulnerabilities have been remediated and validated.

Types of scans DataBank runs for customers

1. Credentialed patch audit scan

- Vulnerability scans run monthly

- Checks to determine what is out of date on the server

- DataBank is responsible for OS patches only

2. Host discovery scan

- Network discovery scans are offered to FedRAMP environments only

- Scan runs daily

- Results are reviewed monthly

- Checks for new hosts in the environment
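The daily host discovery check and the full-boundary requirement above both come down to comparing what the scanner saw against what is authorized to exist. As an added example that is not DataBank's tooling or part of the original page, the Python below reviews a host discovery export against a system boundary inventory: it flags newly discovered hosts, hosts found outside the authorized address ranges, inventory hosts the scan did not reach, and whole component categories that went unscanned (the conditions under which a FedRAMP scan submission would be rejected). The CSV layouts, hostnames, addresses and the `10.10.0.0/16` boundary are constructed assumptions, not any scanner's real export format.

```python
import csv
import io
import ipaddress

# Constructed sample: the authorized system boundary inventory (assumed CSV layout).
BOUNDARY_INVENTORY_CSV = """hostname,ip,category
bastion-01,10.10.0.5,bastion
web-01,10.10.1.10,web
web-02,10.10.1.11,web
db-01,10.10.2.20,database
"""

# Constructed sample: export from one daily host discovery scan (assumed CSV layout).
# 10.10.1.57 is not in the inventory, and bastion-01 did not appear in the scan.
DISCOVERY_EXPORT_CSV = """ip,hostname
10.10.1.10,web-01
10.10.1.11,web-02
10.10.2.20,db-01
10.10.1.57,
"""

# Constructed: address ranges that make up the authorization boundary.
BOUNDARY_NETWORKS = ["10.10.0.0/16"]


def parse_csv(text):
    """Parse a CSV export into a list of row dicts keyed by the header line."""
    return list(csv.DictReader(io.StringIO(text)))


def review_discovery(inventory_csv, discovery_csv, boundary_networks):
    """Compare a host discovery scan against the boundary inventory.

    Returns a dict with:
      new_hosts          - discovered addresses absent from the inventory
      outside_boundary   - discovered addresses in none of the boundary networks
      missing_from_scan  - inventory addresses the scan did not see
      missing_categories - inventory categories with no scanned host
      full_boundary      - True only when every inventory host was scanned
    """
    inventory = {row["ip"]: row for row in parse_csv(inventory_csv)}
    discovered = {row["ip"]: row for row in parse_csv(discovery_csv)}
    networks = [ipaddress.ip_network(n) for n in boundary_networks]
    by_address = ipaddress.ip_address  # numeric sort key, not string order

    new_hosts = sorted((ip for ip in discovered if ip not in inventory), key=by_address)
    outside_boundary = sorted(
        (ip for ip in discovered
         if not any(ipaddress.ip_address(ip) in net for net in networks)),
        key=by_address,
    )
    missing_from_scan = sorted((ip for ip in inventory if ip not in discovered), key=by_address)

    all_categories = {row["category"] for row in inventory.values()}
    scanned_categories = {row["category"] for ip, row in inventory.items() if ip in discovered}
    missing_categories = sorted(all_categories - scanned_categories)

    return {
        "new_hosts": new_hosts,
        "outside_boundary": outside_boundary,
        "missing_from_scan": missing_from_scan,
        "missing_categories": missing_categories,
        "full_boundary": not missing_from_scan,
    }


def monthly_review_lines(report):
    """Render the findings as lines for the monthly review and the scan summary."""
    lines = []
    for ip in report["new_hosts"]:
        lines.append(f"NEW HOST {ip}: not in boundary inventory; investigate, then inventory or remove")
    for ip in report["outside_boundary"]:
        lines.append(f"OUT OF BOUNDARY {ip}: discovered outside the authorized address ranges")
    for ip in report["missing_from_scan"]:
        lines.append(f"NOT SCANNED {ip}: inventory host absent from scan; re-scan before submission")
    for category in report["missing_categories"]:
        lines.append(f"MISSING CATEGORY {category}: no host of this category was scanned")
    verdict = "full boundary covered" if report["full_boundary"] else "boundary incomplete, submission would be rejected"
    lines.append("RESULT: " + verdict)
    return lines


if __name__ == "__main__":
    findings = review_discovery(BOUNDARY_INVENTORY_CSV, DISCOVERY_EXPORT_CSV, BOUNDARY_NETWORKS)
    print("\n".join(monthly_review_lines(findings)))
```

The inventory, not the scan, is the source of truth here: a host that answers the scanner but is absent from the inventory is a finding in its own right, and a boundary host the scanner never reached makes the submission incomplete regardless of how clean the rest of the results look. In practice the inventory CSV would be exported from the CMDB or the system security plan's component list, and the review output would feed the scan summary that accompanies each submission.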

3. CIS hardening scan

Configuration scanning is used with the Center for Internet Security (CIS) benchmarks and baselines to assess and harden all servers during provisioning, so that every server is in its optimal state at delivery. In production, scans are also scheduled on a recurring basis for continuous monitoring.

Vulnerability scans are a critical component of an overall security program. They're a non-invasive method of testing that gives your security team quick feedback on the health of your network. When you entrust DataBank with vulnerability scanning as part of your security program, your internal team will be better equipped to act on protecting your network and data.