Infrastructure Patching Problems

In recent years the main vendors of the operating systems and databases that run our businesses, schools and governments have made significant strides to provide a reliable stream of patches and upgrades which are easy to install or even installed automatically. Microsoft’s Patch Tuesday has been emulated by other vendors including Adobe and SAP. These patches are published on a reliable schedule, they are well covered in the security press, and organisations are able to track the roll-out of the patches across their estate using management tools.

However, there is a risk that smaller vendors, or systems where only one or two devices are present in a large network, can be overlooked. As Peter Drucker was fond of saying: what gets measured gets managed. These lower-profile systems – a single VPN gateway in the branch office, a one-of-a-kind NAS in the back of a computer room – are perhaps not supported by the operations management systems in the Operations Centre. They are not mentioned in the monthly reports where the sysadmins prove all their Windows and Oracle patches have been installed within the target 14 days.

When was the last time a physical audit of every device on your network was performed so you can check that they are all still required and all are still supported and up to date with their patches?

The danger of a missing patch

In August 2019, security researchers at Bad Packets reported that their honeypot systems on the internet were being mass scanned from an IP address in Spain. The scans were targeting Pulse Connect Secure VPN endpoints that were vulnerable to CVE-2019-11510, a serious vulnerability that allowed the theft of unencrypted passwords and private keys. Pulse Secure had been advised of the original vulnerabilities in March 2019 and had posted patches to resolve the issues a month later. The problem was that thousands of VPN systems remained unpatched despite the vendor’s efforts to contact its customers proactively.

According to scans performed by the researchers at Bad Packets, in August 2019 some 35% of detectable Pulse VPN Servers on the internet remained unpatched – over 14,000 devices.

In October 2019 the NSA in the USA and the NCSC in the UK both issued advisories warning about the impact of these unpatched vulnerabilities, with over 5,000 unpatched Pulse Secure VPN servers still visible on the internet.

In January 2020 the Wall Street Journal reported the names of several large companies who had unpatched Pulse Secure VPN servers online, including Travelex, which was the target of a cyber attack that took all its systems offline for over three weeks at the start of 2020.

One unpatched device can be all that is needed for attackers to establish a beachhead in your network and use it to launch a ransomware attack or steal data.

In a large multi-site network, perhaps created from the amalgamation of several companies over the years, with odd devices installed by people who no longer work for the company, how can network managers be confident that they know what is plugged in to the network and that every device is patched and secure?

How can network admins check for unpatched devices on their network?

Vulnerability Scans are a very effective way to check for unexpected and unpatched devices on your public and internal networks.

Required by security standards like PCI DSS and ISO 27001, vulnerability scans are automated tools that detect and probe devices on your network, try to determine the vendor and version of all hardware and software, and finally identify whether any patches are missing from those devices. Vulnerability scan vendors work closely with device and software vendors to maintain comprehensive databases of products, vulnerabilities and how to detect them.

The first phase of a vulnerability scan is a discovery scan, where every device on the network is identified, as far as possible. You can also perform a discovery scan using a tool like NMAP, which will identify active IP addresses on the network and any open ports on those devices. Whether you use a commercial vulnerability scanner or a tool like NMAP, a regular check for unexpected or unknown network devices is an essential security hygiene habit.
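What that regular check looks like in practice, as an added example that is not part of the original article: a short script that parses NMAP’s grepable (-oG) output and reconciles the live hosts and open ports against an asset inventory, flagging devices nobody is tracking, inventoried devices that have vanished, and ports nobody signed off on. The scan lines, hostnames and inventory are constructed sample data.

```python
"""Reconcile an Nmap discovery scan (-oG output) with an asset inventory."""
import re

# Constructed sample of Nmap grepable output (RFC 5737 documentation
# addresses, made-up hostnames); real -oG files use the same line shape.
NMAP_OUTPUT = """\
# Nmap scan initiated (constructed sample)
Host: 192.0.2.10 (vpn-gw.branch.example)\tStatus: Up
Host: 192.0.2.10 (vpn-gw.branch.example)\tPorts: 443/open/tcp//https///, 22/open/tcp//ssh///\tIgnored State: closed (998)
Host: 192.0.2.20 ()\tStatus: Up
Host: 192.0.2.20 ()\tPorts: 445/open/tcp//microsoft-ds///\tIgnored State: closed (999)
Host: 192.0.2.30 (nas-old.branch.example)\tStatus: Up
Host: 192.0.2.30 (nas-old.branch.example)\tPorts: 80/open/tcp//http///, 139/open/tcp//netbios-ssn///\tIgnored State: closed (998)
# Nmap done (constructed sample)
"""

# Constructed asset inventory: IP -> (owning team, ports expected to be open).
INVENTORY = {
    "192.0.2.10": ("network team", {443}),
    "192.0.2.20": ("file services", {445}),
    "192.0.2.40": ("facilities", {80}),   # recorded, but absent from the scan
}

PORT_RE = re.compile(r"(\d+)/open/tcp")

def parse_grepable(text):
    """Return {ip: set(open TCP ports)} for every host Nmap reported."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue                      # skip the comment/header lines
        ip = line.split()[1]              # "Host: <ip> (<name>)\t..."
        hosts.setdefault(ip, set()).update(int(p) for p in PORT_RE.findall(line))
    return hosts

def reconcile(scan, inventory):
    """Three findings an admin wants from a discovery scan:
    unknown devices, inventoried devices not seen, and unexpected open ports."""
    unknown = sorted(ip for ip in scan if ip not in inventory)
    missing = sorted(ip for ip in inventory if ip not in scan)
    unexpected = {ip: sorted(scan[ip] - inventory[ip][1])
                  for ip in scan if ip in inventory and scan[ip] - inventory[ip][1]}
    return unknown, missing, unexpected

if __name__ == "__main__":
    unknown, missing, unexpected = reconcile(parse_grepable(NMAP_OUTPUT), INVENTORY)
    print("not in inventory (investigate):", unknown)
    print("in inventory but not seen (decommissioned?):", missing)
    print("open ports nobody signed off on:", unexpected)
```

Run it against a real `nmap -sS -oG scan.txt <range>` file and your own inventory export to turn the monthly check into a diff rather than a manual read-through.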

There are two types of vulnerability scan, internal and external.

What are external vulnerability scans?

External vulnerability scans are usually provided as a service by scanning vendors. Customers provide the list of their public IP addresses, and the scanning service interacts with each IP address and attempts to identify the devices and software versions it can detect. In effect the scan performs the first reconnaissance step of the cyber kill chain, duplicating the steps hackers would take in order to determine what software can be detected and which unpatched vulnerabilities can be found.

The scans typically take several hours to run due to the huge number of permutations they need to try in order to detect the software and devices and then check for patches that are missing.

Once the scan is completed you will receive a report that details the devices and software that were detected and any missing patches or configuration errors that were discovered. If run on a regular basis, the report will help busy systems administrators know which systems need patching in order to keep the network secure.

What are internal vulnerability scans?

Internal vulnerability scans perform the same function as the external scans and produce similar reports. However, because they need to take place behind your firewall and include every segment of the network, the scan needs to be performed by appliances or virtual servers running within your network. These are usually provided by the same vendor who supplies the external scans.

If you have successfully hardened your public servers, the external scan may not be able to correctly identify the software versions or missing patches. In this case the internal scanner will be able to correctly identify any missing patches on those systems.

Internal and external scans work together, and both are needed to ensure all the devices on your network are fully detected and checked.

Network managers need to be able to answer two important questions: what devices are connected to my network, and are those devices patched and secure? Regular vulnerability scans and discovery scans of every network segment are the essential tools for answering both questions.
