1. Test what matters
Many people scan only what is required to tick the compliance box (for example the cardholder data environment under PCI DSS) and nothing else. An attacker does not respect that scope: if a vulnerability exists elsewhere they will find it, and the consequences can be devastating. Start by testing your critical business systems and work your way outwards from there.
2. Scan your entire network
Scanning a flat network is very different from scanning a complex layered or segmented network, especially when multiple locations are involved. Firewalls and routing between segments can stop a single scanner from reaching every host, so you may need to physically move your scanning system or deploy scanner sensors in each segment. Whatever it takes, look at your network as a whole and make sure every area is being scanned.
3. Don't skip DoS
Scanner policies that include DoS checks do carry a real risk of disrupting the target, but they also find flaws that "safe" policies won't. Leaving critical systems out of scope to avoid any chance of downtime is bad practice and leaves you short of the security your network could have. Run the intrusive checks in an agreed window, against systems whose owners know what is coming, rather than not at all.
4. Vulnerability scanners do not find everything
Scanners are excellent for automated, scheduled scanning that runs on a regular basis, but they only find what their checks are written to detect. Combine them with a manual review by a well-trained eye from time to time.
5. You can't say you have looked at everything…
…unless you have performed authenticated scans of all possible network hosts, including servers, workstations and databases. An unauthenticated scan only sees what is exposed on the network; a credentialed scan can also check installed software, patch levels and local configuration.
6. Scans are time sensitive
Threats, security operations and even network architectures are always in a state of flux. What was or wasn't a vulnerability yesterday may be something totally different today, as new advisories are published and hosts, services and configurations change. Run regular scans so that your view of the network stays current.
7. Plan in advance
Improperly set expectations are a sure-fire way to let others down and to make mistakes. Know what you are testing and when you will be testing it, and make sure you communicate with everyone involved.
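Tips 2, 5 and 6 all come down to one question: can you prove that every host in every segment was scanned, with credentials, recently? The script below is an added example, not code from the original article or from Signal Networks. It reconciles a constructed asset inventory against constructed scanner result records and reports hosts the scanner never reached, whole segments with no scanner reach (a sign that a sensor is missing), hosts without a recent credentialed scan, and hosts whose last scan is older than a freshness window. The inventory, the scan records and the 30-day window are all assumptions made for illustration.

```python
"""Scan-coverage reconciliation (added example, not from the original article).

Compares an asset inventory with the scanner's result records and reports
hosts the scanner never reached, segments with no scanner reach at all,
hosts lacking a recent credentialed scan, and hosts whose last scan is
older than a freshness window. All data below is constructed.
"""
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed asset inventory: (host, network segment).
INVENTORY = [
    ("10.10.1.10", "dc-servers"),
    ("10.10.1.11", "dc-servers"),
    ("10.10.1.12", "dc-servers"),
    ("10.20.5.40", "branch-a-workstations"),
    ("10.20.5.41", "branch-a-workstations"),
    ("10.30.9.2", "branch-b-workstations"),
]

# Constructed scan records: (host, credentialed, finished, UTC ISO-8601).
SCAN_RESULTS = [
    ("10.10.1.10", True, "2024-05-01T02:00:00Z"),
    ("10.10.1.11", False, "2024-05-01T02:05:00Z"),  # credentials never worked
    ("10.10.1.12", True, "2024-02-01T02:00:00Z"),   # last scanned months ago
    ("10.20.5.40", True, "2024-03-20T01:00:00Z"),
    ("10.20.5.40", False, "2024-05-02T01:00:00Z"),  # credentials broke since
    ("10.10.1.99", True, "2024-05-01T02:10:00Z"),   # host not in the inventory
]


def parse_ts(stamp):
    """Parse a UTC timestamp such as 2024-05-01T02:00:00Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def reconcile(inventory, results, now, max_age_days=30):
    """Classify every inventory host by how well the scanner has covered it.

    A host is 'covered' only if it has a credentialed scan inside the window;
    'unauthenticated' if it was scanned recently but never with working
    credentials in the window; 'stale' if its newest scan of any kind is
    older than the window; 'never_scanned' if no record exists at all.
    Hosts that appear in results but not in the inventory are 'unknown'.
    """
    cutoff = now - timedelta(days=max_age_days)
    known = dict(inventory)  # host -> segment

    latest_any = {}   # host -> newest scan time, credentialed or not
    latest_cred = {}  # host -> newest credentialed scan time
    for host, credentialed, stamp in results:
        t = parse_ts(stamp)
        if host not in latest_any or t > latest_any[host]:
            latest_any[host] = t
        if credentialed and (host not in latest_cred or t > latest_cred[host]):
            latest_cred[host] = t

    report = {"covered": [], "unauthenticated": [], "stale": [], "never_scanned": []}
    segments = {}  # segment -> {"total": n, "covered": n}
    reached = set()  # segments where at least one host has any scan record
    by_ip = lambda item: ipaddress.ip_address(item[0])
    for host, segment in sorted(known.items(), key=by_ip):
        counts = segments.setdefault(segment, {"total": 0, "covered": 0})
        counts["total"] += 1
        if host not in latest_any:
            status = "never_scanned"
        else:
            reached.add(segment)
            if latest_any[host] < cutoff:
                status = "stale"
            elif host not in latest_cred or latest_cred[host] < cutoff:
                status = "unauthenticated"
            else:
                status = "covered"
                counts["covered"] += 1
        report[status].append(host)

    report["unknown"] = sorted((h for h in latest_any if h not in known),
                               key=ipaddress.ip_address)
    report["segments"] = segments
    report["unreached_segments"] = sorted(s for s in segments if s not in reached)
    return report


def run_example():
    """Run the reconciliation over the constructed data at a fixed 'now'."""
    return reconcile(INVENTORY, SCAN_RESULTS, parse_ts("2024-05-10T00:00:00Z"))


if __name__ == "__main__":
    report = run_example()
    for key in ("covered", "unauthenticated", "stale", "never_scanned", "unknown"):
        print(f"{key:16} {', '.join(report[key]) or '-'}")
    for seg, counts in report["segments"].items():
        note = "  (no scanner reach)" if seg in report["unreached_segments"] else ""
        print(f"segment {seg}: {counts['covered']}/{counts['total']} covered{note}")
```

In practice the inventory comes from your CMDB or DHCP/AD exports and the scan records from the scanner's API or report export; the point of the exercise is that an "unknown" host means the inventory is incomplete, an unreached segment means a sensor is missing, and an "unauthenticated" host that used to be covered usually means a credential or agent silently broke.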
For further advice on vulnerability testing, speak to one of our friendly engineers on 0845 370 2202. Signal Networks is proud to be partnered with some of the best security vendors, in addition to having an in-house team of Certified Ethical Hackers, to ensure all advice is impartial and tailored to suit each individual organisation's requirements.