Vulnerability Scan: But I Have Patch Management, Why Do I Need a Scan?


“I don’t need a vulnerability scan of our network, everything is patched. We have patch management!”

Have you thought those words, even said them aloud? Too many cyber security terms are thrown around these days, their meaning confused and watered down.

In this case, what you don’t know CAN hurt you.

Patch Management Works, Where Configured.

VMWare hosts are a GREAT example of this issue. While your patch management may be updating every Windows and Linux host you have, we often find organizations overlook systems like the VMWare host itself. Older versions of VMWare have vulnerabilities that allow attackers to gain access as root to the VMWare base system, from there they can easily access the virtual hosts. Before you blame VMWare, realize they patched those holes a long time ago and they let everyone know by releasing updates. You just need to patch or upgrade to the latest version. In our experience, most organizations we have helped didn’t have VMWare in their patch management cycle until after a security assessment or vulnerability scan.


Network Gear

Oh yeah… the core switch or router, or worse yet, the firewall. This is a common issue we find in many customer’s networks. No one wants to take the chance of the network going down, and so network gear gets skipped time and time again. Then a vulnerability scan shows that your switches or routers are 3 years out of patch and vulnerable to a host of public exploits that hackers can use to gain access, or worse, shut down your network.

Configuration Issues

The multitude of SSL vulnerabilities in 2016 is a great example of how patch management isn’t always enough. With our vulnerability scanning service we have found a large number of customer servers configured with vulnerable ssl settings. From Poodle to Heartbleed, these “patched” but misconfigured servers may still be lurking in your infrastructure.

Vulnerability scans often reveal unwelcome surprises.


Internal and External

Most Hackers and ransomware land inside your corporate network. That means a vulnerability scan of your internal network is as critical as a scan on your external assets. Once a phishing email lands the hacker or malware on a machine inside your network, they get to work scanning for vulnerabilities. If you have an IDS for network monitoring you’ll catch it right away, if not, you may find out after they have already spread.

Vulnerability Scan Regularly to Find What You’ve Missed

One and done is not the way to go. You have a patch schedule; it pays to create a vulnerability scanning schedule. Security minded organizations like to scan once a month after patches have all been applied, for others quarterly is enough. Whatever your schedule, don’t let it be just once.

About Patrick Stump

The CEO and founder of Roka Com, Patrick has been a key player in both offensive cyber intrusion and security operations with multiple branches and agencies of the United States Government (USG), the military, and commercial industry.

Connect with Patrick on LinkedIn