Lock your car and hide your valuables. Lock your doors and windows. Use an automated scanner on your website often and fix any problems. Wait, what?
The first two pieces of advice have been repeated so many times that they have become second nature to almost everyone. We do them without even thinking about it. Don’t believe me? Think about how many times you or someone you know has locked themselves out of their home or car. The third piece of advice is a sign of the times: our valuables aren’t only in the physical world anymore, and haven’t been for a long time.
But how often do you hear people in the information security industry say you should scan your website with an automated scanner? Not very often. Why? Because to us it doesn’t really address how a determined attacker will penetrate your website’s defenses. We bring up things like APT (Advanced Persistent Threat) and ninja squirrel attackers who can cut through any defense you put in place. I’m not saying those individuals and attacks don’t exist; obviously they do. What gets left out of discussions about whether automated scanning is worthwhile is that the vast majority of systems are targeted opportunistically, much like cars with the windows rolled down, the doors unlocked or a $400 iPhone on the seat. Victims of crimes against property are almost always chosen that way, and the same goes for most compromised websites. If those victims had followed the first two pieces of advice above, the attackers would almost surely have moved on to quicker and easier targets.

That’s what you want: for them to pick somebody else. Automated scanning helps you make that happen. The attackers who scan the Internet at random are running automated tools that look for the same easily detected weaknesses your own scanner reports, so if you scan your site often (more than twice a year) and fix the “low hanging fruit” it turns up, those attackers will most likely skip your site and move on to someone else. That buys you time to initiate more in-depth assessments and penetration tests of your site and applications on an annual or, better yet, semi-annual basis.
Are recurring automated scans all you’ll ever need? No. There is still a place for the annual or semi-annual penetration test, security assessment, red team exercise, whatever you want to call it. But recurring scans can:
- Shorten those more in-depth assessments by giving your outside auditors/consultants a wealth of data about your overall security posture before they start
- Provide your website and web application developers with a snapshot in time of how changes they made in the past have affected (positively or negatively) the safety of your website(s), and, compared run over run, a record of which changes introduced or removed weaknesses
- Give you a competitive edge, because you can tell your customers that you take security seriously and are proactively working to protect them and their data
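One way to turn recurring scans into the run-over-run snapshot described above is to keep each scanner export and compare the latest one against the previous one. The script below is an added example, not code from the original post or from any particular scanner: it classifies findings as new, fixed or persistent, ranks what is still open by severity so the low hanging fruit is obvious, and returns a failure when anything at or above a chosen severity is open. The JSON schema (check, url, severity), the example.test host and both sample runs are assumptions constructed for this example.

```python
"""Diff two runs of an automated web scanner and rank what is still open.

Added example, not code from the original post or from any scanner. It
assumes the scanner can export findings as JSON with the fields used below
(check, url, severity); that schema and both sample runs are constructed
here so the script runs offline.
"""
import json

# Lower rank = more urgent. Unknown severities sort last.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4}

# Constructed sample exports from two scans a month apart (hypothetical schema).
PREVIOUS_RUN = json.dumps({
    "scanned_at": "2024-01-08",
    "findings": [
        {"check": "outdated-server-banner", "url": "https://example.test/", "severity": "low"},
        {"check": "missing-hsts", "url": "https://example.test/", "severity": "medium"},
        {"check": "reflected-xss", "url": "https://example.test/search", "severity": "high"},
        {"check": "directory-listing", "url": "https://example.test/static/", "severity": "medium"},
    ],
})
CURRENT_RUN = json.dumps({
    "scanned_at": "2024-02-05",
    "findings": [
        {"check": "outdated-server-banner", "url": "https://example.test/", "severity": "low"},
        {"check": "missing-hsts", "url": "https://example.test/", "severity": "medium"},
        {"check": "sql-injection", "url": "https://example.test/login", "severity": "critical"},
        {"check": "verbose-error-page", "url": "https://example.test/account", "severity": "low"},
    ],
})


def finding_key(finding):
    """Identity of a finding across runs: the same check against the same URL."""
    return (finding["check"], finding["url"])


def urgency(finding):
    """Sort key: most severe first, then deterministic by check and URL."""
    return (SEVERITY_RANK.get(finding["severity"], len(SEVERITY_RANK)),
            finding["check"], finding["url"])


def load_findings(raw_json):
    """Parse one scanner export into {key: finding}."""
    return {finding_key(f): f for f in json.loads(raw_json)["findings"]}


def compare_runs(previous_json, current_json):
    """Classify findings as new, fixed or persistent between two runs."""
    prev = load_findings(previous_json)
    cur = load_findings(current_json)
    return {
        "new": sorted((cur[k] for k in cur.keys() - prev.keys()), key=urgency),
        "fixed": sorted((prev[k] for k in prev.keys() - cur.keys()), key=urgency),
        "persistent": sorted((cur[k] for k in cur.keys() & prev.keys()), key=urgency),
    }


def open_findings(report):
    """Everything still present in the current run, most urgent first."""
    return sorted(report["new"] + report["persistent"], key=urgency)


def exceeds_threshold(report, threshold="high"):
    """True if any open finding is at or above the given severity.

    Intended as the gate in a scheduled job: exit non-zero (and page someone)
    when a scan turns up something at this level instead of only mailing a report.
    """
    limit = SEVERITY_RANK[threshold]
    return any(SEVERITY_RANK.get(f["severity"], len(SEVERITY_RANK)) <= limit
               for f in open_findings(report))


def format_report(report):
    """Human-readable summary, one line per finding."""
    lines = []
    for bucket in ("new", "persistent", "fixed"):
        lines.append(f"{bucket.upper()} ({len(report[bucket])})")
        for f in report[bucket]:
            lines.append(f"  [{f['severity']}] {f['check']} {f['url']}")
    return "\n".join(lines)


if __name__ == "__main__":
    report = compare_runs(PREVIOUS_RUN, CURRENT_RUN)
    print(format_report(report))
    raise SystemExit(1 if exceeds_threshold(report, "high") else 0)
```

In practice each scheduled run writes its export to a dated file and the job compares it with the previous file. The identity key is (check, URL), so if the scanner reports the same check once per query-string variation you will want to normalise the URL before keying, or the same weakness will show up as several "new" findings every run.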
So what are you waiting for? Call your information security consultant today to set up a schedule for automated scans and let them help you lock your doors and windows.