Blog: Scanning

By: (CISA, CISSP, Security+)

Well, maybe it used to be the question, but it is no longer a question to be asked. Scanning your network is an essential part of your security protocol to ensure that customer information is secured. So, since I need to scan my systems for vulnerabilities, where do I start?

Determine the Best Product to Scan Your System

There are many good products on the market to test for system vulnerabilities. The best method is to review different products and decide which product will take care of your needs. Not only does the product need to give you information on what vulnerabilities exist on your network, but it also needs to provide you with reporting that is easy for you to read and understand. A report is only good if you can take the information and make decisions on how to remediate the findings that it observes.

Rely on Network Vendors to Conduct Your Scanning

You may be thinking, "I do not have the expertise to conduct these scans and read the reports, so what do I do now?" This is where you will have to rely on a network vendor or third party to conduct your scanning. You also need to ensure you have a contract in place and have conducted your due diligence with this vendor, because they will need an administrative account on your network to perform an administrative vulnerability scan. User accounts can be used to scan the systems but will not give you a full representation of all your vulnerabilities. The goal is to mitigate as many vulnerabilities as possible, and a good administrative scan will help you reach this goal.

Remediate Vulnerabilities on the Network

Now that I have all this information, what do I do? REMEDIATE and DOCUMENT. Yes, those two words you always love to hear that strike fear in the hearts of man. Most, if not all, scanning software will rate the criticality of each vulnerability that is found on the network. Always start with the most critical and work your way down the list. Findings will require a knowledge of the systems you are running and an understanding of how to remediate the vulnerability. If you do not have the expertise to take care of these issues, a network vendor will need to be used at this point. Some findings require changes in Active Directory, registry settings or Group Policy. When changing these settings, making the wrong move can cause tremendous damage to your network. If one of these settings needs to be changed, it is always good practice to change the setting for one computer and test the change to ensure it does not cause issues with existing applications.

Sometimes a setting cannot be changed because of the harm the change would cause in the system. If this is the case, document, document, document. The documentation needs to record the issue, when you will resolve the issue, how the issue was resolved, and the verification that the issue was resolved.

Verification of the resolution is a critical part of the process. If a change is made in Active Directory, how do I know that the change has happened? If there is a change in Group Policy, how do I know if it has propagated to all the systems with the vulnerability? There are multiple ways to verify different vulnerabilities have been remediated, but the best way is to rerun a scan against the system.
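The rescan comparison described above, as an added example that is not part of the original article: it diffs a scan taken before remediation against the rescan, so a Group Policy fix that reached one computer but not another shows up as still open. The CSV column names, finding IDs, host names and the exception reference are all constructed; map them to whatever your scanner exports.

```powershell
# Constructed sample data; the column names are assumptions, not a real scanner format.
$before = @'
Computer,FindingId,Severity,Title
PC-01,F-100,Critical,Example finding fixed through Group Policy
PC-02,F-100,Critical,Example finding fixed through Group Policy
PC-01,F-200,Medium,Example setting a legacy application needs
SRV-01,F-300,High,Example missing patch
'@ | ConvertFrom-Csv
$after = @'
Computer,FindingId,Severity,Title
PC-02,F-100,Critical,Example finding fixed through Group Policy
PC-01,F-200,Medium,Example setting a legacy application needs
PC-02,F-400,Low,Example new finding
'@ | ConvertFrom-Csv
# Hosts the rescan actually reached (a clean host has no rows, so list them separately).
$rescanned  = 'PC-01', 'PC-02'
# Findings that cannot be fixed, with a pointer to their write-up.
$exceptions = @{ 'PC-01|F-200' = 'EXC-0001 (constructed reference)' }

$rank = @{ Critical = 0; High = 1; Medium = 2; Low = 3 }
function Get-Key($f) { '{0}|{1}' -f $f.Computer, $f.FindingId }
$inBefore = @{}; $before | ForEach-Object { $inBefore[(Get-Key $_)] = $true }
$inAfter  = @{}; $after  | ForEach-Object { $inAfter[(Get-Key $_)]  = $true }

$new    = @($after | Where-Object { -not $inBefore.ContainsKey((Get-Key $_)) })
$report = foreach ($f in @($before) + $new) {
    $k = Get-Key $f
    if     (-not $inBefore.ContainsKey($k)) { $status = 'New since last scan' }
    elseif ($inAfter.ContainsKey($k)) {
        if ($exceptions.ContainsKey($k)) { $status = "Open, documented: $($exceptions[$k])" }
        else                             { $status = 'Open, NOT remediated' }
    }
    elseif ($rescanned -contains $f.Computer) { $status = 'Remediated, confirmed by rescan' }
    else                                      { $status = 'Unverified, host missed by rescan' }
    [pscustomobject]@{ Severity = $f.Severity; Computer = $f.Computer
                       Finding = $f.FindingId; Status = $status }
}
# Most critical first, as the article recommends.
$report | Sort-Object { $rank[$_.Severity] }, Computer | Format-Table -AutoSize
```

A finding that disappears only because its host was offline or asleep during the rescan is reported as unverified rather than remediated.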

Continue to Scan Your System

So how often do I need to run this scan? The frequency of the scan will be determined by your risk assessment and the size and complexity of your system. Sound familiar? Sounds like a statement that may come from your regulator or through guidance, doesn't it? If my system is not that complex, I would not have to scan frequently, but if it is complex, open to the outside world, and includes multiple users, I would need to scan more frequently.

Keep Up to Date with New Vulnerabilities

New vulnerabilities are being developed all the time, and a system that is scanned and is secure one day may be the target of a new vulnerability the next day. When you are between scans, be sure to keep yourself aware of any new vulnerabilities that may arise, especially those vulnerabilities that target your systems. Keep up to date by receiving emails from publications, vendors and regulators, and attending webinars and seminars that deal with information technology. Sound like a full-time job? It is!

So, to scan or not to scan can never be the question again.


 

One of our network support customers reported that their Kyocera TASKalfa multi-function device was taking 10-15 minutes to copy scanned documents to their network folder. After testing the scan function for about 30 minutes, I was unable to reproduce the problem. I moved on to another task at that location, and about 20 minutes later I heard a user complain that her documents didn't show up in her folder. I began investigating, since I could not reproduce the issue. As I looked at the Kyocera job logs, I heard the faint sound of a phone error message: "You must first dial a 1 and area code". I went into the fax job and found a fax was trying to send and kept failing, and once the job failed completely the scanned items appeared in the network folder. The customer has the Kyocera configured to send faxes directly from their desktop. I determined who the user was that was trying to fax and found they had been trying to send the fax for a couple of days with errors. It appears that as long as the Kyocera TASKalfa is trying to send a fax, it does not allow scans to be transported to the network. They are held in memory until the fax job completes.


 

A user at one of our client's sites was experiencing an issue where a Symantec Antivirus full scan was started when the user logged in every morning. The scan was scheduled to run at 1:00 AM, but it seemed to be ignoring the schedule. The problem was caused by the computer being in sleep mode during the evening when the scan was scheduled to run. The scheduled scan would not bring the computer out of sleep mode to run the scan at the scheduled time. As soon as the user started to log in, the computer would come out of sleep mode and the scan would start. The power saving options are a per-user setting. Without group policies in place, this setting must be completed for each user on each computer.


 

The Xerox WorkCentre Pro line of multi-function printers has network scanning capabilities. This allows users to scan a document into a PDF and save it in a number of network directories. Well, as it turns out, that number is five. You can set one default destination and up to four alternate destinations. So if you have five people in a branch then you're fine; otherwise you're not so fine. Well, in Xerox's infinite wisdom, they did manage to work around this issue by allowing each scanning template to be saved in a specified subfolder within a destination directory. Therefore, in order to allow users to scan a document to their UserDocs folder, you need to do the following:

  1. Open or create the branch directory where the WorkCentre was installed
  2. Create a new folder and name it “Scans”
  3. In Scans Properties, give the domain user “Xerox” read/write/modify rights to the folder
  4. In Scans, create a folder for each user who will use the network scanning feature.  Make the folder name the same as the username
  5. Create a shortcut of each folder and put it into the respective user’s UserDocs folder.  Rename the shortcut “Xerox Scans”
  6. Access the Xerox Web UI for the respective WorkCentre and click the Scan tab
  7. Create a new template with the username as the template name
  8. Under Name and Format, click edit
  9. Select a descriptive name for the document name and set the format as PDF
  10. Under File, edit the default destination
  11. Set the Filing Policy to “Add Date to Name”
  12. Under Document Path, enter the username in the Optional field.  This is the subfolder path the documents will be saved in.
  13. Click Apply
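Steps 1 through 5 can be scripted; the following is an added example, not part of the original post. It goes beyond the steps in one respect: each per-user folder stops inheriting permissions and lists only the administrators, SYSTEM, the "Xerox" account and that one user, so users cannot open each other's scans. The share paths, domain name and usernames are placeholders, and each user's UserDocs folder is assumed to exist already.

```powershell
# Run elevated with rights to the share. All names below are placeholders.
$BranchDir = '\\fileserver\Branches\Branch01'   # hypothetical branch directory (step 1)
$UserDocs  = '\\fileserver\UserDocs'            # hypothetical parent of each user's UserDocs
$Domain    = 'EXAMPLE'                          # hypothetical domain name
$Users     = 'asmith', 'bjones'                 # constructed usernames

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
function New-AllowRule([string]$Identity, [string]$Rights) {
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, $inherit, 'None', 'Allow'
}

# Steps 2-3: create Scans and give the device account modify rights.
$scans = Join-Path $BranchDir 'Scans'
New-Item -ItemType Directory -Path $scans -Force | Out-Null
$acl = Get-Acl -Path $scans
$acl.AddAccessRule((New-AllowRule "$Domain\Xerox" 'Modify'))
Set-Acl -Path $scans -AclObject $acl

$shell = New-Object -ComObject WScript.Shell
foreach ($u in $Users) {
    # Step 4: one folder per user, named after the username.
    $dir = Join-Path $scans $u
    New-Item -ItemType Directory -Path $dir -Force | Out-Null

    # Addition to the steps: stop inheriting and list exactly who may open this folder.
    $acl = Get-Acl -Path $dir
    $acl.SetAccessRuleProtection($true, $false)   # protect the ACL, drop inherited entries
    $acl.AddAccessRule((New-AllowRule 'BUILTIN\Administrators' 'FullControl'))
    $acl.AddAccessRule((New-AllowRule 'NT AUTHORITY\SYSTEM'    'FullControl'))
    $acl.AddAccessRule((New-AllowRule "$Domain\Xerox"          'Modify'))
    $acl.AddAccessRule((New-AllowRule "$Domain\$u"             'Modify'))
    Set-Acl -Path $dir -AclObject $acl

    # Step 5: shortcut named "Xerox Scans" in the user's UserDocs folder.
    $lnk = $shell.CreateShortcut((Join-Path $UserDocs "$u\Xerox Scans.lnk"))
    $lnk.TargetPath = $dir
    $lnk.Save()

    # Print the resulting ACL so it can be kept with the change record.
    (Get-Acl -Path $dir).Access |
        Select-Object @{ n = 'Folder'; e = { $u } }, IdentityReference, FileSystemRights
}
```

Steps 6 through 13 are done in the WorkCentre Web UI and are not covered by the script.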