Page 1169 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

vulnerabilities, such as if the system is up-to-date with current patches. It can also discover potentially malicious systems on a network that are using IP probes and ping sweeps.

It’s important to realize that vulnerability scanners do more than just check unpatched systems. For example, if a system is running a database server application, scanners can check the database for default passwords with default accounts. Similarly, if a system is hosting a website, scanners can check the website to determine if it is using input validation techniques to prevent different types of injection attacks such as SQL injection or cross-site scripting.

In some large organizations, a dedicated security team will perform regular vulnerability scans using available tools. In smaller organizations, an IT or security administrator may perform the scans as part of their other responsibilities. Remember, though, if the person responsible for deploying patches is also responsible for running scans to check for patches, it represents a potential conflict. If something prevents an administrator from deploying patches, the administrator can also skip the scan that would otherwise detect the unpatched systems.

Scanners include the ability to generate reports identifying any vulnerabilities they discover. The reports may recommend applying patches or making specific configuration or security setting changes to improve or impose security. Obviously, simply recommending applying patches doesn’t reduce the vulnerabilities. Administrators need to take steps to apply the patches.

However, there may be situations where it isn’t feasible or desirable to do so. For example, if a patch fixing a minor security issue breaks an application on a system, management may decide not to implement the fix until developers create a workaround. The vulnerability scanner will regularly report the vulnerability, even though the organization has addressed the risk.
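The situation just described, where a scanner keeps reporting a finding that management has formally accepted, is usually handled by reconciling scan output against a risk-acceptance register rather than by silencing the scanner. The following Python is an added example, not code from the study guide or from any scanner product: the finding records, check identifiers (`CHK-…`), hostnames and approver addresses are all constructed for illustration. It labels each finding as open, accepted, or accepted-but-expired, so that accepted risks still appear in the report (the scanner is right that the weakness exists) while lapsed acceptances are pushed back for review instead of quietly persisting.

```python
"""Reconcile vulnerability-scanner findings with a risk-acceptance register.

Added example with constructed data; the check identifiers, hosts and
approvers below are placeholders, not output of any real scanner.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    host: str
    check_id: str      # scanner's identifier for the check (constructed value)
    title: str
    severity: str


@dataclass(frozen=True)
class RiskAcceptance:
    host: str
    check_id: str
    reason: str
    approved_by: str
    expires: date      # acceptances are time-boxed so they get re-reviewed


# Constructed sample scan results
FINDINGS = [
    Finding("app01.example.test", "CHK-1001",
            "Missing vendor patch for application server", "Medium"),
    Finding("app01.example.test", "CHK-2002",
            "Database default account still uses default password", "High"),
    Finding("web01.example.test", "CHK-3003",
            "Web form lacks input validation (SQL injection)", "High"),
]

# Constructed sample risk-acceptance register
ACCEPTANCES = [
    RiskAcceptance("app01.example.test", "CHK-1001",
                   "Patch breaks the billing module; developers working on a workaround",
                   "ciso@example.test", date(2024, 12, 31)),
    RiskAcceptance("web01.example.test", "CHK-3003",
                   "Temporary exception granted during site rewrite",
                   "ciso@example.test", date(2023, 1, 1)),
]

# Date the scan was run (constructed)
SCAN_DATE = date(2024, 6, 1)

Row = Tuple[str, Finding, Optional[RiskAcceptance]]


def triage(findings: List[Finding], acceptances: List[RiskAcceptance],
           today: date) -> List[Row]:
    """Return (status, finding, acceptance) rows.

    status is 'accepted' (valid acceptance on file: report, do not page),
    'expired' (acceptance lapsed: treat as open and flag for re-review),
    or 'open' (no acceptance: needs remediation).
    """
    register = {(a.host, a.check_id): a for a in acceptances}
    rows: List[Row] = []
    for f in findings:
        acc = register.get((f.host, f.check_id))
        if acc is None:
            rows.append(("open", f, None))
        elif acc.expires < today:
            rows.append(("expired", f, acc))
        else:
            rows.append(("accepted", f, acc))
    return rows


def summarize(rows: List[Row]) -> dict:
    """Count findings per status for the report header."""
    counts = {"open": 0, "accepted": 0, "expired": 0}
    for status, _, _ in rows:
        counts[status] += 1
    return counts


def render(rows: List[Row]) -> str:
    """Plain-text report; accepted risks stay visible with their justification."""
    lines = []
    for status, f, acc in rows:
        note = ""
        if status == "accepted":
            note = f" [accepted until {acc.expires.isoformat()} by {acc.approved_by}: {acc.reason}]"
        elif status == "expired":
            note = f" [ACCEPTANCE EXPIRED {acc.expires.isoformat()}: re-review required]"
        lines.append(f"{f.severity:<6} {f.host:<20} {f.check_id} {f.title}{note}")
    return "\n".join(lines)


if __name__ == "__main__":
    rows = triage(FINDINGS, ACCEPTANCES, SCAN_DATE)
    print(render(rows))
    print(summarize(rows))
```

Keying the register on host and check identifier (rather than on the finding title) keeps the acceptance attached to the exact weakness management reviewed; the expiry date is what prevents a "temporary" exception from outliving the workaround it was waiting for.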



Management can choose to accept a risk rather than mitigate it. Any risk that remains after applying a control is