Vulnerability Scanning FAQ

Westpoint offers its clients a range of managed vulnerability scanning services. Below is a collection of Frequently Asked Questions (FAQ) that provide more detail about the subject in general, and our services.

1. What is vulnerability scanning?
2. Why do we need a vulnerability scan?
3. Why is vulnerability scanning an ongoing service?
4. Why do we need vulnerability scanning when we've got security policies, filtering routers, firewalls and intrusion detection?
5. What do we get for our money?
6. What's in these monthly reports?
7. Who gets the reports?
8. Which tools do you use and do you keep up to date with the latest hacks, bugs and security developments?
9. What experience do you have at Westpoint?
10. How many and what type of clients do you have?
11. Why should we use your service when we can do it ourselves?
12. What's the difference between vulnerability scanning and a penetration test?
13. Will your scans damage our data?
14. If you find anything wrong with our web site can you help us fix it?
15. What information do you need from us?

1.       What is vulnerability scanning?

Vulnerability scanning involves looking for security 'loopholes' on your Internet servers on an ongoing basis.

Its purpose is to regularly test your Internet servers to verify that they are as securely configured as you think they are. Broadly these tests can be split into two parts: -

  • TCP and UDP port scanning your server to determine what services it is providing, intentionally or otherwise. For example, you may have a backdoor on your system offering a file transfer service that you didn't know about, perhaps opened by the presence of a Trojan horse program.
  • Application layer scanning to determine if your application, e.g. web server, mail server, has any loopholes such as security bugs that haven't been patched or other anomalies that could lead to unauthorised access.

The information gathered from these scans is then provided to you in a report.

2.       Why do we need a vulnerability scan?

To assist in preventing your business from suffering adverse business impacts such as reputation loss/brand devaluing, legal liability, revenue loss, customer dissatisfaction, service unreliability etc.

Connecting your server to the Internet leaves it open to misuse, either accidental or deliberate. For example, a hacker may be able to deface your web server, steal information from it or even use it as a springboard from which to attack other organisations. Hacker attacks are becoming more prevalent and the number of exploits they can use is increasing every day. Today security breaches even get mainstream media coverage. Whilst this helps educate people it also adds to the hacker's notoriety and kudos. Having your Internet server vulnerability scanned on a regular basis helps to minimise the likelihood of such misuse by informing you of any loopholes in your server's security, or those devices that protect them, such as firewalls. Our vulnerability scanning is performed from the Internet, providing a 'hacker's-eye view' of your server.

3.       Why is vulnerability scanning an ongoing service?

Because the 'threat landscape' is dynamic.

When you initially deployed your Internet server you would expect it to be 'secure'. Since then new hacker exploits have been appearing every day and software vendors are continually reporting new security bugs. Are you even positive the last set of changes you made to your server's or firewall's configuration were error free? The point here is that assessing something as 'secure' one day does not mean it will remain so. This is why our vulnerability scans are ongoing. Westpoint scans normally occur at monthly intervals. It is possible to have more frequent scans if you wish. We have chosen the one-month period as a practical compromise between operational requirements and continuous scanning (which is provided by our EnterprisePlus scan).

4.       Why do we need vulnerability scanning when we've got security policies, filtering routers, firewalls and intrusion detection?

You need vulnerability scanning to ensure that your security policies, filtering routers, firewalls etc. are all working correctly and are effective.

Vulnerability scanning complements your security policy. Also all the network controls (i.e. filtering routers and firewalls) in the world can't protect against attacks conducted at the application 'layer'. Essentially what our service helps guard against is your company suffering a loss due to exploitable software bugs and human error. These could occur, for example, via the latest security bug in your web server or a misconfiguration of your firewall or server by a systems operator. It's the problems you don't know about that we're looking for - accidents are rarely planned. By regularly checking your server's security status you can ensure that your security 'posture' is as intended and reduce the window of opportunity available to malicious attackers.

An interesting by-product of vulnerability scanning is that it should trigger your intrusion detection tools ensuring they too are effective.

5.       What do we get for our money?

It depends what you pay for. All scan packages operate over a calendar year and consist of twelve monthly scans, each one generating a report, which is sent to you securely. Scans are charged per IP address. This way we can offer you the lowest entry price and ensure you don't have to pay for more service than you really need. We offer four vulnerability scanning packages:

  • Enterprise scan. This scan is suitable for all servers. A full vulnerability scan of your Internet server that checks all 64K TCP ports; well known UDP services, Worms and Trojans; O/S layer checks and a thousand application layer checks, e.g. web, dns, and ftp.
  • EnterprisePlus scan. This scan is suitable for your most critical and high profile servers. Checks are performed as above except additional tests are executed as soon as new vulnerabilities are discovered. You are sent an SMS/pager message if the vulnerability is found on your server(s). Inter-month activity is summarised in your standard monthly report.
  • Subnet scan. This scan is designed to ensure that no unauthorised devices appear on your Internet facing subnets. It will detect, for example, if your engineers have accidentally misconnected devices or VLANs have malfunctioned. This scan checks IP address ranges for the presence of devices such as servers, routers, PCs etc. It scans a range of well known TCP and UDP ports including those of Worms and Trojans.
  • Desktop scan. This scan is suitable for home workers or those with 'always on' Internet connections such as provided by ADSL or cable modems. Each quarter a TCP and UDP port scan of popular services occurs including those on which Worms and Trojans run.

All are very cost effective, the Enterprise scan costing a fraction of the price of a penetration test.

6.       What's in these monthly reports?

The monthly reports only contain information about what we've discovered.

Our monthly reports are not cluttered up with extraneous information like exhaustive descriptions of all the tests we perform or our testing ethos. Typically they are a couple of pages long. If you're tasked with reading through these reports each month we want to ensure the information is presented to you in a concise and efficient manner.

The TCP and UDP port scan section of the report lists the services we found to respond to our queries and any textual response the server may have additionally returned. The application layer scan section of the report details the vulnerability discovered, its relative severity, offers some corrective advice and, if available, indicates relevant references. Management and historical statistics are also provided. The whole report is delivered in an HTML or XML archive. Sample monthly Enterprise and Subnet scan reports can be viewed at http://www.westpoint.ltd.uk/example-reports/samplereport_westpoint/index.htm.

7.       Who gets the reports?

Whoever you say.

You inform us which individuals in your organisation need to see the reports and we'll email the report to them securely. Individuals can receive reports for many servers and, likewise, the report for a particular server can be sent to many individuals.

8.       Which tools do you use and do you keep up to date with the latest hacks, bugs and security developments?

We use a combination of tools including commercial, open source and in-house developed ones.

In this way we are able to stay abreast of the latest security vulnerabilities. At the same time by developing our own software we are able to plug the weaknesses and gaps left by the other packages. Using this method we are also able to react to fast moving situations by writing tests that will cater for a new vulnerability before the commercial packages have caught up.

9.       What experience do you have at Westpoint?

Westpoint is a relatively young company formed from the combination of a software development house and a security consultancy. The founders of these two companies formed Westpoint Ltd to fill a need in the Internet security market. By utilising the skills and experience of its parent companies Westpoint is able to provide a service based on twelve years of enterprise Internet security experience and seventeen years of software consultancy and development.

10.     How many and what type of clients do you have?

Westpoint has a growing client list ranging from small single server operations to large multi-nationals with hundreds of servers spread all over the globe. We have clients in sectors such as finance, media, utilities, telecommunications and local government.

11.     Why should we use your service when we can do it ourselves?

For two reasons: -

  • It's not your core business but it is ours.
  • It's more cost effective for you.

To perform this service in house would mean committing specialist resources to it. Vulnerability scanning requires people with in-depth security knowledge. Staff you use to perform vulnerability scanning will be tied up in this non-core business activity when they could be doing something more productive for your organisation.

By outsourcing the service to us you also avoid the capital and recurring costs of maintaining this capability, such as staff, hardware, software tools, bandwidth, management overhead etc. Also you don't have to worry about placing (and motivating) employees in a role that is essentially mundane and repetitive. By employing a specialist company you get the quality of service you need in a cost effective manner. Westpoint will never be "too busy" or "forget" to perform the vulnerability scan because it is our core business. Westpoint's service is always kept up to date with the latest security developments and is performed with minimal disruption to your organisation.

Westpoint's vulnerability assessment services are unique in that the information presented to customers is carefully managed. For example, we remove false positives from our reports and have a separate area of the report where 'stoplisted' vulnerabilities can be placed. Stoplisted vulnerabilities are vulnerabilities that are present on your system but are considered by you to be unimportant. These vulnerabilities do not contribute to the overall statistics and have an audit trail attached to them. Westpoint recognise that your staff resources are valuable and, in some cases, expensive. The above features of our reports ensure your staff's time is more efficiently utilised which in turn brings savings to your operating costs.
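The stoplist mechanism just described, a finding that stays on record with an audit trail but is kept out of the headline statistics, is easy to get wrong if the decision is never revisited. The Python below is an added example of how a defender might implement it, not Westpoint's report code: findings are keyed by host, port and title so one decision covers one finding on one service; each stoplist entry records who accepted it, when and why; severity counts are computed over active findings only; and two checks a practitioner would want are included, namely entries whose review date has passed (surfaced again as `stale`) and entries that matched no finding this month (`unmatched`, usually meaning the issue was fixed and the entry can be retired). The review date, the findings and the stoplist are all constructed for the example; the addresses are from the documentation range 192.0.2.0/24.

```python
from datetime import date

# Constructed sample data: one month's raw findings for two hosts.
FINDINGS = [
    {"host": "192.0.2.10", "port": 443, "severity": "medium",
     "title": "TLS certificate expires within 30 days"},
    {"host": "192.0.2.10", "port": 80, "severity": "low",
     "title": "Web server version disclosed in banner"},
    {"host": "192.0.2.11", "port": 21, "severity": "high",
     "title": "Anonymous FTP login permitted"},
]

# Constructed stoplist. Keyed by (host, port, title); each entry is the audit
# trail for the decision. 'review_by' is an assumption of this example: a
# date after which the acceptance must be re-confirmed or the finding counts again.
STOPLIST = {
    ("192.0.2.10", 80, "Web server version disclosed in banner"): {
        "by": "j.smith", "on": "2024-01-14", "review_by": "2024-07-14",
        "reason": "Banner is deliberately generic; no patch level is revealed."},
    ("192.0.2.11", 8080, "Directory listing enabled"): {
        "by": "a.jones", "on": "2023-11-02", "review_by": "2024-05-02",
        "reason": "Static public mirror; listing is intended."},
}


def triage(findings, stoplist, today_iso):
    """Split findings into active, stoplisted and stale-stoplisted, and list
    stoplist entries that matched nothing this month."""
    today = date.fromisoformat(today_iso)
    result = {"active": [], "stoplisted": [], "stale": [], "unmatched": []}
    matched = set()
    for finding in findings:
        key = (finding["host"], finding["port"], finding["title"])
        entry = stoplist.get(key)
        if entry is None:
            result["active"].append(finding)
            continue
        matched.add(key)
        record = {**finding, "stoplist": entry}   # finding keeps its audit trail
        if date.fromisoformat(entry["review_by"]) < today:
            result["stale"].append(record)        # acceptance expired: re-review
        else:
            result["stoplisted"].append(record)   # hidden from statistics, kept on record
    result["unmatched"] = [key for key in stoplist if key not in matched]
    return result


def severity_counts(findings):
    """Headline statistics: a count per severity over the findings given."""
    counts = {}
    for finding in findings:
        counts[finding["severity"]] = counts.get(finding["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    result = triage(FINDINGS, STOPLIST, "2024-03-01")
    print("active statistics:", severity_counts(result["active"]))
    print("stoplisted:", [r["title"] for r in result["stoplisted"]])
    print("stale:", [r["title"] for r in result["stale"]])
    print("unmatched stoplist entries:", result["unmatched"])
```

Keying on the exact service rather than on the finding title alone matters: accepting "version disclosed in banner" on one web server should not silently hide the same finding when it appears on a newly deployed host next month.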

12.     What's the difference between vulnerability scanning and a penetration test?

The scope of the tests conducted, the level of manual effort involved and, definitely, cost. Another big discriminator is how current the information is in these reports.

The Westpoint vulnerability scan is predominantly an automated service (manual effort is required to remove false positives) run on a regular basis, usually once per month, that is continually updated with the latest vulnerability information. A penetration test is a labour intensive manual attempt by one or more individuals to see how far they can access your systems by whatever means necessary. A genuine penetration test would go beyond the technical aspects of security and would also examine social engineering and even physical exploits. Predictably the penetration test will provide more information than a vulnerability scan, is much more expensive and is usually performed far less often. The drawback to penetration tests is that they are 'snapshots' of your server's security status that can be outdated the day after their completion. This is because new vulnerabilities are occurring daily and support staff can make configuration errors daily.

Most organisations take both services to get the best of both worlds, often from different suppliers.

13.     Will your scans damage our data?

No, our scans are non-destructive. They do not modify or delete any data on your servers.

By default all destructive tests are turned off within our scans. Additionally our tests do not copy or retain any information that is held on your server, sensitive or otherwise.

14.     If you find anything wrong with our web site can you help us fix it?

Yes. During office hours the phones are manned and you can talk to support staff if you need assistance with the report and its findings. We also work with you during the early stages of your contract to perfect the removal of false positives and the classification of 'stoplisted' vulnerabilities.

In order to maintain our objectivity Westpoint does not offer consultancy services as a core business activity. However, if you require extensive application of security controls or re-engineering of your security posture we can still help by putting you in touch with one of our excellent resellers or business partners.

15.     What information do you need from us?

Not much. We need a little information from you and you need to carry out a couple of simple tasks.

All we need is the IP addresses and domain names of your Internet servers, the TCP port(s) on which your web server(s) run(s), a convenient time at which you want your monthly scans to occur and a list of the people who you want to receive the monthly reports. What you must ensure is that your operations staff and/or server hosting company are aware that we will be scanning your server(s) on your behalf.
