Internal vs. External Vulnerability Scans

By Fortra's Digital Defense

As a merchant, you are likely familiar with the strict Payment Card Industry Data Security Standard (PCI DSS) requirements set by the PCI Security Standards Council (SSC). Failure to adhere to PCI compliance standards creates vulnerabilities within your business’s network that could result in a loss of sensitive credit cardholder data from consumers and malicious intrusion into your business network. The best way to protect your clients and business while remaining within PCI compliance is through vulnerability scanning.

These scans check for open ports, a lack of patching, and other ways intruders with malicious intent can access sensitive information collected by businesses. There are two types of vulnerability scans: internal scanning and external scanning. Though they each offer a look into your network security vulnerabilities, you need to perform both to ensure your business’s ability to keep unauthorized people out of your system while meeting PCI DSS standards.


What is an Internal Vulnerability Scan?

An internal vulnerability scan is a process of searching for vulnerabilities from within the business network. A common misconception is that data breaches occur outside an organization, but trouble can occur inside the system as well. Internal network vulnerability scans thoroughly check the company’s IT infrastructure for vulnerabilities or holes in the firewall that leave it susceptible to an attack or breach from the inside.

All businesses that use credit card payment processes must be in compliance with PCI DSS guidelines, which require internal scanning for vulnerabilities in their systems. This action protects the business, payment provider, and clients against breaches. Still, every business should conduct internal vulnerability scans because they ensure your network is secure at all times.


How Internal Scans Benefit Vulnerability Management

These types of vulnerability scanners can tell a user whether:

  • The system has a vulnerability from an intruder who has already gotten past the initial network security.
  • The system has a virus or malware that someone downloaded from the internet or introduced through a USB port. Once inside, the malicious software can identify and access other services on the network that were not visible from the internet.
  • The business has been threatened by a disgruntled employee or contractor who was given access to the network for work.

Internal vulnerability scanners assess information from within a network. Many system threats and network exploitations come from individuals within a company. Completing an internal vulnerability scan can provide companies the ability to mitigate vulnerabilities against:

Network breaches

A network breach can come from an outside intruder. These sources, including malware and viruses, have already gotten past any initial network security that would typically keep them out.

Accidental attacks

Accidental attacks from employees can also occur through common breaches such as:

  • Falling for phishing attempts and sharing passwords
  • Unlocking devices and keeping them open for others to access
  • Using unsecured WiFi connections
  • Throwing files away without shredding valuable information
  • Employees who are unfamiliar with certain technology

Intentional attacks

Intentional attacks can come from sources within the company such as:

  • Angered employees or partners
  • Recently terminated workers
  • Users with excessive privileges


How Often Should Internal Scans Be Performed?

Businesses should use a vulnerability scanner on their system at least once quarterly to comply with PCI regulations. This frequency will give them a decent understanding of their system’s current state, though it’s not a practical timeline for a consistent defense against cyber attackers who continually develop new ways to breach networks. It’s better to use vulnerability scanners at least once a month to protect assets and patch up holes in the software and server.


Credentialed vs. Non-Credentialed Scans

The best way to cover all bases for data protection is to use both credentialed and non-credentialed vulnerability scanners. Credentialed scanning allows users to log into the system and see its vulnerabilities from a trusted source’s perspective. This process identifies vulnerabilities from workstations, network hosts, and servers while giving users a better understanding of the system’s patch management and configurations.

A non-credentialed scan offers the perspective of someone who infiltrated the system. Users can remotely check for security risks like unsecured web servers and misconfigured firewalls. By employing both types of scans, you can be sure sensitive information is safe on your networks.


What is an External Vulnerability Scan?

An external vulnerability scan is an effective way to find and fix possible vulnerabilities. Security teams will use external vulnerability scanning tools to scan the network perimeter to ensure a secure cardholder data environment (CDE). The scanning is completed from outside the network and targets the IT infrastructure exposed to the internet: web servers, online pages, web applications, systems, and more.

During the process, a third-party vulnerability scanner will target a network’s IP addresses to uncover vulnerabilities, including open internet ports from the network perimeter. This type of scan alerts businesses to the strength of their external protective measures. Many companies understand the importance of conducting an external vulnerability assessment because they assume a malicious intruder will infiltrate their systems from the outside.


How External Scans Benefit Vulnerability Management

Both types of scans allow businesses to take a proactive stance on their network security. The external scan will alert them to potential weaknesses that could lead to hacking or a data breach. This scan will also identify any new service or server set up since the previous scan and determine whether it poses a threat.

Other benefits of using an external vulnerability scanning tool are:

  • It identifies any service using unsecured transfer protocols.
  • It identifies servers with outdated services.
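
The three checks just described (new exposures since the last scan, services on cleartext protocols, and outdated service versions) can be run as a differential review over two scan snapshots. The script below is an added example, not code from Digital Defense or from any scanner; the snapshot format (an `ip:port` key mapping to service name, protocol and observed version), the `CLEARTEXT_PROTOCOLS` set, the `MIN_VERSIONS` baseline and the sample hosts in the `203.0.113.0/24` documentation range are all constructed assumptions for illustration.

```python
"""Differential review of two external scan snapshots (added example).

Assumed input format: each snapshot maps "ip:port" to a record holding the
service name, the protocol it speaks, and the version string the scanner
observed. The snapshots at the bottom are constructed sample data.
"""
from dataclasses import dataclass

# Protocols that carry credentials or data in cleartext. A perimeter service
# still speaking one of these is a finding on its own.
CLEARTEXT_PROTOCOLS = {"telnet", "ftp", "http", "pop3", "imap", "smtp"}

# Hypothetical minimum acceptable versions for this example's environment.
# A real programme would derive these from vendor advisories or a patch baseline.
MIN_VERSIONS = {"openssh": (9, 0), "nginx": (1, 24), "vsftpd": (3, 0)}


@dataclass(frozen=True)
class Finding:
    target: str     # "ip:port" the finding applies to
    severity: str   # info / medium / high (example scale)
    detail: str


def parse_version(text: str) -> tuple:
    """Turn '1.24.0' or '9.3p1' into a comparable tuple of leading integers."""
    parts = []
    for chunk in text.split("."):
        digits = ""
        for ch in chunk:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def review(previous: dict, current: dict) -> list:
    """Compare two snapshots and return the findings a reviewer would want."""
    findings = []

    # 1. Exposures that did not exist in the previous snapshot.
    for target in sorted(set(current) - set(previous)):
        svc = current[target]
        findings.append(Finding(
            target, "info", f"new exposure: {svc['service']} ({svc['proto']})"))

    # 2. Cleartext protocols reachable from the internet.
    for target, svc in sorted(current.items()):
        if svc["proto"] in CLEARTEXT_PROTOCOLS:
            findings.append(Finding(
                target, "medium", f"cleartext protocol {svc['proto']}"))

    # 3. Service versions below the hypothetical baseline.
    for target, svc in sorted(current.items()):
        floor = MIN_VERSIONS.get(svc["service"])
        if floor and parse_version(svc["version"]) < floor:
            wanted = ".".join(str(n) for n in floor)
            findings.append(Finding(
                target, "high",
                f"{svc['service']} {svc['version']} below baseline {wanted}"))
    return findings


# Constructed sample snapshots (documentation address range, not real hosts).
PREVIOUS = {
    "203.0.113.10:22": {"service": "openssh", "proto": "ssh", "version": "9.3p1"},
    "203.0.113.10:443": {"service": "nginx", "proto": "https", "version": "1.24.0"},
}
CURRENT = {
    "203.0.113.10:22": {"service": "openssh", "proto": "ssh", "version": "9.3p1"},
    "203.0.113.10:443": {"service": "nginx", "proto": "https", "version": "1.24.0"},
    "203.0.113.10:21": {"service": "vsftpd", "proto": "ftp", "version": "2.2.2"},
    "203.0.113.11:80": {"service": "nginx", "proto": "http", "version": "1.18.0"},
}

if __name__ == "__main__":
    for f in review(PREVIOUS, CURRENT):
        print(f"[{f.severity:6}] {f.target:18} {f.detail}")
```

Run against the constructed snapshots, the review reports two new exposures (the FTP service and the second web host), two cleartext-protocol findings (FTP and plain HTTP) and two out-of-baseline versions; the unchanged SSH and HTTPS services produce nothing. Keeping the previous snapshot on disk is what makes the "new since last scan" check possible, so a real programme would persist each quarterly or monthly result rather than only its report.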


How Often Should External Scans Be Performed?

The standard frequency for external scanning is once every quarter. Still, it is ideal to employ vulnerability scanners whenever there is a significant change to the system or IT network. If a business requires a high security level or needs to address threats directed to the organization, security experts may need to scan monthly.


Why Both Scans are Critical to Your Business

Technology is ever-evolving, and with the latest advancements, hackers and malware developers continue to find new ways to infiltrate a network. The more channels they discover in a system past its security and firewalls, the less effective the previous security measures will be—that is, unless the security team takes proactive measures. Businesses must protect sensitive information, and they can increase data security with both internal and external vulnerability scans.

Any organization’s system could be at risk if it has holes in its firewalls that leave it susceptible to hacking or data theft, but it can also be vulnerable because of a disgruntled employee or a virus that someone unintentionally downloads onto one of the company computers. The system will be susceptible either way. The best way to protect networks is by including an internal and external scan into the business’s vulnerability management plan.

Cyber threats are always on the rise, so there’s no need to debate internal vs. external scanning. Both are necessary to protect a business’s sensitive information and services.

About Digital Defense

Our SaaS platform supports Fortra Vulnerability Management, Web Application Scanning, and Active Threat Sweep that together provide:

  • Asset discovery and tracking
  • OS and web application risk assessment
  • Targeted malware threat assessment
  • Machine learning features that leverage threat intelligence
  • Agentless & agent-based scanning
  • Penetration testing for networks, mobile applications, and web applications
  • Compliance management (one of the world’s longest-tenured PCI Approved Scanning Vendors)

Our SaaS platform virtually eliminates false-positives associated with legacy vulnerability management solutions, while also automating the tracking of dynamic and transient assets and prioritizing results based on business criticality.

About the Author

Mieng Lim, Vice President, Product Management, has served as a security expert for Digital Defense, Inc. since 2001. Mieng takes a consultative approach to security, having held prior roles in Operations, Quality Assurance and Sales Engineering. Mieng seamlessly blends technical expertise with real-world scenarios to provide an entertaining and educational cyber security perspective. Mieng serves as a mentor and STEM advocate encouraging young women to pursue careers in security and technology and volunteers with BSides San Antonio as a staff member. Mieng holds a Bachelor’s Degree in Computer Science with a Minor in Sociology from Trinity University.

Get PCI Assistance with a PCI Toolkit

Stay in compliance with this PCI toolkit. These tools can help with current PCI standards as well as any future updates.
