I.S. Partners Logo
Compliance Services

When, Why, and How Often Should Vulnerability Scanning be Performed? 

Author Picture

Updated on July 26, 2022 by Mike Mariano

When you use a computer program to assess known weaknesses of all the computers, multi-function printers, switches, routers, and all of the software applications running on those devices within your network, you are conducting a vulnerability scan. Most IT professionals recommend that a business run a quarterly vulnerability scan on their entire network, however, if your business contains any information that may be considered valuable assets, then at a minimum, you may want to be running vulnerability scans once a month. That being said, once a full risk assessment has been conducted on your entire information infrastructure, you may realize that your most critical assets should be scanned for vulnerabilities much more frequently than once a month. 

Vulnerability scanning software essentially finds any vulnerabilities in your network and software applications, and when a vulnerability is found, the software will patch and remediate it to better protect the network from cyber threats like data breaches and hacks. In an ideal world, these types of vulnerabilities would not exist in software applications running on the computers, printers, switches, and routers of high-functioning IT networks, however, software vulnerabilities are inevitable. Software vulnerabilities are caused simply by software developers rushing products to market and human error. If these vulnerabilities are not addressed immediately, then hackers can access them to gain entry to your entire network.  

Aside from the patching of identified vulnerabilities, a Network Administrator must also identify misconfigurations in the network. Misconfigured settings in a network working in tandem with missing patches can make a network even more vulnerable to cyber-attacks. It is not enough to simply download and install patches. If the settings are misconfigured, then the vulnerability could persist even if all the proper patches are downloaded and installed as soon as they are available.  

Here are a few examples of misconfigured or sub-optimal settings in a network. 

  • Administrator credentials are still set to defaults. 
  • Specific ports left open that should be closed. 
  • Incorrect permissions for users to have access to parts of the network they should not. 

Although settings need to be manually changed by a Network Administrator, a proper vulnerability scanning software will not only download and install patches, but it will also identify misconfigured and sub-optimal settings within the network that the Administrator should be concerned with and that should be changed.  

How Often Should Vulnerability Scans be Run? 

Most IT professionals agree that vulnerability scans should be conducted quarterly, and some say that to be even better-protected vulnerability scans should be run monthly. 

Why Should Vulnerability Scans be Conducted? 

In addition to quarterly scans, there are some instances where you may want to consider running a vulnerability scan that is not based on time. For example, there are five other instances where a company may want to consider running a vulnerability scan. Those instances are based on changes to the system, regular hygiene, compliance, resources, and addressing emerging threats.  

Scans After Changes Have Been Made to the System  

If your company is constantly making changes to its IT infrastructure, then you may need to run vulnerability scans more frequently, especially after big changes. Any change in the IT infrastructure of a company can introduce a component with vulnerabilities or a configuration mistake that could leave the entire network open to cyber-attacks. This is why it would be sensible to run a vulnerability scan after even minor changes have been made to your system. 

Change-based vulnerability scans are also not just for changes made to the physical IT infrastructure when new components are added, they can be necessary when deploying code or changing web applications and cloud infrastructure as well.  

For minor changes, it may be perfectly acceptable to use automated vulnerability scanning tools, however, for large and complex system changes, like switching cloud service providers, you may want to consider conducting a full-on penetration test.  

Regular Hygiene Scans 

Vulnerability scans based on hygiene may still be considered chronological. These are the regular scans that your company conducts to stay up to date on any new patches available for new vulnerabilities that are discovered. Just like taking care of your personal hygiene, you need to take care of the hygiene of your network.  

For hygiene-based scans, it is recommended that your external-facing infrastructure is scanned once a month, and if your company possesses information that could be considered prime targets for cybercriminals, then weekly vulnerability scans could be necessary.  

Also consider that if you have extremely sensitive information contained in the network that could be considered a high-value asset, you may even want to isolate that portion of the network to run daily individual scans on the high-value assets within the network.  

Compliance Scans 

Depending on the nature of your business, there may be some regulatory requirements that you must fulfil when it comes to your network systems. For example, if you run an e-commerce website, then your company may be required to comply with the Payment Card Industry Data Security Standard.  

The PCI DSS dictates that any company that handles cardholder data used to make payments for goods and services must comply with all PCI DSS requirements including full system vulnerability scans every 90-days. 

As we discussed earlier, vulnerability scans every 90-days may be sufficient for some businesses, however, for others, 90-day scans may not be enough. Using 90-day windows as the baseline, it is up to you to determine whether or not you need monthly or even weekly vulnerability scans due to the sensitivity of your information.  

Do not simply fall for the one size fits all approach that compliance-based scanning practices recommend.  

Resource Scans 

Resource scans are not so much based on when to perform a vulnerability scan, it is more about what to do with the information once the scan is complete. Vulnerability scans should be conducted regularly, but it takes immense time and resources to filter through all the information, identify threats and solutions, and implement those solutions.  

This is why you may have to prioritize vulnerabilities based on threat levels to make sure you are allocating your resources of time and personnel accordingly to address the most critical and time-sensitive vulnerabilities first. 

Scans to Address Emerging Threats 

If you are running monthly vulnerability scans for your system, that is great, but what happens if a new threat emerges a day after you have completed your monthly scan? The vulnerability could potentially leave you exposed for the 29 days leading up to your next scan. 

This is why some vulnerability scanning tools will store all the information retrieved from your most recent scan, and if new vulnerabilities emerge that may impact your system, the software will notify you that a new scan should be conducted to address an emerging threat.

Related article: What is the Difference Between Pen Testing and Vulnerability Scans? 

Get a Quote

About The Author

Author Picture

Mike Mariano

Michael is the Chief Information Security Officer at IS Partners as well as the leader of the penetration testing practice for AWA International. Michael has 15+ years’ experience in internal IT operations with 7 years of being involved in various levels of IT auditing with experience with PCI DSS, SOC 2, HITRUST CSF, Risk Assessments and experience working with Security Frameworks (such as ISO and NIST). Michael has worked with/at companies from 10 to 50,000 employees in size. Prior to joining IS Partners, Michael worked as the IT Operations Manager at AVASEK an MSP IS Security firm where he managed a team of six technicians to service 1500 client endpoints as well as the firm's Cloud Hosting Solution. while at AVASEK, Michael also performed gap assessments against HIPPA and NIST Security Frameworks and was a member of the incident response team. Michael’s specialties are IT Security and IT Management. He is experienced in performing security Risk Assessments, enforcing security policies, handling confidential information, deploying and administering network and application security systems, administrating SaaS products, Active Directory (AD), firewalls, routers, and VPN. Michael is HITRUST CCSFP and AWS CP Certified and has maintained various CompTIA Certifications over his career. He is currently working to achieve his GIAC GWAP and OSCP Certification in 2020.

CMMC 1.0 vs 2.0: The Progression of Cybersecurity Measures
CMMC 1.0 vs 2.0: The Progression of Cybersecurity Measures
April 19, 2024
Who Needs CMMC Certification? Which CMMC Level Do You Need?
Who Needs CMMC Certification? Which CMMC Level Do You Need?
April 19, 2024
How to Protect Your Company from Social Engineering Attacks
How to Protect Your Company from Social Engineering Attacks
May 5, 2023
CISSP - Certified Information Systems Security Professional
CEH - Certified Ethical Hacker
CISM - Certified Information Security Manager

Request a Quote

Contact AWA International to discuss the cybersecurity solutions that would best fit your organization's compliance goals.

Scroll to Top