If you’re an RIA or hedge fund tackling SEC/State-board cybersecurity compliance, you’re likely to hear the word “scan” from your IT department or cybersecurity consultant.
In our conversations with firms, we often find an expectation that a single scan will satisfy their SEC cybersecurity requirements. For most firms, however, the requirement is actually to conduct several separate scans: some run from inside the network (i.e., an “internal scan”) and some run from outside the network (i.e., an “external scan”).
In this post I’ll cover the differences between these two types of scans, including how they’re performed, the types of vulnerabilities they seek out and why they’re necessary.
For the purpose of this article I’ll be referencing SEC cybersecurity guidelines, though you will find that FINRA and the state boards generally require the same assessments.
The idea is that you want to spot security vulnerabilities within your business network and applications by:
Running internal and external network vulnerability scans at least annually and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades, hiring/firing employees, etc.).
Internal and external vulnerability scans are conducted in a similar manner. Both scans are administered via a computer program called a scanner. However, that doesn’t mean there is one program that can simultaneously conduct both scans. An external vulnerability scan looks for holes in your network firewall(s), intrusion detection systems, modems, and routers, where malicious outsiders can break in and attack your network.
By contrast, an internal vulnerability scan operates inside your business’s firewall(s) to identify real and potential vulnerabilities inside your business network, for instance unpatched operating systems and misconfigured remote desktop applications.
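As an added illustration (not code from the original post), the routine below compares the findings of an external scan with those of an internal scan and separates what an outsider can reach from what only an insider, or malware already past the firewall, would find. All hosts, ports and findings are constructed sample data, not results from any real scanner.

```python
"""Compare external and internal vulnerability-scan results.

All hosts, ports and findings below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str     # IP or hostname as reported by the scanner
    port: int     # TCP port the service listens on
    service: str  # e.g. "rdp", "smb", "https"
    issue: str    # scanner's short description of the problem


# Constructed external-scan output: what an outsider on the Internet can reach.
EXTERNAL = [
    Finding("fw.example.test", 443, "https", "TLS 1.0 enabled"),
    Finding("fw.example.test", 3389, "rdp", "RDP exposed to Internet"),
]

# Constructed internal-scan output: what a scanner on the LAN can reach.
INTERNAL = [
    Finding("fw.example.test", 443, "https", "TLS 1.0 enabled"),
    Finding("fw.example.test", 3389, "rdp", "RDP exposed to Internet"),
    Finding("10.0.0.15", 445, "smb", "SMBv1 enabled"),
    Finding("10.0.0.15", 3389, "rdp", "Network Level Authentication disabled"),
    Finding("10.0.0.22", 22, "ssh", "Operating system end-of-life, unpatched"),
]


def classify(external, internal):
    """Split findings by where they are reachable from.

    'perimeter'     : seen by both scans - holes in the firewall an outsider
                      can attack directly; fix these first.
    'internal_only' : seen only from inside the LAN - what malware or an
                      insider already behind the firewall would discover.
    'external_only' : seen only from outside, e.g. a service bound to the
                      firewall's outside interface that the LAN scanner
                      cannot reach; confirm scanner coverage.
    """
    ext, lan = set(external), set(internal)
    by_addr = lambda f: (f.host, f.port)  # stable, readable ordering
    return {
        "perimeter": sorted(ext & lan, key=by_addr),
        "internal_only": sorted(lan - ext, key=by_addr),
        "external_only": sorted(ext - lan, key=by_addr),
    }
```

Run the two scans against the same asset list and feed both outputs in; findings that land in `internal_only` are exactly the ones a single external scan would never report.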
Why Both Scans are Critical to Your Investment Firm
Imagine your firm as a house in which a couple and their child reside. The doors and windows are locked to keep intruders from getting inside, but one day the child lets a stranger in the back door while the parents are out working in the front yard. The stranger quietly rummages through the house looking for valuables, gathers them up and throws them out an upstairs window.
Hackers and malware aren’t just present outside your firewall; they can be on the inside as well. The idea that threats may originate from the Internet makes sense to most people, but threats that originate within the internal network are less commonly understood. These can include disgruntled employees who target systems from the inside, or malware (such as viruses or Trojans) that is downloaded onto a networked computer via the Internet or a USB stick. Once the malware is on the internal network, it sets out to identify other systems and services on the internal network—especially services it would not have been able to “see” from the Internet.
So according to the house example above, an external scan would check to be sure all doors and windows of the house are locked and impassable, while an internal scan would search the inside of the house to ensure that the family’s valuables are hidden from plain sight and properly secured.