Audit and testing
Vulnerability scan
What is a vulnerability scan?
A vulnerability scan is an automated review of systems for known security flaws and misconfigurations. Software compares the versions and settings it finds with public vulnerability databases and reports every match together with a rating of the risk.
In practice a vulnerability scan is a program that talks to the devices on your network and works out which operating system, which services and which software versions are running there. It then compares those details with public registers of known security flaws. Every publicly known flaw carries a CVE number, a globally unique identifier, and a severity score under the CVSS scheme on a scale from 0 to 10.
There are two viewpoints to distinguish. An external scan looks at your company from outside, the way an attacker on the internet sees it: firewall, remote access, website and mail server. An internal scan runs inside your own network and shows what an attacker would face after a first successful step. An authenticated scan also logs in with a user account, which lets it see missing updates inside installed software.
A scan finds what is publicly known. Whether a reported flaw can actually be exploited in your particular setup is answered by a penetration test, a controlled attempt at attack carried out with your written consent. Scanners also raise false positives, meaning they flag a flaw that another setting already blocks. Every scan therefore needs a person to review the hits afterwards, judge them in context and cut the list down to the points that matter for your business.
The first sensible step comes before the scan: a list of your systems. Only what is known can be examined. A network that has grown over the years usually also carries devices with their own web interface, such as printers, network storage, cameras or machine controllers, and those belong on the list too. Settle responsibilities in advance as well: systems run by a hosting provider or in the cloud may only be scanned under that provider's rules, and your IT service provider should know the date.
Article 32(1)(d) of the GDPR requires a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures. A recurring scan with a documented result is one way to evidence that testing. In the IT Check, vulnerability testing forms part of 8 audit areas with more than 100 individual checks. Data capture on site is read-only, meaning we only read and document, and it runs without interruption while your business carries on working.
All terms in the knowledge base
Note: This entry reflects the state of knowledge to the best of our understanding and serves as general orientation. It is not legal advice. What counts is always the version currently in force at the responsible body, for example dsb.gv.at, nis.gv.at or enisa.europa.eu.
From the term to practice
Where does your business actually stand?
The IT Check reviews your IT across 8 audit areas with more than 100 individual checks and delivers documented findings with a prioritised action plan. From 1,299 € excl. VAT. The first call takes 20 minutes and carries no charge.