Vulnerability scanning is the process of evaluating networks and Information Technology (IT) assets for misconfigurations, flaws, or weaknesses that threat actors could exploit to gain access to resources or data without proper authorization. These scans are typically automated so that an organization’s security weaknesses can be assessed and addressed as efficiently as possible. New vulnerabilities are discovered often, but a key scoring system helps direct where effort and resources should be focused: the Common Vulnerability Scoring System (CVSS), which NIST uses in the National Vulnerability Database (NVD). CVSS assigns each vulnerability a base score reflecting its intrinsic characteristics. That score is then refined by further metrics, such as the current likelihood of exploitation and whether mitigating factors exist in the specific computing environment. Together these metrics place each vulnerability on a scale from 0.0 to 10.0, and that range is divided into criticality levels.

SC CIC delivers external vulnerability scanning as a service to provide an outside perspective on an organization’s internet-facing assets. To this end, every IP range assigned to the organization is included in the initial scan, regardless of what is currently supposed to be in use. This mimics what a potential attacker would see and gives valuable insight into a common initial network access vector – unsecured perimeter assets. An SC CIC analyst then reviews the scan results and produces a succinct report with personalized remediation recommendations based on the probability of exploitation and the expected impact. SC CIC’s recommendations are driven by severity scores but also weigh the effort required to remediate. This approach mirrors the one CISA takes in its Cross-Sector Cybersecurity Performance Goals (CPGs), which aligns with SC CIC’s mission to support and secure critical infrastructure in the state of South Carolina. Once fixes are implemented, on-demand verification scans confirm that the security gaps are closed, and this cycle is repeated as needed. This format helps organizations prioritize and address their cybersecurity weaknesses in a manageable way.

“Vulnerability scanning of an organization's external posture is critical because it provides real-time insights into how attackers see networks from the outside. The reporting generated from these scans makes securing the perimeter a priority, which is a foundational step in cybersecurity.”
– Ryan Truskey, SC CIC Director

If you represent a critical infrastructure organization and are interested in any of the SC CIC services, please complete the Join SC CIC form here.