You've probably heard about broad-spectrum security scans. These types of scans generally probe the security of large numbers of hosts in an effort to determine the overall security health of the Internet.
Recently, Liraz Siri and some of his colleagues scanned more than 36 million hosts on the Internet for 10 well-known security vulnerabilities. Although their report reveals some staggering figures, the part I find even more interesting is the fact that someone has probed these systems without the network owners' permission. During the scan process, Siri received several threatening email messages from network operators (or their legal counsel) who stated that they considered these scans to be an intrusion against their networks.
This situation once again raises the question of whether it's ethical to scan someone's network without their permission. Although anyone can perform a security scan against another system, just because you can do something doesn't mean you should. So what's the real value of such an action? Personally, I'm not sure the value outweighs the problem it creates.
When someone scans a broad array of systems, security systems can detect those scans and alert the systems administrator to the ongoing probe, as evidenced during Siri's scanning work. But it's impossible to determine the motive for such a scan. Should network administrators simply trust that the scan is just another supposedly harmless Internet security auditing project? Or would administrators be more prudent to assume that an intruder is looking for vulnerabilities in a network's defense system? I think a diligent administrator would assume the worst and go after the person at the source of the scan.
But as Siri points out in the report, perhaps the need exists for an ongoing community-oriented security-scanning project such as this. Siri thinks that such a project could serve to routinely scan all available address space on the Internet for security problems and report the scan findings to each network owner. The owner can then take appropriate action to remedy any vulnerabilities.
When I think about the proposal, it makes a lot of sense. With a standard body to perform regular security scans, overall Internet security would probably increase dramatically. A project such as this might save companies money on several fronts and offer a view from the outside looking into a given network. Although this sort of information is already easy enough to gather on our own, I don't think it hurts to have another opinion.
So what do you think? Would you let a third-party organization (such as that proposed by Siri) freely scan the security of your network on a regular basis? And do you think such a scan would add any value to your company? Drop me a line with your opinion. And until next time, have a great week.