TR 62443-3-1 © IEC:2009(E) - 69 -

has been compromised. Vulnerability scanners identify three types of security issues: inadequate policies, misconfigurations, and software flaws. Once the weaknesses have been identified, the software supplies administrators with detailed information about the vulnerabilities and the best means of securing them.

networks to ensure a standard level of security exists across the enterprise network. The scanners identify weaknesses across the enterprise, generate security reports for each system or security statistics for the enterprise, and deploy patches or security configuration changes to vulnerable systems. Enterprise scanning of this sort is used to decrease enterprise risk levels and set a general level of basic security for each host without sacrificing a great deal of functionality.

- Verifying the security on specific high-risk systems: Targeted scans are performed against specific high-risk hosts or appliances. Vulnerabilities detected on the hosts are individually assessed for criticality and weighed against the functionality requirements of each system. To achieve a maximum balance between functionality and tight security, targeted scanning requires a high level of skill and knowledge from both the security administrator, who performs the scans, and the systems administrator, who maintains the system. Targeted scanning is designed to harden a high-risk system, decreasing the risk level to individual systems as much as possible.

The second purpose is of greater concern in a control system environment.

Vulnerability scanners usually consist of four primary components:

- Vulnerability database: Contains vulnerability information that typically references Computer vulnerabilities and exposure identification.

- Scanning engine: Performs three tasks: 1) detects devices on the network, 2) identifies the operating systems and applications resident on each computer, and 3) tests each system for vulnerabilities based on the identified operating system, applications, and security configurations.

NOTE 1 The configuration of the system being scanned and the design of the vulnerability scanner determine how vulnerabilities and misconfigurations are detected.

- Agent with local administrative privileges: Deployed on each host, similar to an antivirus client. Agents allow scan administrators to control when scans are run, determine what vulnerabilities to check for, and send results back to a centralized report repository. Agents are generally deployed when scans shall be performed regularly and enterprise security is a priority as opposed to specific host level security.

NOTE 2 While most vulnerability scanners have agents that can be deployed to the host, scans can still be administrative access of the agent.

about each problem, and provides recommendations for resolving the identified security issues. Information about user accounts, open ports, and services running on each host are also included in the reports.

8.5.2 Security vulnerabilities addressed by this technology

Scanners check for the following three types of security issues on computer systems:

- Security policy weaknesses: Can be changed on individual systems, but do not relate to service or application configuration and software flaws. Such problems can be resolved by changing the policies on each host. Examples of these weaknesses include a lack of logging or auditing by the host, bad password policies, and poor control of user access and rights.

- Misconfigurations: Vulnerabilities that are based on the improper configuration of services, applications, or operating system components. Misconfigurations can be rectified by correcting how the software is implemented on each host. Examples of misconfiguration vulnerabilities include installing unneeded components or leaving unnecessary services running on the system.

- Software flaws: Actual design glitches in the operating systems, applications, or firmware. T

IEC TR 62443-3-1 2009 Industrial communication networks - Network and system security - Part 3-1 Security technologies for industrial automation and control systems
This document was uploaded and shared by 人生无常 on 2025-03-28 01:43:00.