Internet scanning and the value of an ethical approach

Organizations often lack a comprehensive understanding of the external and internal risks to their networks. Securing their attack surface is the number one priority for organizations over the next 12 months. While Internet scanning has drastically shifted how security professionals analyze and collect security data, this must be done ethically and with appropriate guidelines in place. Censys’ Senior Security Researcher, Ariana Mirian, outlines her best practices for maintaining an ethically compliant internet scanning environment and the steps organizations can take to implement them across their teams.

The power of Internet scanning

Relied on by security professionals as a source of comprehensive Internet studies, Internet scanning has become a powerful research and intelligence tool, drastically improving the collection and analysis of data. Ariana Mirian emphasizes that “scanning is used to identify vulnerabilities, track security trends, and enable comprehensive reports that enhance our understanding of the Internet’s security landscape.”

These capabilities are crucial, particularly given the risks associated with emerging security vulnerabilities, which can quickly propagate across the Internet, causing major disruptions and incurring huge costs. Mirian notes, “Armed with the ability to scan the Internet, researchers, and security professionals alike are better placed to uncover, track, and act on the insight required to remediate these risks using a data-driven approach.”

The scope Internet scanning offers the security community is considerable. It includes everything from vulnerability detection and security monitoring to supplying data that can inform security best practices, risk assessment, and compliance. According to Mirian, “This kind of continuous monitoring is quickly becoming crucial for security teams that need to respond as quickly as possible to new and emerging threats.”

Ethical considerations in Internet scanning

Internet scanning sheds light on the Internet’s attack surface and the various risks and vulnerabilities that increase the potential for data breaches, information leaks, or asset destruction. Mirian points out, “This can include a wide range of issues, from simple technology misconfigurations to Common Vulnerabilities and Exposures (CVEs), which records publicly disclosed cybersecurity vulnerabilities.” Industry figures reveal that over 11,500 CVEs have already been discovered this year compared to a total of 29,000 for the whole of 2023, highlighting the urgency and importance of scanning.

However, Mirian stresses that scanning should not simply be seen as a catch-all effort that sweeps up masses of data without consideration. “Ethics and good governance play a key role in ensuring scanning can be effective without being disruptive, intrusive, or, in some cases, illegal,” she says.

Internet scanning
Photo by John Schnobrich on Unsplash

Best practices

An ethics-led approach ensures that scanning activities respect privacy, prevent data misuse, and don’t negatively impact network performance. Mirian explains, “Ethics also fosters trust among stakeholders, ensures scanning remains fully compliant with legal requirements, and operates within the boundaries of ‘good Internet citizenship’.” She elaborates on the key practices that define responsible and ethical Internet scanning:

Consider the impact of any scanning process: “Organizations or researchers using Internet scanning should focus on the potential impact of their activities on various stakeholders, including Internet Service Providers and owners of remote systems,” advises Mirian. For example, scanning for an uncommon service on a port might be flagged as suspicious.

Ensure public communication and disclosure: To demonstrate that a scanning process has benign objectives, Mirian suggests, “Organizations or researchers should create a simple website that describes the project’s goals, details of the data collected, and contact information for those wishing to learn more.”

Minimize risks to vulnerable systems: “Since scanning can also expose information about potentially vulnerable systems, every effort should be made to secure sensitive information and abide by exclusion requests,” she emphasizes. Informing external parties of the vulnerable systems found can also help mitigate risks.

Coordinate with organizational leaders and administrators: “Any organization using Internet scanning should coordinate its activities in advance with relevant IT leaders and administrators,” Mirian advises. This ensures compliance with legal and infrastructure requirements and minimizes the risk of breaching in-house rules or wider regulations.

Avoid redundant scanning: Mirian recommends, “Centralizing data collection and publicly sharing results can minimize redundant scanning, reducing overall traffic levels and minimizing the impact on Internet infrastructure and resources.”

By following these priorities, organizations and security researchers can balance the need to gather vital insights into security vulnerabilities and trends concerning the interests of third-party stakeholders. Mirian concludes, “At a time when many risks and vulnerabilities are emerging more quickly and becoming harder to detect, these are important capabilities.” Ethical Internet scanning is not just about gathering data but doing so responsibly, ensuring that the security benefits are realized without compromising privacy, legal standards, or network performance.

George Mavridis is a freelance journalist and writer based in Greece. His work primarily covers tech, innovation, social media, digital communication, and politics. He graduated from the Aristotle University of Thessaloniki with a BA in Journalism and Mass Communication. Also, he holds an MA in Media and Communication Studies from the Malmö University of Sweden and an MA in Digital Humanities from the Linnaeus University of Sweden.