What is vulnerability scanning?
A vulnerability scanner is an application that identifies and creates an inventory of all the systems (including servers, desktops, laptops, virtual machines, containers, firewalls, switches, and printers) connected to a network. For each device that it identifies it also attempts to identify the operating system it runs and the software installed on it, along with other attributes such as open ports and user accounts.
Most vulnerability scanners will also attempt to log in to systems using default or other credentials in order to build a more detailed picture of the system.
After building up an inventory, the vulnerability scanner checks each item in the inventory against one or more databases of known vulnerabilities to see if any items are subject to any of these vulnerabilities.
The result of a vulnerability scan is a list of all the systems found and identified on the network, highlighting any that have known vulnerabilities that may need attention.
Vulnerability scanning vs. penetration testing
Vulnerability scanning and penetration testing are often confused, but in fact the two security procedures are quite different and are used for different purposes.
At the most basic level, vulnerability scanning aims to identify any systems that are subject to known vulnerabilities, while a penetration test aims to identify weaknesses in specific system configurations and organizational processes and practices that can be exploited to compromise security.
As an illustration of the difference between a vulnerability scan and a penetration test, a pen test may involve:
- Using social engineering techniques such as impersonating a manager and asking an employee for a password in order to gain access to a database or other system
- Intercepting and using unencrypted passwords sent over the network
- Sending phishing emails to users to gain access to accounts
How vulnerability scanning works
Vulnerability scanning finds systems and software that have known security vulnerabilities, but this information is only useful to IT security teams when it is used as the first part of a four-part vulnerability management process.
Vulnerability management process
This vulnerability management process involves:
- Identification of vulnerabilities
- Evaluation of the risk posed by any vulnerabilities identified
- Treatment of any identified vulnerabilities
- Reporting on vulnerabilities and how they have been handled
Identification of vulnerabilities
The main way to identify vulnerabilities is through vulnerability scanning, and a scanner’s efficacy depends on two things:
- the ability of the scanner to locate and identify devices, software and open ports, and gather other system information
- the ability to correlate this information with known vulnerability information from one or more vulnerability databases
Vulnerability scanning can be configured to be more or less aggressive or intrusive, and this is important because there is the possibility that the scanning process can affect the performance or stability of systems being interrogated. It can also cause bandwidth issues on some networks.
A solution to this may be to schedule vulnerability scanning outside of business hours, but this leads to the possibility that employees who connect laptops to the network may not have them connected when the scanning takes place.
One way to get around this second problem is through the use of endpoint agents running on laptops and other devices, which enable a vulnerability management system to have inventory data pushed to it by the agent when it is connected to the network rather than pulled in during a scheduled scan of the organization’s network.
Another approach is to use a technique called adaptive vulnerability scanning, which detects changes to the network, such as the connection of a new laptop or other device for the first time. When this happens, the vulnerability scanner launches automatically and scans the new system immediately or as soon as possible, rather than waiting for the next scheduled scan.
Evaluation of risks
One of the challenges of vulnerability scanning is that it can produce a long list of vulnerabilities that have been identified, and if the list is too long it can overwhelm the resources of the IT security team.
The evaluation stage is therefore extremely important, as it triages the vulnerabilities and enables IT security staff to decide:
- how critical the vulnerability is and what the impact on the organization would be if it were to be exploited successfully
- how practical it would be for a hacker to exploit the vulnerability (for example, could it be exploited from the internet or would physical access be required), and how easily this could be accomplished (perhaps using publicly available exploit code)
- whether any existing security controls could reduce the risk of the vulnerability being exploited
- if the vulnerability detected is a “false positive” that can be ignored
Ultimately, the purpose of the evaluation stage is to allow IT security staff to prioritize the vulnerabilities that need the most urgent attention in order to mitigate the overall security risk most effectively and rapidly.
Treatment of any identified vulnerabilities
In an ideal world, any vulnerabilities that are detected during vulnerability scanning and are not false positives should be patched or otherwise fixed so they no longer represents a vulnerability that poses a risk.
Unfortunately, a simple fix or patch is not always immediately available, and in these circumstances the IT security staff may choose to mitigate the risk that the vulnerability poses by ceasing to use a vulnerable system, adding other security controls to try to make the vulnerability harder to exploit, or any other means that reduces the likelihood of the vulnerability being exploited or reduces the impact of it being exploited successfully.
Alternatively, the best course of action may simply be to accept that the vulnerability exists and take no further action. This may be the case where the risk posed by the vulnerability is low, or where the impact of its exploitation is low relative to the cost of mitigating or fixing it.
Types of vulnerability scanning
Not all vulnerability scans are alike, and to ensure compliance with certain regulations (such as those set by the PCI Security Standards Council) it is necessary to carry out two distinct types of vulnerability scans: an internal and an external vulnerability scan. So what exactly is the difference?
External vulnerability scan
As the name suggests, an external vulnerability scan is carried out from outside an organization’s network, and its principal purpose is to detect vulnerabilities in the perimeter defenses such as open ports in the network firewall or specialized web application firewall. An external vulnerability scan can help organizations fix security issues that could enable hackers to gain access to the organization’s network.
Internal vulnerability scan
By contrast, an internal vulnerability scan is carried out from inside an organization’s perimeter defenses. Its purpose is to detect vulnerabilities that could be exploited by hackers who successfully penetrate the perimeter defenses, or equally by “insider threats” such as contractors or disgruntled employees who have legitimate access to parts of the network.
Unauthenticated and authenticated vulnerability scans
A similar but not always identical variation of internal and external vulnerability scans is the concept of unauthenticated and authenticated vulnerability scans.
Unauthenticated scans, like external scans, search for weaknesses in the network perimeter, while authenticated scans? provide vulnerability scanners with various privileged credentials, allowing them to probe the inside of the network for weak passwords, configuration issues, and misconfigured databases or applications.
Complementary security measures
As mentioned earlier, penetration testing is different than vulnerability scanning both in how it is carried out and in its objectives. Other security measures that also complement a vulnerability scanning and management program include:
- Breach and attack simulation: Breach and attack simulation (BAS) tools run simulated attacks to measure the effectiveness of a company’s prevention, detection and mitigation capabilities. For example, the software might simulate a phishing attack on a company’s email systems, a cyberattack on the company’s web application firewall, attempted data exfiltration, lateral movement within networks, or a malware attack on an endpoint. The purpose of BAS is to answer important questions about an organization’s security posture, such as whether alerts are being generated for the right conditions, and how effectively and quickly staff can respond to an alert.
- Threat Hunting: Cybercriminals spend an average of 191 days inside a corporate network before they are detected, according to IBM research, and during that time they can attempt to compromise an increasing number of systems and exfiltrate large amounts of data. Threat hunting aims to counter this by actively searching the corporate network for malware that may have been placed on it or attackers who are carrying out criminal activities on an ongoing basis. To carry out threat hunting it is necessary to have a relatively sophisticated security infrastructure in place, including a security information and event management (SIEM) system, and suitably trained security staff.
- Application security testing: Application security testing tools can be thought of as specialist vulnerability testing tools for applications, and they offer a way of analyzing application code that is quicker and lower cost than manual code review. They can be effective for finding known weaknesses and vulnerabilities in code, and many regulatory compliance directives mandate the use of these tools to check code on a regular basis.
Vulnerability scanning tools
A number of IT security vendors offer vulnerability scanning tools, among them SolarWinds, Comodo, Tripwire, High-Tech Bridge, Tenable, Core Security, Acunetix, Qualys, Rapid7 and Netsparker.
Open source vulnerability scanners
Many vulnerability scanners are proprietary products, but there also a small number of open source vulnerability scanners, or free “community” versions of proprietary scanners. These include:
- Nexpose Community