Vulnerability scanning explained

July 16, 2020 | Nick Cavalancia

This blog was written by a third-party author

What is vulnerability scanning?

Vulnerability scanning is the process of detecting and classifying potential points of exploitation in network devices, computer systems, and applications. This is done by inspecting the same attack surfaces that both internal and external threat actors probe—such as firewalls, applications, and services that are deployed either internally or externally—when trying to gain unauthorized access to an organization’s network and assets. Scan results are compared against a database of known vulnerabilities, so that security gaps in networks, systems, and applications can be identified and fixed quickly.

Who performs vulnerability scans?

Scans are performed by internal IT security teams or managed security service providers (MSSPs), as part of a vulnerability assessment that should itself be part of a broader vulnerability management program. In some cases, scans are mandated by compliance regulations and must be carried out by external providers certified to perform them. A good example is the Payment Card Industry Data Security Standard (PCI DSS), which requires Approved Scanning Vendors (ASVs) to perform the external vulnerability scans and verify that they align with PCI standards. The reason these various groups regularly perform vulnerability scans is that external and internal threat actors do as well, as part of scoping out their attack strategy.

Types of vulnerability scans

Vulnerability scans involve looking for missing patches, open ports, or any other conceivable method of maliciously gaining access. The following list covers the various types of vulnerability scans used today:

  • Unauthenticated scans – This scan looks for potential network security vulnerabilities, such as misconfigured firewalls or vulnerable web servers in a demilitarized zone (DMZ), by scanning these devices remotely or across the network. This type of scan can also detect vulnerabilities on systems on wired or wireless networks.
  • Authenticated scans – This identifies application and operating system-based vulnerabilities on servers, workstations, or other network hosts from the vantage point of an agent on the machine. Host-based scans can also examine the ports and services that are visible to a network-based scan, but host-based agents provide an additional degree of visibility into and context around a given system’s configuration and patch history.
  • Web application scans – These detect whether the applications have any well-known software vulnerabilities, insecure configurations, or insecure code issues.
  • Database scans – SQL injection attacks are one of many well-known risks associated with database applications. Database applications and services need to be scanned to identify any security or application weaknesses.

Authentication in vulnerability scanning

The scanning methods mentioned above use one of two authentication approaches to vulnerability scanning: authenticated and unauthenticated. Scans that are performed without the benefit of authentication to the target are called “unauthenticated”. These scans will largely find vulnerabilities that can be used in attacks that do not require user credentials and can succeed without trusted access. Authenticated scans—such as host-based scans—require the person performing the test to authenticate as a network user. This method helps to expose any vulnerabilities accessible to a “trusted” user, whether it is a genuine employee of the organization or a threat actor who has compromised a set of user credentials.
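The matching step described above (comparing what is observed about a host against a database of known vulnerabilities) and the unauthenticated-versus-authenticated distinction can both be shown in a few dozen lines. The following is an added example, not code from the original post or from any scanning product: a toy scanner that matches service banners (what an unauthenticated network scan sees) and the installed-package inventory (what an authenticated host scan sees) against a small, constructed vulnerability database. The host name, products, versions and the `EX-000n` advisory identifiers are all constructed placeholders, not real advisories.

```python
"""Toy vulnerability matcher (added example; all data below is constructed)."""
from dataclasses import dataclass, field


def parse_version(v: str) -> tuple:
    """Turn '2.4.49' into (2, 4, 49) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


@dataclass(frozen=True)
class Advisory:
    advisory_id: str    # placeholder identifier, not a real CVE
    product: str
    affected_from: str  # first affected version (inclusive)
    fixed_in: str       # first patched version (exclusive upper bound)
    severity: str

    def affects(self, version: str) -> bool:
        v = parse_version(version)
        return parse_version(self.affected_from) <= v < parse_version(self.fixed_in)


# Constructed "known vulnerabilities" database.
VULN_DB = [
    Advisory("EX-0001", "httpd", "2.4.0", "2.4.51", "critical"),
    Advisory("EX-0002", "openssh", "8.0", "8.5", "medium"),
    Advisory("EX-0003", "libxml2", "2.9.0", "2.9.12", "high"),
    Advisory("EX-0004", "sudo", "1.8.0", "1.9.5", "high"),
]


@dataclass
class Host:
    name: str
    # Unauthenticated view: port -> (product, version-or-None) taken from service banners.
    banners: dict = field(default_factory=dict)
    # Authenticated view: product -> version from the installed-package inventory.
    packages: dict = field(default_factory=dict)


@dataclass(frozen=True)
class Finding:
    host: str
    advisory_id: str
    product: str
    version: str
    severity: str
    found_by: str  # "unauthenticated" or "authenticated"


def _match(host_name: str, inventory: list, found_by: str) -> list:
    """Compare (product, version) pairs against VULN_DB and return the hits."""
    findings = []
    for product, version in inventory:
        if version is None:
            continue  # banner hid the version; cannot classify without host access
        for adv in VULN_DB:
            if adv.product == product and adv.affects(version):
                findings.append(Finding(host_name, adv.advisory_id, product, version,
                                        adv.severity, found_by))
    return findings


def unauthenticated_scan(host: Host) -> list:
    """Only network-visible banners are available; unversioned banners yield nothing."""
    return _match(host.name, list(host.banners.values()), "unauthenticated")


def authenticated_scan(host: Host) -> list:
    """With host access the full package inventory (and exact versions) is available."""
    return _match(host.name, list(host.packages.items()), "authenticated")


def blind_spots(host: Host) -> list:
    """Findings the authenticated scan reports that the unauthenticated one cannot see."""
    seen = {(f.advisory_id, f.product) for f in unauthenticated_scan(host)}
    return [f for f in authenticated_scan(host) if (f.advisory_id, f.product) not in seen]


def summarize(findings: list) -> dict:
    """Count findings per severity, the kind of roll-up a scan report leads with."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample host: the 443 banner reveals the product but not its version.
SAMPLE_HOST = Host(
    name="web01.example.test",
    banners={80: ("httpd", "2.4.49"), 22: ("openssh", "8.2"), 443: ("httpd", None)},
    packages={"httpd": "2.4.49", "openssh": "8.2", "libxml2": "2.9.10",
              "sudo": "1.9.5", "bash": "5.1"},
)

if __name__ == "__main__":
    for f in authenticated_scan(SAMPLE_HOST):
        print(f"{f.host}: {f.advisory_id} {f.product} {f.version} [{f.severity}] via {f.found_by}")
    print("missed by unauthenticated scan:", [f.advisory_id for f in blind_spots(SAMPLE_HOST)])
```

On the sample host the unauthenticated scan reports two findings (the `httpd` and `openssh` banners), while the authenticated scan reports three: the vulnerable `libxml2` library is not exposed on any port, so only the package inventory reveals it. The `sudo` package sits exactly at its `fixed_in` version and is correctly treated as patched, which is why the upper bound is exclusive.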

Vulnerability scanning vs. penetration testing

Vulnerability scans identify those systems, devices, and applications whose current state includes known vulnerabilities. While this identification process can include some level of exploitation, vulnerability scans are not equivalent to penetration tests. Rather, most full-scale penetration tests will include a vulnerability scan as part of the broader procedure. In essence, vulnerability scans seek to identify exploitable conditions and act as the groundwork or early phase of a penetration test, where the tester behaves like a threat actor and attempts to compromise a device, system, service, or application.

About the Author: Nick Cavalancia

Nick Cavalancia is a Microsoft Cloud and Datacenter MVP, has over 25 years of enterprise IT experience, is an accomplished consultant, speaker, trainer, writer, and columnist, and has achieved industry certifications including MCSE, MCT, Master CNE, Master CNI. Nick regularly speaks, writes and blogs for some of the most recognized tech companies today on topics including cybersecurity, cloud adoption, business continuity, and compliance.
