Vulnerability scanning is a critical component of any cybersecurity program. It enables organizations to identify security weaknesses in their information systems and take corrective action before attackers can exploit them. In this article, we will explore the basics of vulnerability scanning, including the difference between vulnerability scanning and vulnerability management, the main types of scanning, and more.

Let’s begin by understanding what vulnerability scanning is:

Vulnerability scanning is a systematic and automated review of security weaknesses in an information system. It evaluates whether the system is susceptible to any known vulnerabilities, assigns severity levels to those vulnerabilities, and recommends remediation or mitigation if and when needed.

What is Vulnerability Management and What Is the Difference?

Although the terms are often used interchangeably, vulnerability scanning and vulnerability management are not the same thing. Vulnerability scanning typically refers to running a tool and getting a report with a prioritized list of vulnerabilities. Vulnerability management, on the other hand, is a cyclical process or program that incorporates the scan results to continuously and proactively identify and mitigate cybersecurity risks.

A vulnerability management program typically includes the following steps:

  1. Asset Discovery and Management
  2. Vulnerability Scanning and Analysis
  3. Risk Assessment
  4. Remediation

A Vulnerability Management Program

What Are the Benefits?

Knowing what’s active in a global hybrid-IT environment is fundamental to security. A well-designed VM program enables companies to automatically discover and categorize known and unknown assets and create automated workflows to identify security weaknesses and proactively mitigate the risks and threats to their organizations.

Besides being one of the most effective tools in every InfoSec program, a VM program is also essential in meeting cybersecurity compliance and regulatory requirements such as ISO 27000, HIPAA, and PCI DSS. Some standards require a higher frequency of vulnerability scanning than others, yet most include vulnerability management to some degree.

  1. ISO 27002 – 12.6.1 and 16.1.3: Information about technical vulnerabilities of Information Resources must be obtained in a timely manner. Exposure to such vulnerabilities must be evaluated and appropriate Controls must be implemented to address the associated risk.
  2. PCI DSS – 11.2: run internal and external vulnerability scans at least quarterly or after any significant changes.
  3. FISMA: Requires documentation and implementation of a vulnerability program to protect the availability, confidentiality, and integrity of IT systems. The vulnerability scanning requirements are part of the FedRAMP Continuous Monitoring Strategy Guide and the appropriate FedRAMP Low, Moderate, or High security control baselines, specifically in control RA-5.
  4. NIST: Requires either quarterly or monthly vulnerability scans depending on the particular NIST framework (SP 800-171, SP 800-53, etc.).

What Are the Different Types of Vulnerability Scanning?

  1. Network Scanning
  2. Agent-based Scanning
  3. Application Scanning
  4. Other Scanning Tools and Techniques

Security teams planning their vulnerability scanning strategy have multiple approaches at their disposal. You may wish to use several scan types as part of your overall security management, since testing your systems from different angles helps you cover all the bases. Most modern vulnerability management platforms provide some combination, or all, of the following scanning techniques to enable a full-circle view of all IT assets in an enterprise.

1. Network Scanning

Network scanning tools and techniques rely on a scan engine sending packets over the network to target hosts and evaluating the responses to determine whether the target has any known vulnerabilities. Network scanning can be considered the original scan technique, since the first tools in the scanning space (ISS Internet Security Scanner, nmap, Nessus/OpenVAS, etc.) all worked this way. Network scanning tools can typically scan anything with an IP address, including:

  • Network devices (routers, firewalls, network appliances),
  • Servers (Windows/Linux),
  • Workstations (Windows, Linux, macOS),
  • Mobile devices,
  • IoT devices,
  • SCADA networks, and more.

Different types of network scanning techniques include:

a. Internal vs. External

With an internal network scan, you run the scan from inside the local intranet, which helps you understand security holes from the inside. Similarly, admins should test their network as logged-in users to determine which vulnerabilities would be accessible to trusted users, or to attackers who have already gained access to the network.

On the other hand, there are benefits to performing an external scan and approaching the evaluation from the wider internet, as many threats arise from targeted and automated attacks from outside. It is important to scan the network as an intruder would, to understand what data could fall into the hands of those without trusted network access.

b. Credentialed vs. Non-Credentialed

Non-credentialed scans search for weaknesses on the network (internal or external) without privileged access to the target device and determine the existence of a vulnerability based on the responses they receive. Because they infer the target's state from banners and responses rather than inspecting it directly, non-credentialed scans tend to have high false-positive rates.

Credentialed scans, by contrast, provide the vulnerability scanner with privileged credentials, allowing it to probe the inside of the target system (workstation, server, or network device) for weak passwords, security configuration issues, and misconfigured databases or applications.
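The following is an added example, not part of the original article or any vendor's scanner, showing the two detection approaches described above side by side. It starts a throwaway TCP listener on 127.0.0.1 that greets with a constructed SSH banner, performs a banner-based (non-credentialed) check against a constructed vulnerability table, and then performs the same decision using on-host package data as a credentialed scan would. The advisory id, the fixed-in version and the package records are all placeholders chosen for the demo.

```python
import re
import socket
import threading

# Constructed lookup table standing in for a scanner's vulnerability database.
# The advisory id is a placeholder, not a real CVE: product -> (fixed-in version, id).
VULN_DB = {
    "OpenSSH": ((7, 5), "EXAMPLE-ADVISORY-0001"),
}


def serve_banner(banner: bytes) -> int:
    """Run a throwaway TCP listener on 127.0.0.1 that greets each client with
    `banner` and hangs up. It stands in for the target host; returns the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def grab_banner(host: str, port: int, timeout: float = 2.0) -> str:
    """The probe a network scanner sends: connect, read the greeting, disconnect."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(256).decode(errors="replace").strip()


def parse_product_version(banner: str):
    """Extract product name and (major, minor) from an SSH-style banner."""
    m = re.search(r"(OpenSSH)_(\d+)\.(\d+)", banner)
    if not m:
        return None
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def uncredentialed_check(host: str, port: int) -> dict:
    """Non-credentialed logic: the banner is the only evidence, so any version
    below the upstream fix is reported."""
    banner = grab_banner(host, port)
    parsed = parse_product_version(banner)
    if parsed is None:
        return {"banner": banner, "finding": None}
    product, version = parsed
    fixed_in, advisory = VULN_DB[product]
    return {"banner": banner, "finding": advisory if version < fixed_in else None}


def credentialed_check(package_db: dict) -> dict:
    """Credentialed logic: with on-host access the scanner reads the installed
    package record (constructed here; a real scan would query the package manager
    and its changelog). A distro may backport the fix without changing the banner,
    which is exactly the false positive the banner-only check produces."""
    pkg = package_db.get("openssh-server")
    if pkg is None:
        return {"finding": None}
    fixed_in, advisory = VULN_DB["OpenSSH"]
    if advisory in pkg["backported_fixes"]:
        return {"finding": None, "reason": "fix backported in " + pkg["version"]}
    major, minor = (int(x) for x in pkg["version"].split("p")[0].split(".")[:2])
    return {"finding": advisory if (major, minor) < fixed_in else None}


if __name__ == "__main__":
    port = serve_banner(b"SSH-2.0-OpenSSH_7.4\r\n")
    print(uncredentialed_check("127.0.0.1", port))
    patched = {"openssh-server": {"version": "7.4p1-21",
                                  "backported_fixes": ["EXAMPLE-ADVISORY-0001"]}}
    unpatched = {"openssh-server": {"version": "7.4p1-10", "backported_fixes": []}}
    print(credentialed_check(patched))
    print(credentialed_check(unpatched))
```

Run as a script, the banner check reports the placeholder advisory for both hosts, while the credentialed check clears the host whose package carries the backported fix. This is the mechanism behind the false-positive rate mentioned above: the banner is the same on both hosts, and only privileged access can tell them apart.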

c. Passive Scanning

Passive scanning is a method of vulnerability detection that relies on information obtained from network data that is captured on a network without direct interaction with the targets. Packet sniffing and network monitoring tools can be used for passive scanning to reveal information such as operating systems, known protocols running on non-standard ports, and active network applications with known bugs.

Passive scanning may be conducted by a network administrator scanning for security vulnerabilities or by an intruder as a preliminary to an active attack. It is a good approach for scanning critical networks (such as industrial control systems and SCADA networks) without impacting their availability.
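As an added example (not from the original article or any particular monitoring product), the following code performs the kind of analysis a passive scanner does over already-captured traffic: it never sends a packet. The input is a constructed list of server-to-client records as a sniffer on a SPAN port would see them; the code classifies each flow by the content of the first bytes rather than by port, so a known protocol on a non-standard port is still recognised, and it pulls product strings and OS hints out of the greetings. The host addresses, banners and signature table are all constructed for the demo.

```python
import re
from collections import defaultdict

# Signatures applied to the first bytes a server sends, plus the port the protocol
# is normally expected on. Matching on content, not port, is what lets passive
# analysis spot a known protocol running on a non-standard port.
SIGNATURES = [
    ("ssh", b"SSH-", 22),
    ("http", b"HTTP/1.", 80),
    ("smtp", b"220 ", 25),
    ("tls", b"\x16\x03", 443),
]

# Constructed capture: server-to-client records as a sniffer would see them
# (a real tool would read them from a pcap or a SPAN port). Nothing is sent.
CAPTURED = [
    {"server": "10.0.0.5", "sport": 2222,
     "payload": b"SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5\r\n"},
    {"server": "10.0.0.8", "sport": 8080,
     "payload": b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Debian)\r\n\r\n"},
    {"server": "10.0.0.8", "sport": 443,
     "payload": b"\x16\x03\x03\x00\x5a\x02\x00\x00\x56\x03\x03"},
    {"server": "10.0.0.9", "sport": 25,
     "payload": b"220 mail.example.internal ESMTP Postfix\r\n"},
    {"server": "10.0.0.9", "sport": 3000,
     "payload": b"\x00\x01\x02 not a recognised protocol"},
]

# Where each protocol's greeting carries a product string worth recording.
PRODUCT_PATTERNS = {
    "ssh": r"SSH-2\.0-([^\r\n]+)",
    "http": r"Server: ([^\r\n]+)",
    "smtp": r"220 \S+ ESMTP ([^\r\n]+)",
}


def classify(payload: bytes):
    """Return (protocol, standard port) for a recognised greeting, else None."""
    for name, magic, std_port in SIGNATURES:
        if payload.startswith(magic):
            return name, std_port
    return None


def product_string(proto: str, payload: bytes):
    pattern = PRODUCT_PATTERNS.get(proto)
    if pattern is None:
        return None
    m = re.search(pattern, payload.decode("latin-1"))
    return m.group(1) if m else None


def os_hint(product):
    """Distribution names embedded in banners are a cheap, passive OS hint."""
    if not product:
        return None
    for token in ("Ubuntu", "Debian", "FreeBSD", "Windows"):
        if token in product:
            return token
    return None


def passive_inventory(records):
    """Build a per-host view of services, products, OS hints and protocols seen on
    non-standard ports, purely from observed traffic."""
    inv = defaultdict(lambda: {"services": {}, "nonstandard_ports": [], "os_hints": set()})
    for rec in records:
        match = classify(rec["payload"])
        if match is None:
            continue  # unknown protocol: record nothing rather than guess
        proto, std_port = match
        host = inv[rec["server"]]
        product = product_string(proto, rec["payload"])
        host["services"][rec["sport"]] = {"proto": proto, "product": product}
        if rec["sport"] != std_port:
            host["nonstandard_ports"].append((rec["sport"], proto))
        hint = os_hint(product)
        if hint:
            host["os_hints"].add(hint)
    return dict(inv)


if __name__ == "__main__":
    for host, info in sorted(passive_inventory(CAPTURED).items()):
        print(host, info)
```

The output lists SSH on 2222 and HTTP on 8080 as non-standard placements, attributes Ubuntu and Debian to the respective hosts from their banners, and records the Apache and Postfix product strings that a vulnerability database would later be matched against. Because the analysis is read-only, it can be run continuously against sensitive networks such as the ICS and SCADA environments mentioned above.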

2. Agent-based Scanning

Agent scanning has emerged as an alternative to traditional network scanning tools. As companies adopted work-from-everywhere policies powered by laptops and other portable devices (iPads, Surface devices, etc.), and as Infrastructure as a Service (IaaS) cloud vendors enabled flexible, auto-scaling, and containerized server architectures, network scanning was no longer sufficient to discover and scan all of your assets for vulnerabilities. The distributed nature of these new paradigms makes it hard even to know where your assets are or what their IP addresses are, which makes it almost impossible to scan them effectively for security weaknesses.

Agents run locally on the device (server, laptop, mobile device, etc.) and continuously report the device's security posture and cyber risks back to a central cloud platform in real time, no matter where the device is located, as long as it is connected to the Internet. Since they run locally, similar to a credentialed scan, they can gather in-depth information about the asset, such as which OS version and applications are installed, which network ports are open, which patches are missing, and so on.

Agents work where it is not possible or practical to do network scanning. They are our preferred method for assets like dynamic-IP client machines, remote and roaming users, static and ephemeral cloud instances, and systems sensitive to external scanning. The technology used for agent-based scanning needs to be robust, with agents that are easy to deploy and update, and with flexible enterprise management and reporting features.

Using Qualys, our preferred VM platform, we have helped many clients deploy agents to thousands of assets and run an effective VM program.
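To make the agent model concrete, here is an added example that is not part of the article and not the Qualys agent or API: a minimal agent-side report builder and a central platform that ingests those reports. The important design point it demonstrates is that the asset is keyed by a stable agent id rather than by IP address, so a laptop that checks in from two networks is still one asset, and that the central side both evaluates the reported package versions against a patch baseline and notices agents that have stopped reporting. The package names, versions and baseline are constructed for the demo; on a real endpoint the package list and listening ports would be read from the package manager and the socket table.

```python
import json

# Constructed patch baseline the central platform enforces: package -> minimum version.
# Package names and versions are illustrative, not drawn from a real advisory.
BASELINE = {"openssl": "3.0.13", "sudo": "1.9.15"}


def parse_version(v: str):
    return tuple(int(x) for x in v.split("."))


def build_report(agent_id, hostname, ip, packages, listening_ports, checkin_time):
    """Agent side: serialise the local posture. On a real endpoint `packages` and
    `listening_ports` would be read from the package manager and socket table;
    here the caller supplies them so the example runs anywhere."""
    return json.dumps({
        "agent_id": agent_id,          # stable identity; the IP is not
        "hostname": hostname,
        "ip": ip,
        "packages": packages,          # name -> installed version
        "listening_ports": sorted(listening_ports),
        "checkin_time": checkin_time,  # epoch seconds
    })


def evaluate(packages, baseline=BASELINE):
    """Central side: compare reported package versions against the baseline."""
    findings = []
    for name, required in baseline.items():
        installed = packages.get(name)
        if installed is None:
            continue  # not installed, nothing to patch
        if parse_version(installed) < parse_version(required):
            findings.append({"package": name, "installed": installed, "required": required})
    return findings


class CentralPlatform:
    """Minimal stand-in for the cloud platform that agents report to."""

    def __init__(self):
        self.assets = {}  # agent_id -> asset record

    def ingest(self, report_json):
        r = json.loads(report_json)
        # Keyed by agent id: the same device reporting from a new IP merges
        # into the existing record instead of appearing as a new asset.
        asset = self.assets.setdefault(r["agent_id"], {"ips_seen": []})
        asset["hostname"] = r["hostname"]
        if r["ip"] not in asset["ips_seen"]:
            asset["ips_seen"].append(r["ip"])
        asset["listening_ports"] = r["listening_ports"]
        asset["findings"] = evaluate(r["packages"])
        asset["last_checkin"] = r["checkin_time"]
        return asset

    def stale_agents(self, now, max_age_seconds):
        """Agents that stopped reporting: a laptop that went offline, or an
        instance that was terminated without the asset being retired."""
        return sorted(aid for aid, a in self.assets.items()
                      if now - a["last_checkin"] > max_age_seconds)


if __name__ == "__main__":
    platform = CentralPlatform()
    platform.ingest(build_report("agent-A", "lap-01", "192.0.2.10",
                                 {"openssl": "3.0.11", "sudo": "1.9.15"}, [22], 1000))
    platform.ingest(build_report("agent-A", "lap-01", "198.51.100.7",
                                 {"openssl": "3.0.13", "sudo": "1.9.15"}, [22], 2000))
    platform.ingest(build_report("agent-B", "web-01", "203.0.113.4",
                                 {"sudo": "1.9.5"}, [80], 100))
    print(json.dumps(platform.assets, indent=2))
    print("stale:", platform.stale_agents(now=2000, max_age_seconds=600))
```

Run as a script, the laptop appears once with both IPs recorded, its openssl finding clears after the second check-in reports the patched version, and agent-B is listed as stale because it has not reported within the window. Stale agents deserve attention in a VM program: an asset that silently stops reporting is an asset that is no longer being assessed.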

3. Application Scanning

Application security scanners are used to discover and catalog the web applications in your network and perform a dynamic scan at the application layer (over HTTP/HTTPS) to discover security vulnerabilities. Modern web application scanners can scan web applications as well as the SOAP and REST API services that support mobile apps and rich client apps. A good application scanner like Qualys WAS should detect OWASP Top 10 risks such as SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), and unvalidated redirection.

Some application scanners like Burp Suite incorporate automated scanning capabilities with manual testing tools to enable teams to validate findings and attempt exploits within the same tool.
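The following added example (not from the article, and not Qualys WAS or Burp Suite code) shows the core of one dynamic application-layer check of the kind described above. It starts a constructed target application on 127.0.0.1 with two hypothetical endpoints, one that reflects a query parameter into HTML unencoded and one that encodes it, then submits an inert canary string and reports whether each endpoint returns it verbatim. That verbatim reflection of characters an HTML context must encode is the signal a scanner's reflected-XSS check is looking for; the hardened endpoint shows what the fixed application returns instead.

```python
import html
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


class DemoApp(BaseHTTPRequestHandler):
    """Constructed target: /search reflects the query unencoded (reflected XSS),
    /search-safe HTML-encodes it. Both endpoints are hypothetical, for the demo."""

    def do_GET(self):
        url = urllib.parse.urlparse(self.path)
        q = urllib.parse.parse_qs(url.query).get("q", [""])[0]
        if url.path == "/search":
            body = f"<p>Results for {q}</p>"                             # vulnerable
        elif url.path == "/search-safe":
            body = f"<p>Results for {html.escape(q, quote=True)}</p>"   # hardened
        else:
            self.send_response(404)
            self.end_headers()
            return
        data = body.encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_app() -> str:
    """Serve the demo application on a free loopback port; returns its base URL."""
    srv = HTTPServer(("127.0.0.1", 0), DemoApp)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_port}"


# Inert canary: carries the characters an HTML context must encode, but no markup.
MARKER = 'pbxcanary<"\'>'
# Talk to loopback directly even if the environment configures an HTTP proxy.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def check_reflection(base_url: str, path: str, param: str = "q") -> dict:
    """One DAST-style check: submit the canary in `param` and report whether it
    comes back verbatim (unsafe) or HTML-encoded (safe)."""
    url = f"{base_url}{path}?{urllib.parse.urlencode({param: MARKER})}"
    with OPENER.open(url, timeout=3) as resp:
        body = resp.read().decode("utf-8")
    return {
        "path": path,
        "param": param,
        "unencoded_reflection": MARKER in body,
        "encoded_reflection": html.escape(MARKER, quote=True) in body,
    }


def scan(base_url: str, paths=("/search", "/search-safe")):
    """Run the check across the discovered endpoints (here a fixed list; a real
    scanner would crawl the application to build it)."""
    return [check_reflection(base_url, p) for p in paths]


if __name__ == "__main__":
    for result in scan(start_app()):
        print(result)
```

The unencoded endpoint is flagged and the encoded one is not. A production scanner adds context awareness (attribute, script and URL contexts each need different encoding), crawling to discover the parameters, and authentication handling, but the request-and-inspect loop is the same.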

4. Other Scanning Tools and Techniques

Over the last couple of years, scanning tools have evolved to cover risks in the new and evolving world of enterprise IT. Each of the following areas is being addressed by new open-source projects, new startups, and new features of existing tools, and each is worth a separate blog post in the future:

  • Cloud security scanners (AWS, Azure, GCP)
  • SaaS security scanners (Office365, Google Apps)
  • Container security scanners (Kubernetes, docker)
  • Serverless security scanners

Conclusion

This article has covered the basics of vulnerability scanning, a critical component of any cybersecurity program: its definition, how it differs from vulnerability management, and the various types of vulnerability scanning techniques available.

It also highlights the importance of a well-designed vulnerability management program, which includes vulnerability scanning, in proactively identifying and mitigating cybersecurity risks.

At PurpleBox, we understand the importance of cybersecurity in today’s digital age. We offer a range of cybersecurity services, including Vulnerability Management and Penetration Testing, to help our clients stay secure. Our team of experts works closely with our clients to understand their unique needs and design customized solutions that meet their specific requirements.

Contact us today to learn more about our services and how we can help you stay secure.