Examples of security weaknesses that a vulnerability scan can identify include:
- Publicly known cybersecurity vulnerabilities that are published in the MITRE CVE database
- Application security vulnerabilities from the OWASP Top 10, such as SQL injection or XSS
- Insecure defaults – software that ships with insecure settings, such as a guessable admin password.
- Other cybersecurity weaknesses published by vendors, industry groups or research organizations, such as the insecure SSL/TLS and certificate weaknesses reported by Qualys SSL Labs
Vulnerability scanning is a systematic, automated review of security weaknesses in an information system. It evaluates whether the system is susceptible to any known vulnerabilities, assigns severity levels to those vulnerabilities, and recommends remediation or mitigation where needed.
Although the terms are often used interchangeably, vulnerability scanning and vulnerability management are not the same thing. Vulnerability scanning typically refers to running a tool and getting a report with a prioritized list of vulnerabilities, whereas vulnerability management is a cyclical process or program that incorporates the scan results to continuously and proactively identify and mitigate cybersecurity risks.
A vulnerability management program typically includes the following steps:
- Asset Discovery and Management
- Vulnerability Scanning and Analysis
- Risk Assessment
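The distinction above between a scan report and a management program is easiest to see in code. The following is an added example, not code from the original post or from any scanner; the findings, asset names and vulnerability IDs are constructed placeholders, and the SLA policy is an assumption rather than any standard's requirement. `prioritize()` is all a scanner gives you; `reconcile()` is the part a VM program has to add: memory across runs, ownership of deadlines, and closure of fixed items.

```python
"""Added example (not from the original post): scan report vs. VM cycle.
Findings, asset names and vulnerability IDs are constructed placeholders;
the SLA policy below is an assumption, not any standard's requirement."""
from datetime import date, timedelta

# Assumed remediation policy: days allowed to fix a finding, by severity.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Constructed sample: first scan run, with the date each finding was first seen...
RUN_1 = [
    {"asset": "web-01", "id": "VULN-EXAMPLE-001", "cvss": 9.8, "first_seen": date(2024, 1, 10)},
    {"asset": "web-01", "id": "VULN-EXAMPLE-002", "cvss": 5.3, "first_seen": date(2024, 1, 10)},
    {"asset": "db-01",  "id": "VULN-EXAMPLE-003", "cvss": 7.5, "first_seen": date(2024, 1, 10)},
]
# ...and a later run exactly as a scanner reports it, with no history of its own.
RUN_2 = [
    {"asset": "web-01", "id": "VULN-EXAMPLE-001", "cvss": 9.8},
    {"asset": "db-01",  "id": "VULN-EXAMPLE-004", "cvss": 4.0},
]
TODAY = date(2024, 2, 1)   # constructed "now" so the example is reproducible


def severity(cvss: float) -> str:
    """Qualitative rating for a CVSS v3 base score (9.0+ critical, 7.0+ high, 4.0+ medium)."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def prioritize(findings):
    """What a scanner delivers: one report, highest score first."""
    return sorted(findings, key=lambda f: (-f["cvss"], f["asset"], f["id"]))


def reconcile(previous, current, today):
    """What a VM program adds: carry history across runs and track each finding.

    Returns (new, persisting, fixed). Open items get the date first seen, the SLA
    deadline derived from severity, and whether that deadline has already passed.
    """
    prev = {(f["asset"], f["id"]): f for f in previous}
    curr = {(f["asset"], f["id"]): f for f in current}
    new, persisting = [], []
    for key, f in curr.items():
        first_seen = prev[key]["first_seen"] if key in prev else today
        deadline = first_seen + timedelta(days=SLA_DAYS[severity(f["cvss"])])
        item = dict(f, severity=severity(f["cvss"]), first_seen=first_seen,
                    deadline=deadline, overdue=today > deadline)
        (persisting if key in prev else new).append(item)
    fixed = [f for key, f in prev.items() if key not in curr]
    return new, persisting, fixed


def run_cycle():
    """Run the two-scan cycle on the constructed data; returns (new, persisting, fixed)."""
    return reconcile(RUN_1, RUN_2, TODAY)


if __name__ == "__main__":
    for label, items in zip(("new", "persisting", "fixed"), run_cycle()):
        print(label, [(i["asset"], i["id"], i.get("overdue")) for i in items])
```

On the constructed data the critical finding on web-01 was first seen on 10 January and is still open on 1 February, so it is 15 days past its 7-day SLA; the scanner's report alone cannot tell you that, because the report has no notion of "first seen".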
A Vulnerability Management Program
Knowing what’s active in a global hybrid-IT environment is fundamental to security. A well-designed VM program enables companies to automatically discover and categorize known and unknown assets and to create automated workflows that identify security weaknesses and proactively mitigate the risks and threats to their organizations.
Besides being one of the most effective tools in every InfoSec program, a VM Program is also essential in meeting cybersecurity compliance and regulatory requirements such as ISO27000, HIPAA, and PCI-DSS. Some standards require a higher frequency of vulnerability scanning than others, yet most include vulnerability management to some degree.
- ISO 27002 – 12.6.1 and 16.1.3: Information about technical vulnerabilities of Information Resources must be obtained in a timely manner. Exposure to such vulnerabilities must be evaluated and appropriate Controls must be implemented to address the associated risk.
- PCI DSS – 11.2: run internal and external vulnerability scans at least quarterly or after any significant changes
- FISMA: Requires documentation and implementation of a vulnerability program to protect the availability, confidentiality, and integrity of IT systems. The vulnerability scanning requirements are part of the FedRAMP Continuous Monitoring Strategy Guide and the appropriate FedRAMP Low, Moderate, or High Security Control baselines, specifically in control RA-5.
- NIST: Requires either quarterly or monthly vulnerability scans depending on the particular NIST framework (800-171, 800-53, etc.)
Security teams planning their vulnerability scanning strategy have multiple approaches at their disposal. In fact, you may wish to try out a variety of scan types as part of your overall security management, since testing your systems from different angles helps you cover all the bases. Most modern Vulnerability Management Platforms provide a combination of, or all of, the following scanning techniques to enable a full-circle view of all IT assets in an enterprise.
Network scanning tools and techniques rely on a scan engine sending packets over the network to target hosts and evaluating the responses to determine whether the target has any known vulnerabilities. Network scanning can be considered the original scanning technique, as the first tools in the space (ISS Internet Security Scanner, nmap, Nessus/OpenVAS, etc.) all worked this way. Network scanning tools can typically scan anything with an IP address, including network devices (routers, firewalls, network appliances), servers (Windows/Linux), workstations (Windows, Linux, macOS), mobile devices, IoT devices, SCADA networks, and more.
Different types of network scanning techniques include:
With an internal network scan, you run threat detection on the local intranet, which helps you understand security holes from the inside. Similarly, admins should test their network as a logged-in user to determine which vulnerabilities would be accessible to trusted users or to users who have gained access to the network.
On the other hand, there are benefits to performing an external scan, approaching the evaluation from the wider internet, as many threats arise from intentional and/or automated outside attacks. Likewise, it’s important to scan the network as an intruder might, to understand what data could fall into the hands of those without trusted network access.
Non-credentialed scans search for weaknesses on the network (internal or external) without privileged access to the target device and determine the existence of a vulnerability based on the responses they receive. Non-credentialed scans tend to have high false-positive rates. Credentialed scans, by contrast, provide the vulnerability scanner with privileged credentials, allowing it to probe the inside of the target system (workstation, server or network device) for weak passwords, security configuration issues, and misconfigured databases or applications.
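The following added example (not code from the original post or from any scanner product) shows the mechanics behind the two paragraphs above: a scan engine connects, reads a banner, infers a version and compares it with a table of fixed versions, and why that verdict is only a guess. The service, its banner, the product name `ExampleSSHd`, the `FIXED_IN` table and the `package_db` facts handed to the credentialed re-check are all constructed for this demonstration; no real product or CVE is involved. The false positive it demonstrates is the classic one: a vendor backports the fix without bumping the version string in the banner, so only a check with host access can clear the finding.

```python
"""Added example (not from the original post): an active, banner-based check and the
credentialed re-check that corrects its false positive. The service, banner, product
name "ExampleSSHd", fixed-version table and package facts are all constructed."""
import re
import socket
import threading

# Constructed vulnerability knowledge: product -> first version that contains the fix.
FIXED_IN = {"ExampleSSHd": (1, 4, 3)}


def serve_banner(banner: bytes, connections: int = 1) -> int:
    """Stand up a throwaway local TCP service that greets each client with `banner`."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(connections)

    def handle():
        for _ in range(connections):
            conn, _addr = srv.accept()
            conn.sendall(banner)
            conn.close()
        srv.close()

    threading.Thread(target=handle, daemon=True).start()
    return srv.getsockname()[1]


def grab_banner(host: str, port: int, timeout: float = 3.0) -> str:
    """Non-credentialed probe: connect and read whatever the service volunteers."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(256).decode(errors="replace").strip()


def parse_version(banner: str):
    """Pull 'Product_X.Y.Z' out of a banner; returns (product, (X, Y, Z)) or (None, None)."""
    m = re.search(r"([A-Za-z]+)_(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        return None, None
    return m.group(1), tuple(int(x) for x in m.groups()[1:])


def uncredentialed_check(host: str, port: int) -> dict:
    """Version inference from the banner alone: cheap, but banners can be stale
    (vendor backports, custom builds), so confidence is low either way."""
    product, version = parse_version(grab_banner(host, port))
    vulnerable = product in FIXED_IN and version < FIXED_IN[product]
    return {"product": product, "version": version,
            "vulnerable": vulnerable, "confidence": "low"}


def credentialed_check(finding: dict, package_db: dict) -> dict:
    """Re-check with host access. `package_db` stands in for what the scanner would
    read after logging in (the package manager's records); that is an assumption of
    this example, not a real scanner API."""
    rechecked = dict(finding, confidence="high")
    pkg = package_db.get(finding["product"], {})
    if finding["vulnerable"] and pkg.get("backported_fix"):
        rechecked["vulnerable"] = False
        rechecked["note"] = "fix backported by vendor; banner version unchanged"
    return rechecked


def demo():
    """Run both checks against a constructed host whose banner is stale."""
    port = serve_banner(b"ExampleSSHd_1.4.2 ready\r\n")
    guess = uncredentialed_check("127.0.0.1", port)
    # Constructed package facts: same version string, but the vendor backported the fix.
    facts = {"ExampleSSHd": {"version": "1.4.2", "backported_fix": True}}
    return guess, credentialed_check(guess, facts)


if __name__ == "__main__":
    before, after = demo()
    print("non-credentialed:", before)
    print("credentialed:    ", after)
```

Running `demo()` shows the banner check flagging 1.4.2 as vulnerable with low confidence and the credentialed re-check clearing it; in a real program the confidence field is what lets you decide which findings need a human or a credentialed pass before they go on the remediation list.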
Passive scanning is a method of vulnerability detection that relies on information obtained from network data captured on a network without direct interaction with the targets. Packet sniffing and network monitoring tools can be used for passive scanning to reveal information such as operating systems, known protocols running on non-standard ports, and active network applications with known bugs. Passive scanning may be conducted by a network administrator looking for security vulnerabilities or by an intruder as a preliminary to an active attack. Passive scanning is a good approach for critical networks (such as industrial control systems and SCADA networks), since it does not affect their availability.
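As an added example of the passive approach (not code from the original post or any monitoring product), the block below builds a host inventory purely from observed traffic: nothing is sent to the targets. The capture is a constructed, simplified summary of server-to-client packets (source IP, source port, IP TTL, first payload bytes) rather than a real pcap, and the TTL-to-OS mapping is the usual heuristic, not proof. It recovers the three things the paragraph lists: an OS guess, protocols identified by their first bytes regardless of port, and a flag for known protocols on non-standard ports.

```python
"""Added example (not from the original post): passive inventory from captured
traffic only. The capture is a constructed, simplified packet summary, not a pcap;
the TTL-to-OS table is a common heuristic, not proof."""
from collections import defaultdict

# Constructed capture: (src_ip, src_port, ttl, first payload bytes) per observed server packet.
CAPTURE = [
    ("10.0.0.5", 22, 64, b"SSH-2.0-"),
    ("10.0.0.5", 8080, 63, b"HTTP/1.1 200 OK\r\n"),
    ("10.0.0.9", 2222, 128, b"SSH-2.0-"),
    ("10.0.0.9", 445, 127, b"\x00\x00\x00\x45\xffSMB"),
    ("10.0.0.12", 102, 255, b"\x03\x00\x00\x16"),   # TPKT framing, typical of ICS traffic
]

# Protocol fingerprints in the first bytes a server sends; checked regardless of port.
SIGNATURES = [(b"SSH-2.0-", "ssh"), (b"HTTP/1.", "http"), (b"\xffSMB", "smb"), (b"\x03\x00", "tpkt")]
STANDARD_PORTS = {"ssh": 22, "http": 80, "smb": 445, "tpkt": 102}


def guess_os(ttl: int) -> str:
    """Infer OS family from the observed TTL: hosts start at 64 (Linux/Unix), 128
    (Windows) or 255 (network gear, embedded) and lose one per hop on the way."""
    if ttl <= 64:
        return "linux/unix"
    if ttl <= 128:
        return "windows"
    return "network/embedded"


def identify(payload: bytes) -> str:
    """Match the first bytes of a response against the known protocol fingerprints."""
    head = payload[:16]
    return next((name for sig, name in SIGNATURES if sig in head), "unknown")


def passive_inventory(capture):
    """Group observations per host: OS guess plus services, flagging non-standard ports."""
    hosts = defaultdict(lambda: {"os": None, "services": []})
    for ip, port, ttl, payload in capture:
        proto = identify(payload)
        hosts[ip]["os"] = guess_os(ttl)
        hosts[ip]["services"].append({
            "port": port,
            "proto": proto,
            "nonstandard_port": proto != "unknown" and STANDARD_PORTS[proto] != port,
        })
    return dict(hosts)


if __name__ == "__main__":
    for ip, info in passive_inventory(CAPTURE).items():
        print(ip, info["os"], [(s["port"], s["proto"], s["nonstandard_port"]) for s in info["services"]])
```

The SSH listener on port 2222 and the HTTP service on 8080 are the kind of finding a port-centric active scan configured for default ports would miss entirely, while the ICS host on 10.0.0.12 is inventoried without a single packet being sent to it.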
Agent scanning has emerged as an alternative to traditional network scanning tools. As companies adopted work-from-anywhere policies powered by laptops and other portable devices (iPads, Surface devices, etc.), and Infrastructure as a Service (IaaS) cloud vendors enabled flexible, auto-scaling and containerized server architectures, network scanning was no longer sufficient to discover and scan all assets for vulnerabilities. The distributed nature of these paradigms makes it hard even to know where your assets are or what their IP addresses are, which makes it almost impossible to scan for security weaknesses effectively.
Agents run locally on the device (server, laptop, mobile device, etc.) and continuously report the device’s security posture and cyber risks back to a central cloud platform in real time, no matter where the device is located, as long as it is connected to the Internet. Since they run locally, much like a credentialed scan, they can gather in-depth information about the asset, such as the OS version, which applications are running, which network ports are open, which patches are missing, etc.
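The collect-and-report loop described above, as an added example (not the code of any vendor's agent, and not from the original post). It reads the Linux `/proc/net/tcp` table to find listening ports, the same source a local agent would use for "which network ports are open"; a constructed copy of that table is embedded so the parsing runs on any platform. The posture is hashed so a heartbeat is only sent when something changed, which is how a continuously reporting agent avoids flooding the central platform. The report format and the `send` hook are assumptions of the example, not a real agent protocol.

```python
"""Added example (not from the original post): a host agent's collect-and-report loop.
Parses the Linux /proc/net/tcp listening table (a constructed copy is embedded),
hashes the posture and reports only on change. Report format and `send` are assumed."""
import hashlib
import json
import platform
import socket
from datetime import datetime, timezone
from pathlib import Path

# Constructed /proc/net/tcp excerpt: two listeners (st 0A) and one established connection (st 01).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   999        0 2 1 0000000000000000 100 0 0 10 0
   2: 0A00000F:B3E4 5E1F3A0C:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 3 1 0000000000000000 100 0 0 10 0
"""
LISTEN = "0A"   # TCP state code for LISTEN in /proc/net/tcp


def parse_proc_net_tcp(text: str):
    """Return (ip, port) for every listening socket; addresses are little-endian hex."""
    listening = []
    for line in text.splitlines()[1:]:                 # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != LISTEN:
            continue
        hex_ip, hex_port = fields[1].split(":")
        ip = socket.inet_ntoa(bytes.fromhex(hex_ip)[::-1])
        listening.append((ip, int(hex_port, 16)))
    return listening


def collect_posture(proc_net_tcp=None) -> dict:
    """Gather, from the host itself, the facts a credentialed scan would want."""
    if proc_net_tcp is None:
        path = Path("/proc/net/tcp")
        proc_net_tcp = path.read_text() if path.exists() else SAMPLE_PROC_NET_TCP
    return {
        "hostname": socket.gethostname(),
        "os": platform.platform(),
        "listening": sorted(parse_proc_net_tcp(proc_net_tcp)),
    }


def posture_hash(posture: dict) -> str:
    """Stable digest of the posture, so unchanged hosts need not be re-sent."""
    canonical = json.dumps(posture, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def report_if_changed(posture: dict, last_hash, send=print):
    """One agent heartbeat: send a timestamped report only when the posture changed.
    Returns (current_hash, sent)."""
    digest = posture_hash(posture)
    if digest == last_hash:
        return digest, False
    send(json.dumps({"collected_at": datetime.now(timezone.utc).isoformat(),
                     "posture_sha256": digest, "posture": posture}))
    return digest, True


if __name__ == "__main__":
    h, sent = report_if_changed(collect_posture(), None)    # first run: always sends
    h, sent = report_if_changed(collect_posture(), h)       # unchanged: suppressed
    print("second heartbeat sent:", sent)
```

A production agent would add package and patch inventory to the same posture dict and would authenticate and encrypt the `send` channel; the change-detection pattern stays the same.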
Agents work where it’s not possible or practical to do network scanning. They are our preferred method for assets like dynamic-IP client machines, remote/roaming users, static and ephemeral cloud instances, and systems sensitive to external scanning. But the technology used for agent-based scanning needs to be robust and easy to deploy and update, with flexible enterprise management and reporting features. Using our preferred VM platform, Qualys, we have helped many clients deploy agents to thousands of assets and run an effective VM program.
Application security scanners are used to discover and catalog web applications in your network and perform dynamic scans at the application layer (over HTTPS) to discover security vulnerabilities. Modern web application scanners can scan web applications as well as the SOAP and REST API services that support mobile apps and rich client apps. A good application scanner like Qualys WAS should detect OWASP Top 10 risks such as SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF) and unvalidated redirects. Some application scanners, like Burp Suite, combine automated scanning with manual testing tools so teams can validate findings and attempt exploits within the same tool.
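To show what "dynamic scan at the application layer" means for one of the OWASP Top 10 items, here is an added example (not code from the original post, Qualys WAS or Burp Suite) of the core check behind reflected-XSS detection: whether user input comes back in the page without output encoding. A throwaway web app is constructed inside the block with one endpoint that echoes a parameter raw and one that HTML-encodes it; the check sends a harmless marker string rather than an attack payload and classifies how it is reflected. The endpoint names, the parameter name `q` and the marker are assumptions of the example.

```python
"""Added example (not from the original post): the core of a DAST check for missing
output encoding, the weakness behind reflected XSS. The web app is constructed here;
endpoint names, parameter name and marker are assumptions, not any scanner's."""
import html
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Benign marker: an unlikely token around the characters that output encoding must neutralise.
MARKER = "zqx<\"'>zqx"


class ConstructedApp(BaseHTTPRequestHandler):
    """Two endpoints built for the demo: /echo reflects raw, /safe HTML-encodes first."""

    def do_GET(self):
        url = urllib.parse.urlparse(self.path)
        q = urllib.parse.parse_qs(url.query).get("q", [""])[0]
        if url.path == "/echo":
            body = f"<p>You searched for {q}</p>"                           # missing encoding
        elif url.path == "/safe":
            body = f"<p>You searched for {html.escape(q, quote=True)}</p>"  # encoded output
        else:
            self.send_response(404)
            self.end_headers()
            return
        data = body.encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):   # silence per-request logging
        pass


def start_app() -> HTTPServer:
    """Serve the constructed app on a random loopback port in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), ConstructedApp)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore env proxies


def check_reflection(base_url: str, path: str, param: str = "q") -> dict:
    """Send the marker in `param` and classify how (or whether) it is reflected."""
    url = f"{base_url}{path}?{urllib.parse.urlencode({param: MARKER})}"
    with OPENER.open(url, timeout=5) as resp:
        body = resp.read().decode("utf-8")
    if MARKER in body:
        verdict = "reflected unencoded: XSS risk"
    elif html.escape(MARKER, quote=True) in body:
        verdict = "reflected, HTML-encoded"
    else:
        verdict = "not reflected"
    return {"path": path, "param": param, "verdict": verdict}


def scan(paths):
    """Spin up the constructed app, run the check on each path, then tear it down."""
    srv = start_app()
    base = f"http://127.0.0.1:{srv.server_port}"
    try:
        return [check_reflection(base, p) for p in paths]
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for finding in scan(["/echo", "/safe"]):
        print(finding)
```

The marker approach is why a scanner can report "reflected, HTML-encoded" as informational rather than as a finding: the fix for `/echo` is exactly what `/safe` already does, encoding untrusted data for the HTML context it lands in.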
Over the last couple of years, scanning tools have evolved to cover risks in the new and evolving world of enterprise IT. Each of these areas is developing through new open-source projects, new startups and new features of existing tools, and each is worth a separate future blog post:
- Cloud security scanners (AWS, Azure, GCP)
- SaaS security scanners (Office365, Google Apps)
- Container security scanners (Kubernetes, docker)
- Serverless security scanners