Scan and Assess Vulnerabilities

Learning Objectives

After completing this unit, you’ll be able to:

Describe a vulnerability assessment analyst's role in performing vulnerability scanning.
Identify the types of vulnerability scans.
Explain how to configure and perform scans.
Explain how to validate identified vulnerabilities to eliminate false-positives.
Describe the difference between vulnerability scanning and penetration testing.

Run Your Vulnerability Scans

Now that you’ve understood and mapped out your system, application data flows, underlying hardware, network infrastructure, and protections, it’s time to configure and run your vulnerability scans. Vulnerability scans look for known vulnerabilities in your systems and report potential exposures. They leverage databases of known vulnerabilities to identify potential flaws or configuration concerns.

Vulnerability scanners are an automated set of security tools that you can use to protect business-critical applications by identifying known weaknesses. They help you gain visibility into the full scope of vulnerabilities on your systems, combined with human analysis and business context for prioritization. Examples of a few vulnerability scanner tools are Tenable, Qualys, and Nikto2.

The results of vulnerability scans help IT professionals identify known and potential vulnerabilities so they can address and manage them. You use vulnerability scanning to verify that your organization’s security practices are working correctly and are effective. What’s more, regular vulnerability scanning is often mandated by industry standards and government regulations to improve the organization's security posture.

Follow Vulnerability Scanning Policies and Procedures

Your organization likely has a security policy that includes requirements addressing vulnerability scanning and remediation in a timely manner. The purpose of this policy is to clarify your organization’s requirements and expectations regarding vulnerability scans and remediation of discovered vulnerabilities, to ensure you meet certain compliance requirements. The policy may cover employees, contractors, vendors, and agents with access to your organization’s information system.

Your vulnerability scanning policy usually applies to remote access devices used to conduct work on behalf of your organization, as well as organization-owned devices connected to the network, and even personally owned devices if used to conduct organizational business.

The policy also typically lists approved scanning tools and procedures, and requires organizational units to conduct vulnerability assessments of their networked computing devices on a periodic basis.

Your vulnerability scanning policy typically includes guidelines for conducting vulnerability assessments on new information systems before they are placed in production. It may also address scanning limitations like nonintrusive scans, or when to scan so that different business units are not adversely impacted. Finally, it documents procedures for remediation of vulnerabilities, and lays out timelines for remediation of vulnerabilities based on risk. It’s your guiding light when performing vulnerability scans.

Types of Vulnerability Scans

Kelly is a vulnerability assessment analyst who needs to scan assets at her computer software company as part of their vulnerability management program. She has a variety of tools and products she can use. Let's take a closer look.

Network-based scans perform a detailed analysis of an enterprise’s critical network and system infrastructure from the perspective of an external or internal intruder trying to use the network to break into systems.
Cloud-based scans discover and remediate security weaknesses in cloud deployments through asset discovery and vulnerability scanning.
Host-based scans find vulnerabilities in workstations, servers, or other network hosts, and provide visibility into configuration settings and patch history.
Wireless scans identify rogue access points and validate that a company’s network is securely configured.
Application scans detect known software vulnerabilities and misconfigurations on web applications.
Database scans identify the weak points and configuration vulnerabilities in databases.

Additionally, Kelly considers whether it makes sense to perform external or internal scans for her purposes.

External/Unauthenticated Scan

Kelly uses this type of scan to identify and fix security vulnerabilities that an adversary can use to gain access to her organization’s network. She performs the scan from outside the organization’s network focusing on IT infrastructure that is exposed to the internet, including web applications, ports, networks, and so forth. She uses this type of scan to detect vulnerabilities in perimeter defenses like open ports or poor configurations of internet-facing applications and systems. In doing so she can gain the perspective of an intruder trying to infiltrate her organization systems from the outside.

Internal/Authenticated Scan

Kelly performs this type of scan from inside the organization’s network. She likely uses administrative credentials to authenticate to a machine to determine the presence of a vulnerability without having to attempt an intrusive scan. She conducts this scan as a “trusted” insider with administrative privileges to harden and protect applications and systems that are not covered by external scans. Doing so, she can identify configuration issues, missing patches, system or application vulnerabilities, and open ports. This type of scan allows her to detect issues such as vulnerabilities that can be exploited by an adversary who has penetrated perimeter defenses, or a malicious insider.

Configure and Perform the Scan

Kelly has reviewed her organization’s policies for scanning and has determined which type of scan she wants to use. Her next step is to configure the vulnerability scanner’s profile based on the types of vulnerabilities she wants to identify. Depending on this selection, scans can take anywhere from 5 minutes to 5 days to run. Analysts should select this profile keeping in mind the potential impact to production systems. For efficient scans, she must configure the scanner to scan specific interfaces, such as IP addresses or ranges, ports, or services. She does so by tuning policies to scan against a certain configuration, looking for exposed services.

Once Kelly configures the scan, she launches it. As a best practice, she schedules the scan after-hours to avoid service interruption. She also takes time to research and implement the configuration best practices for her particular scanning tool. Kelly launches the scan to discover and analyze vulnerabilities, and to characterize risks to networks, operating systems, applications, databases, and other system components. The scan searches digital assets and provides her with a detailed summary of vulnerabilities to act on with their severity levels. Once she has this summary, she collaborates with other security staff and the development and operations teams, who help determine the most effective path for remediation of each vulnerability.

Scans and False-Positives

Kelly also works with security and operations staff to identify false-positives from the vulnerability scan. This is where knowing their environment comes into play. For example, Kelly’s organization has a web application that allows users to input information about home energy usage. She wants to make sure users cannot inject malicious code into the application. She scans the application with an automated tool that identifies the input field. The scanner tests to see if an injection attack is possible, by inserting input that contains a delay and monitoring the speed of response. The response takes longer than normal, so the scanner marks the input field as being vulnerable to an injection attack.

As Kelly works to review the summary of vulnerabilities that the scanner found, she uses a range of inputs with different delays to see if the response time changes correspondingly, while examining the output. She finds that the response time is consistent, verifying that the vulnerability was a false-positive.

Vulnerability Scanning Versus Penetration Testing

This example illustrates that while automated vulnerability scanning is a great tool, manual/human testing (or penetration testing) is just as important. After Kelly has completed automated scanning, she follows up with a scheduled penetration test that simulates attacks to detect other weaknesses in the architecture of her organization’s IT network, which automated scanning may miss.

A robot, representing an automated scan, and a person holding a magnifying glass, representing a penetration tester.

Kelly knows it’s never a good idea to trust solely her scanner as the lone source of truth to detect security issues. While vulnerability scanners are a valuable tool, they have three major gaps compared to manual penetration testing.

As we’ve discussed, vulnerability scanners may produce false-positives. This means that a scanner-generated finding can’t be trusted until manually verified.
Vulnerability scanners don’t know how to identify many security flaws that usually require human understanding of the business logic (for example, a vulnerability that allows a user to bypass authorization mechanisms to gain illicit access to sensitive data).
Vulnerability scanners are not adept at identifying security flaws that can’t be strictly defined by a systemic pattern (or list of patterns). For example, if a zero-day vulnerability exists that has not been made public, an attacker may be able to exploit this to compromise your sensitive data, and do so undetected by a vulnerability scanner.

Depending on your organization, you may conduct penetration testing yourself, or work with other security professionals to do so.

Knowledge Check

Ready to review what you’ve learned? The knowledge check isn’t scored—it’s just an easy way to quiz yourself. To get started, drag the description in the left column next to the appropriate type of scan option on the right. When you finish matching all the items, click Submit to check your work. To start over, click Reset.

Great work! Now that you’ve scanned for vulnerabilities, it’s time to integrate and analyze the data and come up with actionable results prioritized based on context. You’ll learn more in the next unit.

ヘルプをお探しですか?