A Vulnerability Scan Guide

The role of a Vulnerability Scan

What is a Vulnerability Scan

A vulnerability scan is an automated tool designed to identify vulnerabilities and security flaws and provide a recommended method to fix these issues and improve your security.

Depending on the specific vulnerability scanning tools used, a vulnerability scan can help highlight security weaknesses across a range of hardware and software assets such as your laptops, servers, and websites.

    This article includes information regarding Tenable products.  Forge Secure is now a Tenable partner and reseller which should be taken into account with any reviews or recommendations.

    Why vulnerability scans are important

    A vulnerability scan forms an important part of your vulnerability management program and helps take a proactive step towards security, working to keep your assets as secure as possible from currently known vulnerabilities and in the face of a continuously evolving set of threats.


    How does a Vulnerability Scan work?

    Vulnerability scanning is the process of automatically identifying and reporting discovered vulnerabilities.

    Depending upon the security tools you are using and the assets you are scanning, the specific scanning process can vary. However, the outline of the process should be consistent for each scanning tool.

    • A vulnerability scanner will confirm a connection is possible to its target
    • The scanning tool will then carry out a series of automated tests and checks
    • The results of each test are automatically processed to identify vulnerabilities
    • The vulnerabilities are reported in the vulnerability scan output

    What do vulnerability scans find?

    The exact range of vulnerabilities that vulnerability scans can find will vary depending upon the specific scanning tool that you use, with a list of infrastructure scanning tools available here.

    It is always recommended to review the vendor’s specific product description to ensure their automated vulnerability scanning tools are designed for identifying security weaknesses that you may be concerned with.

    In general, there are a few types of vulnerability that most scanning tools should be able to identify:

    Outdated Versions. Depending on the scanning tool you are using, it should be able to identify if any of the software products you use are outdated such as an operating system or outdated software. This should also highlight if the specific version you are currently using is affected by known vulnerabilities.

    Vulnerable Configuration. Many products have settings that can be standard or changed to an insecure state. A scanning tool should be able to identify these settings and identify what the setting should be changed to for best practice security settings.

    Insecure Communication Protocols. The method by which data is transferred and communicated can have associated security risks. A scanning tool should be able to identify these insecure communication protocols and highlight the more secure options to use instead.

    Weak Passwords. Whether your system has default credentials or common passwords have been chosen, a scanning tool can often identify these weak passwords and suggest a password change to a more secure alternative.

    Sensitive Data. If your system stores sensitive data and exposes it, a scanning tool can often find this content and suggest either removing the content or putting restrictions in place to make the sensitive data inaccessible.


    Pros and Cons of Vulnerability Scanning

    The Benefits of Vulnerability Scanning

    Vulnerability Scanning is Cost-effective

    Once a vulnerability scanner is set up and running, you can typically run scans as often as you want to, producing daily, weekly, or monthly reports that allow you to accurately track your security.

    Compared to arranging manual penetration testing on a similar schedule, utilizing a scanning tool is a far more cost-effective option.

    Early Detection and Rapid Response

    As you can continually conduct vulnerability scanning against your systems, this will alert you to changes in the state of your security and allow you to proactively react to any detrimental changes.
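
    One way to turn repeated scans into change alerts is to compare each run with the previous one. The sketch below is an added example, not code from this guide or from any scanning product; the `Finding` fields, check names and sample data are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    check_id: str    # hypothetical check name, not a real scanner plugin ID
    rating: float    # impact rating out of ten, as reported by the scanner

def _key(f):
    # Two findings are the same issue if host, port and check all match.
    return (f.host, f.port, f.check_id)

def compare_scans(previous, current, hosts_reached):
    """Classify findings by how they changed between two scan runs."""
    prev = {_key(f): f for f in previous}
    curr = {_key(f): f for f in current}
    changes = {"new": [], "worsened": [], "persisting": [],
               "resolved": [], "unverified": []}
    for k, f in curr.items():
        if k not in prev:
            changes["new"].append(f)
        elif f.rating > prev[k].rating:
            changes["worsened"].append(f)
        else:
            changes["persisting"].append(f)
    for k, f in prev.items():
        if k in curr:
            continue
        # Only call a finding resolved if the scanner reached the host this
        # time; otherwise its absence proves nothing (possible false negative).
        bucket = "resolved" if f.host in hosts_reached else "unverified"
        changes[bucket].append(f)
    return changes

# Constructed sample data: last month's scan and this month's scan.
PREVIOUS = [
    Finding("web01", 443, "insecure-protocol", 5.0),
    Finding("web01", 22, "weak-password", 9.0),
    Finding("db01", 5432, "outdated-version", 7.5),
    Finding("mail01", 25, "vulnerable-configuration", 6.0),
]
CURRENT = [
    Finding("web01", 443, "insecure-protocol", 5.0),
    Finding("db01", 5432, "outdated-version", 9.8),
    Finding("web01", 8080, "default-credentials", 9.0),
]
HOSTS_REACHED = {"web01", "db01"}   # mail01 did not respond to this scan

if __name__ == "__main__":
    result = compare_scans(PREVIOUS, CURRENT, HOSTS_REACHED)
    for status, items in result.items():
        for f in items:
            print(f"{status:<10} {f.host}:{f.port} {f.check_id} ({f.rating})")
```

    The `unverified` bucket keeps an unreachable host from silently dropping out of the report as if its issues had been fixed.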

    Conform to Security Best Practices

    Vulnerability scanning forms part of a set of best practices for managing and maintaining your security and works within a vulnerability management program alongside other best practice security standards to improve your overall state of security.


    The Negatives of Vulnerability Scanning

    Vulnerability Scans Can’t Find All Vulnerabilities

    There are some types of security weaknesses that vulnerability scanning either struggles to find or cannot find.

    Vulnerability scanning tools are very useful and efficient tools. You will typically find that if you arrange manual penetration testing engagements they will still use vulnerability scanners to find many of their reported vulnerabilities.

    This is because the scanning tools will quickly carry out tests faster than an individual can. One of the key differences for manual penetration testing is therefore finding the issues that scanners cannot find.

    Vulnerability Scans Can Produce False Results

    Vulnerability scanners can produce false positives. This is where the scanner will report that you are affected by a vulnerability even though you are not affected by this issue.

    While this can be frustrating to work through and confirm that the finding is a false positive, the more serious issue is where you have a false negative.

    This is where the scanning process does not identify that a vulnerability exists even though you are affected. This can provide a false sense of security, as you may believe yourself to be secure despite being affected by vulnerabilities.

    Although in most cases false positives and false negatives are considered rare, they can happen occasionally. This is why the vulnerability scanning process should not be considered a stand-alone solution for all your security requirements but should be thought of as an important part of an overall security strategy.

    Vulnerability Reports can lack context

    Depending upon your knowledge and experience when reviewing the output of a vulnerability scanning tool, the results can sometimes be unclear or lack context.

    Where this is the case it can often be difficult to understand what the potential impact of an issue is for the systems you manage or the business as a whole.

    In certain circumstances, the recommended fix for security issues may have detrimental impacts on other systems, and so the results should not be considered in isolation.


    Unauthenticated vs Authenticated scans

    Vulnerability scanning tools can often be configured to make use of login details, providing the scanning tool with the ability to gain access to a system. The scanner can then detect vulnerabilities that an unauthenticated scan would not have been able to identify.

    Unauthenticated scans have their place as part of your vulnerability management program, providing valuable insight into what an unauthenticated attacker can access or exploit. Conducting authenticated scans should also form an important part of your overall strategy to maintain secure systems.

    Authenticated vulnerability scans provide greater insight into what the potential security risks are from the perspective of different users.

    For example, suppose you manage a website with a variety of user roles: standard users, which anyone can sign up for; website authors, who regularly update the content of the site; and website admins, who maintain and manage the site as a whole.

    If you only review the security of the site from the perspective of an unauthenticated user, you restrict your knowledge of potential vulnerabilities to a very narrow view.

    If an attacker were to create standard user accounts for your website they may identify critical issues which were not visible to unauthenticated scans.

    If the same attacker managed to identify or guess a set of credentials for one of your website authors, they may also be able to gain further visibility of additional vulnerabilities from an author’s perspective or gain access to critical assets.

    In each of these cases, the possible vulnerabilities identified after authentication would not have been found by carrying out unauthenticated scans alone, but missing them could result in a serious vulnerability being exploited.

    When it comes to vulnerability scanning, it shouldn’t be the case of deciding between unauthenticated vs authenticated scans. Both form an important part of your overall security and provide useful insight into your state of security from different perspectives, allowing you to be more informed about potential security weaknesses.


    The right vulnerability scan for you

    Choosing the right vulnerability scanning tools for your purposes can depend on a few factors.

    What you are trying to conduct a vulnerability scan against is vital to know. Not all vulnerability scanning tools cover all products or systems and selecting the correct tools for your needs should be the first consideration.

    Whether you are looking to assess your internal network, web server, operating system, external access, or other solutions, it is important to select the correct tool for the job that identifies vulnerabilities.

    Some scanning tools offer a broad coverage of as many different systems as possible, but may not provide the best in-depth results for a specific system that you may be concerned with.

    Other scanning products are developed to be more niche, targeting only one specific type of system, which can provide great results for that one target system, but unfortunately leaves you with no security information for the rest of your devices or systems.

    The price should also be a consideration when selecting a vulnerability scanning tool. Some tools can be expensive and you may only have a limited budget to work with. If looking to set up your own vulnerability scanning product to manage costs, the following guide can be used for Tenable Nessus, and an alternative walkthrough is provided for Greenbone OpenVAS.

    If you have to consider multiple scanning tools for each device or system you use, this can strain your budget even further so a single solution with the most coverage may be a preferred option.


    Common Vulnerability Scanning Tools

    The following is a selection of tools that target some of the most common systems and each offers a free trial, allowing you to test if this product would work for you.

    A more detailed list of available infrastructure vulnerability scanning tools is available here, a list of web application vulnerability scanners here, and a more in-depth review between Nessus and OpenVAS is available here.


    3rd Party Scanning vs Scanning Yourself

    Depending upon your knowledge or experience with setting up and running a vulnerability scan, you may prefer to have a third-party security professional manage and maintain the scan for you.

    Many security testing companies will offer a vulnerability scanning service, among a range of other types of security testing services, where they will run the scans and provide you with the results.

    This can be cheaper than a more thorough penetration test and also more cost-effective than investing in multiple scanning tools yourself, but it will limit the frequency at which you can carry out and collect the scan results.

    If you are initially unsure of a scanning product to choose, what the state of your security currently is, or would prefer some advice on what to do with the results of a vulnerability scanner, this can be a useful option if the third party is available to provide some guidance and consultancy.

    This could involve an initial vulnerability scanning assessment provided by a third party, or working towards a security compliance standard that incorporates vulnerability scanning as part of its assessment, such as Cyber Essentials Plus.


    How often should you vulnerability scan

    A single vulnerability scan will provide insight into your security weaknesses at that specific point in time.

    Unfortunately, there is a continual development of newly emerging threats and vulnerabilities, which can change the number and type of security vulnerabilities that your systems may be affected by over time.

    Due to this continual development of security threats, it is always recommended to carry out regular vulnerability scanning against your systems using some vulnerability scanning best practices, to identify if any of the latest threats impact your systems, and help you to proactively resolve these issues if they do.

    The more regularly the vulnerability scans are carried out, the better this can be for your security. However, some scanning tools can slow down the performance of your website or targeted device.

    Also depending upon the type of target, or number of targeted devices, scans can take a significant amount of time to complete.

    Depending on the type of device or system that you are using, security patches and updates may also be released regularly, sporadically, or in response to a new vulnerability being actively exploited.

    Depending upon the release period for patching, you may wish to scan your systems at the same time as the patch release to identify any that may be impacted by the newly identified vulnerability.

    The results of vulnerability scanning also need to be reviewed, and the solutions for a specific issue need to be applied, which, depending on response times to resolve issues, can increase the time taken between scans.

    A balance should therefore be considered for how often you conduct a vulnerability scan, weighed against each of these potential issues.

    While you may consider monthly vulnerability scans of your systems as adequate, you may want to increase or decrease the regularity of this depending upon the type of systems connected.

    Additionally, wherever a security alert is released by your product vendor, you may want to have a reactive response plan in place, rather than potentially wait a week or month to react to a critical security alert.

    Developing a vulnerability management solution can help solve the challenges of scanning, remediation, and verifying vulnerabilities are resolved, with several tools developed to automate this process as described here.


    After running a vulnerability scan

    A vulnerability scanning tool should as a minimum provide you with a set of results in the form of a scanning report. This report should detail the findings of the scan, detailing which security vulnerabilities you are affected by, and providing advice on what you can do to resolve these issues.

    Depending on the scanning tools that are used, you may also be provided with some further useful information, such as a rating for the identified security vulnerabilities.

    This is often an impact rating out of ten or from low to critical, depending upon the specific vulnerability rating systems that are used by the individual scanning tool.

    You may also receive useful links to further details on the security weaknesses which were identified, or links to the guidance provided by a specific vendor to fix the issue on their systems.


    What to do with vulnerability scan results

    With the results of your vulnerability scans, one of the next steps is to try and fix each of the security flaws that were identified.

    While there are a few tools that offer to identify and resolve security weaknesses, most do not provide the option to automatically resolve identified vulnerabilities. The tools that do offer this service will also have limitations, only working with specific types of systems, and are likely to be more expensive than other types of scanning tools.

    You may be in a position where you plan to resolve each of the identified issues yourself, in which case ensure the tools you pick provide detailed explanations of what the security flaws are and provide suitable explanations and links on how to resolve these flaws.

    Alternatively, you may be working with a third party who manages your devices or systems for you. If this is the case, there are a few things to consider.

    First, if the third party manages your systems, do they provide a vulnerability scanning service themselves or are they taking other steps to maintain or secure your systems?

    Additionally, if you can provide the third party with a vulnerability scanning report, will they resolve any identified issues as part of their standard service, or will the work to fix any identified issues incur additional cost?

    After receiving your scanning results, your priority should be to ensure the identified vulnerabilities are worked through and resolved, whether this work is done by you or a third party.

    If there are a large number of identified vulnerabilities a further consideration should also be vulnerability prioritisation. While the impact ratings provided by your scanning tools can help guide this decision, prioritizing your vulnerability remediation can include multiple factors such as the business importance of a specific system impacted by a vulnerability or the type of data that may be compromised as a result of an attacker gaining access.

    This can be managed as part of the vulnerability management lifecycle, which takes into account factors such as device and issue prioritization.
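
    The prioritisation described above can be sketched as a scoring function that combines the scanner's rating with what you know about the affected system. This is an added example, not part of the original guide or any scanner's own scoring; the weights, asset attributes, host names and sample findings are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Assumed weights for illustration; tune them to your own environment.
IMPORTANCE = {"low": 0.5, "medium": 1.0, "high": 1.5}
DATA_TYPE = {"public": 0.8, "internal": 1.0, "personal": 1.3, "payment": 1.5}
INTERNET_FACING = 1.2

@dataclass(frozen=True)
class Asset:
    importance: str        # business importance of the system
    data_type: str         # most sensitive data an attacker could reach
    internet_facing: bool

# A host missing from the inventory gets the most cautious profile, so that
# an untracked system rises up the list instead of being ignored.
UNKNOWN_ASSET = Asset("high", "payment", True)

def priority(rating, asset):
    """Weight the scanner's rating (out of ten) by the asset's context."""
    score = rating * IMPORTANCE[asset.importance] * DATA_TYPE[asset.data_type]
    if asset.internet_facing:
        score *= INTERNET_FACING
    return round(score, 2)

def prioritise(findings, inventory):
    """Return (score, host, issue, in_inventory) tuples, highest score first."""
    ranked = []
    for host, issue, rating in findings:
        asset = inventory.get(host)
        score = priority(rating, asset or UNKNOWN_ASSET)
        ranked.append((score, host, issue, asset is not None))
    return sorted(ranked, key=lambda r: r[0], reverse=True)

# Constructed inventory and scan findings (host, issue, rating out of ten).
INVENTORY = {
    "test-box": Asset("low", "public", False),
    "shop-web": Asset("high", "payment", True),
    "hr-db": Asset("high", "personal", False),
}
FINDINGS = [
    ("test-box", "outdated-version", 9.0),
    ("shop-web", "insecure-protocol", 6.0),
    ("hr-db", "weak-password", 7.0),
    ("unknown-host", "vulnerable-configuration", 5.0),
]

if __name__ == "__main__":
    for score, host, issue, known in prioritise(FINDINGS, INVENTORY):
        note = "" if known else "  (not in inventory)"
        print(f"{score:>6}  {host:<13} {issue}{note}")
```

    With these sample values, the finding with the highest scanner rating ends up last because it sits on a low-importance internal system holding only public data.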


    Conclusion

    Vulnerability scanning forms an important part of a vulnerability management program, but should not be considered as a single solution.

    Managing security can be complex, and requires multiple processes, systems, devices, and people all working together to ensure a fine balance between usability and security.

    Setting up the right vulnerability scanner for you can be a great step towards improving your security, but this should only be a single part of your overall security strategy.

    This strategy should make sure you have the appropriate processes in place to identify security issues, ensure the issues are reported appropriately, and have the right people in place to act upon and resolve issues, all backed up by verifying every step to ensure everything is working as intended.

    Where you have any further questions regarding different cybersecurity solutions, our consultants are available to address any concerns you may have.


    As a rule of thumb, monthly or quarterly vulnerability scanning can be a useful starting point for setting up a scanning solution. However, you may want to adjust this based on the type of system and speed of the scan.

    Being responsive to newly identified vulnerabilities is also recommended, particularly if there is a critical vulnerability that has been reported that may impact your systems.

    A vulnerability scan is not a replacement for a penetration test. While the benefits of a scanning tool can be lower cost and a greater regularity of testing, a manual penetration test is likely to identify more issues than a vulnerability scan alone.

    If you are new to arranging security testing or have multiple solutions that need to be security tested, selecting an order to begin testing can be difficult, especially if you are working within a budget.

    If you prioritize your assets based on how important they are to the business or how critical the information is that is stored there, this can provide insight into where to begin security testing.

    Another consideration for a priority order is where the most likely point of compromise will start. This may be a website or other service that faces the internet, or maybe your desktops and laptops, as phishing is a commonly used exploit.
