A Vulnerability Scanner: What They Are And How They Work
The Vulnerability Scanning Process
A vulnerability scanner sends requests to the target asset, whether that is a laptop, server, or application, and analyses the responses it receives.
The responses reveal the open and accessible services, the operating system version in use, the versions of running software, and other details.
That information is then compared against a database of known vulnerabilities to highlight the security issues the asset is likely affected by. Because many checks match on an advertised version string rather than on the flaw itself, a reported issue is an indication to be confirmed, not proof of exploitability.
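The request, fingerprint and database-lookup steps described above, written out as a miniature scanner. This is an added example, not the article's or any vendor's code: the host responses, the product fingerprints and the "known vulnerability" database (placeholder IDs and illustrative version ranges) are all constructed for the example.

```python
"""Miniature banner-based vulnerability check (added example).

Mirrors the scanning process: take a response, fingerprint the product and
version, then look the version up in a database of known vulnerabilities.
All hosts, banners, IDs and version ranges below are constructed placeholders.
"""
import re
from dataclasses import dataclass

# Constructed responses, as a scanner would receive them from hypothetical hosts.
SAMPLE_RESPONSES = {
    "10.0.0.5:22": "SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5\r\n",
    "10.0.0.5:80": "HTTP/1.1 200 OK\r\nServer: Apache/2.4.49 (Unix)\r\n\r\n",
    "10.0.0.9:80": "HTTP/1.1 200 OK\r\nServer: nginx/1.24.0\r\n\r\n",
}

# Constructed vulnerability database: product -> (id, first affected version,
# first fixed version, severity). IDs are placeholders, not real advisories.
VULN_DB = {
    "openssh": [("EXAMPLE-0001", (8, 0), (8, 3), "high")],
    "apache": [("EXAMPLE-0002", (2, 4, 49), (2, 4, 51), "critical")],
    "nginx": [],
}

# Fingerprint patterns mapping a raw response to a product and version string.
FINGERPRINTS = [
    (re.compile(r"^SSH-2\.0-OpenSSH_(\d+(?:\.\d+)*)"), "openssh"),
    (re.compile(r"^Server: Apache/(\d+(?:\.\d+)*)", re.M), "apache"),
    (re.compile(r"^Server: nginx/(\d+(?:\.\d+)*)", re.M), "nginx"),
]


@dataclass
class Finding:
    target: str
    product: str
    version: tuple
    vuln_id: str
    severity: str


def parse_version(text: str) -> tuple:
    """'2.4.49' -> (2, 4, 49). Tuples compare numerically; strings would not
    ('2.4.9' > '2.4.49' as text, which is wrong)."""
    return tuple(int(part) for part in text.split("."))


def fingerprint(response: str):
    """Return (product, version tuple) for a recognised banner, else None."""
    for pattern, product in FINGERPRINTS:
        match = pattern.search(response)
        if match:
            return product, parse_version(match.group(1))
    return None


def affected(version: tuple, first_affected: tuple, fixed: tuple) -> bool:
    """Affected when first_affected <= version < fixed."""
    return first_affected <= version < fixed


def scan(responses: dict) -> list:
    """Fingerprint every response and report database matches."""
    findings = []
    for target, response in responses.items():
        identified = fingerprint(response)
        if identified is None:
            continue  # unrecognised service: no claim is made, no finding raised
        product, version = identified
        for vuln_id, first_affected, fixed, severity in VULN_DB.get(product, []):
            if affected(version, first_affected, fixed):
                findings.append(Finding(target, product, version, vuln_id, severity))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_RESPONSES):
        ver = ".".join(map(str, f.version))
        print(f"{f.target}: {f.product} {ver} -> {f.vuln_id} ({f.severity})")
```

Note that the OpenSSH banner is reported as affected purely because "8.2" falls inside the range; a distribution that backported the fix without changing the banner would produce the same output, which is exactly how version-matching scanners generate false positives.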
This article includes information regarding Tenable products. Forge Secure is now a Tenable partner and reseller which should be taken into account with any reviews or recommendations.
The Types Of Vulnerabilities Scanners Identify
The vulnerabilities a scanning tool can identify depend on the individual scanner and the assets it is designed to scan.
Most tools aim to identify missing patches and security misconfigurations in the target asset, but some vulnerability classes are specific to certain asset types, such as cloud environments and web applications.
For example, an infrastructure vulnerability assessment of your laptops, desktops, and servers will report missing patches, security misconfigurations, and potential issues with user accounts and weak passwords.
A web application or API scanner will additionally highlight application-specific vulnerabilities such as Cross-Site Scripting and SQL Injection.
The Importance Of Vulnerability Scanning Tools
New vulnerabilities continue to be identified. The National Vulnerability Database (NVD) has over 26,000 new vulnerabilities reported this year alone, as of August 2024.
Around half of businesses in the UK have also reported experiencing some form of cybersecurity incident in the last 12 months, according to government statistics.
Attackers most commonly conduct untargeted attacks. These do not single out a specific company or individual; instead they target as many people and companies as possible, on the basis that a small percentage of attempts will result in successful exploitation.
Your business can fall victim to these untargeted attacks if basic security practices are not in place: configuring all your devices to a secure standard such as the CIS benchmarks, and conducting regular vulnerability scans to keep pace with a continually changing vulnerability landscape.
Automated Vulnerability Scanning
New threats and vulnerabilities are continually identified by security researchers, and these reported security flaws are used to update a vulnerability scanner's database of known vulnerabilities.
Conducting regular, automated, and scheduled scans of your assets is an important part of your vulnerability management program as it helps to identify these newly reported security issues and ensures your assets stay protected over time.
Depending on your specific asset and how critical its security is to your business, daily, weekly, or monthly scans may be appropriate to help maintain your asset security.
Vulnerability Prioritization of Scanning Results
As vulnerability scanning tools produce results and highlight security issues that affect your assets, each issue raised needs to be addressed to secure your business.
As the number of vulnerabilities grows, addressing them in a prioritized order becomes essential: resolving security flaws takes time, and not every issue represents a critical vulnerability in your assets.
Vulnerabilities are typically graded by their impact on the security of your business as Low, Medium, High, or Critical. The grading is usually derived from the Common Vulnerability Scoring System (CVSS), which scores vulnerabilities from 0 to 10; under CVSS v3.x the qualitative bands are Low (0.1 to 3.9), Medium (4.0 to 6.9), High (7.0 to 8.9), and Critical (9.0 to 10.0).
Prioritizing critical vulnerabilities over low-risk issues is the default approach, but the business context and location of the affected asset (for example, whether it is internet-facing and how important it is to the business) are important factors for many vulnerabilities, and a High on an exposed, business-critical system can warrant attention before a Critical on an isolated one.
Following a vulnerability prioritization process as highlighted in the following post, can be useful to more effectively secure your business from security threats.
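The banding and context-aware ordering just described, as an added worked example rather than the article's or any product's own method. The CVSS v3.x band thresholds are standard; the exposure and criticality weights, the asset criticality scale (1 to 3) and the sample findings are assumptions constructed for this example.

```python
"""CVSS banding plus business-context prioritisation (added example).

cvss_band() applies the standard CVSS v3.x qualitative bands.
priority() adds a hypothetical bonus for internet exposure and for asset
criticality so that findings are ordered by risk to the business rather
than by raw score alone. Weights, scale and sample data are constructed.
"""
from dataclasses import dataclass


def cvss_band(score: float) -> str:
    """Map a CVSS v3.x base score (0.0-10.0) to its qualitative severity."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


@dataclass
class Asset:
    name: str
    internet_facing: bool  # the asset's "location" from the attacker's view
    criticality: int       # hypothetical scale: 1 (low) to 3 (business critical)


@dataclass
class Finding:
    vuln_id: str
    cvss: float
    asset: Asset


# Hypothetical weights: assumptions for this example, not a standard.
EXPOSURE_BONUS = 1.5
CRITICALITY_STEP = 0.5


def priority(finding: Finding) -> float:
    """Raw CVSS score adjusted for exposure and asset criticality."""
    score = finding.cvss
    if finding.asset.internet_facing:
        score += EXPOSURE_BONUS
    score += CRITICALITY_STEP * (finding.asset.criticality - 1)
    return score


def prioritize(findings: list) -> list:
    """Highest business priority first."""
    return sorted(findings, key=priority, reverse=True)


# Constructed sample findings with placeholder IDs.
PORTAL = Asset("customer-portal", internet_facing=True, criticality=3)
TEST_VM = Asset("build-test-vm", internet_facing=False, criticality=1)
WIKI = Asset("intranet-wiki", internet_facing=False, criticality=2)
VPN = Asset("vpn-gateway", internet_facing=True, criticality=3)

SAMPLE_FINDINGS = [
    Finding("EXAMPLE-0101", 9.8, TEST_VM),  # Critical, but isolated test box
    Finding("EXAMPLE-0102", 8.1, PORTAL),   # High on an exposed crown jewel
    Finding("EXAMPLE-0103", 5.3, WIKI),
    Finding("EXAMPLE-0104", 3.1, VPN),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{priority(f):5.1f}  {cvss_band(f.cvss):8}  {f.vuln_id}  on {f.asset.name}")
```

With these weights the High on the internet-facing customer portal (8.1 + 1.5 + 1.0 = 10.6) is ordered ahead of the Critical on the isolated test VM (9.8), which is the kind of reordering that raw CVSS alone cannot express.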
Vulnerability Scanning Tools
Vulnerability Scanning tools are typically built for one specific asset type such as web applications, cloud infrastructure, or specific operating systems.
For the security of any business, it is important to conduct a security review of all of your assets, as a single security flaw can often be exploited by attackers to gain access to your organization, your accounts, and your data.
It is often more cost-effective to implement a more well-rounded tool which is a complete security solution providing comprehensive coverage of all of your assets, rather than multiple individual products.
Solutions such as the Qualys TruRisk Platform and Tenable One Platform aim to provide a broad range of cover for all business assets.
Attack Surface Management Scanner
While an external network scanning tool aims to conduct vulnerability scans against the specific internet-facing assets you define, an attack surface management tool aims to conduct discovery scans to find additional assets you haven’t defined.
As a company grows, merges, or is acquired, IT assets and resources can accumulate that are not properly tracked or recorded.
In addition to your website's primary domain, there may be subdomains that have been set up, alternative domains that have been registered, open ports and services, and other accessible resources.
An external discovery scan aims to identify every resource your company has that is accessible online. The discovered assets can then be managed correctly, receive vulnerability scans, or be removed if no longer needed.
Solutions such as Tenable Attack Surface Management or Qualys External Attack Surface Management are effective for the management of your external assets.
External Network Vulnerability Scanner
External network vulnerability scanning tools target your internet-accessible systems, to identify what is accessible and review each exposed service for potential vulnerabilities.
Your external systems may include VPN solutions, Web Applications, Remote Administration services, and other solutions your business makes use of which can be connected to over the internet.
As these systems are internet-facing, they will often form the target of an attacker aiming to identify vulnerabilities and gain access to your business.
Conducting regular external assessments can help mitigate potential security risks and avoid exploitation from the most recently identified security vulnerabilities.
Solutions such as Tenable Vulnerability Management or Qualys Vulnerability Management Detection And Response are effective for the management of your external assets.
Internal Network Vulnerability Scanner
Internal networks and vulnerabilities will typically refer to any of your assets that are not directly accessible over the Internet.
While an attacker may not have direct access to your internal assets, security vulnerabilities can still be targeted through a variety of attack types such as Phishing.
It is important to maintain the security of your internal assets to ensure that attackers are not able to escalate their privileges or access within your network, should an initial vulnerability be exploited that grants them access to one of your network-connected devices.
Solutions such as Tenable Vulnerability Management or Qualys Vulnerability Management Detection And Response are effective for the management of your internal assets.
Web Applications Vulnerability Scanner
Dynamic Application Security Testing
DAST aims to replicate the actions of an attacker by interacting with a running application and monitoring its responses for potential web application vulnerabilities.
This type of testing does not review the underlying code of the application, but it can assess behaviour that only appears at runtime, such as how different areas of an application interact with each other and how the application interacts with separate systems.
Static Application Security Testing
SAST security testing is designed to assess the source code that is used by an application. This can be a web application or other system.
As this type of security testing reviews the underlying security of the code an application is built with, it can often be incorporated into the development process of a product.
Development sprints can incorporate both functionality testing and security testing to ensure that at each stage of the development process, the code that is produced is functional and secure.
Both SAST and DAST can help to identify vulnerabilities, while an application is in development and then during its running operation. The two types of testing often complement each other and shouldn’t be considered as alternatives to each other.
Solutions such as Tenable Web App Scanning or Qualys Web Application Scanning are effective for the management of your web applications.
API Vulnerability Scanner
API security testing has many similarities to web application vulnerability testing and can likewise use both SAST and DAST tools.
Websites and APIs often use the same or similar request types; the most notable differences with APIs are the authentication methods they use and the lack of a user-friendly interface for the scanner to crawl.
Many web application security scanners provide options for API security testing, with specific settings to supply the authentication tokens and access permissions the scanner needs to reach your API.
Solutions such as Tenable Web App And API Scanning or Qualys Web Application And API Security are effective for the management of your APIs.
Cloud Infrastructure Vulnerability scanner
As businesses have migrated more of their resources to cloud environments such as Azure, AWS, and Google Cloud, vulnerabilities specific to cloud infrastructure have been identified.
These vulnerabilities can undermine the security benefits expected from migrating a business's resources to the cloud, and as with any other asset, regular vulnerability scanning is needed to find and remove vulnerabilities within your environments.
Cloud security scanning can assess the underlying infrastructure that is in use, such as operating systems and virtual machines.
However, another type of cloud security scanner involves an assessment of how your cloud environment is configured and the user accounts and permissions that have been granted to your accessible resources.
A broad range of cloud-specific security issues can impact your business, and as your cloud environments are always online it is important to ensure their security and minimize any potential for exploitation.
Solutions such as Tenable Cloud Security or Qualys Cloud Workload Protection are effective for the management of your cloud environments.
Open Source Vulnerability Scanner
Open-source tools make their code and development publicly accessible. This allows others to contribute to the tool's development or to create separate forks of the original tool.
As open-source tools often rely on volunteer contributions, their development can be slower and their feature sets narrower than paid-for alternatives.
Many open-source tools also have a commercial edition alongside the free version, with the revenue from the paid version funding development of the free one.
OpenVAS, maintained by Greenbone, is an example of an open-source vulnerability scanner that can be used to conduct infrastructure scans of your external or internal network.
Agent-Based And Network-Based Vulnerability Scanner
Network-Based Vulnerability Scanner
As you scan your business network for vulnerabilities there are often two main methods of scanning.
Network-based vulnerability scanners are installed onto a central device such as a server and are used to scan all other devices connected to the same network.
This type of scanning can be useful as it conducts network discovery scanning to find devices on your network and also assess each found device for vulnerabilities.
Where your business is growing, hasn’t implemented any method to track the devices on your network, and potentially has unknown devices connected to your business network this can be helpful to track each of your assets.
Network scanning can also be useful for specific types of devices where vulnerability scanning software cannot be installed on the device.
Agent-Based Vulnerability Scanner
Agent-based scanners are an alternative to a network vulnerability scanner. With an agent-based scanner, software applications are installed on each of your devices. Each device then performs a vulnerability scan of itself and sends the results to a central location for review.
This type of scanning can be useful where your company has many users who work remotely or travel for work and their devices may not always be accessible from a central vulnerability scanner.
However, agent-based scanning is not intended for network discovery, and it can only cover devices on which the scanning software can be installed.
Penetration testing vs Vulnerability Scanning
While vulnerability scanning is important for any organization to identify security flaws and protect your business, manual penetration testing engagements still form a crucial part of your company's vulnerability detection program.
Vulnerability scanning tools are limited in where they can be deployed and in the types of vulnerabilities they can identify. Business context is rarely built into scanning tools, so the impact ratings they report are often inaccurate for your environment.
Security professionals conducting an assessment will use a combination of scanning tools and manual testing techniques to provide a more in-depth assessment of a particular asset and produce customizable reporting that more accurately reflects your state of security.
Scanning and Penetration testing are both necessary for security testing programs and should be considered complementary to each other, rather than thought of as in opposition to each other.
For more detailed information on the differences between vulnerability scans and penetration tests see the following post here.
False Positives Within Vulnerability Scanners
When conducting vulnerability scans against your systems, it is important to understand the process with which a scanner operates.
As scanners monitor an asset’s responses, they will try to automatically determine a device type, running service, or version information from the received response.
When the received responses do not match what the scanner expects, errors creep into how vulnerabilities are reported. This can produce a false positive, where a vulnerability is listed that your asset is not actually affected by; a common cause is matching on an advertised version string, since a distribution that backports a fix without changing the version number looks vulnerable when it is not.
It can also produce false negatives, where your asset is reported as having no vulnerabilities but is still affected by security issues, for example because a service was not reachable from the scanner or its banner was not recognised.
Understanding the process of a scanner, its limits, and where the scanner may fail is important to your vulnerability management program, as it allows your business to plan manual checks, implement additional security measures, and schedule manual penetration testing engagements to provide more broad coverage of your assets and their potential security flaws.
Unauthenticated Scanning vs Authenticated Scanning
Unauthenticated scans are designed to connect over a network to your assets and assess the security of your systems in the way an attacker may initially view your assets, with no prior authorization.
Authenticated scanning involves providing credentials in the scanner configuration so that it can log in to your asset and run additional security tests against authenticated areas, such as reading the installed package list directly rather than inferring versions from banners.
This can be important to see a more complete set of vulnerability results that your assets may be impacted by.
Unauthenticated scans are useful to view more critical issues that an unauthenticated attacker can exploit, whereas authenticated scans are useful for in-depth and complete coverage, and also to understand the vulnerabilities that may be exploited if a user account were to be compromised.
Both types of scanning are important to conduct, as it helps to visualize your security threats from a range of different perspectives and access conditions.
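The false positive and false negative cases described in the previous section, and the difference between the unauthenticated and authenticated views described in this one, combined into one added example (not the article's or any product's code). The host, package versions, advisory IDs and the `fixed_ids` metadata standing in for a distribution's changelog are all constructed placeholders.

```python
"""Reconciling unauthenticated and authenticated scan results (added example).

The unauthenticated scan reported findings from advertised versions only.
The authenticated inventory is what a credentialed login sees: the real
package version plus metadata (here 'fixed_ids', standing in for a
distribution changelog) recording which advisories a backported build closes.
Reconciliation marks banner-only false positives and adds findings the
network view could not see. All data and IDs are constructed placeholders.
"""
from dataclasses import dataclass, replace


@dataclass
class Finding:
    host: str
    package: str
    vuln_id: str
    source: str           # "unauthenticated" or "authenticated"
    status: str = "open"  # "open" or "false_positive"


# Constructed unauthenticated results (matched on banner version alone).
UNAUTH_FINDINGS = [
    Finding("web01", "openssh-server", "EXAMPLE-2001", "unauthenticated"),
    Finding("web01", "apache2", "EXAMPLE-2002", "unauthenticated"),
]

# Constructed authenticated inventory for the same host.
HOST_INVENTORY = {
    "web01": {
        # Banner still says 8.2, but the package build records the fix.
        "openssh-server": {"version": "1:8.2p1-4ubuntu0.5", "fixed_ids": {"EXAMPLE-2001"}},
        "apache2": {"version": "2.4.41-4ubuntu3", "fixed_ids": set()},
        # Bound to localhost only, so the network scan never saw it.
        "redis-server": {"version": "5:5.0.7-2", "fixed_ids": set()},
    }
}

# Constructed authenticated checks: package -> advisory that applies
# unless the package metadata records it as fixed.
AUTH_CHECKS = {
    "openssh-server": "EXAMPLE-2001",
    "apache2": "EXAMPLE-2002",
    "redis-server": "EXAMPLE-2003",
}


def reconcile(unauth: list, inventory: dict) -> list:
    """Merge network findings with on-host evidence. Inputs are not mutated."""
    results = []
    # 1. Re-check each unauthenticated finding against the installed package.
    for f in unauth:
        pkg = inventory.get(f.host, {}).get(f.package)
        if pkg is not None and f.vuln_id in pkg["fixed_ids"]:
            results.append(replace(f, status="false_positive"))  # backported fix
        else:
            results.append(f)
    # 2. Add anything only the authenticated view can see.
    already = {(f.host, f.package, f.vuln_id) for f in results}
    for host, packages in inventory.items():
        for name, meta in packages.items():
            vuln_id = AUTH_CHECKS.get(name)
            if vuln_id is None or vuln_id in meta["fixed_ids"]:
                continue  # no check, or the build already carries the fix
            if (host, name, vuln_id) in already:
                continue  # network scan already reported it
            results.append(Finding(host, name, vuln_id, "authenticated"))
    return results


def open_findings(results: list) -> list:
    """Findings still requiring action after reconciliation."""
    return [f for f in results if f.status == "open"]


if __name__ == "__main__":
    for f in reconcile(UNAUTH_FINDINGS, HOST_INVENTORY):
        print(f"{f.host} {f.package:16} {f.vuln_id}  {f.source:15} {f.status}")
```

Run on the constructed data, the OpenSSH finding is downgraded to a false positive, the Apache finding stays open, and the Redis finding appears only because the authenticated scan could read the package list; the unauthenticated view alone would have been a false negative for it.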
Vulnerability Management And Vulnerability Scanning
The setup of a vulnerability scanning tool forms one part of an overall vulnerability management program which also includes:
- Identify and Prioritize Your Assets
- Identify and Prioritize Your Vulnerabilities
- Reporting Vulnerabilities To Different Business Teams
- Addressing Vulnerabilities and Verifying The Remediation Process
- Continual Monitoring And Improvement
To effectively manage the vulnerabilities your scanning tools highlight it is important to assign business roles and implement processes that can ensure your security flaws are each resolved.
Conclusion
Vulnerability scanning forms an important part of any company's vulnerability management program. It should cover all of your managed assets and run as an automated, scheduled solution so that newly disclosed vulnerabilities affecting your business are detected as they appear.
Although vulnerability scanning should be conducted, one scanning tool or product often will not work for every business.
There is a wide range of available options for scanning, with different features, and price points, allowing every company to begin implementing some fundamental security practices within their business to improve their overall security posture.
Where you have any further questions regarding different cybersecurity solutions, our consultants are available to address any concerns you may have.