Vulnerability scanning is a method of identifying vulnerabilities, or weaknesses, in the software and configuration of information technology systems. It is usually performed by software that probes networks and hosts for known vulnerabilities without attempting to exploit them.
The scanning itself is automated, but an operator scopes, runs and interprets it, using tools such as:
- Vulnerability scanners
- Port scanners
- Password (credential) crackers, used to test for weak or default passwords
Vulnerability scanning vs penetration testing
Vulnerability scanning identifies vulnerabilities or weaknesses on a target system. Penetration testing goes one step further: a tester attempts to exploit the vulnerabilities found, chains them together and shows what an attacker could actually reach.
Key differences between vulnerability scanning and penetration testing
- Vulnerability scans locate vulnerabilities without exploiting them. Penetration testers exploit vulnerabilities to gain access to systems and demonstrate the impact.
- Both activities require explicit, written authorization from the system owner before they start. Scans are usually run on a recurring basis by the organization’s own staff or contractors; penetration testers, internal or external, work under a signed scope and rules of engagement and probe more deeply, including manual testing for less obvious weaknesses that an automated scan will not find but that could lead to a breach if left undiscovered.
- Vulnerability scans are repeated on a schedule (weekly, monthly or continuously) so that new exposures are caught as they appear. Penetration tests are point-in-time engagements with a defined time window, and within that window they are far more thorough than a scan on the systems in scope.
Both methods find vulnerabilities that could lead to data breaches if left unchecked; the difference between them lies in how deep each one goes and how often it runs.
How vulnerability scanning works
A network-based scanner runs from a scanning host and probes targets over the network; an agent-based scanner is installed on each host and reports back. Either way, the scanner is configured with the targets, the checks to run and, optionally, the credentials to use.
It then works through its database of checks, probing services that listen on network ports (for example FTP or SSH), web applications and databases, and comparing what it observes (version banners, configuration, installed packages) with known vulnerable states. Each match is reported with the affected host, the evidence and the recommended fix.
If the checks turn up vulnerabilities, for example outdated packages with known security flaws, they are reported so that an administrator can remediate them. That usually means installing updates; where a vendor patch is not yet available, it means a mitigation such as disabling the affected service, restricting who can reach it, or adding a compensating control until the patch ships.
Vulnerability management process
After a scan completes, the findings have to be acted on. Scanner output is a list of weaknesses, not a fix.
Remediation may mean updating packages, changing configuration, or restricting access with firewall rules. Findings should be prioritized by severity, exposure and the importance of the affected asset, assigned to an owner with a deadline, and verified with a rescan once fixed. Done consistently, this reduces the organization’s exposure because the weaknesses an attacker would use have been closed.
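As an added example (not the article’s own code or any vendor’s), here is the prioritization step in working form: each finding is scored from its CVSS base score plus context, given a severity and a remediation due date, and the list is sorted so that work starts where the risk is. The findings, weights and SLA table are constructed for illustration.

```python
"""Prioritization of scanner findings.
Added example for this article, not the article's or any vendor's code.
The findings, weights and SLA table are constructed for illustration."""
from datetime import date, timedelta

# Constructed findings in the shape a scanner export typically has.
FINDINGS = [
    {"host": "web-01", "title": "Outdated TLS library", "cvss": 7.5,
     "exposure": "external", "known_exploited": True, "asset_criticality": "high"},
    {"host": "hr-db-02", "title": "Default administrator password", "cvss": 9.8,
     "exposure": "internal", "known_exploited": False, "asset_criticality": "high"},
    {"host": "kiosk-07", "title": "Missing OS patch", "cvss": 5.3,
     "exposure": "internal", "known_exploited": False, "asset_criticality": "low"},
    {"host": "web-01", "title": "Server header discloses version", "cvss": 0.0,
     "exposure": "external", "known_exploited": False, "asset_criticality": "high"},
]

# Constructed remediation deadlines per severity, in days.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def priority_score(finding):
    """CVSS base score adjusted for context. Internet exposure, evidence of active
    exploitation and asset criticality move the score; informational findings
    (CVSS 0) stay at 0 so they never outrank real vulnerabilities."""
    if finding["cvss"] == 0:
        return 0.0
    score = finding["cvss"]
    if finding["exposure"] == "external":
        score += 1.5
    if finding["known_exploited"]:
        score += 2.0
    score += {"high": 1.0, "medium": 0.0, "low": -1.0}[finding["asset_criticality"]]
    return round(min(max(score, 0.1), 10.0), 1)


def severity(score):
    if score == 0:
        return "informational"
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def triage(findings, today=date(2024, 1, 15)):
    """Return findings ordered by priority, each with a severity and a due date
    (None for informational items, which are tracked but not scheduled)."""
    result = []
    for f in findings:
        score = priority_score(f)
        sev = severity(score)
        due = today + timedelta(days=SLA_DAYS[sev]) if sev in SLA_DAYS else None
        result.append({**f, "score": score, "severity": sev, "due": due})
    return sorted(result, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for r in triage(FINDINGS):
        print(f'{r["severity"]:13} {r["score"]:4}  due {r["due"]}  {r["host"]}: {r["title"]}')
```

The point of the context adjustment is that a raw CVSS score ranks the internal default password above the internet-facing, actively exploited TLS flaw; once exposure and exploitation evidence are added, both land in the critical bucket and the informational header disclosure is kept on the list but never scheduled ahead of them.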
Why you should consider using a vulnerability scan
It’s an affordable and efficient way to find out where your systems are exposed and what security gaps you have.
Scanners are easy to use; a hosted scanner can be operated as a service by the vendor while the customer keeps control over the scope, the schedule and the credentials it is given.
Types of vulnerability scans
There are many types of vulnerability scans that a company can conduct, and each type has its own strengths and weaknesses.
Network-based scanners probe hosts over the network: they discover live hosts, open ports and the services behind them, and infer vulnerabilities from what those services reveal, such as version banners, protocol behaviour and TLS configuration.
Because they only see what is exposed on the wire, they cannot detect local issues such as file permissions, missing patches that leave no trace in a banner, or local privilege escalation paths.
They are also limited by where the scanner sits: hosts on other segments or behind firewalls, and wireless or point-to-point links the scanner cannot reach, will be missed, so the results are only as good as the scanner’s network position.
Host-based scanners run on, or log in to, individual computers and check installed software versions, patch levels, local configuration, file permissions and local accounts for known security flaws.
Because they see the host from the inside, they catch issues a network scan cannot, such as a vulnerable library that no network service advertises, and they avoid false positives where a distribution package already carries a backported fix despite an old-looking version number.
They need local privileges to do this, so the scanning account or agent should be limited to what the checks require and its credentials protected; host firewalls and endpoint protection should stay in place during the scan, with the scanner’s source address allowed through rather than protection switched off.
Wireless vulnerability scanners identify rogue access points and verify that a company’s wireless network is securely configured.
They survey the radio spectrum around the organization’s sites for access points and clients, compare what they find with the inventory of authorized access points, and check the authorized ones for weak settings such as open networks, WEP or WPA with TKIP, default SSIDs and administrative interfaces reachable over the air.
A clean result means no unauthorized access point or weak configuration was found in the surveyed area; it does not mean the wired network is secure, and it says nothing about hosts the survey did not cover.
If an unknown access point is detected, the next step is to work out whether it is simply a neighbour’s network or is actually attached to the corporate LAN, which makes it a rogue access point.
A rogue access point is confirmed by tracing its MAC address to a switch port or by checking whether its clients receive corporate addresses; if it is on the LAN, anyone within radio range can bypass the perimeter firewall, so it should be removed immediately.
There are two types of application scanners: passive and active.
Passive Application Scanning
Passive application scanning does not send test traffic to the application. The scanner observes normal traffic through a proxy, tap or log feed and flags what it can see there: missing security headers, cookies without the Secure or HttpOnly flag, software versions disclosed in responses, and credentials sent in the clear.
Active application scanning
Active application scanning sends its own requests: the scanner crawls the application, then submits crafted inputs (injection payloads, malformed parameters, authentication probes) using automated checks written for specific vulnerability classes, and judges from the responses whether each check succeeded.
Database scanners, like application scanners, come in two types: passive and active.
Passive database scanning
Passive database scanning observes the database without sending test queries: it reviews configuration, privileges, logging and patch level, and monitors query traffic for signs that unauthorized access attempts are being made or that data has been tampered with.
Active database scanning
Active database scanning interacts directly with the application and its database, using automated checks that, for example, inject SQL into input fields on web pages and compare the responses with a baseline request to decide whether the input reaches the query unescaped. Active checks may also probe for other flaws, such as weak authentication, excessive privileges, and injection or buffer-overflow bugs in the code that processes input.
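The active check described above, as an added example that is not part of the original article: a deliberately vulnerable login handler built on an in-memory SQLite database sits next to a parameterised one, and the same differential test (a baseline request that must fail, then injection payloads in the same field) is run against both. A real scanner sends the payloads over HTTP and reads the responses; the handlers, users table and payload list here are constructed for the example.

```python
"""Active SQL injection check against a login handler.
Added example for this article, not the article's or any scanner's code.
The handlers, users table and payload list are constructed; a real scanner
sends the same payloads over HTTP and reads the responses."""
import sqlite3


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'correct horse battery')")
    return db


DB = make_db()


def login_vulnerable(username, password):
    """Deliberately unsafe: user input is pasted into the SQL text, so a quote in
    the password ends the string literal and the rest becomes SQL."""
    query = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    try:
        return DB.execute(query).fetchone()[0] > 0
    except sqlite3.Error:
        return False  # the application hides the SQL error as a failed login


def login_hardened(username, password):
    """Parameterised query: the driver sends values separately from the statement,
    so input cannot change the statement's structure."""
    row = DB.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] > 0


# Constructed tautology payloads; real scanners also use error-based and
# time-based payloads for applications that show no visible difference.
PAYLOADS = ["' OR '1'='1", "' OR 1=1 --", '" OR "1"="1']


def check_sqli(login, username="alice"):
    """Differential test. The baseline (a wrong password) must fail; if an
    injection payload in the same field then succeeds, the field is injectable.
    Returns the first payload that worked, or None."""
    if login(username, "definitely-not-the-password"):
        return None  # baseline already succeeds: inconclusive, do not report a finding
    for payload in PAYLOADS:
        if login(username, payload):
            return payload
    return None


if __name__ == "__main__":
    print("vulnerable handler:", check_sqli(login_vulnerable))  # prints the working payload
    print("hardened handler:  ", check_sqli(login_hardened))    # None
```

Note the baseline step: if the wrong password already logs in, the test is reported as inconclusive rather than as an injection, which is how a scanner keeps broken test accounts from turning into false positives.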
External vs internal vulnerability scans
External scans are run from outside the organization’s network, looking at the perimeter the way an attacker on the internet would. External vulnerability scans typically look at:
- DNS servers
- Web services
and any other service reachable from the internet, to find exploitable weaknesses on the organization’s perimeter.
An internal scan runs from inside the network, with the visibility of an employee’s workstation or a compromised host, and covers the servers, workstations and network devices that are not reachable from the internet, typically using the same automated checks as an active application or database scan.
Many organizations run both because they answer different questions. Internal scans show what an attacker who already has a foothold, or a malicious insider, could reach; because they see far more hosts, they produce many more findings to manage. External scans show the much smaller attack surface an outsider sees, reveal exposures the organization may not know it has, and are the ones most compliance regimes require on a fixed schedule.
Authenticated vs unauthenticated vulnerability scans
An authenticated scan is given credentials (for example an SSH key or a domain service account) so that it can log in to each host and inspect it from the inside: installed packages, patch level, configuration, local users and permissions. It is far more accurate, finding issues that leave no trace on the network and suppressing false positives where a vendor has backported a fix without changing the advertised version number, and it gives a fuller picture of the organization’s security posture (what protections are actually in place).
An unauthenticated scan only sees what a host exposes on the network, which is exactly what an outside attacker sees, but it is less detailed and less accurate: it can miss vulnerabilities and misjudge versions.
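To make the difference concrete, here is an added example (not the article’s code, and not any scanner’s real signature database) that performs the version-based check described under “How vulnerability scanning works” and “Host-based scanners” in both modes: an unauthenticated check that only sees a service banner, and an authenticated check that sees the package manager’s exact version. The products, signatures, banners and package inventory are all constructed; the first host shows the classic false positive where a distribution has backported the fix without changing the upstream version.

```python
"""Version-based vulnerability check, unauthenticated and authenticated.
Added example for this article, not the article's code and not any scanner's
real signature database. Products, signatures, banners and the package
inventory are constructed."""
import re

# Constructed signatures for hypothetical products. A signature fires when the
# upstream version is in [vuln_from, fixed_in). distro_fix records a distribution
# package revision that backported the fix without bumping the upstream version.
SIGNATURES = [
    {"id": "EX-0001", "product": "acme-sshd", "vuln_from": "7.0", "fixed_in": "7.5",
     "distro_fix": {"debian9": "7.4p1-10+deb9u7"}},
    {"id": "EX-0002", "product": "acme-ftpd", "vuln_from": "2.3.4", "fixed_in": "2.3.5",
     "distro_fix": {}},
]


def version_key(text):
    """Reduce '7.4p1' or '10+deb9u7' to the tuple of integers it contains.
    Deliberately simplistic; real scanners implement each distribution's ordering."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


def upstream_vulnerable(sig, version):
    key = version_key(version)
    return version_key(sig["vuln_from"]) <= key < version_key(sig["fixed_in"])


def scan_banner(banner):
    """Unauthenticated check: all that is visible is the version a service advertises."""
    findings = []
    for sig in SIGNATURES:
        m = re.search(re.escape(sig["product"]) + r"[ _/](\d[\w.]*)", banner)
        if m and upstream_vulnerable(sig, m.group(1)):
            findings.append(sig["id"])
    return findings


def scan_inventory(distro, packages):
    """Authenticated check: the package manager's exact version, including the
    distribution revision, is available, so a backported fix is recognised."""
    findings = []
    for pkg in packages:
        upstream, _, revision = pkg["version"].partition("-")
        for sig in SIGNATURES:
            if sig["product"] != pkg["name"] or not upstream_vulnerable(sig, upstream):
                continue
            fix = sig["distro_fix"].get(distro)
            if fix:
                fix_upstream, _, fix_revision = fix.partition("-")
                if ((version_key(upstream), version_key(revision))
                        >= (version_key(fix_upstream), version_key(fix_revision))):
                    continue  # this revision already carries the fix: no finding
            findings.append(sig["id"])
    return findings


if __name__ == "__main__":
    # Constructed host: old-looking banner, but the distribution patched it.
    banner = "SSH-2.0-acme-sshd_7.4p1 Debian-10+deb9u7"
    inventory = [{"name": "acme-sshd", "version": "7.4p1-10+deb9u7"},
                 {"name": "acme-ftpd", "version": "2.3.4-1"}]
    print("unauthenticated:", scan_banner(banner))                   # ['EX-0001'] (false positive)
    print("authenticated:  ", scan_inventory("debian9", inventory))  # ['EX-0002']
```

The banner check flags the SSH daemon because 7.4 falls inside the vulnerable range; the inventory check sees that revision 10+deb9u7 already carries the fix and drops it, while the FTP daemon, which has no backported fix, is reported by both.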
Complementary security measures
Most organizations combine vulnerability scanning with other measures, because scanning finds weaknesses but does nothing to limit the damage when one is exploited.
These may include such things as:
- Application firewalls (WAFs), which block common attack traffic before it reaches the application
- Backup power supply and other redundancy, which protect availability
- Cybersecurity insurance policies, which cover residual risk
The most important thing is that these different types of protection should be carefully mapped out in order to create an effective defense plan for the organization.
How often to scan your systems
Regular vulnerability scans should be run at least quarterly, and weekly or continuously on systems that face the internet or hold sensitive data. PCI DSS, for example, requires quarterly internal and external scans plus a rescan after any significant change, and regulated industries such as healthcare and finance generally expect more frequent scanning still. An annual scan is too infrequent to be useful, since new vulnerabilities are disclosed every day.
Integration into your overall IT strategy
The cybersecurity landscape continues to see dramatic changes and it’s important for organizations of all sizes to integrate a comprehensive security program into their overall IT strategy in order to protect themselves from cybersecurity threats.
An organization whose main concern is opportunistic attacks and the availability of its systems can get by with a lighter schedule: periodic scans of its internet-facing assets and its most important internal systems.
An organization that wants protection against targeted attacks by sophisticated actors, or against insider threats, will need more frequent and more thorough scanning: authenticated internal scans, web application scans, and scans triggered by changes rather than only by the calendar.
Some organizations treat vulnerability scanning purely as hygiene: scans run periodically rather than continuously, because the organization does not want to pay for an ongoing service but still wants basic protection against external attacks and data breaches. This is better than nothing, but new vulnerabilities go unnoticed in the gaps between scans.
Others use it as a compliance control: the environment is scanned to demonstrate compliance with industry requirements such as PCI DSS or ISO 27001, and the scan reports are kept as evidence for auditors.
Common vulnerabilities detected by automated scanning
There are many types of vulnerabilities that can be detected by automated scanning. Some examples include:
- Operating system configuration issues, such as weak or default passwords on administrative accounts
- Outdated applications and patches that have not been applied to the system
- Potentially unauthorized software installed without the company’s knowledge
- Insecure settings that leave an open door to attackers, such as anonymous file shares or unnecessary services
- Missing data encryption – services that accept credentials or data over plaintext protocols (Telnet, FTP, unencrypted HTTP) or use weak TLS configurations, and sensitive data stored without encryption at rest
- Weak network security, such as unnecessary open ports and services exposed to the internet, leaving the company open to data breaches
Things to consider before running your own scan
- What are you trying to scan? This should be a specific list of hosts, networks and applications, with owners, not “everything”.
- Do you have written permission from the owner(s) of these systems? Scanning systems you do not own or are not authorized to test is unlawful in most jurisdictions, and the owner’s sign-off should cover the scope, the time window and the techniques to be used.
- What is the goal? A compliance scan, a baseline before a change, a pre-release check of a new application and a penetration test each call for a different scope, depth and tool; decide this before starting any work.
- What could the assessment do to these hosts? Some checks crash fragile services (embedded devices, old printers, industrial controllers) or flood logs and trip alerts. Agree the scan window, exclude or throttle fragile hosts, warn the operations and security teams so the scan is not mistaken for an attack, and know whom to call if something breaks.
How to prepare for running a vulnerability scan
The following steps should be followed to conduct a vulnerability assessment:
Identify the systems that are going to be assessed
These can include Windows, Unix/Linux, network devices and more. For the scan to produce accurate results the hosts must be reachable from the scanner: host discovery probes (ICMP, TCP to common ports) must not be filtered between scanner and target, and for authenticated checks the management interface (SSH, SMB or WinRM, SNMP on network devices) must accept the scanner’s credentials.
Perform preliminary research before starting your scan
Review event logs from the previous days or weeks for problems that occurred recently, so that anything the scan triggers can be told apart from pre-existing issues. Check for known vulnerabilities in the software installed on the systems. Confirm which accounts and permissions the scan will use and whether remote login is enabled for them; if a shared or default password is in use, change it before the scan rather than sending it across the network one more time.
Select your host and configure authentication information
Select the host you want to scan and configure any necessary settings. This could include selecting a network range or adding an IP address and port to scan.
You should also configure authentication information for your scanning tool. That means a dedicated scanning account with the minimum privileges the checks need, authenticated with an SSH key or a vault-managed password rather than a shared administrative credential, and restricted where possible to logins from the scanner’s own address.
Choose the type of vulnerability scanning to perform
Choose a scan type that matches the goal (discovery, unauthenticated network scan, authenticated host scan, web application scan) and confirm that every system in scope meets the reachability and credential requirements above. Systems that cannot be scanned safely should be excluded explicitly and recorded as a gap rather than silently skipped.
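The preparation steps above come down to three checks a scanner should make before sending a single packet: is the target inside a signed authorization, is that authorization still current, and is now the agreed time for any fragile hosts in the range. As an added example, not the article’s or any tool’s code, here is such a scope gate; the authorization records, networks, fragile-host list and maintenance window are constructed.

```python
"""Scope gate run before a scan starts.
Added example for this article, not the article's or any tool's own code.
Authorization records, target list, fragile hosts and the maintenance window
are constructed for illustration."""
import ipaddress
from datetime import datetime

# Constructed: what the signed authorizations cover and until when.
AUTHORIZATIONS = {
    "AUTH-2024-07": {"owner": "IT operations", "valid_until": "2024-12-31",
                     "networks": ["10.20.0.0/16", "198.51.100.0/24"]},
}

# Constructed: hosts whose owners allow scanning only in the maintenance window.
FRAGILE_HOSTS = {"10.20.5.10": "legacy PLC gateway"}
MAINTENANCE_WINDOW = range(2, 5)  # 02:00 to 04:59 UTC


def authorization_for(net, now):
    """Return the reference of a current authorization that covers the whole
    target network, or None."""
    for ref, auth in AUTHORIZATIONS.items():
        if now.date().isoformat() > auth["valid_until"]:
            continue  # expired: an old sign-off is no sign-off
        for cidr in auth["networks"]:
            allowed = ipaddress.ip_network(cidr)
            if allowed.version == net.version and net.subnet_of(allowed):
                return ref
    return None


def plan_scan(targets, now_iso):
    """Split targets into scan / rejected / deferred, with a reason for each.
    now_iso is the current time as an ISO 8601 string, e.g. '2024-06-01T14:00:00'."""
    now = datetime.fromisoformat(now_iso)
    plan = {"scan": [], "rejected": {}, "deferred": {}}
    for target in targets:
        try:
            net = ipaddress.ip_network(target, strict=False)
        except ValueError:
            plan["rejected"][target] = "not an IP address or CIDR range"
            continue
        ref = authorization_for(net, now)
        if ref is None:
            plan["rejected"][target] = "outside every current authorization"
            continue
        fragile = [ip for ip in FRAGILE_HOSTS if ipaddress.ip_address(ip) in net]
        if fragile and now.hour not in MAINTENANCE_WINDOW:
            plan["deferred"][target] = (f"contains {FRAGILE_HOSTS[fragile[0]]} "
                                        f"({fragile[0]}); maintenance window only")
            continue
        plan["scan"].append({"target": target, "authorization": ref})
    return plan


if __name__ == "__main__":
    demo = ["10.20.1.0/24", "10.20.5.0/24", "198.51.100.20", "203.0.113.5", "not-a-host"]
    for bucket, items in plan_scan(demo, "2024-06-01T14:00:00").items():
        print(bucket, items)
```

Recording the authorization reference next to each target that passes the gate gives the scan log the evidence the “do you have permission” question asks for; a target that falls partly outside the authorized ranges is rejected as a whole rather than trimmed, so the operator has to fix the scope consciously.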
Advantages of vulnerability scanning
- A vulnerability scan feeds asset inventory and disaster recovery planning by showing which systems exist, which are critical, and which need patching before an incident rather than after it.
- Scans are also helpful for compliance: if you are mandated to scan by regulation or contract, or want to show that customer data is protected, scan reports are the evidence auditors ask for.
- It identifies the weaknesses in a system (or systems) and the risk they pose, so that remediation effort goes where the risk actually is.
- It can surface signs of trouble, such as an unexpected open port, a new service or a changed configuration, that warrant a closer look. It is not an intrusion detection system, but a scan result that disagrees with the asset inventory is worth investigating.
- The results show where you are most exposed, which is exactly the information needed to decide where extra protection or a compensating control (network segmentation, a WAF, stricter access) is worth the cost.
Disadvantages of vulnerability scanning
- The time and labor costs can be significant, especially if there are many systems or endpoints to scan.
- Vulnerability scanning tools only detect vulnerabilities – they don’t fix them. You need a plan in place for how you’ll apply the patches once identified, which might include scheduling downtime or some other process.
- Not every threat shows up in a scan, because scans look for known vulnerabilities with recognisable signatures. Undisclosed (zero-day) flaws, business-logic errors in custom applications, and weaknesses that depend on how people use a system will not be reported, so a clean scan is not the same as a secure system.
Frequently asked questions about vulnerability scanning
Which areas does vulnerability scanning cover?
Vulnerability scans are typically designed to analyze the following areas:
- Commonly exploited applications
- Web browser configuration
- Password strength of accounts found
- Potentially missing updates and patches
Why is vulnerability scanning important?
Vulnerability scanning is important because software and mobile apps are routinely released without thorough security testing. These products may contain no malicious code, yet still be open to attackers looking to steal data or take control of a system, and the same goes for the servers and workstations that run them.
Vulnerability scans will help you:
- Identify security gaps – most organizations do not have the staff to keep up by hand with attackers who constantly try new techniques, so automated, repeatable checks are essential
- Detect unpatched software – which gives the business time to patch before attackers get around to trying the published exploit
- Find weaknesses in your own software before release – scanning a pre-production deployment catches misconfigurations and common web flaws before a wider audience (and attackers) see them
- Show what an attacker would find first – exposed services, guessable passwords, known exploitable versions and injection points, which is where a real attack would start
How to prevent malicious vulnerability scanning?
- Know who is probing you: log connection attempts at the perimeter and correlate them by source address, so that scanning activity stands out from normal traffic
- Monitor traffic at multiple layers of the stack: firewall logs show port sweeps, web server and WAF logs show application-level probing, and an IDS can match known scanner signatures
- Drop spoofed packets at the edge with ingress and egress filtering (packets arriving from outside with internal source addresses, or leaving with addresses that are not yours), so that scans cannot hide behind forged sources
- Close unused ports and disable unused services on firewalls, switches and routers, and rate-limit or block sources that sweep many ports; the less that is exposed, the less a scan reveals
- Keep your own scanners on an allow list with known source addresses and a schedule, so that authorized scanning can be told apart from hostile scanning, and protect the scanner’s credentials and results, since together they are a map of your weaknesses
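The monitoring bullets above can be implemented as a simple detection: count distinct destination ports per source within a short window, ignore your own authorized scanners, and alert on sources that cross a threshold. The following is an added example, not the article’s or any product’s code; the log format, sample lines, allow list and thresholds are constructed, and the last sample source shows the caveat that a slow scan spread over hours stays under a 60-second window and needs a longer-term counter to catch.

```python
"""Port-scan detection over firewall deny logs.
Added example for this article, not the article's or any product's code.
The log format, sample lines, allow list and thresholds are constructed."""
import re
from collections import defaultdict
from datetime import datetime

LINE = re.compile(r"^(?P<ts>\S+) DENY src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
                  r"proto=\w+ dport=(?P<dport>\d+)$")

AUTHORIZED_SCANNERS = {"198.51.100.50"}   # the organization's own scanner
WINDOW_SECONDS = 60
PORT_THRESHOLD = 15


def _line(ts, src, dport):
    return f"{ts} DENY src={src} dst=198.51.100.10 proto=tcp dport={dport}"


SAMPLE_LOG = (
    # constructed: an outside host sweeping 20 ports within ten seconds
    [_line(f"2024-03-02T10:00:{i % 10:02d}Z", "203.0.113.7", 20 + i) for i in range(20)]
    # constructed: the authorized scanner doing a much bigger sweep
    + [_line(f"2024-03-02T10:05:{i % 10:02d}Z", "198.51.100.50", 1000 + i) for i in range(40)]
    # constructed: a host that retried two ports an hour apart
    + [_line("2024-03-02T11:00:00Z", "192.0.2.9", 443),
       _line("2024-03-02T12:00:00Z", "192.0.2.9", 80)]
    # constructed: a slow scan, one port every ten minutes, that stays under the window
    + [_line(f"2024-03-02T{12 + i // 6:02d}:{(i % 6) * 10:02d}:00Z", "198.51.100.77", 8000 + i)
       for i in range(20)]
)


def parse(lines):
    """Yield (timestamp, src, dst, dport) for lines that match the format; skip the rest."""
    for line in lines:
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["src"], m["dst"], int(m["dport"])


def detect_scanners(lines):
    """Return {src: max distinct ports seen within WINDOW_SECONDS against one
    destination} for sources that reach PORT_THRESHOLD, excluding authorized scanners."""
    hits = defaultdict(list)
    for ts, src, dst, dport in parse(lines):
        if src not in AUTHORIZED_SCANNERS:
            hits[(src, dst)].append((ts, dport))
    alerts = {}
    for (src, _dst), events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window start forward until it spans at most WINDOW_SECONDS
            while (events[end][0] - events[start][0]).total_seconds() > WINDOW_SECONDS:
                start += 1
            distinct = len({port for _, port in events[start:end + 1]})
            if distinct >= PORT_THRESHOLD:
                alerts[src] = max(alerts.get(src, 0), distinct)
    return alerts


if __name__ == "__main__":
    print(detect_scanners(SAMPLE_LOG))  # {'203.0.113.7': 20}
```

Only the fast sweep from 203.0.113.7 is reported: the authorized scanner is skipped by the allow list, the two retries never reach the threshold, and the slow scan from 198.51.100.77 touches 20 ports but never more than one per window. Catching the last case means keeping a per-source count over hours or days, which is the trade-off between detection latency and the memory the detector has to keep.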
What is a false positive and a false negative in vulnerability scanning?
A false positive is when the scanner reports a vulnerability that is not actually present, for example flagging a version number that the distribution has already patched.
A false negative is when the scanner reports nothing but a vulnerability is actually there.
Neither is harmless: false positives waste analysts’ time and erode trust in the tool, while false negatives leave real exposure in place even though the report says the system is clean.
What types of compliance require vulnerability scanning?
Vulnerability scanning is explicitly required by the Payment Card Industry Data Security Standard (PCI DSS), which calls for quarterly internal and external scans (the external ones by an approved scanning vendor) and rescans after significant changes. The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires an ongoing risk analysis, for which scan results are the usual technical evidence. Other frameworks and contracts may require scanning as well, depending on the organization.
What types of vulnerabilities are scanned?
The primary types of vulnerabilities include:
- Authentication bypasses
- Sensitive information disclosure
- Misconfigurations in servers or networks
The specific checks depend on the industry and on company guidelines. In healthcare, for example, the focus may be on systems holding electronic protected health information (records keyed by identifiers such as social security numbers) that must be protected under HIPAA, so encryption, access control and audit logging are checked. A web application may also be scanned for common configuration issues such as missing security headers and expired or misconfigured TLS certificates.