What was the last company you heard about that got hacked? Do you know how the attackers got in? Oftentimes the first step in an attack is to scan the victim's systems for vulnerabilities to exploit. Modern organizations need to regularly evaluate their own systems so administrators can close holes to improve security. One way organizations can do this is to proactively run their own vulnerability scans to discover issues with systems, so the issues can be remediated before an attacker takes advantage of them.
A vulnerability scanner is a computer program that assesses computers, networks, or applications for known weaknesses. These weaknesses are vulnerabilities that attackers can exploit to gain unauthorized access or otherwise cause harm. System administrators constantly patch systems to fix vulnerabilities, but sometimes administrators miss patches. Vulnerability scans catch missed patches, and they can also catch misconfigurations. A misconfiguration is when a system's options have been set incorrectly or sub-optimally, which may lead to vulnerabilities. Examples of misconfigurations include administrator credentials that have not been changed from the defaults, ports that are unnecessarily left open, and incorrect permissions that allow users access that they should not have.
The Importance of Vulnerability Scans
If a system is missing patches and has misconfigured settings that makes it much more vulnerable to attack. It's important to note that patches don't necessarily fix system misconfigurations, so a system that was deployed in a misconfigured state could stay that way indefinitely if no one ever notices the misconfiguration, even if it is patched regularly. A vulnerability scan will reveal the issue so an administrator can adjust the system's configuration to improve security.
Vulnerability scanning is important because systems on the Internet are constantly scanned and attacked. Even if you aren't running vulnerability scans on your Internet-facing systems, someone else is, and they don't have your best interests in mind. The global nature of the internet allows criminals in faraway places to attack your systems with relative impunity, and they are always scanning for unpatched systems to exploit. Even if a patch already exists for a given vulnerability, criminals can exploit the lag time from the vulnerability becoming known and a patch being released to a given system being patched. This is why patching systems in a timely manner is critical and running a vulnerability scan will help reveal missing patches that need to be applied.
The value of vulnerability scanning isn't just limited to Internet-facing systems. It's also useful to run vulnerability scans on internal systems, so that any issues found can be fixed. This improves the security of your internal network and could keep an attacker that has established a foothold inside your internal network from moving from system to system and escalating their privileges.
Vulnerability Scan EVERYTHING
When you scan systems on your internal network, make sure you scan everything. This must include Internet of things (IoT) devices as well as more traditional network-connected devices such as printers. IoT devices and printers often have vulnerabilities, and they probably aren’t patched anywhere near as often as your servers, laptops, and workstations are patched. Printers and IoT devices generally don’t automatically update their firmware, and people don’t always think of them when thinking about patching, so patches that do exist may not get applied. They also have less sophisticated defenses – your printer doesn’t have an antivirus program. It’s important to keep on top of patching these devices, because once attackers compromise one IoT device or printer, they have a base on your network that they can use to move on to attack servers and other systems. At one North American casino that got hacked, the hackers gained access via an internet-connected fish tank.
Some cheap IoT and other devices have unpatched vulnerabilities that will never be fixed for a variety of reasons. Oftentimes it’s not profitable to fix bugs in low-cost IoT devices, so there is no support provided. Or maybe the vendor no longer exists because they went out of business. Or perhaps the device doesn’t meet the minimum specifications to handle a newer version of firmware that fixes the vulnerability. Running a vulnerability scan will highlight these permanently vulnerable devices, so a system administrator can determine if they need to be isolated or removed from the network entirely. In some cases, it may be possible to fix issues by turning off vulnerable services on the device.
Two Types of Vulnerability Scans:
These are run with system credentials to allow the vulnerability scanner to more fully scan systems. For example, someone running an authenticated scan of a Windows Active Directory environment will often use domain administrator credentials when running the scan to allow for a more comprehensive scan. The use of domain administrator credentials allows the scanner to more fully evaluate systems on the domain, because a domain administrator account has a high level of access to systems on the domain.
These do not use any system credentials to scan assets. They often result in a higher number of false positives and provide less detailed results than an authenticated scan. An unauthenticated scan of a Windows Active Directory environment would still produce results, but the scan is run with the access of an unauthenticated user, so it is much more limited in terms of how it can evaluate systems for vulnerabilities. Typically, attackers run unauthenticated scans because they lack credentials, but they are also used by security analysts, often on external assets to simulate the behavior of an attacker.
Fixing and Interpreting Vulnerability Issues
After running a vulnerability scan, you must interpret the results and prioritize what to fix. This is where an experienced IT professional can provide value. Vulnerability scanning tools typically generate a report which will list each system scanned and vulnerabilities found. Most vulnerability scanners include a rating for the severity of each vulnerability and steps to remediate it, which may include links to patches. Smart system administrators focus on fixing the most severe issues first and are able to sort out which "vulnerabilities" reported are actually false positives.
While anyone can run a vulnerability scan, it's the interpretation of the results that's key. The quality of the report generated varies from tool to tool, and the quality of scanning tools themselves vary, so it's critical to have a skilled IT professional to select the correct vulnerability scanning tool, run the scan, review the results, and prioritize and perform remediation work.
Would you like help with vulnerability scanning? Contact iuvo technologies today!