What Is Vulnerability Scanning And Why Is It Important?

What was the last company you heard about that got hacked?  Do you know how the attackers got in?  Oftentimes the first step in an attack is to scan the victim's systems for vulnerabilities to exploit.  Modern organizations need to regularly evaluate their own systems so administrators can close holes to improve security.  One way organizations can do this is to proactively run their own vulnerability scans to discover issues with systems, so the issues can be remediated before an attacker takes advantage of them. 

 


Vulnerability Scanning

A vulnerability scanner is a computer program that assesses computers, networks, or applications for known weaknesses.  These weaknesses are vulnerabilities that attackers can exploit to gain unauthorized access or otherwise cause harm.  System administrators constantly patch systems to fix vulnerabilities, but sometimes administrators miss patches.  Vulnerability scans catch missed patches, and they can also catch misconfigurations.  A misconfiguration is when a system's options have been set incorrectly or sub-optimally, which may lead to vulnerabilities.  Examples of misconfigurations include administrator credentials that have not been changed from the defaults, ports that are unnecessarily left open, and incorrect permissions that allow users access that they should not have.

Vulnerability Scanning Types

Internal vs. External Scans:

  • Internal Vulnerability Scans:

    • Conducted within the organization's network.
    • Identifies risks inside the network that could be exploited by an attacker who has penetrated the network perimeter or by an insider threat.
    • Scans for misconfigurations, unpatched software, and insecure user practices.
  • External Vulnerability Scans:

    • Performed from outside the organization's network.
    • Simulates an external hacking or cyber attack.
    • Focuses on the organization's external-facing servers, firewalls, and network infrastructure to find vulnerabilities that could be exploited by external threats.

Intrusive vs. Non-Intrusive Scans:

  • Intrusive Vulnerability Scans:

    • Actively test security mechanisms to find vulnerabilities.
    • Can potentially disrupt the operation of systems or services.
    • Often includes attempts to exploit identified vulnerabilities to determine their potential impact.
  • Non-Intrusive Vulnerability Scans:

    • Passively check systems for vulnerabilities without actively exploiting them.
    • Lower risk of disrupting system performance or operations.
    • Ideal for production environments where maintaining uptime is critical.

Considerations for Conducting Scans:

  • It is crucial to balance the thoroughness of the scan with the potential impact on system performance and user productivity.
  • Scheduled scans during off-peak hours can minimize disruption for intrusive testing.
  • Regularly updating the vulnerability database ensures the scanner can detect the latest known vulnerabilities.
  • Scans should be followed by a risk assessment to prioritize the remediation of detected vulnerabilities based on their potential impact.
  • Comprehensive scanning should include both internal and external scans to cover potential threats from both inside and outside the organization.
  • Documentation and reports generated from scans should be carefully reviewed to inform security posture improvements and compliance with security policies and standards.

Why is Vulnerability Scanning Important?

If a system is missing patches and has misconfigured settings, that makes it much more vulnerable to attack.  It's important to note that patches don't necessarily fix system misconfigurations, so a system that was deployed in a misconfigured state could stay that way indefinitely if no one ever notices the misconfiguration, even if it is patched regularly.  A vulnerability scan will reveal the issue so an administrator can adjust the system's configuration to improve security. 

Vulnerability scanning is important because systems on the Internet are constantly scanned and attacked.  Even if you aren't running vulnerability scans on your Internet-facing systems, someone else is, and they don't have your best interests in mind.  The global nature of the Internet allows criminals in faraway places to attack your systems with relative impunity, and they are always scanning for unpatched systems to exploit.  Even if a patch already exists for a given vulnerability, criminals can exploit the lag between the vulnerability becoming known and a patch being released, and a given system actually being patched.  This is why patching systems in a timely manner is critical, and running a vulnerability scan will help reveal missing patches that need to be applied. 

The value of vulnerability scanning isn't just limited to Internet-facing systems.  It's also useful to run vulnerability scans on internal systems so that any issues found can be fixed.  This improves the security of your internal network and could keep an attacker that has established a foothold inside your internal network from moving from system to system and escalating their privileges. 

Scan All Resources For Vulnerabilities

Effective network security hinges on comprehensive vulnerability scanning, which must include all connected devices, not just computers and servers. This broad approach is vital because even seemingly innocuous Internet of Things (IoT) devices and network printers can be exploited by cyber attackers. It's essential to regularly update and secure these devices to prevent them from becoming unwitting entry points for breaches. Let's examine the essential elements to consider in a thorough vulnerability scanning protocol to safeguard our network ecosystem.
  • Comprehensive Scanning:

    • Ensure every device on the internal network is scanned, not just computers and servers.
  • Inclusion of IoT Devices:

    • Include Internet of Things (IoT) devices in the scanning process.
    • Acknowledge that IoT devices often have vulnerabilities due to infrequent patching.
  • Traditional Network-Connected Devices:

    • Remember to scan devices such as network-connected printers.
    • Understand that these devices usually do not update firmware automatically.
  • Patching Practices:

    • Be aware that printers and IoT devices are often overlooked during patch updates.
    • Actively manage and apply available patches to these devices.
  • Device Defenses:

    • Recognize that devices like printers typically lack sophisticated defenses, such as antivirus programs.
  • Security Implications:

    • Keep on top of device patching to prevent attackers from using them as a base to attack more secure systems.
    • Realize the potential for any networked device, no matter how innocuous, to serve as an entry point for hackers (e.g., a casino's network was compromised through an internet-connected fish tank).

Some cheap IoT and other devices have unpatched vulnerabilities that will never be fixed for a variety of reasons.  Oftentimes it’s not profitable to fix bugs in low-cost IoT devices, so there is no support provided.  Or maybe the vendor no longer exists because they went out of business.  Or perhaps the device doesn’t meet the minimum specifications to handle a newer version of firmware that fixes the vulnerability.  Running a vulnerability scan will highlight these permanently vulnerable devices, so a system administrator can determine if they need to be isolated or removed from the network entirely.  In some cases, it may be possible to fix issues by turning off vulnerable services on the device. 
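The coverage check described in this section can be automated by comparing the asset inventory against what the scanner actually reached. The sketch below is an added example, not code from the original article; the inventory fields, addresses, dates, and the 30-day maximum scan age are all constructed assumptions.

```python
from datetime import date

# Constructed sample data: an asset inventory (for example from DHCP leases
# or a CMDB export) and the last scan date per address from scanner reports.
INVENTORY = [
    {"ip": "10.0.0.10", "kind": "server",  "vendor_supported": True},
    {"ip": "10.0.0.21", "kind": "laptop",  "vendor_supported": True},
    {"ip": "10.0.0.50", "kind": "printer", "vendor_supported": True},
    {"ip": "10.0.0.61", "kind": "iot",     "vendor_supported": False},
    {"ip": "10.0.0.62", "kind": "iot",     "vendor_supported": True},
]
LAST_SCANNED = {
    "10.0.0.10": date(2024, 5, 28),
    "10.0.0.21": date(2024, 3, 1),
    "10.0.0.61": date(2024, 5, 30),
    "10.0.0.99": date(2024, 5, 30),  # answered the scan but is not inventoried
}


def audit_coverage(inventory, last_scanned, today, max_age_days=30):
    """Bucket inventoried assets by scan coverage (max_age_days is an assumed policy)."""
    report = {"never_scanned": [], "stale": [], "isolate_or_remove": []}
    for asset in inventory:
        ip = asset["ip"]
        scanned_on = last_scanned.get(ip)
        if scanned_on is None:
            report["never_scanned"].append(ip)
        elif (today - scanned_on).days > max_age_days:
            report["stale"].append(ip)
        # No vendor fix will ever arrive, so patching is not an option here.
        if not asset["vendor_supported"]:
            report["isolate_or_remove"].append(ip)
    return report


def unknown_hosts(inventory, last_scanned):
    """Addresses the scanner reached that the inventory does not list."""
    known = {asset["ip"] for asset in inventory}
    return sorted(set(last_scanned) - known)


if __name__ == "__main__":
    print(audit_coverage(INVENTORY, LAST_SCANNED, today=date(2024, 6, 1)))
    print("not in inventory:", unknown_hosts(INVENTORY, LAST_SCANNED))
```

In this sample the printer and one IoT device have never been scanned, and the address missing from the inventory is exactly the kind of overlooked device the section warns about.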

Two Types of Vulnerability Scans:   

Authenticated

These are run with system credentials to allow the vulnerability scanner to more fully scan systems.  For example, someone running an authenticated scan of a Windows Active Directory environment will often use domain administrator credentials when running the scan to allow for a more comprehensive scan.  The use of domain administrator credentials allows the scanner to more fully evaluate systems on the domain because a domain administrator account has a high level of access to systems on the domain. 

Unauthenticated

These do not use any system credentials to scan assets.  They often result in a higher number of false positives and provide less detailed results than an authenticated scan.  An unauthenticated scan of a Windows Active Directory environment would still produce results, but the scan is run with the access of an unauthenticated user, so it is much more limited in terms of how it can evaluate systems for vulnerabilities.  Typically, attackers run unauthenticated scans because they lack credentials, but they are also used by security analysts, often on external assets to simulate the behavior of an attacker. 

Fixing and Interpreting Vulnerability Issues

After running a vulnerability scan, you must interpret the results and prioritize what to fix.  This is where an experienced IT professional can provide value.  Vulnerability scanning tools typically generate a report which will list each system scanned and vulnerabilities found.  Most vulnerability scanners include a rating for the severity of each vulnerability and steps to remediate it, which may include links to patches.  Smart system administrators focus on fixing the most severe issues first and are able to sort out which "vulnerabilities" reported are actually false positives. 

While anyone can run a vulnerability scan, it's the interpretation of the results that's key.  The quality of the report generated varies from tool to tool, and the quality of the scanning tools themselves varies, so it's critical to have a skilled IT professional to select the correct vulnerability scanning tool, run the scan, review the results, and prioritize and perform remediation work. 
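One way to combine the points above about authenticated versus unauthenticated scans, false positives, and severity-first remediation is to cross-check the two result sets before building the work queue. This is an added example, not code from the original article; the check ids, host names, and the rule that an unauthenticated finding not reproduced by a credentialed scan of the same host is a likely false positive are assumptions that still call for manual review.

```python
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
STATUS_RANK = {"confirmed": 0, "unverified": 1, "likely false positive": 2}

# Constructed sample findings as (host, check id, severity); ids are placeholders.
UNAUTH = [
    ("web01", "CHECK-TLS-OLD", "high"),
    ("web01", "CHECK-HTTPD-BANNER", "critical"),
    ("print02", "CHECK-DEFAULT-CREDS", "critical"),
]
AUTH = [
    ("web01", "CHECK-TLS-OLD", "high"),
    ("web01", "CHECK-MISSING-PATCH", "medium"),
    ("db01", "CHECK-SHARE-PERMS", "high"),
]
AUTH_SCANNED_HOSTS = {"web01", "db01"}  # hosts the credentialed scan logged in to


def triage(unauth, auth, auth_hosts):
    """Label each finding by how well it is corroborated, then order the work."""
    rows = {(host, check): (sev, "confirmed") for host, check, sev in auth}
    for host, check, sev in unauth:
        if (host, check) in rows:
            continue  # the credentialed scan reported it too
        if host in auth_hosts:
            # The credentialed scan examined this host and did not report it.
            rows[(host, check)] = (sev, "likely false positive")
        else:
            # No credentialed data for this host: a person has to verify it.
            rows[(host, check)] = (sev, "unverified")

    def sort_key(item):
        (host, check), (sev, status) = item
        # Likely false positives go to the end as a review queue; everything
        # else is ordered by severity, then by how well it is corroborated.
        return (status == "likely false positive", SEVERITY_RANK[sev],
                STATUS_RANK[status], host, check)

    return [(host, check, sev, status)
            for (host, check), (sev, status) in sorted(rows.items(), key=sort_key)]


if __name__ == "__main__":
    for row in triage(UNAUTH, AUTH, AUTH_SCANNED_HOSTS):
        print(row)
```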

  

Would you like help with vulnerability scanning?  Contact iuvo today for a FREE IT Assessment!
