On Vulnerability Scan(ner)(ning)
A few days ago, we talked about “vulnerability assessment” and “vulnerability management” in this blog. This time we will focus on “vulnerability scanner” and “vulnerability scanning.” With the intention of linking all these terms, we can say in advance that a vulnerability scanner is a tool with which vulnerability scanning is carried out. This scanning is a form of vulnerability assessment, which is one of the necessary operations within a vulnerability management program. Let’s take a look at the definitions, common classifications, and pros and cons of vulnerability scanners and vulnerability scanning.
What is a vulnerability scanner?
Let’s consider each of the words that make up this term and look at their general meanings before we get into the cybersecurity field. According to the Oxford dictionary, “vulnerability” is “the fact of being weak and easily hurt physically or emotionally.” On the other hand, a “scanner” is a device for examining and taking records of something. We may even find the healthcare definition of this word in the same dictionary helpful: “a machine used by doctors to produce a picture of the inside of a person’s body on a computer screen.”

Now, in the cybersecurity context, a vulnerability can be seen as a weakness within an IT system. A vulnerability usually results from design or configuration problems and, if exploited by attackers, can give them unauthorized and privileged access to the system and let them compromise its operations or assets. A vulnerability scanner is then a device, computer program or testing tool that automatically identifies and reports such weaknesses present in systems (e.g., web and mobile apps, networks, infrastructures and IoT devices).
What is vulnerability scanning?
Vulnerability scanning is precisely the procedure mentioned in the previous paragraph. It is another form of vulnerability assessment that, thanks to automation, allows companies to quickly discover many of their weak points. Typically, vulnerability scanning focuses on identifying, describing and reporting previously known vulnerabilities that are registered in the scanners’ databases. These tools usually review the components and configurations of their predefined targets of evaluation and compare or match them with the information in their databases to identify security issues. Vulnerabilities detected by a scanner can be, for instance, outdated software versions, misconfigurations and non-compliance with security requirements. Sometimes these automated tools also work with specific predefined attack patterns: they send these to the target and compare its responses with those expected in the presence of known vulnerabilities.
How are vulnerability scanners and scanning classified?
The classifications usually found for these terms tend to be neither very clear nor convincing. In the absence of rigorous categories, we decided to present types of scanners according to the targets they evaluate and types of scanning according to their modes of operation:
Types of vulnerability scanners
- Network vulnerability scanners: These tools are responsible for assessing an organization’s entire network. They identify open ports, the services running on those ports and the operating system on the network devices. Following their databases of known vulnerabilities, these scanners detect security issues in devices such as routers, switches, firewalls and servers. Beyond these network-based vulnerability scanners, we can mention host-based vulnerability scanners, which focus specifically on individual network hosts, such as servers or workstations, to identify vulnerabilities in their operating systems, applications and services.
- Web application vulnerability scanners: These tools analyze websites and web apps to detect security issues, specifically in their code and configurations. They can use both the databases of known vulnerabilities and the common attack patterns mentioned above to identify problems or risks such as those in the OWASP Top 10 (e.g., Broken access control, Cryptographic failures and Injection). We can include here static application security testing (SAST) and dynamic application security testing (DAST) tools.
- Open-source components vulnerability scanners: These tools focus on identifying and analyzing all third-party open-source software components and their dependencies for vulnerabilities (i.e., software composition analysis, SCA). The use of outdated components with known vulnerabilities is also listed in the OWASP Top 10 and, as we saw in the State of Attacks, 2022, was the security issue that contributed most to the risk exposure of the companies that Fluid Attacks evaluated in one year.
Types of vulnerability scanning
- Comprehensive and targeted vulnerability scanning: Related to what we noted about network-based and host-based scanners, vulnerability scanning can vary in thoroughness. Comprehensive vulnerability scanning evaluates all the systems that constitute a network. It can detect more vulnerabilities than targeted vulnerability scanning, which concentrates on specific systems, but it requires more analysis time.
- External and internal vulnerability scanning: External vulnerability scanning is performed from outside the perimeter of an organization’s network. These assessments serve to detect vulnerabilities that attackers could exploit from outside the network in order to move “vertically,” that is, to get inside it. Here the tools have to contend with security devices that block traffic. These scans identify open ports, services and vulnerabilities in internet-facing devices such as web and mail servers and firewalls. External scanning is essential for the now so commonly used cloud infrastructure, where scanners must analyze all the assets an organization hosts there. Internal vulnerability scanning is carried out from inside the perimeter of an organization’s network. These assessments are used to detect vulnerabilities that could be exploited by attackers who have already gained access to the network in order to move “laterally” to other systems within it. These scans identify vulnerabilities in internal servers, workstations and other devices that are not visible from the internet. Standards such as the PCI DSS usually require companies to conduct internal and external scans regularly and whenever the network is modified, for example by upgrades or the installation of components.
- Unauthenticated and authenticated vulnerability scanning: These are also referred to as non-credentialed and credentialed vulnerability scanning. Unauthenticated vulnerability scanning does not require login credentials. These scans are limited to identifying vulnerabilities that are visible from the outside. They first detect open ports and services; the scanner then sends packets to them to extract available information, such as software or operating system versions, and, using its database, reports known vulnerabilities that may be present. Authenticated vulnerability scanning requires login credentials. These assessments are more accurate and comprehensive than the previous ones. They collect more detailed or low-level data from the operating system and specific applications and services, as well as configuration details of the evaluated systems. Here the scanners detect vulnerabilities that are only visible after logging in to the system.
Pros and cons of vulnerability scanners and scanning
Today there are many automated tools for vulnerability scanning, both open-source and commercial. It is customary for organizations interested in their cybersecurity to use several of them simultaneously, hoping to achieve “full coverage” through their different features. Although vulnerability scanners are fast and save people time and effort, their assessment scope is restricted. This scope depends on the databases that scanners use as a reference. These databases are composed of public lists such as the CVE (Common Vulnerabilities and Exposures) and the vendors’ own lists (generated, maintained and updated by their research groups). Anything outside these lists is not detected by the scanners and therefore remains a false negative (i.e., the scanner reports the absence of a vulnerability where it actually does exist).
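To make concrete the database-matching mechanism described under “What is vulnerability scanning?” and the false-negative and false-positive limits discussed here, the following Python is an added example (it is not Fluid Attacks’ scanner or any real tool): a toy SCA-style matcher that compares an inventory of component versions against an advisory database. The database, the inventory and the advisory ids are all constructed placeholders.

```python
from dataclasses import dataclass


def parse_version(version: str) -> tuple:
    """Turn '2.4.49' into (2, 4, 49) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


@dataclass(frozen=True)
class Advisory:
    component: str
    advisory_id: str   # constructed placeholder ids, not real CVE numbers
    introduced: str    # first affected version (inclusive)
    fixed: str         # first fixed version (exclusive)
    severity: str


# Constructed "scanner database": what a public list such as CVE plus vendor
# research feeds look like once loaded by the tool.
DATABASE = [
    Advisory("libexample", "ADV-0001", "1.0.0", "1.2.4", "high"),
    Advisory("libexample", "ADV-0002", "1.2.0", "1.3.0", "medium"),
    Advisory("webfw", "ADV-0003", "2.0.0", "2.4.50", "critical"),
]
# Constructed inventory, as an SCA tool reads it from a lockfile or an
# unauthenticated scan infers it from a service banner.
INVENTORY = {
    "libexample": "1.2.2",    # inside both libexample ranges
    "webfw": "2.4.49",        # inside the webfw range by version string alone
    "homegrown-auth": "0.9",  # in no list: any bug here stays a false negative
}


def scan(inventory: dict, backported: frozenset = frozenset()) -> list:
    """Report each (component, version) inside an advisory's affected range.
    `backported` holds (component, advisory_id) pairs whose fix is known to be
    present despite the version string (a detail only an authenticated scan
    sees); without it, version-only matching yields a false positive there.
    """
    findings = []
    for name, version in inventory.items():
        installed = parse_version(version)
        for adv in DATABASE:
            if adv.component != name or (name, adv.advisory_id) in backported:
                continue
            if parse_version(adv.introduced) <= installed < parse_version(adv.fixed):
                findings.append({"component": name, "version": version,
                                 "advisory": adv.advisory_id, "severity": adv.severity})
    return findings
```

Running `scan(INVENTORY)` reports three findings and nothing for `homegrown-auth`; passing `{("webfw", "ADV-0003")}` as `backported` drops the finding that version matching alone would have raised.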
Moreover, it is true that vulnerability scanners can provide detailed information on their findings, such as location, severity or risk exposure, identification date, status, and even recommendations for remediation or mitigation. However, many of these reports are false positives (i.e., scanners report the presence of vulnerabilities where in fact there are none). Relying on the assigned severity or risk values can also be problematic. These values usually depend on metrics such as the CVSS (Common Vulnerability Scoring System), but the real risk level may also depend on the role particular vulnerabilities play in specific attack patterns. Scanners, however, evaluate them more in isolation (they focus on “surface vulnerabilities,” those independent of others), and they are generally unable to identify vulnerabilities that arise from combinations of others.
Given the aforementioned difficulties, another type of vulnerability assessment is necessary: penetration testing. Full coverage is not achieved with automated tools alone, even if many are deployed. The identification of complex —sometimes of higher severity— and previously unknown vulnerabilities depends on human astuteness and expertise, that is, on pentesters. They can correlate vulnerabilities and detect new ones that emerge in certain attack patterns. Pentesters simulate “real-world” attacks and even exploit vulnerabilities to assess impacts. Likewise, they interpret and validate scan results, both to reduce false positive rates and to deliver reports that, with more appropriate scores, actually allow the company under evaluation to prioritize its risk exposure and move on to remediation. Ultimately, we could say that vulnerability scanning can be considered a first step before, or initial support for, penetration testing.
Vulnerability scanning with Fluid Attacks
At Fluid Attacks, we have an open-source vulnerability scanner that we have been developing and that we continuously update and improve with the help of our red team. This tool is capable of applying SAST, DAST and SCA. In 2021, it achieved a perfect result in the OWASP Benchmark version 1.2 with SAST. (In fact, it appears in the OWASP Source Code Analysis Tools list.) In addition, in 2022, it was approved for cloud application security testing by the App Defense Alliance, which seeks to ensure that applications on Google Play do not contain security vulnerabilities.

In our Machine Plan (which you can try right now for free for 21 days), you can integrate our scanner into your software development lifecycle to do continuous vulnerability scanning. (Continuity in security testing is even recommended by the Center for Internet Security, CIS.) In our Squad Plan, you have our vulnerability scanning along with manual penetration testing by our highly certified ethical hackers or pentesters. For both plans of our Continuous Hacking service, we know that merely detecting security issues that criminals can exploit in cyberattacks is of little use on its own. This is why Machine and Squad offer you our Vulnerability Management solution, supported by our distinctive dashboard: the Attack Resistance Management platform. In it, our customers receive detailed reports of their vulnerabilities, assign remediation procedures, request reattacks to verify their solutions, resolve doubts with our experts, keep track of their progress in cybersecurity, and much more. Do not hesitate to contact us if you want to be part of our customers!
*** This is a Security Bloggers Network syndicated blog from Fluid Attacks RSS Feed authored by Felipe Ruiz. Read the original post at: https://fluidattacks.com/blog/vulnerability-scan/

