Vulnerability scanning is an automated process that involves using various tools to:
- Look at which ports are open on a system;
- Investigate the service running on an open port;
- Determine the service’s version number;
- Compare that service’s version against a database of known vulnerabilities; and
- Generate a report listing out the vulnerabilities discovered.
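As an added illustration of the steps above (not code from the original article), here is a small offline Python model of the pipeline from step 2 onward: constructed service banners stand in for the results of the port probe, and the vulnerability database holds placeholder advisory ids and made-up version ranges rather than real CVEs.

```python
import re
# Constructed banners for three open ports, standing in for what a scanner
# records after connecting to each port; the values are made up for the example.
SAMPLE_BANNERS = {
    22: "SSH-2.0-OpenSSH_7.4",
    80: "Server: Apache/2.4.29 (Ubuntu)",
    443: "Server: nginx/1.18.0",
}

# Constructed vulnerability database: advisory ids are placeholders, not real
# CVEs, and each entry gives its affected version range as [first, fixed).
VULN_DB = [
    ("openssh", "7.0", "7.5", "ADV-PLACEHOLDER-001", "placeholder OpenSSH weakness"),
    ("apache", "2.4.0", "2.4.30", "ADV-PLACEHOLDER-002", "placeholder httpd weakness"),
    ("nginx", "1.0.0", "1.17.0", "ADV-PLACEHOLDER-003", "placeholder nginx weakness"),
]

BANNER_RE = re.compile(r"(OpenSSH|Apache|nginx)[_/](\d+(?:\.\d+)*)", re.IGNORECASE)

def parse_version(text):
    # Pad to three integer components so "7.4" compares correctly with "7.4.1".
    parts = [int(p) for p in text.split(".")]
    return tuple((parts + [0, 0, 0])[:3])

def identify_service(banner):
    # Steps 2-3: extract product and version from a banner; (None, None) if unrecognised.
    match = BANNER_RE.search(banner)
    return (match.group(1).lower(), parse_version(match.group(2))) if match else (None, None)

def find_vulnerabilities(product, version):
    # Step 4: every database entry whose affected range contains this exact version.
    return [(adv, summary) for db_product, first, fixed, adv, summary in VULN_DB
            if db_product == product
            and parse_version(first) <= version < parse_version(fixed)]

def scan(banners):
    # Walk the open ports and collect (product, version, matches) per port.
    findings = {}
    for port, banner in sorted(banners.items()):
        product, version = identify_service(banner)
        if product is not None:
            findings[port] = (product, version, find_vulnerabilities(product, version))
    return findings

def render_report(findings):
    # Step 5: plain-text report, one line per port plus one line per matched advisory.
    lines = []
    for port, (product, version, vulns) in findings.items():
        ver = ".".join(map(str, version))
        lines.append(f"port {port}: {product} {ver} -> {len(vulns)} known issue(s)")
        lines.extend(f"    {adv}: {summary}" for adv, summary in vulns)
    return "\n".join(lines)
```

The match is only as good as the banner: a distribution that back-ports a fix without changing the version string produces a false positive, and a service that hides its version produces a miss, which is why scanner findings still need validation.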
Vulnerability scanning tools may also perform tests for well-known web application vulnerabilities, such as SQL injection and cross-site scripting (XSS). Automated vulnerability scanning tools do not attempt to exploit any discovered network or application vulnerability; exploitation is a manual process typically performed by a penetration tester.
Vulnerability scans are required by various compliance standards (e.g., the Payment Card Industry Data Security Standard (PCI DSS) or the Health Insurance Portability and Accountability Act (HIPAA)). When scanning for compliance purposes, the standard provides guidelines about which systems must be included in scope. These typically include systems that handle sensitive data (e.g., payment card data, protected health information (PHI), personally identifiable information (PII)). Even if an organization doesn’t need to comply with a regulatory standard, there are various external and internal network components that it should include in its vulnerability assessment program.
Any Internet-facing system that an organization deems “mission critical” should be included in the external vulnerability scan scope. Such systems often include corporate email servers, where compromise could lead to targeted phishing attacks, as well as web application servers that accept user input through form fields (such as a “Contact Us” form), where common coding vulnerabilities could give attackers access to databases that contain sensitive data. Organizations should also consider scanning remote-access endpoints (e.g., VPN or Remote Desktop Protocol (RDP) endpoints), as compromising these systems could give an attacker direct access to an organization’s internal network.
Organizations may also want to include several types of internal network components in vulnerability scanning. These include both systems that provide critical services, such as the user authentication performed by a domain controller, where compromise can let an attacker create authorized network users to maintain persistence on the network, and servers that hold sensitive information, such as intellectual property or financial data, that could be of value to an attacker. While user workstations are frequently left out of vulnerability scans, organizations may want to rethink this approach, as many recent ransomware attacks (e.g., WannaCry) exploit vulnerabilities for which software vendors have already released patches.
Vulnerability scanning provides a wealth of information about an organization’s overall security posture and is a valuable resource in any vulnerability assessment program. Should your organization need assistance in setting up a vulnerability scanning program, the Sikich Cybersecurity practice can help.