Why You Should Perform Credentialed Vulnerability Scanning

Ideally, you would have more insight into vulnerabilities and potential means of exploitation in your environment than your adversaries (i.e., attackers) would. Performing credentialed scanning allows you to take a deeper look at your systems from a security standpoint than un-credentialed scanning. To give you an analogy, traditional un-credentialed scanning would be like a doctor diagnosing you over the phone. It can be generally useful, but much more information can be gathered in person since tests can be performed that will yield more accurate results and diagnoses. This enhanced understanding is what credentialed scanning brings to the table. While there are many reasons to perform credentialed scans, it’s important to first understand a bit more about credentialed scanning to determine if credentialed scans are right for your organization.

The Basics

Vulnerability scan tools allow the user to insert credentials that the scanner will use to log in during testing. On a Windows system, the credentials (user ID and password) are typically for a domain user with rights to log in to administrative file shares, remote registry services and similar Windows services. On a Linux system, the credentials (user ID and password or SSH key) are typically for a user with rights to query operating system files and details.

The Benefits

Credentialed scanning provides more accurate scanning to better identify weak configurations, missing patches and similar vulnerabilities, which in turn further strengthens the security program (or at least provides insight on where improvements are needed). As an example, a test of an un-credentialed Nessus scan of a partially patched Windows 7 virtual workstation resulted in 20 vulnerabilities being identified and the operating system being misidentified as Windows XP. Conversely, a credentialed scan of the same system identified over 215 vulnerabilities. Similarly, an un-credentialed scan of an out-of-date Ubuntu 16.04 LTS machine resulted in a few informational items, but no vulnerabilities, being identified. The results of a credentialed scan of the same machine identified 19 vulnerabilities. The difference in scan results almost speaks for itself. Not only does credentialed scanning identify more vulnerabilities, but the accuracy also surpasses that of traditional un-credentialed scanning and false positives become less frequent, meaning you spend less time chasing down issues that might not even be relevant.

The Risks

It is common for administrators to be hesitant about permitting credentialed scanning. They often worry that giving the scanner credentialed access will be more intrusive and cause outages. However, these concerns are unfounded. Credentialed scans use standard protocols and well-formed requests to make authorized queries against systems, similar to an administrator logging in and performing commands. Fragile hosts are not being hit with random traffic; scanning is more tailored to hosts. With a SYN scan for TCP and a UDP probe, a scanner would send a minimum of 131,070 packets. That doesn’t count repeat packets for accuracy or RST packets. You can see how this number can easily surpass 200,000 packets with un-credentialed scanning. For credentialed scans, it is typical to see under 1,000 packets. Less traffic and more accurate scanning leads to less stress on the network and systems, which in turn reduces any chances of scanning to disrupt the network. Everyone likes to hear the lessened potential for availability problems.

Using Credentialed Scanning for Baseline or Policy Compliance

Scanning can also assist with system hardening. With credentialed scanning, baseline and customized auditing can be accomplished. Many vulnerability scanners have baseline audit templates to scan systems against to see if the hosts are up to par with current standards. Center for Internet Security (CIS) is a well-known industry standard, and audit scans can be performed to see if a system meets the basics of the standard. These audit templates are available for different operating systems (server and networking equipment). Also, audit scripts can be customized to an environment, so scans can be performed to make sure a system is up to par with internal standards as well. Especially for those not well versed with industry standards, auditing the systems gives great insight into which configurations meet standards and which might need improvement. While many organizations rely upon manual and automated configuration management to maintain compliance against their build standards, scanning hosts against baselines is another sanity check and could provide further information to strengthen your organization’s configuration standards.

Getting Started

It is up to your organization to determine if credentialed scanning is appropriate for your environment and, if so, how best to implement it. For large organizations, a credentialed rollout will lengthen remediation time, since it’s likely the scan will identify more vulnerabilities than an un-credentialed scan. This is something to be aware of and to plan for initially, especially if the company is required to adhere to certain regulations. While credentialed scans are not yet required by the Payment Card Industry Data Security Standard (PCI DSS) (take note of that “yet”), they can assist with requirements around patching and system hardening, and are a best practice in terms of security. Credentialed scanning is already baked into the vast majority of vulnerability scanners out there, so take advantage of it!

Need assistance or have any questions? Please contact us at any time!

This publication contains general information only and Sikich is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or any other professional advice or services. This publication is not a substitute for such professional advice or services, nor should you use it as a basis for any decision, action or omission that may affect you or your business. Before making any decision, taking any action or omitting an action that may affect you or your business, you should consult a qualified professional advisor. In addition, this publication may contain certain content generated by an artificial intelligence (AI) language model. You acknowledge that Sikich shall not be responsible for any loss sustained by you or any person who relies on this publication.

About the Author