We’ve gotten pretty good at scanning. We self-scan our groceries and home improvement store purchases, and if we are traveling in an unfamiliar area, we probably scan for human threats.
We are also constantly scanned. Our faces, license plates, temperatures, tickets on our cell phones, and other devices are constantly being scanned. Scanning is everywhere.
In the world of cybersecurity, it’s everywhere too.
This article discusses the various types of scans used in the cybersecurity realm by the good guys and potential attackers.
As a managed security service provider (MSSP), CyberMaxx sees the good and bad sides of these scans every day.
Four Major Scan Types:
- Reconnaissance Scans
- Vulnerability Scans
- Wireless Scans
- Application Scans
Reconnaissance scans are primary scans performed over a network (or via the Internet) to determine the number and types of systems within a given range of addresses. On the practical side of the equation, the tools that perform these scans can leverage the information gained to create and maintain inventories of IT assets within an organization. These scans support IT Asset Management, a critical component of an effective cybersecurity program.
More advanced tools can also gather configuration information to identify operating system versions, patch levels, and other details that help determine whether assets are configured as expected. This begins to bleed over into Vulnerability Scans, which we will discuss in the next section.
On the negative side, attackers also perform reconnaissance scans, using stealthy methods to avoid detection. These scans can reveal essential details about insecure networks, helping attackers build a target list of addresses with open ports and services that indicate potentially vulnerable systems.
It’s critical that organizations have monitoring and blocking tools to limit reconnaissance-type scans to authorized sources. Correctly configured firewalls and intrusion detection and prevention systems (IDS/IPS) are very effective. It’s also important to remove or disable any unused or unnecessary ports and services on your organization’s computer systems.
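The kind of detection an IDS/IPS applies to reconnaissance traffic can be shown in a few lines. This is an added example, not CyberMaxx code: it reads constructed firewall deny-log lines and reports sources that probe many ports on one host or one port on many hosts within a short window.

```python
"""Flag reconnaissance-style scanning in firewall deny logs (added example).

Log format is constructed: "<epoch> DENY <src_ip> -> <dst_ip>:<dst_port>".
A source touching many distinct ports on one host (vertical scan) or one
port on many hosts (horizontal scan) inside the window is reported.
"""
from collections import defaultdict

WINDOW_SECONDS = 60   # look-back window per source address
PORT_THRESHOLD = 15   # distinct ports on one host within the window
HOST_THRESHOLD = 10   # distinct hosts on one port within the window

def parse_line(line):
    ts, action, src, _arrow, dst = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return int(ts), action, src, dst_ip, int(dst_port)

def detect_scans(lines):
    """Return {src_ip: {"vertical" and/or "horizontal"}} for scanning sources."""
    events = sorted(parse_line(ln) for ln in lines if ln.strip())
    recent = defaultdict(list)    # src -> [(ts, dst_ip, port)] inside the window
    findings = defaultdict(set)
    for ts, action, src, dst_ip, port in events:
        if action != "DENY":
            continue
        # keep only this source's events that fall inside the window
        bucket = [e for e in recent[src] if ts - e[0] <= WINDOW_SECONDS]
        bucket.append((ts, dst_ip, port))
        recent[src] = bucket
        ports_per_host, hosts_per_port = defaultdict(set), defaultdict(set)
        for _, h, p in bucket:
            ports_per_host[h].add(p)
            hosts_per_port[p].add(h)
        if any(len(s) >= PORT_THRESHOLD for s in ports_per_host.values()):
            findings[src].add("vertical")
        if any(len(s) >= HOST_THRESHOLD for s in hosts_per_port.values()):
            findings[src].add("horizontal")
    return dict(findings)

# Constructed sample: a vertical scanner, a horizontal scanner, and a benign host
SAMPLE_LOG = (
    [f"{1000 + i} DENY 203.0.113.5 -> 192.0.2.10:{20 + i}" for i in range(20)]
    + [f"{1000 + i} DENY 203.0.113.9 -> 192.0.2.{i}:445" for i in range(1, 13)]
    + ["1000 DENY 198.51.100.7 -> 192.0.2.10:22",
       "1030 DENY 198.51.100.7 -> 192.0.2.10:443"]
)

if __name__ == "__main__":
    for src, kinds in sorted(detect_scans(SAMPLE_LOG).items()):
        print(f"{src}: {', '.join(sorted(kinds))} scan")
```

Thresholds and window are tuning knobs; a real sensor would also whitelist the organization's own authorized scanners so inventory scans are not reported.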
As the name implies, vulnerability scans identify vulnerabilities. A vulnerability is a flaw or weakness in the state of an IT asset (a piece of networking infrastructure, an endpoint, an application, etc.) that increases the likelihood that a threat event will occur, or the impact it will have if it does. In plain English, if left as is, it might lead to a bad outcome like a data breach or a malware infection.
Identifying vulnerabilities, and fixing them, is one of the best ways to keep your organization from falling victim to the bad guys. This is the essence of a Vulnerability Management Program, and it is made possible by performing regular vulnerability scans.
There are several varieties of vulnerability scans. Like reconnaissance scans, they are performed against a range of network addresses. These scans can be run “behind the firewall” on your trusted network segments, or from outside the organization elsewhere on the Internet, simulating what an attacker might find. These two methods are known as Internal and External Vulnerability scans, respectively. Both types provide valuable information. You can be sure that potential attackers are attempting these scans; this is backed up by what CyberMaxx witnesses while providing IDS/IPS services. Given this, organizations must stay a step ahead with a good vulnerability management program.
For internal scans, it is essential to consider whether they will be performed “blind” (unauthenticated) or executed as an authenticated user on the network. There are benefits to both approaches, but an authenticated scan gathers a significant amount of additional data about your organization’s security posture, because it can see the software installed on each host rather than only what is exposed on the network. When feasible, we recommend organizations perform authenticated scans on the internal network.
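The core of a vulnerability scan is matching what was found on a host against a list of known-vulnerable versions. This added example (not CyberMaxx code; advisory ids, product names and versions are all constructed, and it assumes purely numeric dotted versions) runs that match twice on the same host: once on the banners an unauthenticated scan sees, once on the full package list an authenticated scan sees.

```python
"""Match scan results against a vulnerability advisory list (added example).

Advisory ids, products and versions are constructed. The authenticated
view includes libraries that never listen on the network, which is why
it finds more than the banner-only view.
"""

def vtuple(version):
    """'2.4.9' -> (2, 4, 9), so 2.4.9 < 2.4.10 (a plain string compare gets this wrong)."""
    return tuple(int(p) for p in version.split("."))

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed advisories: affected from 'affected_from' up to, but not including, 'fixed_in'
ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "product": "httpd", "affected_from": "2.4.0",
     "fixed_in": "2.4.51", "severity": "critical"},
    {"id": "ADV-EXAMPLE-002", "product": "openssh", "affected_from": "7.0",
     "fixed_in": "8.5", "severity": "high"},
    {"id": "ADV-EXAMPLE-003", "product": "examplelib", "affected_from": "2.0.0",
     "fixed_in": "2.17.0", "severity": "critical"},
]

def is_affected(version, adv):
    return vtuple(adv["affected_from"]) <= vtuple(version) < vtuple(adv["fixed_in"])

def match(inventory):
    """inventory: {product: version}. Returns (severity, id, product, version)
    tuples, most severe first, so patching can be prioritized."""
    found = [(a["severity"], a["id"], a["product"], inventory[a["product"]])
             for a in ADVISORIES
             if a["product"] in inventory and is_affected(inventory[a["product"]], a)]
    return sorted(found, key=lambda f: SEVERITY_RANK[f[0]])

# The same host seen two ways (constructed)
UNAUTHENTICATED = {"httpd": "2.4.49", "openssh": "8.4"}   # banners on open ports only
AUTHENTICATED = {"httpd": "2.4.49", "openssh": "8.4",     # full installed package list
                 "examplelib": "2.14.1", "sudo": "1.9.5"}

if __name__ == "__main__":
    for label, inv in (("unauthenticated", UNAUTHENTICATED), ("authenticated", AUTHENTICATED)):
        print(f"{label}: {len(match(inv))} finding(s)")
        for sev, adv_id, product, ver in match(inv):
            print(f"  {sev:9}{adv_id}  {product} {ver}")
```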
It is easy to overlook wireless access points when we get caught up in protecting the network from intruders. Our minds generally go right to the Internet connection, and we concentrate on building our defenses around the traditional “perimeter” with firewalls and related products.
And while it is true that an attacker must be nearby to exploit a vulnerable or insecure wireless connection, weak wireless access points can spell real trouble for hospitals and other organizations that have lots of visitors in and around their campus.
Going back to the earlier point on the importance of asset management, you must know the type and location of every wireless access point that could potentially provide a way for unauthorized individuals to intrude on your network.
Periodically, a wireless assessment should be done to identify the location and signal propagation of all of these access points. The scans should be done inside the building and, if possible, from parking areas, nearby roads, and neighboring offices of other businesses, to ensure that any broadcasting access points are using appropriate access controls and are up to date with their operating systems and firmware.
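Turning a wireless survey into findings means comparing what was heard against the access-point inventory. This added example (not CyberMaxx code; the survey lines, SSID and BSSIDs are constructed) classifies each observed access point as ok, weak (an authorized AP without the required security), rogue (unknown hardware broadcasting the corporate SSID) or unknown (a neighbor's network).

```python
"""Check a wireless site survey against the authorized AP inventory (added example).

Survey lines are constructed in the form
"<bssid> <ssid> <channel> <signal_dbm> <security>", as a survey tool might export them.
"""
from collections import namedtuple

REQUIRED_SECURITY = {"WPA2", "WPA3"}
CORP_SSIDS = {"corp-wifi"}
# Authorized inventory, BSSID -> physical location (constructed)
AUTHORIZED = {
    "00:11:22:33:44:01": "Bldg A / Floor 1",
    "00:11:22:33:44:02": "Bldg A / Floor 2",
}
Finding = namedtuple("Finding", "bssid ssid signal_dbm security status location")

def assess_survey(lines):
    """Classify every AP seen, strongest signal first: the survey is repeated
    from parking areas and neighboring offices, where reach is what matters."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        bssid, ssid, _channel, signal, security = line.split()
        bssid = bssid.lower()                      # BSSIDs are case-insensitive
        if bssid in AUTHORIZED:
            status = "ok" if security in REQUIRED_SECURITY else "weak"
            location = AUTHORIZED[bssid]
        elif ssid in CORP_SSIDS:
            status, location = "rogue", "UNKNOWN (not in inventory)"
        else:
            status, location = "unknown", "neighbor"
        findings.append(Finding(bssid, ssid, int(signal), security, status, location))
    return sorted(findings, key=lambda f: f.signal_dbm, reverse=True)

# Constructed survey taken from the visitor parking lot
SURVEY = [
    "00:11:22:33:44:01 corp-wifi 6 -48 WPA2",
    "00:11:22:33:44:02 corp-wifi 11 -61 OPEN",        # authorized AP left open
    "DE:AD:BE:EF:00:01 corp-wifi 1 -55 WPA2",         # corporate SSID on unknown hardware
    "aa:bb:cc:dd:ee:ff CoffeeShopGuest 6 -80 WPA2",   # neighbor's network
]

if __name__ == "__main__":
    for f in assess_survey(SURVEY):
        if f.status != "ok":
            print(f"{f.status:8}{f.bssid}  {f.ssid:16}{f.signal_dbm:5} dBm  {f.security:5} {f.location}")
```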
Applications are the gateways to our critical data, whether it is Protected Health Information (PHI/ePHI), financial data such as credit card data that is governed by the PCI Data Security Standards (PCI DSS), or simply confidential business data or employee records. As such, applications must be designed with security in mind. Unfortunately, this is often not the case.
Application scans require special tools and experienced personnel who understand the technical aspects of databases, software development, and access control mechanisms. A complicating factor is that applications come in many different flavors. Legacy applications often run on-premises using older development platforms that may no longer be fully supported, or contain known vulnerabilities that are difficult to patch. Newer cloud-based applications are usually delivered in a software as a service (SaaS) model by a third party that may not allow an organization to perform its own scans. Throw mobile applications that run on phones and tablets into the mix, and you can quickly see the complexities involved.
Despite these challenges, it is imperative to track where these applications are vulnerable and to patch critical vulnerabilities as quickly as possible.
The go-to resource for vulnerability information on web-based applications is the Open Web Application Security Project (OWASP). OWASP is an online non-profit community that publishes and maintains a regularly updated list of the most common vulnerabilities and threats affecting web-based systems.
In cybersecurity, scanning is everywhere. Many exciting companion technologies like security information and event management (SIEM), security orchestration, automation and response (SOAR), managed detection and response (MDR), extended detection and response (XDR), etc., continuously monitor networks and hosts for abnormal behavior. Many of these technologies leverage scanning tools and techniques like the ones discussed in this article.
So the next time you are in the self-checkout, remember the importance of doing a bit of scanning back at the office.