The vulnerability scan, or “vuln scan,” is performed with both good and evil intent and is one of the four types of cybersecurity scans.

What is a vulnerability, and how do we scan for them?

Vulnerability: “A weakness in the computational logic (e.g., code) found in software and hardware components that, when exploited, results in a negative impact to confidentiality, integrity, or availability. Mitigation of the vulnerabilities in this context typically involves coding changes, but could also include specification changes or even specification deprecations (e.g., removal of affected protocols or functionality in their entirety).” Source – National Institute of Standards and Technology (NIST) / CVE.org

Vulnerability scans by themselves neither prevent attacks nor, for that matter, carry them out. Their value comes down to how the information they gather is used, and to the completeness and accuracy of that information.

  • As defenders, companies scan their own systems (or engage a trusted third party to do so) to identify and close holes that could lead to a successful attack.
  • As attackers, identifying vulnerabilities is one of the early steps in profiling a target for the later stages of an attack.

From a defensive perspective, vuln scans are just one part of a vulnerability management program.

Vulnerability Management Program

As an organization grows and becomes more complex, a right-sized vulnerability management program must also scale to address risk. Keeping in mind that vulnerability scans are just one component of an overall program, the typical program will involve the following activities.

  1. Planning the program’s scope – what assets will be assessed and how often
  2. Documenting the plan – creating a formal set of policies and procedures
  3. Identifying the internal and external stakeholders
  4. Providing training to the team
  5. Conducting the vulnerability assessments (e.g., running scans, performing audits, etc.)
  6. Documenting, categorizing, and prioritizing vulnerabilities
  7. Remediating vulnerabilities
  8. Evaluating the effectiveness of remediation (e.g., re-scanning)
  9. Root cause analysis

If you are interested in digging deeper into how to structure a vulnerability management program, Carnegie Mellon has produced a supplemental resource guide in coordination with the Department of Homeland Security.

The National Vulnerability Database (NVD)

The NVD is a product of the NIST Computer Security Division, within the Information Technology Laboratory, sponsored by the Cybersecurity & Infrastructure Security Agency (CISA).

Serving as the U.S. government repository of standards-based vulnerability data represented using the Security Content Automation Protocol (SCAP), the NVD enables automation of vulnerability management, security measurement, and compliance, and it is the data source most scanning tools draw on. The NVD includes security checklist references, security-related software flaws, misconfigurations, product names, and impact metrics.

Types of Vulnerability Scans

There are many commercial and open-source tools that can be leveraged to perform vulnerability scans. These tools rely on sources that catalogue vulnerabilities, above all the NVD and the severity ratings it publishes using the Common Vulnerability Scoring System (CVSS).

External Scans

As the name implies, external vulnerability scans are executed against outward-facing systems from outside the organization. They are accomplished by scanning the range of public IP addresses assigned to or controlled by the organization. Devices within this range might include routers, firewalls, and hosts in the organization’s “demilitarized zone” (DMZ), such as web servers and FTP servers. External scans provide valuable insight into the vulnerabilities an attacker could exploit over the internet.

Internal Scans

While threats to internet-facing systems are real, organizations that stop scanning once their external scan is complete ignore the weaknesses that more often lead to a compromise. Today’s attackers routinely bypass perimeter defenses through social engineering (e.g., phishing, or malware delivered via links or attachments in email).

Most perimeter defenses are useless once a user has been tricked into the behavior the attacker wants. To go beyond that initial foothold, these attacks rely on vulnerabilities on systems on the private (trusted) side of the network.

It is imperative that organizations scan their internal network to identify and then remediate any vulnerabilities that would allow an attacker to move laterally across the network once they are behind those perimeter defenses.

Internal scans also help reduce the risk from insider threats: closing vulnerabilities makes it harder for trusted users to escalate their privileges and reach systems or data they should not have access to.

Web Application Scans

Applications are the gateways to an organization’s crown jewels. While data can sometimes be accessed directly at the database, poorly written applications or applications that are not kept up-to-date with the latest security patches can provide a path of least resistance to an attacker.

Since so many web-based applications are written or customized for an organization’s specific use cases, they often lack the robust, well-tested security features of the commercial off-the-shelf products that were common in the past.

With so many development platforms available, keeping up with vulnerabilities in web architectures is difficult. To assist with this, the Open Web Application Security Project (OWASP, since renamed the Open Worldwide Application Security Project) was established as an online community that documents web application weaknesses and how to test for them. OWASP is best known for its Top 10 list of the most critical web application security risks, compiled by security experts from around the world from contributed vulnerability data and a community survey.

The OWASP top 10 for 2021 includes:

  1. Broken Access Control
  2. Cryptographic Failures
  3. Injection
  4. Insecure Design
  5. Security Misconfiguration
  6. Vulnerable and Outdated Components
  7. Identification and Authentication Failures
  8. Software and Data Integrity Failures
  9. Security Logging and Monitoring Failures
  10. Server-Side Request Forgery (SSRF)

Web application scanners map their checks to the OWASP Top 10 categories and to MITRE’s Common Weakness Enumeration (CWE), along with other known vulnerability classes, to identify and report on the security posture of one or more web applications. Keep in mind that automated scanners cover injection, misconfiguration, and outdated-component classes well, but are weak on logic flaws such as broken access control, which need authenticated testing with multiple accounts and, often, a human reviewer.

Performing web application scans is imperative if an organization has custom websites used for critical business processes.

Two Scan Modes

Unauthenticated

This approach provides no credentials to the scanning software. An unauthenticated scan returns results similar to what an adversary would see if they, like most, do not possess the credentials needed to sign on to the system or device: open ports, service banners, and whatever version information the services volunteer.

Authenticated

These scans are given credentials to the target and can therefore read detailed configuration information (installed package versions, local settings, missing patches) directly from the host. That insight is very important when considering insider threats, or attackers who have gained a foothold behind the firewall through phishing or email-payload attacks. The scanning account should be a dedicated one with only the read access the scanner needs, since its credentials are stored in the scanning platform and become a target in their own right.
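To make the difference between the two modes concrete, here is an added Python example (not from the article or from any scanner product) that runs the same hypothetical advisory check two ways: once against a constructed HTTP Server banner, which is all an unauthenticated scan sees, and once against a constructed package list of the kind an authenticated scan reads from the host. The EXAMPLE-* advisory identifiers, package names and versions are placeholders, not real advisories, and the version comparison is a simplified stand-in for real dpkg/rpm ordering.

```python
import re

# --- Constructed sample inputs (not output of any real scanner or host) ---

# What an unauthenticated scanner sees: the raw HTTP response header block.
BANNER = ("HTTP/1.1 200 OK\r\n"
          "Server: nginx/1.18.0\r\n"
          "Content-Type: text/html\r\n\r\n")

# What an authenticated scanner can read on the host (dpkg-query style lines).
INSTALLED_PACKAGES = (
    "nginx\t1.18.0-6.1+deb11u3\n"
    "openssl\t1.1.1n-0+deb11u4\n"
    "libexample1\t2.3.1-1\n"
)

# Hypothetical advisory table. EXAMPLE-* identifiers are placeholders.
#   fixed_upstream: first upstream release that contains the fix
#   fixed_distro:   distro package revision that backported the fix (or None)
ADVISORIES = {
    "nginx":       {"id": "EXAMPLE-0001", "fixed_upstream": "1.19.0",
                    "fixed_distro": "1.18.0-6.1+deb11u2"},
    "libexample1": {"id": "EXAMPLE-0002", "fixed_upstream": "2.3.2",
                    "fixed_distro": "2.3.1-2"},
}


def version_key(version: str):
    """Simplified comparison key: numeric runs compare as integers, everything
    else as text. Not full dpkg/rpm semantics (no epochs, no '~' handling)."""
    parts = re.split(r"(\d+)", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts if p)


def is_older(version: str, fixed: str) -> bool:
    return version_key(version) < version_key(fixed)


def unauthenticated_findings(banner: str) -> list:
    """Infer product and version from the Server header alone and compare
    against the upstream fix version, the only thing a banner can tell you."""
    findings = []
    m = re.search(r"^Server:\s*([A-Za-z0-9_-]+)/([0-9][0-9.]*)", banner, re.MULTILINE)
    if not m:
        return findings
    product, version = m.group(1).lower(), m.group(2)
    adv = ADVISORIES.get(product)
    if adv and is_older(version, adv["fixed_upstream"]):
        findings.append((product, adv["id"],
                         f"banner {product}/{version} < {adv['fixed_upstream']}"))
    return findings


def authenticated_findings(package_list: str) -> list:
    """Compare installed package revisions against the distro's fixed revision.
    This catches backported fixes the banner cannot show, and packages that
    expose no banner at all."""
    findings = []
    for line in package_list.splitlines():
        if not line.strip():
            continue
        name, version = line.split("\t", 1)
        adv = ADVISORIES.get(name)
        if not adv:
            continue
        fixed = adv["fixed_distro"] or adv["fixed_upstream"]
        if is_older(version, fixed):
            findings.append((name, adv["id"], f"installed {version} < {fixed}"))
    return findings


if __name__ == "__main__":
    print("unauthenticated:", unauthenticated_findings(BANNER))
    print("authenticated:  ", authenticated_findings(INSTALLED_PACKAGES))
```

The banner-only check flags nginx because its upstream version predates the fix, while the authenticated check sees that the installed distro revision already carries the backported patch and instead flags a library that exposes no banner at all. That pairing of a false positive and a false negative is exactly what running both modes is meant to resolve.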

A combination of unauthenticated and authenticated scans should be used for both internal and web application scans. This is especially practical for web application scans, since the scanner can be given credentials with varying degrees of privilege within the application, which exposes permission flaws and cross-customer/user access to data.
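The cross-user access check that paragraph describes, as an added Python example (a constructed toy application and scanner, not the article’s or any vendor’s code): the scanner is given three sets of credentials, requests every known record with each of them and with none, and flags any 200 response the caller should not have received. The vulnerable handler omits the ownership check (OWASP A01, Broken Access Control); the fixed one returns 403.

```python
import json
import re

# --- Constructed toy application (not a real product) ---

RECORDS = {
    101: {"owner": "alice", "balance": 1250.00},
    202: {"owner": "bob",   "balance": 80.50},
}
# Session token -> user. The tokens are placeholders for whatever the scanner is given.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob", "tok-admin": "admin"}
ADMINS = frozenset({"admin"})
_RECORD_PATH = re.compile(r"^/api/records/(\d+)$")


def vulnerable_app(path: str, token):
    """Authenticates the caller but never checks who owns the record (IDOR)."""
    user = SESSIONS.get(token)
    if user is None:
        return 401, ""
    m = _RECORD_PATH.match(path)
    rec = RECORDS.get(int(m.group(1))) if m else None
    if rec is None:
        return 404, ""
    return 200, json.dumps(rec)


def fixed_app(path: str, token):
    """Same application with an ownership check on every record read."""
    user = SESSIONS.get(token)
    if user is None:
        return 401, ""
    m = _RECORD_PATH.match(path)
    rec = RECORDS.get(int(m.group(1))) if m else None
    if rec is None:
        return 404, ""
    if rec["owner"] != user and user not in ADMINS:
        return 403, ""
    return 200, json.dumps(rec)


# --- Scanner side: differential access check ---

def access_control_findings(app, credentials, resources, admins):
    """Request every known resource with every credential set, and with no
    credentials, and flag each 200 the caller was not entitled to.

    credentials: {user: token}   resources: {path: owner}   admins: set of users
    Returns a list of (path, caller, status) tuples.
    """
    findings = []
    for path, owner in resources.items():
        status, _ = app(path, None)               # anonymous request
        if status == 200:
            findings.append((path, "<anonymous>", status))
        for user, token in credentials.items():
            status, _ = app(path, token)
            authorised = user == owner or user in admins
            if status == 200 and not authorised:
                findings.append((path, user, status))
    return findings


# Accounts and resources the scanner is seeded with (constructed).
CREDENTIALS = {"alice": "tok-alice", "bob": "tok-bob", "admin": "tok-admin"}
RESOURCES = {"/api/records/101": "alice", "/api/records/202": "bob"}

if __name__ == "__main__":
    for name, app in (("vulnerable", vulnerable_app), ("fixed", fixed_app)):
        print(name, access_control_findings(app, CREDENTIALS, RESOURCES, ADMINS))
```

The scanner needs two things a purely unauthenticated scan never has: a working login for each privilege level, and a map of which account owns which resource, usually built by crawling the application as each user first. Without that map a 200 response is just a page; with it, a 200 returned to the wrong user is a finding.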

How Often Should Vuln Scans be Done?

The answer will depend on several factors:

  1. Organizational Risk Tolerance
  2. Regulatory Requirements
  3. Change in the Technology Environment

More frequent scans will be needed if an organization is part of critical infrastructure or operates in a highly regulated data environment. An example of a regulatory consideration is whether the company is subject to the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS requires quarterly external vulnerability scans performed by an Approved Scanning Vendor (ASV), quarterly internal scans, and rescans after any significant change to the environment.

If an organization is experiencing rapid growth or significant changes in the technology environment with new systems being brought online, then more frequent scans will be necessary to ensure vulnerabilities are identified and rectified as they are introduced.

Summary

To use an American football analogy, vulnerability management is like blocking and tackling: the fundamentals.

Finding and remediating technical vulnerabilities in operating systems, hardware, software, databases, etc., may be the single most effective control against common adversarial threats to systems, physical threats aside.

Many organizations find that implementing and managing a robust vulnerability management program is beyond their capabilities due to staffing, expertise, and budget factors.

Leveraging a Managed Security Service Provider like CyberMaxx can often be a cost-effective way to shore up an organization’s security posture in areas like vulnerability management. It is vitally important to be able to respond quickly and effectively to security events before they become full-blown incidents. CyberMaxx’s managed detection and response (MDR) capability does just that.