Vulnerability scanning is the process of identifying security weaknesses and flaws in systems and software running on them. This is an integral component of a vulnerability management program, which has one overarching goal – to protect the organization from breaches and the exposure of sensitive data. These programs rely on assessment to gauge security readiness and minimize risk, and vulnerability scanning is a critical tool in the cybersecurity toolbox.
There are two big challenges related to traditional vulnerability assessment – knowing what to scan and knowing when to scan:
- Keeping an up-to-date asset inventory is an essential first step and requires its own set of tools and strategies.
- Making sure that your vulnerability scanning tools cover non-traditional assets such as BYOD devices, IoTs, mobile assets, and cloud services is essential.
- In a world where cyber threats can come from any direction and at any time, the ability to configure and perform continuous monitoring and scanning (as opposed to monthly or quarterly vulnerability scans) is key.
A vulnerability scanner is an application that identifies and creates an inventory of all systems connected to a network. For each device that it identifies, it also attempts to identify the operating system that is running and the software installed on it, along with other attributes such as open ports and user accounts.
After building up an inventory, the vulnerability scanner checks each item in the inventory against one or more databases of known vulnerabilities. The result is a list of all the systems found and identified on the network, highlighting any that have known vulnerabilities and need attention.
Vulnerability scanning is very often confused with penetration testing but there are some major differences between the two.
- A vulnerability scan is automated high-level test that looks for potential security vulnerabilities, while a penetration test is an exhaustive examination that includes a live person actually digging into your network’s complexities to exploit the weakness in your systems.
- A vulnerability scan only identifies vulnerabilities, while a penetration tester digs deeper to identify the root cause of the vulnerability that allows access to secure systems or stored sensitive data. The pen tester also looks for business logic vulnerabilities that might be missed by an automatic scanner.
- Vulnerability scans can be instigated manually or on an automated basis, and will complete in as little as several minutes to as long as several hours.
Vulnerability scanning as a part of vulnerability management
Vulnerability scanning is an integral component of vulnerability management. However, using a vulnerability scanner alone is not enough as they don’t go beyond reporting on vulnerabilities that are detected. The vulnerabilities have to be prioritized in order of business criticality and then added to the remediation queue. You need to keep the following in mind:
- Understand how critical a vulnerability is and what would be the impact to the business if exploited
- How easy would it be for a hacker to exploit the vulnerability – does an exploit for it exist and is publicly available
- Are there any existing security controls that could reduce the risk of the vulnerability being exploited.