Once vulnerabilities have been identified through scanning and assessed, an organization can pursue a remediation path, such as patching vulnerabilities, closing risky ports, fixing misconfigurations, and even changing default passwords, such as on internet of things (IoT) and other devices.
Vulnerability scanning is a vital part of your security team’s overall IT risk management approach for several reasons
Vulnerability scanning lets you take a proactive approach to close any gaps and maintain strong security for your systems, data, employees, and customers. Data breaches are often the result of unpatched vulnerabilities, so identifying and eliminating these security gaps, removes that attack vector.
Cybersecurity compliance and regulations demand secure systems. For instance, NIST, PCI DSS, and HIPAA all emphasize vulnerability scanning to protect sensitive data.
Cyber criminals also have access to vulnerability scanning tools, so it is vital to carry out scans and take restorative actions before hackers can exploit any security vulnerabilities.
Some of vulnerability scanning tools are comprehensive in their coverage, able to perform multiple types of scans across heterogeneous environments that include on-prem, Unix, Linux, Windows, cloud, off-site, and onsite. Other scanning tools serve particular niches, so it’s always critical to thoroughly explore your use cases before investing in a scanner.
Let’s now explore some different types of vulnerability scans, which each have their place, depending on your use cases.
Credentialed and non-Credentialed scans (also respectively referred to as authenticated and non-authenticated scans) are the two main categories of vulnerability scanning.
Non-credentialed scans, as the name suggests, do not require credentials and do not get trusted access to the systems they are scanning. While they provide an outsider’s eye view of an environment, they tend to miss most vulnerabilities within a target environment. So, while they can provide some valuable insights to a potential attacker as well as to a security professional trying to gauge risk from the outside, non-credentialed scans give a very incomplete picture of vulnerability exposure.
On the other hand, credentialed scans require logging in with a given set of credentials. These authenticated scans are conducted with a trusted user’s eye view of the environment. Credentialed scans uncover many vulnerabilities that traditional (non-credentialed) scans might overlook. Because credentialed scans require privileged credentials to gain access for scanning, organizations should look to integrate an automated privileged password management tool with the vulnerability scanning tool, to ensure this process is streamlined and secure (such as by ensuring scan credentials do not grow stale).
Here are some other ways that scans may be categorized, based on use case.
These scans target the areas of your IT ecosystem that are exposed to the internet, or are otherwise not restricted to your internal users or systems. They can include websites, ports, services, networks, systems, and applications that need to be accessed by external users or customers.
These scan and target your internal corporate network. They can identify vulnerabilities that leave you susceptible to damage once a cyberattacker or piece of malware makes it to the inside. These scans allow you to harden and protect applications and systems that are not typically exposed by external scans.
These scans are based on the environment that your technology operates in. Specialized scans are available for multiple different technology deployments, including cloud-based, IoT devices, mobile devices, websites, and more.
Non-intrusive scans simply identify a vulnerability and report on it so you can fix it. Intrusive scans attempt to exploit a vulnerability when it is found. This can highlight the likely risk and impact of a vulnerability, but may also disrupt your operational systems and processes, and cause issues for your employees and customers — so use intrusive scanning with caution.
There are several challenges that arise in conducting vulnerability scanning:
Most scans are “snapshots,” not continuous. Because your systems are changing all the time, you should run scans regularly as your IT ecosystem changes
Although the scanning process itself is easily automated, a security expert may still need to review the results, complete remediation, and follow-up to ensure risks are mitigated. Many organizations also integrate vulnerability scanning with automated patch management and other solutions to help reduce the human administrative burden. Regardless, the scan itself is only an early step in the vulnerability management lifecycle.
Depending on how thorough a scan is desired. Therefore automating management and integration of these credentials with scanner should be considered to maximize both the depth of the scan, and privileged access security.
A vulnerability scanning tool is only as good as its database of known faults and signatures. New vulnerabilities emerge all the time, so your tool will need to be continually updated.
The four following capabilities should top your list of priorities when assessing the suitability of a vulnerability scanning for your enterprise:
Your vulnerability scanner database should be continually updated with the latest identified vulnerabilities
Your scanner should strike the right balance between identifying all vulnerabilities, while minimizing false positives and negatives, and providing high-quality information on flaws, threat priorities, and remediation pathways.
Your scanning tool should provide comprehensive reports that allow you to take practical, corrective actions.
Your vulnerability scanner should fit seamlessly into your vulnerability management program, which should include patch management and other solutions.
Implemented correctly, a vulnerability scanning tool is instrumental to identifying and assessing modern security risk, providing your organization with the insight it needs to take corrective actions, comply with regulatory frameworks, and maintain a strong cybersecurity posture.