A vulnerability scan is an automated process that attempts to identify vulnerabilities in your environment. A scan involves using a tool, such as Nessus or Qualys, to run through a long list of checks to determine whether you are affected by the vulnerabilities in its database. This is also one of the first steps of a penetration test. The tool will probe the services running on all internal and external assets and identify the associated risk for each asset. Below, the steps to conducting a vulnerability scan are detailed, along with recommendations on tools and processes.

Steps to conducting a Vulnerability Scan

Before any scanning can begin, an asset inventory is needed for your environment. If an asset inventory tool does not exist, you may need to do a sweep of your network to identify live assets. Once the assets have been identified, the vulnerability scan will begin by simply aiming the scanner at them.

  • Step 1: Information Gathering
    • Identify hosts and restricted hosts (i.e., systems and devices not to be tested)
  • Step 2: Discovery and Vulnerability Scanning
    • Comprehensive port scanning, fingerprinting of services and applications;
    • Utilization of automated scanning tools and technologies to identify publicly known operating system and application vulnerabilities (network-based or authenticated scans);
  • Step 3: Reporting
    • Draft an executive summary detailing the overall state of the environment
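As an added example (not from the original post, and not the API of either scanner vendor), the three steps above expressed as a small Python helper: it builds the scan scope from an asset inventory minus the restricted hosts, then turns scanner findings into the per-asset, severity-ranked summary that the reporting step needs. All host names, addresses, tags and findings are constructed sample values; the severity bands follow the CVSS v3 qualitative rating scale.

```python
"""Scope and triage helper for a vulnerability scan (constructed example)."""
from collections import Counter
import ipaddress

# Step 1: asset inventory and restricted hosts (constructed sample values)
INVENTORY = {
    "10.0.1.10": {"name": "db-prod-01", "os": "Linux", "tags": {"unix", "business-critical"}},
    "10.0.1.11": {"name": "web-prod-01", "os": "Linux", "tags": {"unix", "dmz"}},
    "10.0.2.20": {"name": "hr-file-01", "os": "Windows", "tags": {"windows", "business-critical"}},
    "10.0.2.21": {"name": "plc-ctrl-01", "os": "Embedded", "tags": {"ot"}},
}
RESTRICTED = {"10.0.2.21"}  # fragile OT device: must not be actively scanned

def build_scope(inventory, restricted):
    """Hosts to scan: every inventoried host that is not on the restricted list."""
    return sorted((h for h in inventory if h not in restricted), key=ipaddress.ip_address)

# Step 2 output: findings in the shape a scanner reports them (constructed sample)
FINDINGS = [
    {"host": "10.0.1.10", "port": 5432, "plugin": "PostgreSQL outdated", "cvss": 9.8},
    {"host": "10.0.1.10", "port": 22, "plugin": "SSH weak MAC", "cvss": 2.6},
    {"host": "10.0.1.11", "port": 443, "plugin": "TLS 1.0 enabled", "cvss": 5.3},
    {"host": "10.0.2.20", "port": 445, "plugin": "SMB signing not required", "cvss": 7.5},
    {"host": "10.0.2.21", "port": 502, "plugin": "Modbus exposed", "cvss": 8.0},  # out of scope
]

def severity(cvss):
    """CVSS v3 qualitative rating bands."""
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    return "Low" if cvss > 0.0 else "Info"

def summarize(findings, inventory, scope):
    """Step 3: per-asset severity counts, business-critical assets first, then by worst CVSS."""
    rows = {}
    for f in findings:
        if f["host"] not in scope:
            continue  # never report on a restricted host, even if the scanner touched it
        r = rows.setdefault(f["host"], {"name": inventory[f["host"]]["name"],
                                        "max_cvss": 0.0, "counts": Counter()})
        r["counts"][severity(f["cvss"])] += 1
        r["max_cvss"] = max(r["max_cvss"], f["cvss"])
    critical_first = lambda kv: ("business-critical" not in inventory[kv[0]]["tags"], -kv[1]["max_cvss"])
    return sorted(rows.items(), key=critical_first)

if __name__ == "__main__":
    for host, row in summarize(FINDINGS, INVENTORY, build_scope(INVENTORY, RESTRICTED)):
        print(f"{host:12} {row['name']:12} worst CVSS {row['max_cvss']:<4} {dict(row['counts'])}")
```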

Choosing a Vulnerability Scanner

There are currently two tools that are the industry favourites: Nessus and Qualys. Each tool has unique features that the other does not. As an organization assessing the two, you need to look into which features you require.

While comparing the two, we noticed three features that Qualys utilizes that Nessus does not.

  1. Asset tagging allows you to tag your assets using whichever naming scheme you prefer. The tagging feature is helpful when there are systems you want to group or organize. You can tag systems as Unix or Windows, or even apply sensitivity tags, to get a better understanding of how vulnerable your business-critical systems are.
  2. Patch management allows for the deployment of an agent on each system to assist with patching while providing centralized visibility into open and missing patches.
  3. Threat protection prioritizes patching by analysing vulnerabilities for specific factors that would increase the risk of the vulnerability within your environment.

If one of the three features above is a requirement for your business, then you know which of the two tools you prefer.

Types of Vulnerability Scans

Based on the testing objectives established by the organization, not all vulnerability scans are alike. Some vulnerability scans may be aimed at achieving PCI compliance, others at evaluating risk levels across the network. It may be necessary to initiate two different types of vulnerability scan, one focused on the internal architecture and one on the external, each conducted as either an authenticated or an unauthenticated scan. Let’s focus on differentiating between the types below.

External Vulnerability Scan

This scan is scoped to all assets that are exposed outside the organization’s internal network. The purpose of this scan is to identify vulnerabilities in perimeter defenses, which may include externally exposed services, ports, applications, and servers. This is important because it gives an organization visibility into what a potential attacker is first exposed to when looking for vulnerable attack vectors that could be used to gain access to the internal network.

Internal Vulnerability Scan

A scan that is initiated from inside the organization’s perimeter defenses is considered an internal scan. The purpose of this scan is to detect vulnerabilities that could be exploited by internal malicious actors, such as an attacker who has bypassed external defenses or a disgruntled employee or contractor, who may be attempting to gain persistence, move laterally around the network, or escalate privileges in order to retrieve sensitive information or take control of services or machines.

Unauthenticated vs. Authenticated Vulnerability Scan

To gain a more detailed insight into an organization’s full architecture, it is useful to understand the difference between unauthenticated and authenticated scans. Both external and internal scans can be conducted in either an unauthenticated or an authenticated manner.
Unauthenticated scans search for weaknesses across the network from the perspective of an actor that does not have valid credentials allowing them to log into or use the service, application, or protocol. Any vulnerabilities discovered are therefore those visible to an actor that was not given privileged access to the resource in question. In many cases these vulnerabilities are the most dangerous, as they can be reached and exploited by virtually anyone. Common concerns include exploits based on unpatched service versions, weak passwords, and misconfigured applications and databases.

Authenticated scans provide the vulnerability scanner with various privileged credentials, allowing it to conduct a more thorough probe of the network. In these situations, the scan is assumed to have some form of access to the services, applications, and assets used by the organization. Common configuration issues or a lack of hardening may lead to privilege escalation, or to the successful exercise of exploits based on vulnerabilities that require some form of authenticated use of an application. Typically, this type of test assumes that an attacker has somehow obtained credentials (e.g., through phishing, brute force, or a malicious employee) and is now trying to identify what they have access to within the organizational network.

Cost of a Vulnerability Scan

The cost of the scan can vary depending on the tool chosen. Nessus publishes its price on its website, while Qualys requests more detailed information from you first. You can request a quote from each and determine whether deploying the tool within your environment is feasible, or reach out to a third-party security company to learn their service costs.

While a single scan can be easy to conduct, you’ll still need the expertise to create a recurring process, understand the results, manage the risks, and remediate. At Packetlabs we specialize in prioritizing risks and vulnerabilities by assessing them through the lens of an attacker. If a specific vulnerability would be our first target, we would recommend that it is mitigated first.

Contact us if you would like to know more about how our service could help measure and manage risk in your environment.