Vulnerability scanning

Vulnerability scanning and new methodology

A vulnerability scanner is a standard component of almost any IT security infrastructure.

What does it do?

It is a program that scans the devices on your network: computers, switches, routers, and any other kind of device the scanner supports.

Computers here means Linux, Windows, and macOS machines alike.

Most people in the IT industry have heard of Nessus, the popular vulnerability scanner that started out as an open-source Unix tool and is now a commercial product from Tenable, widely used to find vulnerabilities in systems.

Before going into more detail, let's define the terms vulnerability and exploit.

A vulnerability is a weakness in a system; an exploit is the code or procedure an attacker writes to take advantage of that weakness.

The vocabulary used to describe vulnerabilities is usually CVE, NVD and CVSS.

CVE stands for Common Vulnerabilities and Exposures: a public list, maintained by the MITRE Corporation, in which each entry has an identifier of the form CVE-YYYY-NNNN (the CVE prefix, the year, and a sequence number), a description, and references.

CVSS stands for Common Vulnerability Scoring System. It assigns a vulnerability a severity score from 0.0 to 10.0, which is commonly (if loosely) treated as its risk score. CVSS v3 maps score ranges onto the qualitative ratings None (0.0), Low (0.1-3.9), Medium (4.0-6.9), High (7.0-8.9) and Critical (9.0-10.0). Most published vulnerabilities carry a CVSS score, although a newly published CVE may remain unscored for a while, and a scanner's own finding may have no score at all.

The history of vulnerability scanners starts in 1995 with a tool called SATAN (Security Administrator Tool for Analyzing Networks).

In 1998 the well-known SAINT (Security Administrator's Integrated Network Tool), a descendant of SATAN, came into use.

In the same year the Nessus vulnerability scanner was released.

The CVE system, introduced by MITRE in 1999, provided a common reference database for vulnerabilities.

In 2003 Microsoft began releasing patches on the second Tuesday of each month, which became known as Patch Tuesday. IT administrators tend to dread it: when Windows systems are patched in bulk on that day, there is a real possibility of disruption.

In 2004 the Payment Card Industry Data Security Standard (PCI DSS) mandated quarterly vulnerability scans for organizations that handle cardholder data.

CVSS was launched in 2005.

The National Vulnerability Database (NVD) was launched by NIST in the same year.

In the early days a vulnerability scanner worked much like antivirus software: it carried a set of signatures that were tested against the device to see which known vulnerabilities were present. Nessus calls its signatures plugins, one per vulnerability, written in its own scripting language (NASL). A plugin is the metadata describing the test the scanner must run against the target device (for example, which service to probe and which version or response indicates the flaw) to confirm that the vulnerability exists.
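To make the idea of a plugin as test metadata concrete, here is an added example (not Nessus code, not NASL, and not from the original article) of the minimal signature-style check a remote, unauthenticated plugin performs when all it has to go on is a service banner. The product name examplehttpd, the plugin id, the fixed-in version and the banners are all constructed for the example.

```python
"""Minimal signature-style check, modelled on what a remote, unauthenticated
scanner plugin does when it only has a service banner to work with.
Added example: not Nessus/NASL code and not from the original article.
Product, versions, plugin id and banners are all constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Plugin:
    """Metadata describing one test: which product to look for and below
    which version it is considered vulnerable."""
    plugin_id: int          # hypothetical identifier, not a real plugin id
    name: str
    product: str            # product name as it appears in the banner
    fixed_in: tuple         # first version that carries the fix


def parse_version(text):
    """Turn '2.4.49' into (2, 4, 49) so versions compare numerically
    (tuple comparison gets 2.4.9 < 2.4.49 right, string comparison does not)."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def banner_product_version(banner):
    """Extract (product, version) from a banner such as
    'Server: examplehttpd/2.4.49'; return None if no version is advertised."""
    match = re.search(r"([A-Za-z][\w-]*)/(\d+(?:\.\d+)*)", banner)
    if match is None:
        return None
    return match.group(1), parse_version(match.group(2))


def run_plugin(plugin, banner):
    """Apply one plugin to one banner. Returns a finding when the banner
    names the plugin's product at a version older than fixed_in, else None."""
    parsed = banner_product_version(banner)
    if parsed is None:
        return None                     # nothing to compare: no finding
    product, version = parsed
    if product.lower() != plugin.product.lower():
        return None                     # different product: not applicable
    if version >= plugin.fixed_in:
        return None                     # patched or newer: not vulnerable
    return {"plugin_id": plugin.plugin_id, "name": plugin.name,
            "observed_version": version, "banner": banner}


def scan_banners(plugin, banners):
    """Run the plugin over a list of (host, banner) pairs and collect findings."""
    findings = []
    for host, banner in banners:
        finding = run_plugin(plugin, banner)
        if finding is not None:
            findings.append(dict(finding, host=host))
    return findings


# Constructed plugin and banners for the example; no real product or flaw.
SAMPLE_PLUGIN = Plugin(plugin_id=900001,
                       name="examplehttpd < 2.4.50 known vulnerability (constructed)",
                       product="examplehttpd", fixed_in=(2, 4, 50))

SAMPLE_BANNERS = [
    ("10.0.0.5", "Server: examplehttpd/2.4.49"),   # older than fix: finding
    ("10.0.0.6", "Server: examplehttpd/2.4.50"),   # exactly the fix: clean
    ("10.0.0.7", "Server: examplehttpd/2.4.9"),    # numerically older: finding
    ("10.0.0.8", "Server: otherd/3.1"),            # different product: skip
    ("10.0.0.9", "Server: examplehttpd"),          # no version: cannot tell
]

if __name__ == "__main__":
    for f in scan_banners(SAMPLE_PLUGIN, SAMPLE_BANNERS):
        print(f["host"], f["name"], f["observed_version"])
```

The check is only as good as the banner. A distribution that backports a fix without changing the advertised version will still trip this test, which is the classic false positive of unauthenticated scanning and one reason credentialed and agent-based scans check the installed package version instead; a banner with no version (the last sample) yields no finding rather than a guess.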

In recent years commercial products from Qualys, Rapid7 and Tenable have become very popular.

[Figure: Vulnerability scanning (diagram of how a vulnerability scanner works)]

Note that vulnerability scanning is normally done according to an established process in the company, never as an ad hoc or unauthorized task. It is carried out with the agreement of, and after notice to, all stakeholders, specifically IT and management. The reason is that a scan can always disrupt or even break production systems; to prevent that, and to be prepared when it happens anyway, everyone needs to be on the same page.

The findings can be missing updates on systems, unnecessary open ports, expired certificates, and so on.

Once the scanner reports findings, the IT team is asked to fix them by applying the necessary updates, closing unneeded ports, or patching the applications. When a specific vulnerability cannot be remediated right away, it is reported to management and IT as a risk and the legal team is informed; the risk is then handled by accepting it, buying additional liability insurance, or finding another way to mitigate it (for example, isolating the affected system or adding compensating controls) until a fix is possible.

One of the major problems with these systems is the number of tickets they generate, which can overload the IT teams.

A better approach is to triage: address the High and Critical findings first, and consolidate duplicate findings (the same vulnerability on many hosts) into one ticket rather than one ticket per host, so that the queue stays manageable.
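The following added example (not from the original article and not any vendor's code) shows this triage in working form, and also makes the CVSS rating bands from the definitions above concrete: it reads a scanner export, maps each score to its CVSS v3.x qualitative rating, keeps only findings at or above a chosen rating, and folds every host hit by the same plugin into one ticket. The CSV, its column names, the plugin ids and the hosts are constructed for the example.

```python
"""Triage scanner findings into a manageable set of tickets.
Added example, not from the original article and not any vendor's code.
The export below is constructed to look like a generic scanner CSV export
(column names chosen for the example); plugin ids and hosts are made up.
The score bands are the CVSS v3.x qualitative rating scale."""
import csv
import io

# Constructed scanner export: several hosts share the same findings, and
# one legacy check carries no CVSS score at all.
SAMPLE_EXPORT = """\
plugin_id,name,host,port,cvss
20001,TLS certificate expired,10.0.0.5,443,5.3
20001,TLS certificate expired,10.0.0.6,443,5.3
20002,Missing vendor patch (constructed),10.0.0.5,445,9.8
20002,Missing vendor patch (constructed),10.0.0.7,445,9.8
20002,Missing vendor patch (constructed),10.0.0.8,445,9.8
20003,Unnecessary service listening,10.0.0.9,23,7.5
20004,Service banner disclosed,10.0.0.5,80,0.0
20005,Legacy check without score,10.0.0.9,161,
"""

SEVERITY_ORDER = ["None", "Low", "Medium", "High", "Critical"]


def severity(score):
    """Map a CVSS v3.x base score to its qualitative rating; None -> 'Unrated'."""
    if score is None:
        return "Unrated"
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def parse_findings(text):
    """Read the CSV export; an empty cvss cell becomes None rather than 0.0,
    so an unscored finding is not silently treated as harmless."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        raw = row["cvss"].strip()
        row["cvss"] = float(raw) if raw else None
        findings.append(row)
    return findings


def triage(findings, minimum="High"):
    """Keep findings rated at or above `minimum` and fold all hosts affected
    by the same plugin into one ticket. Unscored findings are returned
    separately so a human can rate them instead of them being dropped."""
    threshold = SEVERITY_ORDER.index(minimum)
    tickets = {}
    unrated = []
    for f in findings:
        rating = severity(f["cvss"])
        if rating == "Unrated":
            unrated.append(f)
            continue
        if SEVERITY_ORDER.index(rating) < threshold:
            continue
        ticket = tickets.setdefault(f["plugin_id"], {
            "plugin_id": f["plugin_id"], "name": f["name"],
            "severity": rating, "cvss": f["cvss"], "hosts": []})
        ticket["hosts"].append(f"{f['host']}:{f['port']}")
    # Highest severity first so the queue is worked in the right order.
    return sorted(tickets.values(), key=lambda t: t["cvss"], reverse=True), unrated


if __name__ == "__main__":
    findings = parse_findings(SAMPLE_EXPORT)
    tickets, unrated = triage(findings, "High")
    print(f"{len(findings)} raw findings -> {len(tickets)} tickets, "
          f"{len(unrated)} unrated for manual review")
    for t in tickets:
        print(t["severity"], t["cvss"], t["name"], t["hosts"])
```

On the constructed export, eight raw findings become two tickets (one Critical covering three hosts, one High) plus one unscored finding held for manual review. Two caveats a practitioner will want: CVSS is a severity score, not a risk score, so a Medium on an internet-facing host can be more urgent than a Critical on an isolated lab box, and exposure and asset criticality should be layered on top of the score; and an unscored finding must not be quietly treated as 0.0, which is why the parser keeps it as None and the triage reports it separately.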

Understanding vulnerability scan reports requires real technical depth, and working through them takes a lot of time.

You can find more details online about the different types of scans, for example remote unauthenticated scans, remote authenticated (credentialed) scans, and agent-based scanning. The difference matters: an unauthenticated scan sees only what the target exposes on the network (open ports, banners, responses), while a credentialed or agent-based scan can log in and check installed package versions and missing patches directly, which produces fewer false positives and finds flaws that are not visible from the outside.