What is vulnerability scanning?
A vulnerability scan is an assessment of possible security vulnerabilities in computers, internal and external networks, and communications equipment that cyber criminals can exploit.
It is an automated activity that scans infrastructure targets such as IP addresses for known vulnerabilities and misconfigurations.
The resulting vulnerability assessment report will help you promptly identify security weaknesses that need to be resolved.
What is vulnerability scanning used for?
Vulnerability testing is an essential part of mitigating your organisation's security risks. By using a vulnerability scanner to identify the points of weakness in your systems, you can reduce the attack surface that criminals might exploit, focusing your security efforts on the areas that are most likely to be targeted.
Vulnerability scans can also help to routinely audit IP address ranges to see if unauthorised services are being exposed or whether redundant IP addresses are being used.
How does vulnerability testing work?
There are two main types of vulnerability scan:
- Unauthenticated scans will find weaknesses in your security perimeter.
- Authenticated scans use privileged credentials to go further, finding security weaknesses in your internal networks.
Whichever type you choose, vulnerability scanning tools will use reference databases of known flaws, coding bugs, anomalies, configuration errors and potential routes into corporate networks that attackers can exploit. These databases are updated continually.
Why are vulnerability scans important?
Vulnerabilities are widespread across organisations of all sizes. New ones are discovered constantly or can be introduced as a result of system changes.
Criminal hackers use automated tools to identify and exploit known vulnerabilities, and access unsecured systems, networks or data.
Exploiting vulnerabilities with automated tools is simple: attacks are cheap, easy to run and indiscriminate, so every Internet-facing organisation is at risk.
All it takes is one vulnerability for an attacker to access your network.
This is why applying patches to fix these security vulnerabilities is essential: if you don’t update your software, firmware and operating systems to the latest versions as they are released, the vulnerabilities in your systems will remain exploitable, leaving your organisation exposed.
Worse than this, the vast majority of intrusions are not discovered until it is far too late. According to FireEye Mandiant's M-Trends 2020 report, the global median dwell time between the start of a cyber intrusion and its identification is 56 days.
What does a vulnerability scan test?
Automated vulnerability scanning tools scan for open ports and detect common services running on those ports.
They identify any configuration issues or other vulnerabilities on those services and look at whether best practice is being followed, such as the use of TLSv1.2 or higher and strong cyphers.
A vulnerability scanning report is then generated to highlight the items that have been identified.
By acting on these findings, an organisation can improve its security posture.
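The checks described above (exposed services, protocol version, cipher strength), together with the IP range audit mentioned earlier, can be sketched as a triage pass over scan results. This is an added example, not IT Governance's tooling: the record layout, the approved-service inventory and the policy values are assumptions, and the findings are constructed sample data on a documentation address range.

```python
# Added example: the record layout, inventory and policy are assumptions,
# not any real scanner's output format. 192.0.2.0/24 is a documentation range.
from ipaddress import ip_address, ip_network

SCOPE = ip_network("192.0.2.0/24")           # range the organisation audits
APPROVED = {                                 # (host, port) -> expected service
    ("192.0.2.10", 443): "https",
    ("192.0.2.10", 22): "ssh",
    ("192.0.2.20", 443): "https",
}
MIN_TLS = (1, 2)                             # "TLSv1.2 or higher"
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "NULL", "EXPORT", "MD5")

# Constructed sample findings: one dict per open port reported by a scan.
FINDINGS = [
    {"host": "192.0.2.10", "port": 443, "service": "https",
     "tls": "TLSv1.3", "cipher": "TLS_AES_256_GCM_SHA384"},
    {"host": "192.0.2.10", "port": 22, "service": "ssh"},
    {"host": "192.0.2.20", "port": 443, "service": "https",
     "tls": "TLSv1.0", "cipher": "TLS_RSA_WITH_3DES_EDE_CBC_SHA"},
    {"host": "192.0.2.20", "port": 23, "service": "telnet"},
    {"host": "192.0.2.77", "port": 8080, "service": "http"},
]

def tls_version(label):
    """Parse 'TLSv1.2' / 'SSLv3' into a comparable tuple; SSL sorts below TLS."""
    proto, _, num = label.partition("v")
    major, _, minor = num.partition(".")
    return (0 if proto.upper() == "SSL" else int(major), int(minor or 0))

def audit(findings, approved=APPROVED, scope=SCOPE):
    """Return sorted (host, port, issue) tuples for findings that need action."""
    issues = []
    approved_hosts = {host for host, _ in approved}
    for f in findings:
        host, port = f["host"], f["port"]
        if ip_address(host) not in scope:
            continue                         # outside the audited range
        if host not in approved_hosts:
            issues.append((host, port, "address not in inventory"))
        elif approved.get((host, port)) != f["service"]:
            issues.append((host, port, "unauthorised service: " + f["service"]))
        if "tls" in f:
            if tls_version(f["tls"]) < MIN_TLS:
                issues.append((host, port, "protocol below TLSv1.2: " + f["tls"]))
            if any(m in f["cipher"].upper() for m in WEAK_CIPHER_MARKERS):
                issues.append((host, port, "weak cipher: " + f["cipher"]))
    return sorted(issues)

if __name__ == "__main__":
    print(*audit(FINDINGS), sep="\n")
```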
Who conducts vulnerability scans?
IT departments usually undertake vulnerability scanning if they have the expertise and software to do so, or they can call on a third-party security service provider like IT Governance.
IT Governance’s scans are conducted on targets that the client has the necessary permissions to have scanned, and users of the service are required to confirm that they have those permissions.
Vulnerability scans are also performed by attackers who scour the Internet to find points of entry into systems and networks.
How often should you conduct a vulnerability scan?
Vulnerability scans need to be conducted regularly to ensure that new vulnerabilities are identified as soon as they become common knowledge and that the appropriate remedial actions are taken, such as applying the necessary patches to fix software vulnerabilities.
Frequent security scanning can show where exposed services are unpatched and vulnerable to exploitation, allowing IT to take swift remedial action.
You should have a vulnerability management programme. This should include scanning at least monthly, penetration testing annually, and testing whenever you make changes to your systems.
This will help identify your security weaknesses and the extent to which you are open to attack.
What’s the difference between vulnerability scanning and penetration testing?
Vulnerability scanning is an automated process that identifies your cyber security weaknesses.
Penetration testing goes one step further. It involves professional ethical hackers combining the results of automated scans with their expertise to reveal vulnerabilities that may not be identified by scans alone.
Pen testers will also take your environment into account (a significant factor in determining vulnerabilities’ true severity), upgrading or downgrading the score as appropriate.
They can also identify false positives – where scans have identified weaknesses that do not exist – to ensure you do not waste resources securing parts of your infrastructure that are safe from attack.
By mimicking the techniques used by criminals and other threat actors, they can determine the actual extent to which your organisation is vulnerable.
Vulnerability scanning and remote working
Identifying and mitigating security vulnerabilities is especially important when staff work from home.
For instance, when you connect to the Internet via a home network, security features that you usually take for granted in the office, such as filtering, firewalls and encryption, might not be available.
And when staff use their own equipment (known as BYOD or ‘bring your own device’) to connect to the corporate network, you will have less control over the configuration of their security settings.
Keeping your VPN (virtual private network) software up to date is also essential to ensure staff have secure remote access to corporate systems.
Can a vulnerability scan help identify vulnerabilities on my website?
Vulnerability scans can be used to find software known to be vulnerable and infrastructure that has been incorrectly configured. For instance, a scan could reveal that the version of Apache Web Server running requires updating or that communication ports have been left exposed unnecessarily. A vulnerability scan cannot detect errors in the logic of the website, such as text fields that accept malicious data.
To comprehensively assess a website's security, a skilled ethical hacker who is experienced in web application testing should conduct a penetration test. These tests should be performed regularly and after changes to the applications have taken place.
A vulnerability scan will detect if a web server and vulnerable applications have been exposed to the Internet but may not identify other flaws such as URL manipulation that expose the application’s data or users.
Is a vulnerability scan suitable for industrial control systems?
No, vulnerability scans are not suitable for complex production environments with external access to industrial control systems or telecommunications equipment. This is because of the specialised nature of such production environments and the need for the correct tools and appropriately skilled ethical hackers. This type of environment will require a manually controlled penetration test.
IT Governance’s Vulnerability Scanning service
With a monthly subscription to our Vulnerability Scan service, you can:
- Scan for thousands of vulnerabilities, helping you see exactly what criminal hackers can see;
- Receive a detailed report that gives you a breakdown of all your weak spots;
- Act quickly to fix your security weaknesses before criminal hackers find and exploit them; and
- Run and rerun scans as often as you like within a month.