Types of Vulnerability Scans


Unauthenticated Scans

An unauthenticated scan is one that proceeds by directing test packets at a host without being logged on to the OS or application.

  • aka non-credentialed scan
  • the basic vulnerability scan of a host
    • typically external and unauthenticated
  • doesn’t require any credentials for the host being scanned, or any access other than network connectivity to it
    • allows the scan to be run against almost any device
  • effectively runs as an unprivileged user, since it never logs in to the target
  • shows:
    • which ports are open on the host
    • the banner information for the services listening on those ports
    • a guess at the applications and operating systems in use

Authenticated Scans

An authenticated scan is one that is conducted using a valid set of credentials, generally administrative, for the system being scanned.

  • aka credentialed scan
  • having credentials to log in to a host enables collection of internal information:
    • what software is installed
    • contents of configuration files
    • permissions on files and directories
    • user accounts
    • vulnerability patches the system needs
    • etc.
  • gives a more thorough view of the device and its potential vulnerabilities
  • requires keeping the authentication credentials current on both the vulnerability scanning tool and the host
  • some checks will also require administrative access to the device

Agent-Based Scans

Agent-based scans require the installation of small, special-purpose software utilities designed to collect information from the endpoint and pass it to the vulnerability scanner.

  • can provide a means to get around some of the downsides of authenticated scans
  • advantages:
    • improved vulnerability and host configuration data
    • less processing overhead on the vulnerability scanner server
    • simplified communication across network firewalls
    • direct access to system resources, allowing more detailed and accurate information
    • continuous, real-time monitoring, since the agent is resident on the host
  • operates primarily independently of network activity, though it still communicates with a central server and so generates some network traffic
  • disadvantages:
    • requires the deployment and installation of the agent software
    • can cause performance issues on the host due to resource consumption
    • agents add a new attack vector and additional software to track and patch

An agent is a small piece of software installed on each host.

  • runs as though it were a user on the system
    • so it’s authenticated
    • but it doesn’t require you to maintain a separate set of credentials
  • hosts configured with agents typically report to the management devices on their own
    • removing some of the need to search for the devices individually on your networks
  • some devices, such as network appliances, may not be able to run an agent

Agentless Scanning

  • simplest to implement
    • scans endpoints using protocols such as SSH, WMI, or SNMP
    • there are risks associated with WMI and SNMP, though
      • some orgs may not allow them
  • depends on network connectivity during scans
  • may miss data due to network restrictions or firewalls
  • requires a scan to be initiated each time
    • can’t provide real-time monitoring or threat detection and response

External/Internal Scans

  • External scans
    • focus on the view of systems from outside the network, i.e., from the Internet
    • vulnerabilities found from this view are critical
      • they are accessible from the Internet
      • treated with a “patch first, test second” approach
        • the risk of exploitation outweighs the risk of a patch introducing bugs
  • Internal scans
    • focus on the view of systems from within the private network
    • important for protecting systems from abuse by internal threats and for providing layered security
    • should include detailed, comprehensive vulnerability information

Active/Passive Scanning

Active scanning means directly interacting with a device or software to identify vulnerabilities.

  • e.g.,
    • using a vulnerability scanner
    • enumerating services
    • performing banner grabbing
    • content enumeration
    • using a web app scanner

Passive scanning describes methods used to identify vulnerabilities without directly interacting with a device or software.

  • e.g., network packet capture / analyzing network traffic
    • by inspecting traffic to and from a device, one can identify issues such as:
      • insecure protocols
      • cleartext credentials
      • inadequate encryption methods
      • DNS query data
      • etc.
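As an added example (not part of the original notes), the following passive check runs over constructed flow records and flags the four issue classes listed above; the port-to-protocol mapping, the `Flow` fields and the sample traffic are assumptions for the example, and nothing is sent to any host.

```python
# Added example (not from the original notes): a minimal passive-analysis pass over
# constructed traffic records, flagging the issue classes listed in the notes.
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Port-to-protocol mapping is an assumption for the example (well-known cleartext ports).
CLEARTEXT_PORTS = {21: "FTP", 23: "Telnet", 80: "HTTP", 110: "POP3"}
WEAK_TLS = {"SSLv3", "TLSv1.0", "TLSv1.1"}

@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: str                       # leading application bytes, as text
    tls_version: Optional[str] = None  # negotiated TLS version, if the flow is TLS

def analyze(flows):
    """Return (category, detail) findings; nothing is sent to the hosts."""
    findings = []
    for f in flows:
        proto = CLEARTEXT_PORTS.get(f.dport)
        if proto:
            findings.append(("insecure-protocol", f"{proto} to {f.dst}:{f.dport}"))
        if re.search(r"^PASS ", f.payload, re.M):
            findings.append(("cleartext-credential", f"FTP/POP3 password to {f.dst}"))
        if re.search(r"^Authorization: Basic ", f.payload, re.M):
            findings.append(("cleartext-credential", f"HTTP Basic auth to {f.dst}"))
        if f.tls_version in WEAK_TLS:
            findings.append(("weak-encryption", f"{f.tls_version} with {f.dst}"))
        if f.dport == 53:
            findings.append(("dns-query", f"{f.src} resolving via {f.dst}"))
    return findings

def summarize(flows):
    """Count findings per category, e.g. for a dashboard."""
    return dict(Counter(cat for cat, _ in analyze(flows)))

# Constructed sample flows, not captured traffic.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "10.0.0.9", 21, "USER alice\r\nPASS hunter2\r\n"),
    Flow("10.0.0.5", "10.0.0.20", 80,
         "GET /admin HTTP/1.1\r\nAuthorization: Basic YWxpY2U6aHVudGVyMg==\r\n"),
    Flow("10.0.0.5", "10.0.0.53", 53, ""),
    Flow("10.0.0.5", "10.0.0.30", 443, "", tls_version="TLSv1.0"),
    Flow("10.0.0.5", "10.0.0.30", 443, "", tls_version="TLSv1.3"),
]
```

Calling `summarize(SAMPLE_FLOWS)` gives two insecure-protocol, two cleartext-credential, one weak-encryption and one dns-query finding; the TLS 1.3 flow produces nothing.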

Application Scanning

Application vulnerability scanning describes a specialized vulnerability scanning method for identifying software application weaknesses.

  • uses tools designed to identify issues with application code and platform configuration, including web servers and web applications
  • evaluates the coding and behavior of individual software applications
    • static analysis
      • the process of reviewing uncompiled source code, either manually or using automated tools
    • dynamic analysis
      • software testing that examines code behavior at runtime
      • aka testing running applications
  • typically handled separately from general vulnerability scanning
    • due to:
      • the unique nature of software applications
      • the specific types of vulnerabilities they introduce
  • requires specialized tools and techniques
    • e.g., web application scanners
      • can search considerably more deeply in the application for issues than a scanner intended strictly for hosts
      • e.g., Burp Suite

Package Monitoring

Package monitoring refers to the techniques and tools designed to mitigate risks from application vulnerabilities in third-party code, such as libraries and dependencies.

  • tracks and assesses the security of third-party software packages, libraries, and dependencies
    • ensures they are up to date and free from known vulnerabilities
  • associated with
    • the management of software bill of materials (SBOM)
    • software supply chain risk management practices
  • typically achieved through automated tools and governance policies

Software composition analysis (SCA) tools are designed to assist with identification of third-party and open-source code during software development and deployment.

  • track and monitor the software packages, libraries, and dependencies used in an organization’s codebase
  • can automatically
    • identify outdated packages or packages with known vulnerabilities
    • and suggest updates or replacements
  • work by continuously comparing the organization’s software inventory against various databases of known vulnerabilities
    • e.g., the National Vulnerability Database (NVD) or vendor-specific advisories
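As an added example (not the notes' own code or any real SCA tool), the following compares an SBOM-like inventory against a constructed advisory feed the way the notes describe; the package names, versions and `EXAMPLE-VULN-*` ids are made-up placeholders, and versions are assumed to be plain dotted integers.

```python
# Added example (not the notes' own code): a minimal SCA-style comparison of a
# software inventory (SBOM-like) against a constructed advisory feed.
from dataclasses import dataclass

def parse_version(v):
    """'1.10.0' -> (1, 10, 0), so 1.10.0 > 1.9.0 (plain string comparison gets this wrong)."""
    return tuple(int(p) for p in v.split("."))

@dataclass(frozen=True)
class Advisory:
    package: str
    vuln_id: str      # placeholder ids below, not real CVE numbers
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive)

# Constructed advisories shaped like an NVD/OSV-style feed; ids and packages are made up.
ADVISORIES = [
    Advisory("examplelib", "EXAMPLE-VULN-0001", "1.0.0", "1.4.2"),
    Advisory("examplelib", "EXAMPLE-VULN-0002", "1.4.0", "1.5.0"),
    Advisory("othertool", "EXAMPLE-VULN-0003", "0.9.0", "2.0.0"),
]
# Constructed "latest release" data for the outdated-package check.
LATEST = {"examplelib": "1.5.0", "othertool": "2.1.0", "cleanpkg": "3.0.0"}

def is_affected(version, adv):
    v = parse_version(version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)

def min_safe_version(pkg, version):
    """Lowest version that clears every advisory hitting this install, or None if clean."""
    fixes = [parse_version(a.fixed) for a in ADVISORIES
             if a.package == pkg and is_affected(version, a)]
    return ".".join(map(str, max(fixes))) if fixes else None

def scan_inventory(inventory):
    """inventory: {package: version}. Returns (package, version, kind, detail) findings."""
    findings = []
    for pkg, ver in sorted(inventory.items()):
        for adv in ADVISORIES:
            if adv.package == pkg and is_affected(ver, adv):
                findings.append((pkg, ver, "vulnerable",
                                 f"{adv.vuln_id}: fixed in {adv.fixed}"))
        latest = LATEST.get(pkg)
        if latest and parse_version(ver) < parse_version(latest):
            findings.append((pkg, ver, "outdated", f"latest is {latest}"))
    return findings

# Constructed inventory, e.g. parsed from a lock file or SBOM.
SAMPLE_INVENTORY = {"examplelib": "1.4.1", "othertool": "2.0.0", "cleanpkg": "3.0.0"}
```

Note that two overlapping advisories can each suggest a different fixed version; `min_safe_version` takes the highest, since upgrading examplelib only to 1.4.2 would still leave it inside the second advisory's range.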