Vulnerability Scanner


A vulnerability scanner is hardware or software configured with a list of known weaknesses and exploits that can scan for their presence in a host OS or in a particular application.

  • attempts to find and report network services on hosts that have known vulnerabilities
  • often has the same functionality found in port scanners
    • scans the system to discover open ports, then interrogates each open port to find out which service (and version) is listening on it
  • can be implemented purely as software or as a security appliance
  • root, Domain Admin, and other built-in administrator accounts should not be used to run credentialed scans; use a dedicated scanning account with the least privilege the scan needs

Types

Infrastructure Vulnerability Scanner

An infrastructure vulnerability scanner is a type of software that scans network hosts (clients and servers) and intermediate systems (routers, switches, access points, and firewalls) for vulnerabilities.

  • scans for data such as:
    • patch level
    • security configuration and policies
    • network shares
    • unused accounts
    • weak passwords
    • rogue devices
    • antivirus configuration
    • etc.

Web Application Scanner

Web application scanners are specialized tools designed to identify application vulnerabilities that general-purpose vulnerability scanners often miss.

  • searches for and identifies security vulnerabilities within web applications
  • utilizes:
    • static and dynamic code analysis
    • fuzzing
    • reverse engineering techniques
  • can detect configuration issues and exploitable security misconfigurations
  • Debuggers allow analysts to:
    • identify weaknesses
    • reveal details regarding how a piece of software operates
  • Tools

Cloud Infrastructure Scanner

Cloud infrastructure scanners allow analysts to scan and analyze applications hosted in the cloud and the configuration of the platform they run on.

  • aka cloud platform assessment tools
  • vulnerability assessment tools generally assume that assets and infrastructure operate on a local (or on-premises) network
  • Managing vulnerabilities in a hosted public cloud is more complex
    • due to the dependence on the service provider
  • Identifying the division of responsibilities for threat and vulnerability management between the cloud service provider and the customer is crucial
  • increasing in popularity with the rise of cloud hosting
  • can:
    • detect vulnerabilities in applications and instances
    • identify platform misconfigurations
  • provide detailed findings reports
    • include recommendations for vulnerability remediation
  • review the CSP's acceptable use policy (AUP) before scanning hosts and services
    • the provider's permission to scan is usually required; unauthorized scans may violate the contract or be blocked
  • tools

How it Works

  • examines an organization’s on-premises systems, applications, and devices and compares the scan results to configuration templates and lists of known vulnerabilities
  • depend upon a database of known software and configuration vulnerabilities
  • compiles a report listing each vulnerability from its database that was found
  • each identified vulnerability is categorized and assigned an impact (severity) rating
    • most tools also suggest remediation options
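The port-scan-then-interrogate flow and the database comparison described above, as an added example that is not code from the original notes or from any real scanner. It takes service banners as a port scanner would have collected them, looks each one up in a small database of known vulnerable version ranges, and produces a report sorted by impact with a remediation hint. The banners, the version ranges and the EX-000n identifiers are all constructed for the example (they are not real CVE data), and every function name is the example's own.

```python
"""Added example: the matching core of a vulnerability scanner.

Scan results and the vulnerability database below are constructed for the
example; they are not real scan output or real vulnerability records.
"""
from dataclasses import dataclass
import re

# Constructed output of the port-scan / service-interrogation phase:
# (host, open port, banner returned by the listening service).
SCAN_RESULTS = [
    ("10.0.1.10", 22, "SSH-2.0-OpenSSH_7.4"),
    ("10.0.1.10", 80, "Server: Apache/2.4.49"),
    ("10.0.1.20", 21, "220 ProFTPD 1.3.5 Server ready."),
    ("10.0.1.20", 443, "Server: nginx/1.24.0"),
    ("10.0.1.30", 3306, "5.7.30-log"),  # banner the scanner cannot identify
]

# Constructed "database of known software vulnerabilities": affected version
# range is [introduced, fixed), plus an impact rating and a remediation hint.
# Real scanners ship thousands of these entries as plugins/feeds.
VULN_DB = [
    {"id": "EX-0001", "product": "OpenSSH", "introduced": "5.0", "fixed": "7.8",
     "impact": "Medium", "fix": "Upgrade OpenSSH to 7.8 or later"},
    {"id": "EX-0002", "product": "Apache", "introduced": "2.4.49", "fixed": "2.4.51",
     "impact": "Critical", "fix": "Upgrade Apache httpd to 2.4.51 or later"},
    {"id": "EX-0003", "product": "ProFTPD", "introduced": "1.3.0", "fixed": "1.3.6",
     "impact": "High", "fix": "Upgrade ProFTPD to 1.3.6 or later"},
]

# Banner fingerprints: regex capturing the version, and the product it maps to.
BANNER_PATTERNS = [
    (re.compile(r"OpenSSH[_ ](\d+(?:\.\d+)*)"), "OpenSSH"),
    (re.compile(r"Apache/(\d+(?:\.\d+)*)"), "Apache"),
    (re.compile(r"ProFTPD (\d+(?:\.\d+)*)"), "ProFTPD"),
    (re.compile(r"nginx/(\d+(?:\.\d+)*)"), "nginx"),
]

IMPACT_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}


@dataclass
class Finding:
    host: str
    port: int
    vuln_id: str
    product: str
    version: str
    impact: str
    remediation: str


def version_key(version):
    """Numeric tuple so that '2.4.9' < '2.4.10' (string comparison gets this wrong)."""
    return tuple(int(part) for part in version.split("."))


def identify_service(banner):
    """Map a raw banner to (product, version); None if no fingerprint matches."""
    for pattern, product in BANNER_PATTERNS:
        match = pattern.search(banner)
        if match:
            return product, match.group(1)
    return None


def is_affected(entry, version):
    """True when version falls inside the entry's [introduced, fixed) range."""
    v = version_key(version)
    return version_key(entry["introduced"]) <= v < version_key(entry["fixed"])


def scan_report(results, db=VULN_DB):
    """Compare scan results with the database; return findings, most severe first."""
    findings = []
    for host, port, banner in results:
        service = identify_service(banner)
        if service is None:
            continue  # unknown service: nothing to compare against
        product, version = service
        for entry in db:
            if entry["product"] == product and is_affected(entry, version):
                findings.append(Finding(host, port, entry["id"], product, version,
                                        entry["impact"], entry["fix"]))
    return sorted(findings, key=lambda f: (IMPACT_ORDER[f.impact], f.host, f.port))


if __name__ == "__main__":
    for f in scan_report(SCAN_RESULTS):
        print(f"{f.impact:<8} {f.host}:{f.port} {f.product} {f.version} "
              f"{f.vuln_id} -> {f.remediation}")
```

Two details matter in practice: version comparison must be numeric (a string compare would rate 2.4.10 as older than 2.4.9), and a banner the scanner cannot fingerprint produces no finding at all, which is one reason unauthenticated banner-based scans under-report and credentialed scans that read the installed package list are preferred where possible.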

Scope

The scope of a scan refers to the range of hosts or subnets included within a single scan job.

  • for a large network, it is sensible to schedule scans of different portions of the network at different times
    • reduces the impact on the network and the scanned hosts
    • makes results easier to analyze
  • limited-scope scans can be used to identify particular issues or meet particular compliance goals
  • asset criticality can affect scanning scope
    • critical assets get targeted scans, run more often than the rest of the network
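One way to plan scope for a large network as described above, written as an added example (not code from the original notes or from any particular scanner): a /16 is split into /24s dealt across a fixed number of scan windows so that no single job covers the whole network, hosts that are out of scope are excluded, and a set of critical assets is included in every window so they are scanned more frequently. The addresses, the window count and the function names are the example's own assumptions; the comma-separated target form is just the format most scanners accept for a target list.

```python
"""Added example: partitioning a large scan scope into scheduled jobs.

All addresses below are constructed for the example.
"""
import ipaddress

SCOPE = ipaddress.ip_network("10.0.0.0/16")                     # whole network
EXCLUDED = {ipaddress.ip_address("10.0.3.5")}                     # out of scope (constructed)
CRITICAL = {ipaddress.ip_address("10.0.1.10"),                    # critical assets (constructed)
            ipaddress.ip_address("10.0.7.22")}
WINDOWS = 4                                                       # scan windows per cycle


def split_scope(scope, windows, new_prefix=24):
    """Deal the /new_prefix subnets of scope round-robin across the windows."""
    subnets = list(scope.subnets(new_prefix=new_prefix))
    return [subnets[i::windows] for i in range(windows)]


def plan_scan_jobs(scope=SCOPE, windows=WINDOWS, critical=CRITICAL, excluded=EXCLUDED):
    """One job per window; every job also carries the critical hosts and the exclusions."""
    jobs = []
    for window, subnets in enumerate(split_scope(scope, windows)):
        jobs.append({
            "window": window,
            "subnets": subnets,
            "critical_hosts": sorted(critical),  # scanned in every window
            "excluded": sorted(excluded),
        })
    return jobs


def is_target(job, addr):
    """Would this job scan addr? Exclusions win, then critical hosts, then subnet membership."""
    addr = ipaddress.ip_address(addr)
    if addr in job["excluded"]:
        return False
    if addr in job["critical_hosts"]:
        return True
    return any(addr in net for net in job["subnets"])


def target_spec(job):
    """Render the job as a comma-separated target list of CIDRs and hosts."""
    parts = [str(net) for net in job["subnets"]] + [str(h) for h in job["critical_hosts"]]
    return ",".join(parts)


if __name__ == "__main__":
    for job in plan_scan_jobs():
        print(f"window {job['window']}: {len(job['subnets'])} subnets, "
              f"{len(job['critical_hosts'])} critical hosts, exclude {job['excluded']}")
```

With four windows each ordinary /24 is scanned once per cycle while each critical host is scanned four times, and the excluded host is never a target regardless of which window its subnet falls in. Real scanners apply exclusions at the scanner rather than in a plan like this, but the plan makes the intended coverage explicit and reviewable before a job is created.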

Types of Vulnerability Scans

Tools