What Is Vulnerability Scanning?
Vulnerability scanning is the systematic examination of an IT environment to identify security weaknesses that could be exploited by attackers. It involves scanning systems, networks, and applications to uncover vulnerabilities such as missing patches, outdated software, and misconfigurations.
Regular vulnerability scanning lets an organization find and fix weaknesses before an attacker exploits them, reducing the risk of security breaches and data loss. It also shows whether earlier remediation actually worked.
Finding vulnerabilities is only the first half of the job; they also have to be managed. A scanning program analyzes each finding, assesses its potential impact on the organization, and prioritizes remediation by severity and exposure, so that limited resources go to the vulnerabilities that matter most.
This is part of a series of articles about vulnerability assessment.
Key Steps in the Vulnerability Scanning Process
Here are the primary stages of a vulnerability scanning process. These steps describe an unauthenticated (network-only) scan. Many scanners can also run authenticated, or credentialed, scans, in which the scanner logs in to each host and reads the installed package list and configuration directly; that mode is more accurate but adds steps that are beyond our scope.
1. Selecting a Range of IP Addresses to Scan
In most types of vulnerability scans, one or more IP address ranges define the scope of the scan. It is crucial to cover every device connected to your network, since any unscanned device could carry severe vulnerabilities. The ranges you select depend on the size and complexity of your network. Once the scope is defined, the scanning tool can begin probing each address for potential vulnerabilities.
Getting the range right matters in both directions. Leaving out addresses means missing potential vulnerabilities; entering too wide a range means scanning devices that are not yours, wasting time and resources and possibly probing systems you have no authorization to touch. A second part of scoping is an IP denylist (exclusion list): some devices must not be scanned at all, for example fragile industrial controllers or medical devices whose operation a port scan could disrupt.
2. Discovery Scan
At this stage, the vulnerability scanning tool probes the defined range of IP addresses to identify open ports and services. This starts with host enumeration, which involves identifying the hosts or devices present on the network. Each of these hosts could be running multiple services, each with its own set of vulnerabilities. Once hosts are enumerated, the next step is typically port scanning, or identifying which ports are open on these hosts. This is a critical step because each open port represents a service that could potentially be vulnerable.
3. Capturing Software Versions of Running Services (CPEs)
The next step is to identify the product and version of each running service and record it as a Common Platform Enumeration (CPE) name. A CPE is a standardized identifier for a software or hardware product, with fields for vendor, product and version among others, not merely a version number. Every version has its own set of known vulnerabilities, so the accuracy of this step determines the accuracy of everything that follows. In an unauthenticated scan the version is usually inferred from service banners and protocol fingerprints, which can be wrong: many Linux distributions backport security fixes without changing the advertised version string, so a banner-based match can report a vulnerability that has already been patched.
CPEs provide a standardized method of naming and describing the software and hardware components on a system. This standardization lets vulnerability databases and scanning tools refer to the same product in the same way, so that known vulnerabilities for a given product and version can be looked up reliably.
4. Comparing CPEs with Vulnerability Databases
After the software versions have been captured, the next step is to compare these CPEs with vulnerability databases. These databases, such as the National Vulnerability Database (NVD), contain a comprehensive list of known vulnerabilities associated with various software versions.
By matching each CPE against the database, the scanning tool lists the known vulnerabilities recorded for that product and version. The result is a list of candidate findings, not proof of exploitability: a match means the detected version falls within a range the database marks as affected. False positives (backported fixes, the vulnerable feature disabled) and false negatives (vulnerabilities not yet in the database, or a version the scanner misidentified) are both possible, so findings still need validation before and during remediation.
5. Classifying Detected CVEs
Once the known vulnerabilities have been identified, the next step is to classify them based on their severity. This classification helps in prioritizing the remediation efforts, with the most severe vulnerabilities being addressed first.
Classification of Common Vulnerabilities and Exposures (CVEs) typically starts with a severity score. The Common Vulnerability Scoring System (CVSS, currently v3.1 and v4.0) rates the intrinsic severity of a vulnerability from factors such as attack vector, attack complexity, required privileges and impact on confidentiality, integrity and availability; the higher the base score, the more severe the vulnerability. CVSS does not say how likely exploitation is. That is what the Exploit Prediction Scoring System (EPSS) estimates: the probability that a CVE will be exploited in the wild within the next 30 days. Effective prioritization combines the two, together with asset criticality and exposure, rather than treating them as interchangeable.
6. Reporting on Vulnerabilities
The final step in the vulnerability scanning process is reporting on the identified vulnerabilities. This report typically includes details such as the affected hosts, the identified vulnerabilities, their severity scores, and recommended remediation actions. This is typically the final product of an automated vulnerability scanning tool.
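The six steps above, run end to end, as an added example that is not code from the original article or from any particular scanner. It runs offline: the discovery results are constructed, standing in for the ICMP/TCP probes a real scanner would send; the banner-to-CPE rules and the three-entry vulnerability database are assumptions for illustration (the CVE identifiers are real, with affected-version ranges and CVSS v3 base scores as recorded in NVD, but a real scan consults the live database rather than a hand-written table). The scope uses the RFC 5737 documentation range.

```python
"""Added example: minimal unauthenticated scan pipeline on constructed inputs.
Not from the original article; no packets are sent."""
import ipaddress
import re
from dataclasses import dataclass

# --- Step 1: scope and exclusions -----------------------------------------
SCOPE = ["192.0.2.0/29"]       # RFC 5737 documentation range (constructed)
DENYLIST = {"192.0.2.3"}       # e.g. a fragile controller that must not be probed

def targets(scope, denylist):
    """Expand the CIDR scope and drop denylisted addresses."""
    out = []
    for cidr in scope:
        for ip in ipaddress.ip_network(cidr).hosts():
            if str(ip) not in denylist:
                out.append(str(ip))
    return out

# --- Step 2: discovery (constructed results, stands in for host/port probes)
# host -> {open port: banner}
DISCOVERY = {
    "192.0.2.1": {22: "SSH-2.0-OpenSSH_9.6", 443: "OpenSSL/1.0.1f"},
    "192.0.2.2": {80: "Server: Apache/2.4.49 (Unix)"},
    "192.0.2.3": {502: "Modbus"},      # denylisted above, never reached
}

# --- Step 3: banner -> CPE 2.3 name (assumed fingerprint rules) -------------
BANNER_RULES = [
    (re.compile(r"OpenSSH_(\S+)"),   "openbsd:openssh"),
    (re.compile(r"OpenSSL/(\S+)"),   "openssl:openssl"),
    (re.compile(r"Apache/([\d.]+)"), "apache:http_server"),
]

def banner_to_cpe(banner):
    """Return a cpe:2.3 application name, or None if the banner is unknown."""
    for rx, vendor_product in BANNER_RULES:
        m = rx.search(banner)
        if m:
            return f"cpe:2.3:a:{vendor_product}:{m.group(1)}:*:*:*:*:*:*:*"
    return None

def version_key(v):
    """Sortable key so that 1.0.1 < 1.0.1f < 1.0.1g < 1.0.2 (mixed int/str parts)."""
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.findall(r"\d+|[a-z]+", v.lower()))

# --- Step 4: vulnerability database (toy table; ranges/scores per NVD) ------
@dataclass
class VulnEntry:
    cve: str
    product: str   # vendor:product fields of the CPE
    start: str     # first affected version, inclusive
    end: str       # last affected version, inclusive
    cvss: float    # CVSS v3 base score

VULN_DB = [
    VulnEntry("CVE-2014-0160", "openssl:openssl", "1.0.1", "1.0.1f", 7.5),
    VulnEntry("CVE-2021-41773", "apache:http_server", "2.4.49", "2.4.49", 7.5),
    VulnEntry("CVE-2021-42013", "apache:http_server", "2.4.49", "2.4.50", 9.8),
]

def match_cpe(cpe, db=VULN_DB):
    """Entries whose product matches and whose range contains the CPE version."""
    parts = cpe.split(":")
    product, version = ":".join(parts[3:5]), parts[5]
    return [e for e in db if e.product == product
            and version_key(e.start) <= version_key(version) <= version_key(e.end)]

# --- Step 5: classify by CVSS v3 qualitative severity bands -----------------
def severity(score):
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low" if score > 0 else "None"

# --- Step 6: report, most severe first --------------------------------------
def scan(scope=SCOPE, denylist=DENYLIST, discovery=DISCOVERY):
    findings = []
    for host in targets(scope, denylist):
        for port, banner in discovery.get(host, {}).items():
            cpe = banner_to_cpe(banner)
            if cpe is None:
                continue       # unknown service: cannot be matched, should be triaged by hand
            for e in match_cpe(cpe):
                findings.append({"host": host, "port": port, "cpe": cpe,
                                 "cve": e.cve, "cvss": e.cvss,
                                 "severity": severity(e.cvss)})
    findings.sort(key=lambda f: -f["cvss"])
    return findings

if __name__ == "__main__":
    for f in scan():
        print(f"{f['severity']:8} {f['cvss']:4} {f['host']}:{f['port']} {f['cve']}  {f['cpe']}")
```

Two things worth noticing in the output: the Apache host produces two findings from one banner, because both CVEs cover 2.4.49, and the denylisted host contributes nothing even though its constructed discovery data is present, because exclusion happens at the scoping step rather than at reporting. The OpenSSH banner yields a CPE but no finding, which is the normal case for a current version; a real database would decide whether that is correct.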
How Often Should You Perform Vulnerability Scanning?
External vs. Internal Scanning
The frequency of vulnerability scanning depends on factors such as the size and complexity of your network, the sensitivity of the data it handles, and the regulatory requirements your organization must meet. As a general rule of thumb, scan on a regular schedule, preferably at least weekly and daily for sensitive or internet-facing systems, and additionally after any significant change to the environment, such as a new deployment or a network change.
Regular vulnerability scanning allows you to stay on top of new vulnerabilities that may have been introduced since the last scan. It also enables you to verify that the remediation actions taken after the last scan have been effective in mitigating the identified vulnerabilities.