1.5 Explain vulnerability scanning concepts. Flashcards
Passively Test Security Controls
An important point about a vulnerability scan is that it does not attempt to exploit any vulnerabilities. Instead, a vulnerability scan is a passive attempt to identify weaknesses. This ensures that the testing does not interfere with normal operations. Security administrators then assess the vulnerabilities to determine which ones to mitigate. In contrast, a penetration test (covered later in this chapter) is an active test that attempts to exploit vulnerabilities.
Identify Vulnerability
Vulnerability scanners utilize a database or dictionary of known vulnerabilities and test systems against this database. For example, the MITRE Corporation maintains the Common Vulnerabilities and Exposures (CVE) list, which is a dictionary of publicly known security vulnerabilities and exposures. This is similar to how antivirus software detects malware using virus signatures.
The difference is that the CVE is one public list funded by the U.S. government, whereas antivirus vendors maintain proprietary signature files.
Other standards used by vulnerability scanners include the Security Content Automation Protocol (SCAP). SCAP utilizes the National Vulnerability Database (NVD), which includes lists of common misconfigurations, security-related software flaws, and impact ratings or risk scores. The risk scores quantify risks, allowing security experts to prioritize vulnerabilities. The SCAP also includes risk scores for items in the CVE.
Identify Lack of Security Controls
Vulnerability scanners can also identify missing security controls, such as the lack of up-to-date patches or the lack of antivirus software. Although many patch management tools include the ability to verify systems are up to date with current patches, vulnerability scanners provide an additional check to detect unpatched systems.
Identify Common Misconfigurations
Additionally, attackers often look for systems that are misconfigured, and vulnerability scanners can detect some common misconfiguration settings. Some of the vulnerabilities and common misconfigurations discovered by a vulnerability scanner include:
- Open ports
- Weak passwords
- Default accounts and passwords
- Sensitive data
- Security and configuration errors
Intrusive vs. Non-intrusive
Scans can be either intrusive or non-intrusive. You can also think of these terms as invasive and non-invasive, respectively. Tools using intrusive methods can potentially disrupt the operations of a system. In contrast, tools using non-intrusive methods will not compromise a system. These terms also apply to penetration testing (intrusive) and vulnerability scanning (non-intrusive).
When comparing penetration testing and vulnerability scanning, it’s important to remember that penetration tests are intrusive and more invasive than vulnerability scans. They involve probing a system and attempting to exploit any vulnerabilities they discover. If they successfully exploit a vulnerability, a penetration test can potentially disrupt services and even take a system down.
Vulnerability scans are generally non-intrusive and less invasive than penetration tests. They never attempt to exploit a vulnerability. Because of this, a vulnerability scan is much safer to run on a system or network because it is significantly less likely that it will affect services.
Credentialed vs. Non-credentialed
Vulnerability scanners can run as a credentialed scan using the credentials of an account, or as a non-credentialed scan without any user credentials.
Attackers typically do not have credentials of an internal account, so when they run scans against systems, they run non-credentialed scans.
Security administrators often run credentialed scans with the privileges of an administrator account. This allows the scan to check security issues at a much deeper level than a non-credentialed scan. Additionally, because the credentialed scan has easier access to internal workings of systems, it results in a lower impact on the tested systems, along with more accurate test results and fewer false positives.
It’s worth mentioning that attackers typically start without any credentials but use privilege escalation techniques to gain administrative access. This allows them to run a credentialed scan against a network if desired. Similarly, even though a credentialed scan is typically more accurate, administrators often run non-credentialed scans to see what an attacker without credentials would see.
False Positive
Unfortunately, vulnerability scanners aren’t perfect. Occasionally, they report a vulnerability when it doesn’t actually exist. In other words, the scan indicates a system has a known vulnerability, but the report is false.
As an example, a vulnerability scan on a server might report that the server is missing patches related to a database application, but the server doesn’t have a database application installed.
This is similar to false positives in an intrusion detection system (IDS) where the IDS alerts on an event, but the event isn’t an actual intrusion.
Similarly, an antivirus scanner can identify a useful application as malware, even though the application does not have any malicious code.
False positives can result in higher administrative overhead because administrators have to investigate them.