Technology | System Admin | Jon Welling
3 Types of Vulnerability Scans: Discovery, Full, Compliance
So, you want to be a White Hat hacker and start penetration testing for businesses. That James Bond-ish hacker life excites you. Before you can start hacking your way to greatness, though, you need to learn how to perform proper penetration tests. One of the things you need to learn is how to scan for vulnerabilities. You've heard of scanning for vulnerabilities, but you don't know too much about it. So, today, we are going to give you a brief overview of what vulnerability scanning is and what the three different types of vulnerability scans are.
What is Vulnerability Scanning?
Vulnerability scanning is the act of probing an information network or computer system for any known exploits or weaknesses in security. By finding existing exploits or weaknesses in security, security professionals can use that information to either strengthen the security of a computer system or break into a computer system.
That's a very sterile way of saying that vulnerability scanning is for finding broken things in your computer security. That isn't to say that you perform vulnerability scans to find new, previously unknown issues in a computer. That is a different type of research. Vulnerability scanning looks for existing, already-known types of flaws and security issues.
For instance, a security professional or IT administrator might scan their network to find any computers that would be susceptible to attacks like Heartbleed or WannaCry. Both Heartbleed and WannaCry rely on existing flaws in the Windows OS, both as an attack vector and as the means by which they spread. By finding which computers still expose the vulnerabilities that those exploits use, IT administrators can fix them in the hope of preventing any successful attacks from those exploits.
Vulnerability scanning is a must in today's IT world. In fact, some certifications require specific types of vulnerability testing. For example, for a business to remain PCI compliant, it must pass specific internal and external vulnerability checks. As new exploits are discovered, they may be added to the list of checks for PCI compliance. That means organizations need to constantly audit their information networks for vulnerabilities to remain PCI compliant.
Even if a business doesn't need to maintain compliance with an industry certification, it still needs to continuously audit its IT systems and scan its infrastructure for vulnerabilities.
For instance, a new exploit was recently released that uses the Windows Print Spooler as an attack vector. The currently recommended mitigation for that exploit is to disable the Windows Print Spooler on each system. Some computer systems may need the Windows Print Spooler active, though. In these cases, IT administrators may not be able to deploy a mass group policy that disables the Windows Print Spooler. Instead, administrators can scan their networks for any computers that have the Print Spooler active and disable that service computer by computer.
Discovery Scanning vs. Full Scanning vs. Compliance Scanning
Depending on the reason for performing a vulnerability scan on an information network, you may need to perform a different type of scan. There are a lot of vulnerability scanning tools available to IT pros, both paid services and free tools. Each tool acts differently, though. Because of that, different tools can be used for different purposes. Depending on who you ask, these different types of vulnerability scans may have different names, but they fall into one of three types:
- Discovery Scanning
- Full Scanning
- Compliance Scanning
Let's start with full vulnerability scanning. Full vulnerability scanning is the act of looking for every possible vulnerability on a network or computer system using every tool possible. While performing full vulnerability scanning, the security researcher or IT administrator doesn't care if anyone notices them performing these scans, and they don't care if they draw attention to themselves. By its nature, full vulnerability scanning can be very noisy because you are poking and prodding at every possible corner of the network.
On the other hand, discovery vulnerability scanning is only used to triage a network. Discovery scanning can be a quieter process depending on which tools you use. The goal of discovery scanning isn't to find every single exploit available on a network but rather just to get an idea of what kinds of devices live on a network and what kinds of vulnerabilities might be possible. Discovery scans are used to create a game plan for both full scans and compliance scans.
Depending on why you are scanning a network, you may need to run a stealth scan, too. Stealth scans tend to be performed during discovery scanning, but discovery scans may not always be stealthy. For example, a White Hat hacker hired to audit a business's IT security may want to simulate an active attack on that business's network. During that simulated attack, the White Hat hacker won't want the business to know that it is under attack. That hacker is going to act like a real, malicious hacker.
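The noise that a full scan produces is exactly what a defender's monitoring is built to notice, which is why a quieter discovery scan is used first when attention is unwanted. As an added example that is not part of this article, the following Python detector runs over constructed firewall-style log lines (the `src=... dst=... dport=...` record format and the thresholds are assumptions for this example, not a real product's format) and flags a source that hits many ports on one host or many hosts in a sliding time window. The sample log contains a noisy full scan, a one-port discovery sweep, and ordinary user traffic, so you can see which of the three gets flagged and why.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical firewall log format (an assumption for this example):
# "<ISO timestamp> src=<ip> dst=<ip> dport=<port>", one line per connection attempt.
LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+)$")


def build_sample_log():
    """Construct sample log lines: a noisy full scan, a quieter discovery
    sweep, and ordinary user traffic. No real traffic was captured."""
    base = datetime(2024, 1, 1, 10, 0, 0)
    lines = []
    # Full scan: 10.0.0.5 probes 60 ports on one host within a minute.
    for i in range(60):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} src=10.0.0.5 dst=10.0.0.20 dport={1 + i}")
    # Discovery sweep: 10.0.0.7 touches one port on each of 25 hosts.
    for i in range(25):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} src=10.0.0.7 dst=10.0.0.{30 + i} dport=443")
    # Ordinary traffic: 10.0.0.9 talks to two servers on one port each.
    for i, dst in enumerate(["10.0.0.20", "10.0.0.21", "10.0.0.20"]):
        ts = (base + timedelta(seconds=7 * i)).isoformat()
        lines.append(f"{ts} src=10.0.0.9 dst={dst} dport=443")
    return "\n".join(lines)


def parse_log(text):
    """Turn log text into (timestamp, src, dst, dport) tuples, skipping
    lines that do not match the expected record format."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, dport = m.groups()
        events.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return events


def detect_scans(events, window=timedelta(seconds=120),
                 port_threshold=20, host_threshold=10):
    """Flag sources that, within any sliding window, reach at least
    `port_threshold` distinct ports on one host ("port-scan") or at least
    `host_threshold` distinct hosts ("host-sweep").
    Returns {src: set of alert names}; sources with no alert are absent."""
    alerts = {}
    by_src = defaultdict(list)
    for ev in sorted(events):
        by_src[ev[1]].append(ev)
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # Advance the left edge so the window never spans more than `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            ports_per_dst = defaultdict(set)
            for _, _, dst, port in evs[start:end + 1]:
                ports_per_dst[dst].add(port)
            if any(len(p) >= port_threshold for p in ports_per_dst.values()):
                alerts.setdefault(src, set()).add("port-scan")
            if len(ports_per_dst) >= host_threshold:
                alerts.setdefault(src, set()).add("host-sweep")
    return alerts


def run_sample():
    """Run the detector over the constructed log and return its alerts."""
    return detect_scans(parse_log(build_sample_log()))


if __name__ == "__main__":
    for src, kinds in sorted(run_sample().items()):
        print(f"{src}: {', '.join(sorted(kinds))}")
```

On the sample, the full scan is reported as a port scan and the sweep as a host sweep, while the ordinary user is not reported at all. The thresholds are the tuning knobs a real deployment would adjust: lower them and a discovery sweep that touches only a handful of hosts slips under the radar, which is the "quieter" behaviour the text describes.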
Compliance vulnerability scans are used to audit security for compliance reasons. For example, PCI certification requires that businesses meet certain criteria including not being at risk of certain vulnerabilities. Organizations can use vulnerability scans to audit their security to test for compliance.
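The three scan types differ mostly in what you do with the results: a discovery scan gives you a triage inventory to plan from, and a compliance scan turns findings into pass/fail against a policy. As an added example (not code from this article, and not part of Nessus or OpenVAS), the Python below parses a constructed scan result written in nmap's grepable (`-oG`) layout, builds the discovery-style inventory with a rough device-role guess per host, and then checks every open service against an illustrative policy. The hosts, services and the `POLICY` rules are invented for the example; the policy is not the PCI DSS requirement list.

```python
import re

# Constructed sample in nmap's grepable (-oG) layout; it is not output from a
# real scan, and the hosts and services are invented.
SAMPLE_GNMAP = """\
# Nmap scan (constructed sample, not a real scan)
Host: 10.0.0.20 (web01.example.test)\tStatus: Up
Host: 10.0.0.20 (web01.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx/, 443/open/tcp//http//nginx/\tIgnored State: closed (997)
Host: 10.0.0.21 (legacy01.example.test)\tStatus: Up
Host: 10.0.0.21 (legacy01.example.test)\tPorts: 21/open/tcp//ftp///, 23/open/tcp//telnet///, 3306/open/tcp//mysql///\tIgnored State: closed (997)
Host: 10.0.0.22 ()\tStatus: Up
Host: 10.0.0.22 ()\tPorts: 9100/open/tcp//jetdirect///\tIgnored State: closed (999)
# Nmap done
"""

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\t(.*)$")

# Hypothetical policy used only for illustration; it is not the PCI DSS
# requirement list. Each rule names the services that violate it.
POLICY = {
    "no-cleartext-login": {"telnet", "ftp"},
    "no-exposed-database": {"mysql", "ms-sql-s", "postgresql"},
}

# Rough device-role guesses from open ports, for discovery-scan triage.
ROLE_HINTS = [(9100, "printer"), (3306, "database"), (80, "web server"), (443, "web server")]


def parse_gnmap(text):
    """Collect open ports per host from grepable output. Returns
    {ip: {"name": hostname or None, "ports": [(port, proto, service, version)]}}."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comments and other non-host lines
        ip, name, rest = m.groups()
        entry = hosts.setdefault(ip, {"name": name or None, "ports": []})
        if not rest.startswith("Ports: "):
            continue  # e.g. the "Status: Up" line
        ports_field = rest[len("Ports: "):].split("\t")[0]
        for item in ports_field.split(", "):
            fields = item.strip().split("/")
            if len(fields) < 7:
                continue  # malformed entry; a port entry has seven '/'-separated fields
            port, state, proto, _owner, service, _rpc, version = fields[:7]
            if state == "open":
                entry["ports"].append((int(port), proto, service, version))
    return hosts


def discovery_summary(hosts):
    """Triage view of each host, so the full or compliance scan can be planned.
    Returns {ip: {"name", "open_ports", "role"}}."""
    summary = {}
    for ip, entry in hosts.items():
        open_ports = sorted(p for p, _, _, _ in entry["ports"])
        role = next((r for p, r in ROLE_HINTS if p in open_ports), "unknown")
        summary[ip] = {"name": entry["name"], "open_ports": open_ports, "role": role}
    return summary


def check_compliance(hosts, policy=POLICY):
    """Return one finding per (host, open port) whose service a policy rule forbids."""
    findings = []
    for ip, entry in hosts.items():
        for port, _proto, service, _version in entry["ports"]:
            for rule, forbidden in policy.items():
                if service in forbidden:
                    findings.append({"host": ip, "port": port, "service": service, "rule": rule})
    return findings


if __name__ == "__main__":
    inventory = parse_gnmap(SAMPLE_GNMAP)
    for ip, info in discovery_summary(inventory).items():
        print(f"{ip} ({info['name'] or 'no name'}): {info['role']}, open {info['open_ports']}")
    for f in check_compliance(inventory):
        print(f"FAIL {f['host']}:{f['port']} {f['service']} violates {f['rule']}")
```

Run against the sample, the web server and the printer pass, while the legacy host produces three findings (FTP, telnet and an exposed MySQL port). The same parser serves both scan types; only the second stage changes, which is the practical difference between a discovery scan and a compliance scan on the same network.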
2 Effective Tools for Vulnerability Scanning
There are tons of tools that security researchers use for vulnerability scanning. For instance, IT pros can use a tool like NMAP or a script that pings IP addresses to find and map devices on a network. We have something a little better for you, though. Below are two tools you can use to kick your vulnerability scanning into high gear immediately.
Vuln Scan Tool #1: Nessus
Nessus is a paid product, but they do offer some tools for free. For instance, you can scan 16 IP addresses for free with their Essentials package. However, Nessus offers some neat features that aren't included with other vulnerability scanners. One of those features is pre-packaged scans designed for specific compliance needs. If you need to test your network or computer systems, both internally and externally, for PCI compliance, you can do that with Nessus with the push of a single button. Performing PCI compliance vulnerability scanning might otherwise require a lot of different tools and time.
Hands-On Vuln Scanning with Nessus [VIDEO]
In this video, Shawn Powers covers three different types of vulnerability scans. Vulnerability scans expose the ways your system can be taken advantage of or even show you how to break into a system. Watch as Shawn walks you through using Nessus in a Kali Linux environment to demonstrate what it detects and how.
If you are a professional cybersecurity researcher, or your business requires regular compliance scanning for security vulnerabilities, the cost of Nessus might be worth every penny to you.
Vuln Scan Tool #2: OpenVAS
OpenVAS is a free-to-use, open-source vulnerability scanner provided by Greenbone Networks. It is a web-based tool that communicates with local services on your computer to perform security vulnerability scans. Each type of scan uses open-source modules that are continuously updated.
You can find more information about OpenVAS here.
We covered a lot of information in this article, so let's go over that information in a 'too long, didn't read' format. Vulnerability scanning is the act of probing an information network or computer system for any known exploits or weaknesses in security.
Though different security pros might have different names for the various types of vulnerability scans or phases in security exploit detection, security scanning typically falls under one of three categories:
- Discovery Scanning
- Full Scanning
- Compliance Scanning
Discovery scanning is used to triage a network and get an idea of what kinds of computers and devices might be on that network. Discovery scanning may or may not be stealthy depending on the tools that are used. Full scanning is the act of trying to find every single exploit on a network. Full scans are never stealthy. Finally, compliance scanning is only used to check for specific vulnerabilities and security mechanisms to meet compliance.