Networks are the enabler of organizations in the digital age. The dynamic nature of on-premises and cloud network environments requires continuous vulnerability management to defend against the ever-evolving threat landscape.

In this article, we'll look at network vulnerability scanning, the process of identifying and classifying weaknesses in a network. It is a prerequisite for the successful mitigation of known vulnerabilities.


What is a vulnerability scanner?

A vulnerability scanner is an application that detects the hosts in a network and attempts to identify the services that are exposed by those systems. This is often considered the reconnaissance phase of a scan.

It then tries to catalog the software version of detected services and checks them against databases of vulnerabilities to identify security weaknesses.

Some scanners will also attempt to log in to services using default or well-known credentials and/or test for other common security risks. This step is the vulnerability verification phase.

All network hosts and their vulnerabilities are stored in an inventory, and once the scan is finished a report is created which can be used to improve the security posture of the organization.
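The two phases described above, reduced to their essentials, as an added example (not Tsunami's or any real scanner's code): the reconnaissance output is a constructed nmap `-sV -oX` XML sample, and the vulnerability database is a constructed dictionary whose identifiers are placeholders, not real CVEs.

```python
# Added example, not Tsunami's code: constructed nmap XML and a placeholder vulnerability DB.
import xml.etree.ElementTree as ET
NMAP_XML = """<nmaprun>
<host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/>
<service name="ssh" product="OpenSSH" version="7.4"/></port>
<port protocol="tcp" portid="80"><state state="open"/>
<service name="http" product="nginx" version="1.18.0"/></port>
</ports></host>
<host><status state="up"/><address addr="10.0.0.9" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/>
<service name="ssh" product="OpenSSH" version="8.2"/></port>
<port protocol="tcp" portid="445"><state state="filtered"/>
<service name="microsoft-ds"/></port>
</ports></host>
<host><status state="down"/><address addr="10.0.0.12" addrtype="ipv4"/></host>
</nmaprun>"""

# product -> [(affected versions, placeholder id, severity)]; the ids are not real CVEs.
VULN_DB = {
    "OpenSSH": [({"7.4", "7.5"}, "EXAMPLE-VULN-0001", "high")],
    "nginx": [({"1.16.0"}, "EXAMPLE-VULN-0002", "medium")],
}

def inventory(xml_text):
    """Reconnaissance: (host, port, product, version) per open port on live hosts."""
    found = []
    for host in ET.fromstring(xml_text).findall("host"):
        if host.find("status").get("state") != "up":
            continue  # a down host exposes nothing to catalog
        addr = host.find("address").get("addr")
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue  # filtered/closed ports are not services
            svc = port.find("service")  # absent when nmap could not fingerprint
            attrs = {} if svc is None else svc.attrib
            found.append((addr, int(port.get("portid")),
                          attrs.get("product", ""), attrs.get("version", "")))
    return found

def assess(services, db=VULN_DB):
    """Verification: match versions against the DB; returns {host: [findings]}."""
    report = {}
    for host, port, product, version in services:
        for affected, vuln_id, severity in db.get(product, []):
            if version in affected:
                report.setdefault(host, []).append(
                    (port, product, version, vuln_id, severity))
    return report
```

Real scanners replace the exact-version set with version-range matching and banner heuristics, which is also where most false positives and negatives come from.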

There are many commercial and open-source scanners available. Each comes with individual strengths and weaknesses, and some companies run multiple scanners to protect their network.

External and internal

A network scan for vulnerabilities can be performed from inside a network or from outside the protected perimeter. Both approaches aim to identify flaws that an attacker can exploit.

An external scan documents the services and potential vulnerabilities that are directly accessible from the internet.

Given how common insecure cloud configurations are, external scans are especially important for gaining confidence in the security posture of the setup.

Internal scans, on the other hand, aim to identify weaknesses inside the network and support a defense-in-depth security approach. These scans protect against threat actors who have already gained access to the local network and try to compromise more systems.

Tsunami - an open-source network security scanner

Google has released a general-purpose network security scanner for detecting vulnerabilities. The project is called Tsunami and is maintained by the open-source community on GitHub.


It uses nmap for the reconnaissance phase and tests for known passwords with ncrack.

Currently, the plugins for detecting exploitable vulnerabilities are rather limited, but this is expected to change in the coming months.

Tsunami is a great way to get started with scanning networks for vulnerabilities. The project encourages collaboration and anyone can support it by adding detectors.

Other network security measures

Scanning for known vulnerabilities is sometimes confused with other security measures. It is worthwhile to understand the different procedures and their purpose.

Penetration Test

It depends on the scope, but in general a penetration test is a simulated cyberattack on computer systems, processes, and employees to evaluate the overall security posture of an organization. The tools and techniques used in such a pentest are the same ones an attacker would use.

Penetration tests can surface complex security weaknesses that require coordinated human activities, rather than the execution of automated code.

Application Security Test

A specialized vulnerability test for applications that includes analysis of the source code. Application security testing is effective in detecting known security issues in software components or hardcoded passwords.

There is static application security testing (SAST), which examines code before compilation, and dynamic application security testing (DAST), which examines the application at run-time.

Threat Detection

The goal of this activity is the detection of malicious activities in the network. It includes the search for compromised systems, discovering the exfiltration of data, and the unmasking of malicious user behavior.

The tools of the trade are a SIEM system, the monitoring of indicators of compromise, and adaptive scanning for changes in the network.

Recap

Misconfigurations and security vulnerabilities are actively exploited by attackers. Knowing the weaknesses in a network is the first step toward successful mitigation.

Vulnerability scanning is therefore an important activity to improve the security of an organization’s network.