What is vulnerability scanning?

The textbook answer:

The automated process of proactively identifying security vulnerabilities of computing systems in a network in order to determine if and where a system can be exploited and/or threatened.

My thoughts:


House Analogy

Imagine a computer is your house.  Much like the doors and windows are ways an intruder can get into your house, network ports are the ways an intruder can get into your computer.  Different network ports on a computer run services with different characteristics, much like your garage door has different characteristics from your front door, your bedroom window, your sliding glass patio door, and so on.  If a smart intruder were trying to break into your house, they would examine each entry point separately, taking its particular characteristics into account to find the most likely way in.  A vulnerability scanner does just that for the network ports on a computer, in an automated way.  It probes each open port, works out which service and version is listening there (a banner, a protocol handshake, a specific response to a crafted request), and compares what it sees against a library of rules, or plugins, that describe how a system vulnerable to a known security flaw answers.  A match is reported as a finding.

As you can imagine, given the number of network ports on a computer, the number of possible implementations of the service behind each port, the number of rules used to probe each service, and the number of computers on a network, an automated tool that does this work is a life saver.  However, false positives do occur: a computer, often one running a non-standard or patched service, answers a probe in a way that matches a rule, and the scanner reports a vulnerability that isn't really there.  Version-based checks are especially prone to this, for example when a distribution backports a security fix without changing the version number the service advertises.  Also, if the computer is running an especially buggy service, it might become unresponsive or crash when queried, but this is rare, especially with the "safe checks" setting enabled in common vulnerability scanners, which skips the probes known to be dangerous.  Manually verifying false positives and dealing with the occasional buggy service are a small price to pay for the benefit of catching and fixing vulnerabilities before a real attacker finds and exploits them.

Vulnerability Scanning versus Penetration Testing

Vulnerability scanning is different from penetration testing.  Vulnerability scanning is the probing and examining of entry points to determine whether there appears to be a way in; a penetration test actually attempts to exploit the vulnerability to get in, taking a hammer to your window and trying to knock down your door.  Vulnerability scanning is less intrusive, and you would usually want to run it first, especially on production systems.  Penetration testing is often used later, in some cases to prove that a vulnerability the scanner found is actually exploitable, or to simulate what an attacker could do to your system once inside.

As part of the University of California's increased information security efforts (https://www.oit.uci.edu/news/information-security-efforts/), the OIT Security Team is first performing vulnerability scanning, over the next few months, of computers on campus that have registered ports open on the border firewall.  We use Tenable Nessus as the scanning tool, with all plugins enabled, scanning the default well-known ports, with safe checks enabled, without credentials to log in to the computer, and with web application scanning enabled to check for simple "low hanging fruit" unauthenticated web programming vulnerabilities.  Because the scan is uncredentialed, it only sees what an attacker on the network would see: exposed services and their responses.  It does not see missing local patches, weak host configuration, or software that is installed but not listening on a port, so a clean report means "nothing found from the outside," not "nothing wrong."  After a scan is run (with thousands of computers on campus, we run them in phased batches), we take the output from the tool, extract the relevant and actionable information into an easy-to-use spreadsheet that includes criticality, host, port, vulnerability description and recommended solution, and send it to the registered contact(s) of the computer in Server Registration so that they can fix the vulnerabilities.  It is important that they act on these reports, working in order of criticality, fixing each vulnerability or manually determining that it is a false positive, and requesting a rescan to verify the fixes.  We are also tracking detailed metrics of the scanning progress and findings to feed into a campus risk scorecard.
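To make the report-building step concrete, here is an added example (not OIT's own tooling) that turns a Nessus export into the kind of per-contact, criticality-sorted spreadsheet described above, and checks a rescan against the previous report so that fixed, still-open and newly appeared findings can be told apart.  The element and attribute names it reads (ReportHost, ReportItem, severity, pluginID, pluginName, description, solution) are those of Tenable's .nessus v2 XML export; the sample XML, its plugin IDs and the host-to-contact table are constructed for this example and stand in for a real export and for Server Registration.

```python
"""Build per-contact findings spreadsheets from a .nessus export and diff a rescan.

Added example, not OIT's tooling. Element/attribute names follow Tenable's
.nessus v2 export format; SAMPLE_NESSUS and CONTACTS below are constructed.
"""
import csv
import io
import xml.etree.ElementTree as ET

# Constructed sample export: two hosts, three real findings, one info-only item.
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2><Report name="campus-batch-1">
 <ReportHost name="192.0.2.10">
  <ReportItem port="22" protocol="tcp" svc_name="ssh" severity="2"
              pluginID="90317" pluginName="SSH Weak Algorithms Supported">
   <description>The SSH server allows weak encryption algorithms.</description>
   <solution>Remove the weak ciphers from the SSH configuration.</solution>
  </ReportItem>
  <ReportItem port="443" protocol="tcp" svc_name="www" severity="3"
              pluginID="51192" pluginName="SSL Certificate Cannot Be Trusted">
   <description>The server's X.509 certificate cannot be trusted.</description>
   <solution>Install a certificate issued by a trusted CA.</solution>
  </ReportItem>
  <ReportItem port="0" protocol="tcp" svc_name="general" severity="0"
              pluginID="19506" pluginName="Nessus Scan Information">
   <description>Information about this scan.</description><solution>n/a</solution>
  </ReportItem>
 </ReportHost>
 <ReportHost name="192.0.2.20">
  <ReportItem port="80" protocol="tcp" svc_name="www" severity="4"
              pluginID="34460" pluginName="Unsupported Web Server Detection">
   <description>The web server is no longer supported by its vendor.</description>
   <solution>Upgrade to a supported version.</solution>
  </ReportItem>
 </ReportHost>
</Report></NessusClientData_v2>"""

SEVERITY_LABEL = {4: "Critical", 3: "High", 2: "Medium", 1: "Low", 0: "Info"}

# Hypothetical host -> registered contact table (stands in for Server Registration).
CONTACTS = {"192.0.2.10": "admin-a@example.edu", "192.0.2.20": "admin-b@example.edu"}


def parse_nessus(xml_text, min_severity=1):
    """Return findings sorted by criticality; info-only items (severity 0) are dropped."""
    findings = []
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        for item in host.iter("ReportItem"):
            sev = int(item.get("severity", "0"))
            if sev < min_severity:
                continue
            findings.append({
                "criticality": SEVERITY_LABEL.get(sev, str(sev)),
                "severity": sev,
                "host": host.get("name"),
                "port": f"{item.get('port')}/{item.get('protocol')}",
                "plugin_id": item.get("pluginID"),
                "vulnerability": item.get("pluginName"),
                "description": (item.findtext("description") or "").strip(),
                "solution": (item.findtext("solution") or "").strip(),
            })
    findings.sort(key=lambda f: (-f["severity"], f["host"], f["port"]))
    return findings


def reports_by_contact(findings, contacts):
    """Group findings by registered contact; hosts with no contact go to 'unregistered'."""
    grouped = {}
    for f in findings:
        grouped.setdefault(contacts.get(f["host"], "unregistered"), []).append(f)
    return grouped


def to_csv(findings):
    """Render the spreadsheet columns a contact receives (CSV text)."""
    cols = ["criticality", "host", "port", "vulnerability", "description", "solution"]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=cols, extrasaction="ignore")
    writer.writeheader()
    writer.writerows(findings)
    return buf.getvalue()


def rescan_diff(before, after):
    """Compare two parsed reports. A finding is identified by (host, port, plugin)."""
    key = lambda f: (f["host"], f["port"], f["plugin_id"])
    old, new = {key(f) for f in before}, {key(f) for f in after}
    return {"fixed": sorted(old - new), "still_open": sorted(old & new), "new": sorted(new - old)}


if __name__ == "__main__":
    findings = parse_nessus(SAMPLE_NESSUS)
    for contact, rows in reports_by_contact(findings, CONTACTS).items():
        print(f"--- report for {contact} ---")
        print(to_csv(rows))
```

Keying the rescan diff on host, port and plugin ID rather than on the plugin name keeps a finding stable across plugin renames, and a host that disappears entirely from the rescan shows every finding as "fixed", which is worth a second look: it may have been decommissioned, or it may simply have been offline when the batch ran.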

On-going Effort

A vulnerability scan isn't a one-time effort either.  Computers are constantly being changed and upgraded, so new vulnerabilities can be introduced, and vulnerabilities are regularly discovered in code that hasn't changed at all.  A scan is only a snapshot of the system as it was on the day it ran.  Running vulnerability scans on a periodic basis, and after significant changes, is an information security best practice.

Hopefully this sheds some light on what vulnerability scanning is, why it is important, what service the OIT Security Team is providing, and how it fits into our current information security efforts on campus.  We are also looking into providing an improved enterprise self-service vulnerability scanning tool in the future.