What is a Network Vulnerability Scanner?

Network vulnerability scanners discover the hosts and software on an enterprise network and compare what they find against the continuously growing lists of published vulnerabilities, surfacing potential attack paths and focusing remediation on what an attacker could actually reach. They are a core component of any security toolbox.


How A Network Vulnerability Scanner Works

Here’s how a network vulnerability scanner works.

#1: Create Asset Inventory

Identifying assets is the first task of any scan. Most tools do this automatically from the network; some also require you to install agents on devices you administer directly.

Passive discovery quietly observes the traffic already flowing on a network segment and logs the hosts and protocols it sees, whereas active discovery probes hosts directly and plays the greater role in the next step.

#2: Establish Attack Surface

From there, the scanner works out which operating systems, applications and services are running on the discovered hosts. It sends a series of specially crafted probe packets and assesses how each host responds; the pattern of responses reveals what network-connected software is installed.

Landmarks such as TCP options, window sizes and time-to-live values are compared against an internal signature database, yielding a best-confidence guess at the host's operating system. Service banners and protocol responses do the same job for the applications listening on each port.

Because it needs nothing more than network reachability, this remote detection works for cloud-hosted servers and web apps as well as on-premises hosts.

Agent-based collection complements network probing: a lightweight agent installed on the device inventories programs, patch levels and configuration that are not visible from the network, giving the scanner's checks in the next step a more complete picture.
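To make the "landmarks" idea concrete, here is an added example of a toy TCP/IP stack fingerprint matcher. This is illustrative code written for this page, not Check Point's or any scanner vendor's implementation; the signature table and the observed values are constructed (plausible but not measured), and the scoring weights are an assumption. It shows the two things the paragraph glosses over: the observed TTL must first be normalised back to the sender's initial TTL, and a "best-confidence guess" should report a tie rather than pick a winner arbitrarily.

```python
# Added example (not Check Point's code): a toy TCP/IP stack fingerprint
# matcher. The signature table is constructed for illustration and is not
# taken from nmap, p0f or any vendor database; the values are plausible only.
from dataclasses import dataclass


@dataclass(frozen=True)
class Fingerprint:
    initial_ttl: int  # TTL the stack puts on outgoing packets (64, 128, 255 ...)
    window: int       # TCP window size advertised in the SYN/ACK
    options: str      # TCP option order, e.g. "M,S,T,N,W" (MSS, SACK, TS, NOP, WScale)
    df: bool          # IP "don't fragment" bit set on the reply


# Constructed signatures: names and values are illustrative, not measured.
SIGNATURES = {
    "linux-5.x":  Fingerprint(64, 65535, "M,S,T,N,W", True),
    "windows-10": Fingerprint(128, 65535, "M,N,W,N,N,S", True),
    "freebsd-13": Fingerprint(64, 65535, "M,N,W,S,T", True),
    "cisco-ios":  Fingerprint(255, 4128, "M", False),
}

MAX_SCORE = 10  # 3 (TTL) + 4 (options) + 2 (window) + 1 (DF), assumed weights


def infer_initial_ttl(observed_ttl: int) -> int:
    """Round the observed TTL up to the nearest common initial value.

    Every router hop decrements TTL by one, so a SYN/ACK arriving with TTL 52
    most likely left its sender at 64. A path longer than 32 hops would be
    misclassified; real scanners cross-check with a traceroute-style estimate.
    """
    for initial in (32, 64, 128, 255):
        if observed_ttl <= initial:
            return initial
    raise ValueError(f"TTL {observed_ttl} is outside the 8-bit range")


def score(sig: Fingerprint, observed: Fingerprint) -> int:
    """Weighted agreement between a signature and an observed stack."""
    points = 0
    if sig.initial_ttl == observed.initial_ttl:
        points += 3
    if sig.options == observed.options:
        points += 4  # option order is the most discriminating single landmark
    elif sig.options.split(",")[0] == observed.options.split(",")[0]:
        points += 1  # partial credit: same leading option
    if sig.window == observed.window:
        points += 2
    if sig.df == observed.df:
        points += 1
    return points


def guess_os(observed_ttl: int, window: int, options: str, df: bool):
    """Return (best_match_or_None, confidence in [0, 1]).

    None means the top two candidates tied: the tie is reported rather than
    resolved arbitrarily, which is what a best-confidence guess should do.
    """
    observed = Fingerprint(infer_initial_ttl(observed_ttl), window, options, df)
    ranked = sorted(
        ((score(sig, observed), name) for name, sig in SIGNATURES.items()),
        reverse=True,
    )
    best_score, best_name = ranked[0]
    confidence = best_score / MAX_SCORE
    if len(ranked) > 1 and ranked[1][0] == best_score:
        return None, confidence
    return best_name, confidence


if __name__ == "__main__":
    # Constructed observation: a SYN/ACK seen 12 hops away from a Linux-like stack.
    print(guess_os(52, 65535, "M,S,T,N,W", True))  # ('linux-5.x', 1.0)
    print(guess_os(60, 8192, "X", False))           # (None, 0.3): ambiguous
```

In practice the option string alone is rarely unique across kernel versions, which is why real scanners combine several probes (SYN, ACK, ICMP, closed-port replies) before committing to a guess, and why the result is still reported as a confidence rather than a fact.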

#3: Identify Potential Threats

The network vulnerability scanner then compares every identified asset and software version against a vulnerability database. This is often the vendor's in-house database, but it may also draw on public sources such as NIST's National Vulnerability Database (NVD).

Scanners also take a complementary approach and check configuration rather than just versions, comparing settings against a list of best practices, such as whether a sensitive database enforces strong authentication.

Alongside matching known vulnerabilities, a modern scanner should also look for potential attack paths: chains of weaknesses an attacker could use to move from an initial foothold toward highly sensitive systems and data. This is a key benefit of local (authenticated or agent-based) scans, since they detect the local flaws used for privilege escalation and lateral movement.

With these pieces in place, the scanner can map complete or partial attack paths.

#4: Generate Reports

Having assessed the extent of your attack surface, the scanner condenses each vulnerability and attack path into a readable report, typically ranked by severity. From there, it is up to your security team to prioritise and implement the necessary changes.
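Steps 3 and 4 in miniature, as an added example written for this page rather than code from Check Point or any scanner product. The inventory (what steps 1 and 2 would have produced), the vulnerability table and the firewall reachability are all constructed; the product names and the EX-nnnn identifiers are placeholders, not real advisories. It shows version-range matching done numerically rather than as string comparison, a breadth-first search for attack paths from the internet to a sensitive asset where each hop requires both network reachability and a remotely exploitable finding, and the flat report that results. The comment on find_vulns records the caveat a practitioner cares about: version matching alone misfires on vendor-backported fixes.

```python
# Added example (not Check Point's code): steps 3 and 4 in miniature.
# Inventory, vulnerability table and reachability below are CONSTRUCTED;
# the product names and EX-nnnn identifiers are placeholders, not advisories.
from collections import deque


def parse_version(v: str) -> tuple:
    """'2.4.49' -> (2, 4, 49) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


def in_range(version: str, first_affected: str, first_fixed: str) -> bool:
    """Affected if first_affected <= version < first_fixed."""
    v = parse_version(version)
    return parse_version(first_affected) <= v < parse_version(first_fixed)


# Constructed vulnerability table: product -> (first_affected, first_fixed, id, effect).
# "remote" = exploitable over the network; "local-privesc" = needs a foothold first.
VULN_DB = {
    "acme-httpd": [("2.4.49", "2.4.51", "EX-0001", "remote")],
    "acme-sshd":  [("7.0", "8.9", "EX-0002", "remote")],
    "acme-sudo":  [("1.8.2", "1.9.5", "EX-0003", "local-privesc")],
}

# Constructed inventory: what steps 1 and 2 would have produced.
HOSTS = {
    "web":     {"software": {"acme-httpd": "2.4.49", "acme-sudo": "1.8.31"}, "sensitive": False},
    "app":     {"software": {"acme-sshd": "8.2", "acme-sudo": "1.9.7"},      "sensitive": False},
    "db":      {"software": {"acme-sshd": "8.5"},                            "sensitive": True},
    "bastion": {"software": {"acme-sshd": "8.8"},                            "sensitive": False},
}

# Constructed reachability (firewall policy): source -> hosts it may connect to.
REACHABLE = {
    "internet": ["web"],
    "web": ["app"],
    "app": ["db"],
    "bastion": ["db"],
}


def find_vulns(software: dict) -> list:
    """Match each installed version against the table.

    Caveat: version matching alone misfires on vendor-backported fixes (same
    version string, patched code). An authenticated scan reads package
    metadata instead, which is why its results are more trustworthy.
    """
    findings = []
    for product, version in software.items():
        for first_affected, first_fixed, vuln_id, effect in VULN_DB.get(product, []):
            if in_range(version, first_affected, first_fixed):
                findings.append((vuln_id, product, version, effect))
    return findings


def assess() -> dict:
    return {name: find_vulns(host["software"]) for name, host in HOSTS.items()}


def remotely_exploitable(findings: list) -> bool:
    return any(effect == "remote" for _, _, _, effect in findings)


def attack_paths(findings_by_host: dict):
    """BFS from the internet. A hop is allowed only if the next host is both
    network-reachable and carries a remotely exploitable finding. Returns
    (complete paths ending at a sensitive asset, hosts a foothold reaches)."""
    complete, footholds = [], []
    queue = deque([["internet"]])
    while queue:
        path = queue.popleft()
        for nxt in REACHABLE.get(path[-1], []):
            if nxt in path or not remotely_exploitable(findings_by_host[nxt]):
                continue
            new_path = path + [nxt]
            if nxt not in footholds:
                footholds.append(nxt)
            if HOSTS[nxt]["sensitive"]:
                complete.append(new_path)
            queue.append(new_path)
    return complete, footholds


def report(findings_by_host: dict, complete: list, footholds: list) -> list:
    """Step 4: flatten findings and paths into human-readable lines."""
    lines = []
    for host, findings in findings_by_host.items():
        for vuln_id, product, version, effect in findings:
            lines.append(f"{host}: {vuln_id} in {product} {version} ({effect})")
    for path in complete:
        lines.append("attack path: " + " -> ".join(path))
    if not complete:
        lines.append("partial path only; footholds reachable: " + ", ".join(footholds))
    return lines


if __name__ == "__main__":
    findings = assess()
    complete, footholds = attack_paths(findings)
    print("\n".join(report(findings, complete, footholds)))
```

Patching the constructed "db" host to a fixed sshd version collapses the complete path and the report falls back to listing the footholds that remain, which is the "partial attack path" the text refers to. Note that the local privilege-escalation finding on "web" never changes the path search here; a fuller model would let it gate hops that require administrative rights.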

The 2 Types of Network Vulnerability Scanning Tools

Vulnerability scans can be performed from both outside and inside the network that’s being tested.

In brief: external scans identify entry points reachable from the public internet; internal scans find flaws inside the network that an attacker could use to move laterally after gaining a foothold.

Authenticated scans

Authenticated, or credentialed, scans are so named because they require valid account credentials or access rights on the target system. This lets the analysis cover:

  • User-specific settings
  • Access controls
  • Permissions

This means they can find local malware files and spot weak password configurations. Too many practitioners still assume that authenticated scans have to be run locally.

However, many tools on the market can now perform the assessment remotely, logging in to targets by IP address over SSH or over Windows management protocols such as SMB and WMI. Once configured, the targeted devices are scanned regularly for software vulnerabilities.

This deeper visibility means authenticated scans typically produce longer finding lists, so more triage is needed, but the findings themselves are more reliable than the version guesses an unauthenticated scan makes from banners (which miss, for example, vendor-backported fixes). Knowing how to string these findings into potential attack paths, and therefore into a corresponding remediation process, is what separates a good vulnerability scanner from the best.

Unauthenticated scans

Unauthenticated scans require no credentials or access rights on the target and can be run from outside or inside the network. The port scanning we touched on earlier is an example of unauthenticated scanning, as is network mapping.

Unauthenticated scanning does much of the heavy lifting for protecting exposed networks: it allows the detection of publicly accessible flaws such as:

Essentially, unauthenticated scans find the vulnerabilities an attacker could reach over the network without credentials, in particular those triggered by user input arriving from the Internet.
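The port scan and network mapping mentioned above, reduced to their unauthenticated core: a TCP connect probe followed by a banner grab. This is an added example written for this page, not Check Point's or any scanner's code. So that it runs offline, it starts a constructed local listener that greets clients with a made-up SSH-style identification string (the "SSH-protoversion-softwareversion" shape is the real SSH greeting format; the product name AcmeSSH is invented), and the banner-parsing rules are an assumption. It also shows what an unauthenticated probe cannot tell apart: an open port whose service waits for the client to speak first yields no banner at all.

```python
# Added example (not Check Point's code): an unauthenticated TCP connect
# probe with banner grabbing, run against a constructed local listener so it
# works offline. The banner grammar handled is the SSH identification string
# ("SSH-protoversion-softwareversion"); the product name is made up.
import socket
import threading

FAKE_BANNER = b"SSH-2.0-AcmeSSH_8.2\r\n"  # constructed; mimics the SSH greeting format


def start_fake_service(banner: bytes = FAKE_BANNER):
    """Stand-in daemon: accepts connections and sends a banner. Returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS choose a free port
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listener closed by the caller
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def closed_port() -> int:
    """Find a port nobody is listening on (bind, read the number, release it)."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def probe_port(host: str, port: int, timeout: float = 1.0):
    """TCP connect probe plus banner grab. Returns (state, banner_text).

    open     -> handshake completed (banner is empty if the service expects
                the client to speak first, e.g. HTTP)
    closed   -> RST received
    filtered -> no answer within the timeout: firewall drop or unreachable
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(256)
            except socket.timeout:
                data = b""
        return "open", data.decode("ascii", "replace").strip()
    except ConnectionRefusedError:
        return "closed", ""
    except (socket.timeout, OSError):
        return "filtered", ""


def parse_banner(banner: str) -> dict:
    """Extract service/product/version from the banner (constructed rules)."""
    if banner.startswith("SSH-") and banner.count("-") >= 2:
        # "SSH-2.0-AcmeSSH_8.2" -> protocol "2.0", software "AcmeSSH_8.2"
        _, proto, software = banner.split("-", 2)
        software = software.split(" ", 1)[0]  # drop the optional comment field
        product, _, version = software.partition("_")
        return {"service": "ssh", "protocol": proto, "product": product, "version": version}
    return {"service": "unknown", "protocol": "", "product": "", "version": ""}


def scan(host: str, ports) -> dict:
    """Probe each port; for open ones, attach the raw and parsed banner."""
    results = {}
    for port in ports:
        state, banner = probe_port(host, port)
        entry = {"state": state}
        if state == "open":
            entry["banner"] = banner
            entry.update(parse_banner(banner))
        results[port] = entry
    return results


if __name__ == "__main__":
    srv, port = start_fake_service()
    try:
        for p, info in scan("127.0.0.1", [port, closed_port()]).items():
            print(p, info)
    finally:
        srv.close()
```

Everything this probe learns, an attacker on the Internet can learn too, which is the point of the external scan; and everything it reports is an inference from a string the service chose to send, which is why the version it extracts is a lead to verify with a credentialed check rather than a confirmed finding.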

How to Maximize Your Vulnerability Scans

By following a number of best practices, your vulnerability scans can become significantly more productive.

#1: Take a Hybrid Approach

On the surface, unauthenticated scans seem far more convenient. Because they demand few resources and no setup, they are easier to run often, especially in a hurry.

But for organizations that use an identity and access management provider, loading credentials for authenticated scanning can be made far quicker. Some market-leading tools now allow rapid credential onboarding, so credentialed scans can be performed at a pace similar to unauthenticated ones.

This allows far more in-depth internal network security testing. Alongside this, some scanning tools can now test devices for default and other high-risk credentials by attempting to log in with them, catching the low-hanging fruit an attacker would try first.

As scans blur the line between vulnerability detection and penetration testing, combine the two: run the cheap unauthenticated sweep often, and run the deeper credentialed scan wherever credentials can be onboarded.

#2: Choose the Correct Frequency

The more often scans run, the higher the chance that a misconfiguration or security vulnerability is found before it is exploited in the wild. However, scanning too often risks system instability and drives up costs. This is why it is best to schedule smaller, segmented scans at appropriate times.

This also helps you spot false positives, since targeted scans produce less noise. The most timely scan is the one run just after implementing new controls: this follow-up scan confirms that the new controls and fixes have solved the issue, and that no new problems were introduced.

These smaller-scale scans are also suited to targeted checks on a handful of hosts after a suspected incident.

As for industry compliance, the specific demands can vary:

  • No fixed interval, but regular testing expected: SOC 2, ISO 27001, HIPAA and GDPR
  • At least quarterly, and after any significant change: PCI DSS

Note, though, that these compliance timings are minimums rather than the right cadence for every business; that depends on your own risk tolerance and your starting point.

Implement Your Post-Scan Changes with Check Point Infinity

Check Point Infinity provides managed service support for network vulnerability assessment platforms across the industry, from Microsoft Defender to Tenable One and Check Point's own vulnerability scanners. Rely on our experts' continual scans, network security improvements and monthly reports, and dig deeper into how we streamline vulnerability management today.
