
Module 5. Defining the Vulnerability Scanning Process

Vulnerability Scanning

Vulnerability scanning differs from pen testing in that it is generally non-intrusive, and the two work hand in hand. It can be done with or without credentials.

Consent should always be obtained before starting vulnerability scans or pen tests. Always operate within the permissions you have been granted, keep proper documentation, and have the authorisation forms on hand.

Passive Test

Vulnerability tests are by nature passive tests. They will typically involve:

  • no disruption to the business
  • reports and observations of findings
  • no downtime for applications, systems or services.

Identify Vulnerabilities and Lack of Security Controls

Scanners will report on the various vulnerabilities that have been found, which may include:

  • Missing patches
  • Security misconfigurations
  • Known exploits

Often the security controls may not just be misconfigured or missing a patch but could be missing altogether. For example:

  • Antivirus or Firewalls not installed
  • Missing patches

These types of misconfigurations or missing controls may be uncovered by reviewing logs or interviewing personnel.

Identify Common Misconfigurations

Nessus, Metasploit and other applications can identify misconfigurations.

Whether using automated tools or checking manually, the following should be reviewed:

  • Open ports
  • Weak passwords
  • Active default usernames and passwords
  • Sensitive data leaks
  • Create a security baseline and audit against it to check for unauthorised changes

Intrusive vs Non-Intrusive

Intrusive testing can disrupt normal operations and has a higher chance of causing system degradation or downtime.

Non-Intrusive Testing only identifies vulnerabilities and reports findings for later remediation.

Credentialed vs Non-Credentialed

Scans and tests can be run with, or without, system or network credentials.

Credentialed access is easier, has less impact on the scanned systems and is often more accurate.

Non-credentialed scanning will typically require more resources and a brute-force approach, or trying multiple attack vectors.

Attackers typically start with non-credentialed attacks and may use attacks like SQL or LDAP injection, cross-site scripting or other attack vectors to gain elevated access.

False Positive

No scanner is perfect, and they occasionally return false positives. You need to be able to recognise a reported vulnerability that does not actually exist, which means results need to be verified and audited.
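As an added example (not part of these course notes), the following Python script shows how the data a credentialed scan provides can be used to verify uncredentialed, banner-based findings and weed out false positives, and how an inventory check catches controls that are missing altogether rather than merely misconfigured. All hosts, versions, package names and finding ids are constructed.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    fid: str       # scanner's own finding id (constructed label)
    host: str
    port: int
    package: str   # package the scanner's banner check keyed on
    fixed_in: str  # version the scanner's plugin treats as patched
# Constructed uncredentialed scan output: banner-based guesses only.
FINDINGS = [
    Finding("EX-001", "web01", 80, "httpd", "2.4.6-90"),
    Finding("EX-002", "db01", 22, "openssh", "8.4"),
    Finding("EX-003", "db01", 8080, "tomcat", "9.0.1"),
    Finding("EX-004", "app01", 443, "nginx", "1.20.1"),
]
# Constructed credentialed data: what an authenticated scan or agent sees on each host.
INVENTORY = {
    "web01": {"packages": {"httpd": "2.4.6-97"}, "listening": {22, 80},
              "controls": {"firewall", "antivirus"}},
    "db01": {"packages": {"openssh": "8.0"}, "listening": {22, 3306},
             "controls": {"firewall"}},
}
REQUIRED_CONTROLS = {"firewall", "antivirus"}

def version_key(v):
    # Crude numeric ordering; real distro version schemes need a proper comparer.
    return tuple(int(p) for p in v.replace("-", ".").split(".") if p.isdigit())

def triage(finding, inventory):
    """Classify one finding as confirmed, false_positive or needs_review."""
    host = inventory.get(finding.host)
    if host is None:
        return "needs_review"    # no credentialed data, so it cannot be verified either way
    if finding.port not in host["listening"]:
        return "false_positive"  # nothing listens on that port at all
    installed = host["packages"].get(finding.package)
    if installed is None:
        return "needs_review"    # banner matched something the inventory does not track
    if version_key(installed) >= version_key(finding.fixed_in):
        return "false_positive"  # already patched (e.g. a backported fix); the banner misled the scanner
    return "confirmed"

def triage_all(findings, inventory):
    return {f.fid: triage(f, inventory) for f in findings}

def missing_controls(inventory, required=REQUIRED_CONTROLS):
    # Hosts where an expected control is absent altogether, not merely misconfigured.
    return {h: sorted(required - d["controls"])
            for h, d in inventory.items() if required - d["controls"]}
```

Every finding still marked needs_review or confirmed should go through manual verification before remediation is scheduled.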

Things to Remember

  • Obtain consent
    • Very important to obtain consent
    • Pen testing or vulnerability scanning without consent can be considered an attack
  • Review Company guidelines and rules of engagement
  • Identify and assess the tester's skills and background
    • Verify and obtain references
    • Tester could potentially have access to company sensitive data