While running vulnerability scanning tools on a network, configure them so that they do not break the operation, integrity or stability of the infrastructure. They should be used in a careful and effective manner. Otherwise, the heaviest object in the universe might be your vulnerability scan report!
The consistency and reliability of vulnerability scan reports is essential: the results should map onto your assets without gaps and identify vulnerabilities precisely. To achieve this, there are a few settings in your vulnerability scanning tool that should not be overlooked. Let's dive into them.
SYN Scan vs TCP Scan
In your own environment, vulnerability scans should not be run in a surreptitious, undetected way, but informedly and intentionally. Therefore, SYN scan is not the way to go. A SYN scan does not give you reliable results: it is quick, but it works on estimates and ends in uncertainty because it relies mostly on banner information, and, unlike a TCP connect scan, it never completes the full TCP 3-way handshake with the asset. SYN scan results are therefore quite likely to be inconclusive or incorrect.
A consistent option such as TCP (connect) scan, where the 3-way handshake is completed so that the firewall's connection-table entry can be properly established and then terminated, is always much more reliable and also ensures that the systems maintain their availability. There is therefore no harm in a TCP scan. Its only downside is that it is negligibly slower than a SYN scan. For more reliable scan results, TCP scan outweighs SYN scan despite the negligible speed disadvantage.
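To make the handshake argument concrete, here is an added example (not code from the original post) of what a full TCP connect probe does on the wire, run against a local test listener that stands in for one of your own assets. In Nmap terms this is the difference between -sS (SYN, half-open) and -sT (connect). The listener's accept() only returns after SYN, SYN/ACK and ACK have all been exchanged, so an "open" verdict is a confirmed connection rather than a banner-based guess, and the explicit shutdown() sends a FIN so any firewall state-table entry created for the probe is torn down cleanly. All hosts, ports and the listener itself are constructed inside the script; nothing remote is contacted.

```python
import socket
import threading
import time


def start_listener(host="127.0.0.1"):
    """Constructed stand-in for an asset in your own environment: a local
    listener that records every peer whose handshake actually completed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))            # let the OS pick a free ephemeral port
    srv.listen(5)
    srv.settimeout(0.2)            # so the accept loop can notice the stop flag
    accepted = []
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, peer = srv.accept()   # returns only after SYN, SYN/ACK, ACK
            except socket.timeout:
                continue
            except OSError:
                break
            accepted.append(peer)
            conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, accepted, stop


def connect_probe(host, port, timeout=1.0):
    """Full TCP connect probe: complete the 3-way handshake, then close in an
    orderly way. Returns 'open', 'closed' or 'filtered'.

    connect() succeeds only once the handshake has completed, so 'open' is a
    confirmed connection rather than a guess from banner text. The explicit
    shutdown() sends FIN, so the state-table entry a firewall created for this
    probe is torn down instead of being left half-open."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except ConnectionRefusedError:
            return "closed"        # RST came back: nothing is listening
        except OSError:
            return "filtered"      # no answer within the timeout, or unreachable
        try:
            s.shutdown(socket.SHUT_RDWR)   # orderly FIN rather than a dangling entry
        except OSError:
            pass                   # peer may already have closed; harmless
        return "open"


def connect_scan(host, ports, timeout=1.0):
    """Probe each port with a full connection; returns {port: verdict}."""
    return {port: connect_probe(host, port, timeout) for port in ports}


def free_port(host="127.0.0.1"):
    """Reserve and release an ephemeral port so we have one with nothing
    listening, to contrast with the open listener."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tmp:
        tmp.bind((host, 0))
        return tmp.getsockname()[1]


def demo():
    srv, accepted, stop = start_listener()
    host, open_port = srv.getsockname()
    closed_port = free_port(host)
    results = connect_scan(host, [open_port, closed_port])
    # The listener thread records the peer only after its accept() returns;
    # give it a moment so we can confirm the handshake was seen server-side.
    deadline = time.time() + 2.0
    while not accepted and time.time() < deadline:
        time.sleep(0.01)
    stop.set()
    return results, open_port, closed_port, len(accepted)


if __name__ == "__main__":
    results, open_port, closed_port, seen = demo()
    print(f"port {open_port}: {results[open_port]}, port {closed_port}: "
          f"{results[closed_port]}, handshakes seen by listener: {seen}")
```

The listener-side count is the point: with a connect scan every "open" result corresponds to one completed handshake the asset itself observed, which is exactly what a half-open SYN scan never produces.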
Authenticated or Credentialed Scan
After a successful TCP connection to an asset, it becomes necessary to log into systems or applications with credentials to gain deeper insight: identifying internal vulnerabilities, misconfigurations and loopholes. This type of scan also helps to properly pinpoint compliance problems, client or third-party software vulnerabilities and other internal exposures that cannot be detected from outside or by an external scan.
Vulnerability scanning tools usually require administrator-level accounts on systems for a credentialed scan, which means you also have to handle those accounts' passwords. These passwords should be changed as soon as possible after a scan. To rotate them automatically, you will need an enterprise password management tool as well.
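The rotation requirement is easy to state and easy to let slip, so here is an added example (not from the original post) of a check a defender can run over scanner and password-vault records: it flags every credentialed scan whose privileged account was not rotated within a chosen window after the scan finished. The record format, field names (scan_id, account, finished, rotated) and the sample scan accounts are all constructed for illustration; adapt them to whatever your scanner and vault actually export.

```python
from datetime import datetime, timedelta

# Constructed sample records (not from any real system). Each scan run records
# which privileged scan account it used and when it finished; each rotation
# event records when that account's password was changed.
SCAN_RUNS = [
    {"scan_id": "scan-001", "account": "svc-vulnscan-win", "finished": "2024-03-01T02:10:00"},
    {"scan_id": "scan-002", "account": "svc-vulnscan-lnx", "finished": "2024-03-01T02:40:00"},
    {"scan_id": "scan-003", "account": "svc-vulnscan-win", "finished": "2024-03-08T02:05:00"},
]
ROTATIONS = [
    {"account": "svc-vulnscan-win", "rotated": "2024-03-01T02:30:00"},  # 20 min after scan-001
    {"account": "svc-vulnscan-lnx", "rotated": "2024-03-02T09:00:00"},  # a day after scan-002
    # no rotation at all after scan-003
]


def find_unrotated(scan_runs, rotations, max_delay=timedelta(hours=1)):
    """Return the scan runs whose account password was not rotated within
    max_delay after the scan finished.

    Each finding carries the scan, the account, when the scan finished and the
    next rotation seen for that account (None if it was never rotated again),
    so the gap between scan and rotation is visible at a glance."""
    rotations_by_account = {}
    for event in rotations:
        rotations_by_account.setdefault(event["account"], []).append(
            datetime.fromisoformat(event["rotated"])
        )

    findings = []
    for run in scan_runs:
        finished = datetime.fromisoformat(run["finished"])
        times = rotations_by_account.get(run["account"], [])
        rotated_in_time = any(finished <= t <= finished + max_delay for t in times)
        if rotated_in_time:
            continue
        later = [t for t in times if t > finished]
        findings.append({
            "scan_id": run["scan_id"],
            "account": run["account"],
            "finished": run["finished"],
            "next_rotation": min(later).isoformat() if later else None,
        })
    return findings


if __name__ == "__main__":
    for f in find_unrotated(SCAN_RUNS, ROTATIONS):
        print(f"{f['scan_id']}: {f['account']} used at {f['finished']}, "
              f"next rotation: {f['next_rotation'] or 'never'}")
```

Run with the constructed data, scan-001 passes (rotated 20 minutes after the scan), scan-002 is flagged because the rotation came a day later, and scan-003 is flagged with no rotation at all, which is the case that matters most: an administrator-level scan credential still valid long after the scan that used it.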
Agent or Sensor Scan
Scanning with agents is an alternative to the credentialed scan, but not a fully interchangeable one, since agents can miss network checks, remote connectivity tests, enumeration over a network connection, and so on. It may also incur additional licensing costs. On the other hand, it removes the need for credential management, and it causes less disruption to your environment because the agent runs directly on the host. It extends the depth of the scan and provides continuous security coverage.
Vulnerability scanning needs great attention and in-depth analysis. A tiny overlooked configuration can lead to wrong assessments and wasted time. The three important techniques above are, quod erat demonstrandum, the essence of vulnerability assessment, and they should be used together to get the most out of your scan.
The featured painting above is Fight for a Turkish Standard by Józef Brandt