Users wishing to protect their computing systems are all too aware of the potential for those systems to be compromised. Compromise occurs when a vulnerability is exploited: it could be a weak password (or no password at all), or a service that requires no authentication and so lets an unauthorized user execute code on the system from outside it.
Researchers, both good and bad, seek these vulnerabilities in base operating systems, their components and drivers, and additional software such as Office applications, so it is a game of ‘cat and mouse’. Of course the good folks follow a recognised process to report the vulnerability to the respective vendor, whilst the bad folks look for ways to use the vulnerabilities to compromise systems that are not theirs, or to extend the access they already have into them.
Scanning is the term generally used to describe the process of searching for vulnerabilities. It can take place either through an internally installed agent, or externally over the network from a scanner that probes hosts in turn (think nmap for discovering hosts).
Remote network scanners send network packets to the target machine in order to establish the OS type and the open ports. This information is then used to test for the services hosted behind the open ports and, if possible, to log in to the system remotely. If login is possible, the scanner pokes around in the system for running services, files and their versions, and configurations. This information is reported to a central repository.
Agents in the past did something similar to the remote scanners by accessing many files, validating their versions and checking them on the fly against a set of known vulnerabilities and file associations. More modern agents collect details of files, software and configurations as an inventory and send it back to a central repository, where the data are processed and assessed.
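The inventory-and-assess step that modern agents hand off to the central repository, as an added example that is not part of the original article or of any vendor's product: a constructed inventory (host, product, installed version) is matched against a constructed advisory catalogue by version range. The advisory identifiers, products and version numbers are placeholders, not real advisories; note that versions are compared numerically per component, because comparing them as strings would wrongly treat "1.1.10" as older than "1.1.5".

```python
"""Inventory-based vulnerability assessment (added example, constructed data)."""
from dataclasses import dataclass


def parse_version(version: str) -> tuple:
    """Turn '1.1.10' into (1, 1, 10) so versions compare numerically, not lexically.

    Assumption: purely numeric dotted versions; real products (OpenSSL's '1.1.1k',
    for example) need a product-specific parser.
    """
    return tuple(int(part) for part in version.split("."))


@dataclass
class Advisory:
    vuln_id: str            # placeholder identifier, not a real CVE number
    product: str
    fixed_in: str           # first version that is NOT affected
    min_affected: str = "0" # first affected version
    severity: str = "medium"


def is_affected(installed: str, adv: Advisory) -> bool:
    """True when min_affected <= installed < fixed_in, compared numerically."""
    v = parse_version(installed)
    return parse_version(adv.min_affected) <= v < parse_version(adv.fixed_in)


def assess_inventory(inventory: dict, catalogue: list) -> dict:
    """Return {host: [(vuln_id, product, installed_version, severity), ...]}.

    Every package on every host is checked against every advisory for that
    product; hosts with no matches still appear, with an empty list.
    """
    findings = {}
    for host, packages in inventory.items():
        hits = []
        for product, version in packages.items():
            for adv in catalogue:
                if adv.product == product and is_affected(version, adv):
                    hits.append((adv.vuln_id, product, version, adv.severity))
        findings[host] = hits
    return findings


# Constructed sample inventory, as an agent might report it.
INVENTORY = {
    "web-01": {"openssl": "1.1.1", "nginx": "1.18.0"},
    "db-01": {"openssl": "1.1.10", "postgresql": "13.2"},
}

# Constructed advisory catalogue with placeholder identifiers.
CATALOGUE = [
    Advisory("EXAMPLE-0001", "openssl", fixed_in="1.1.5", severity="critical"),
    Advisory("EXAMPLE-0002", "nginx", fixed_in="1.20.0", min_affected="1.17.0", severity="high"),
    Advisory("EXAMPLE-0003", "postgresql", fixed_in="13.4", severity="medium"),
]

if __name__ == "__main__":
    for host, hits in assess_inventory(INVENTORY, CATALOGUE).items():
        print(host)
        for vuln_id, product, version, severity in hits:
            print(f"  {severity:8} {vuln_id} {product} {version}")
```

In the sample, db-01 runs openssl 1.1.10, which is newer than the 1.1.5 fix and so is correctly reported clean; a string comparison would have flagged it as vulnerable.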
Endpoint management systems have expanded their capabilities to include inventory-type analysis as above, and along with protection information provide vulnerability detail about the system.
The majority of vulnerability assessment vendors present collections of vulnerabilities per host, such that analysts can use this information to prioritize the patching of the vulnerabilities. These are ordered by default with the critical-rated vulnerabilities at the top in most systems.
Analysts, managers and operations folks want to know which vulnerabilities are most important to patch. Some Vulnerability Management systems provide mechanisms for adding threat-related input to raise or lower vulnerabilities’ scores based on prevalence (of the flawed software), exploit code availability, etc. We look at this in another section.
The reports produced are typically used by operations leaders to issue a remediation plan to the team responsible for the asset. A later scan repeats this process, and the expectation is that the vulnerability no longer exists on that asset.
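The two steps just described, prioritising findings with threat-related input and then confirming on the next scan that remediated findings are gone, as an added example that is not from the original article or any vendor's product. The findings, identifiers and hosts are constructed, and the scoring weights (a fixed bump for publicly available exploit code, a bump proportional to how many assets run the flawed software) are illustrative assumptions, not any product's formula.

```python
"""Threat-adjusted prioritisation and rescan verification (added example, constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str            # placeholder identifier, not a real CVE number
    base_score: float       # CVSS-style base severity, 0.0 to 10.0
    exploit_public: bool = False
    asset_count: int = 1    # assets in the estate running the flawed software


# Illustrative weights (assumptions): tune to the organisation's risk appetite.
EXPLOIT_BUMP = 1.5
PREVALENCE_BUMP = 1.0


def adjusted_score(f: Finding, total_assets: int) -> float:
    """Raise the base score for exploit availability and prevalence, capped at 10."""
    score = f.base_score
    if f.exploit_public:
        score += EXPLOIT_BUMP
    score += PREVALENCE_BUMP * (f.asset_count / total_assets)
    return round(min(score, 10.0), 1)


def prioritise(findings: list, total_assets: int) -> list:
    """Order findings so the highest adjusted score is patched first."""
    return sorted(findings, key=lambda f: adjusted_score(f, total_assets), reverse=True)


def rescan_diff(previous: list, current: list) -> dict:
    """Compare two scans of the same estate by (host, vuln_id).

    'remediated' findings were present before and are gone now; 'persisting'
    ones are still there after the remediation plan; 'new' ones appeared since.
    """
    prev = {(f.host, f.vuln_id) for f in previous}
    cur = {(f.host, f.vuln_id) for f in current}
    return {
        "remediated": sorted(prev - cur),
        "persisting": sorted(prev & cur),
        "new": sorted(cur - prev),
    }


TOTAL_ASSETS = 50  # constructed estate size

# Constructed first scan: a 7.5 with public exploit code on 40 of 50 assets,
# a 9.0 with no known exploit on 2 assets, and a 5.3 on 10 assets.
PREVIOUS_SCAN = [
    Finding("web-01", "EXAMPLE-0001", 7.5, exploit_public=True, asset_count=40),
    Finding("web-01", "EXAMPLE-0002", 9.0, asset_count=2),
    Finding("db-01", "EXAMPLE-0003", 5.3, asset_count=10),
]

# Constructed rescan after remediation: EXAMPLE-0001 was patched on web-01,
# the other two remain, and a new finding appeared on db-01.
CURRENT_SCAN = [
    Finding("web-01", "EXAMPLE-0002", 9.0, asset_count=2),
    Finding("db-01", "EXAMPLE-0003", 5.3, asset_count=10),
    Finding("db-01", "EXAMPLE-0004", 6.1),
]

if __name__ == "__main__":
    for f in prioritise(PREVIOUS_SCAN, TOTAL_ASSETS):
        print(f"{adjusted_score(f, TOTAL_ASSETS):4} {f.host} {f.vuln_id}")
    for status, items in rescan_diff(PREVIOUS_SCAN, CURRENT_SCAN).items():
        print(status, items)
```

With these weights the 7.5 finding that has public exploit code and is present on most of the estate outranks the 9.0 that has neither, which is exactly the reordering the threat input is meant to produce; the rescan diff then shows which entries of the remediation plan actually closed.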
Vendors and Tools
The market for Vulnerability Assessment and Vulnerability Management is quite mature at this point, although other vendors have lately become able to report the presence of vulnerabilities in managed systems. At Axonius we are able to retrieve vulnerability data from a range of platforms, the most common being:
- Tenable (Tenable.io; Tenable.sc; Nessus)
- Rapid7 (Nexpose; InsightVM)
- CrowdStrike (Spotlight)
- Greenbone OpenVAS