Vulnerability Scanning Methodologies

Just What Is a Vulnerability Scan?

IT security administrators fight a constant battle against external and internal threats to their networks. Securing the vast array of servers, workstations, routers, switches and other appliances requires constant attention. One of the methods security administrators use to secure their environment is the vulnerability scan.

A vulnerability scan probes a network in much the same way a hacker would look for ways in. Port scans, SQL injection, cross-site scripting, buffer overflows and other attacker techniques can all be part of a vulnerability assessment. Several tools let the administrator automate the process of scanning a network. At the same time, companies often hire outside firms that use different methodologies to attempt to gain access to the environment.

Nessus

Tenable Network Security produces a popular vulnerability scanning tool known as Nessus. Nessus began as a free open-source application, and Tenable still provides a no-cost version for use on individual computers. Administrators wishing to scan their entire network must acquire the full commercial version.

Administrators can choose from a wide array of plugins depending on their network design and the operating systems in use. Once the application is installed and running, the administrator builds a policy. The policy specifies which tests to run and which vulnerabilities to check for. Care must be taken to select only the tests that are necessary, as some tests can be very intrusive and even destructive to the network.

Once the policy is built, the administrator runs a scan based on it. The scanner generates a report detailing the potential vulnerabilities it found.

Retina Network

eEye Digital Security makes a rival product known as Retina. Like Nessus, Retina Network allows administrators to scan their networks for vulnerabilities. Retina Network adds features designed to keep security staff from running scans that could cause problems on the network itself. eEye Digital Security also offers integrated products for detailed reporting, patch management and compliance reporting.

Compliance reporting lets administrators understand how secure their environments are relative to external requirements such as the Payment Card Industry Data Security Standard (PCI DSS), Sarbanes-Oxley, HIPAA or other regulatory standards.

Tripwire Enterprise

Tripwire Enterprise provides a different methodology for vulnerability scanning. Instead of performing active scans against individual hosts, the application gathers configuration data and stores it centrally. Tests are then run against the stored data, looking for configuration items that may be misconfigured. Another difference is that Tripwire Enterprise tests the systems against external standards such as the Center for Internet Security benchmarks, ISO 27001, PCI and other requirements.

This permits the administrator to perform configuration assessments against the network more frequently than traditional vulnerability scans allow. Reports then detail which systems have vulnerabilities and how to correct them. In addition, the application can automatically correct misconfigured systems to bring them into compliance.
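The configuration-assessment methodology described above, as an added example that is not Tripwire's code: configuration items are collected once into a central store (constructed snapshots here), benchmark rules are evaluated against the stored data rather than against live hosts, and the report lists each failing item together with its remediation. The rule identifiers, configuration keys and host names are constructed for illustration.

```python
# Added example: offline configuration assessment over stored snapshots.
# Rules and host snapshots below are constructed, not real benchmark data.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    rule_id: str        # hypothetical benchmark identifier
    item: str           # configuration key as stored in the snapshot
    expected: str       # value the benchmark requires
    fix: str            # remediation text shown in the report

# Constructed rules loosely modelled on common hardening benchmarks.
RULES = [
    Rule("SSH-01", "sshd:PermitRootLogin", "no", "set 'PermitRootLogin no' in sshd_config"),
    Rule("PWD-01", "login.defs:PASS_MAX_DAYS", "90", "set PASS_MAX_DAYS to 90 in login.defs"),
]

# Constructed snapshots: what a collector would have stored for each host.
SNAPSHOTS = {
    "web01": {"sshd:PermitRootLogin": "yes", "login.defs:PASS_MAX_DAYS": "99999"},
    "db01": {"sshd:PermitRootLogin": "no", "login.defs:PASS_MAX_DAYS": "90"},
}

def assess(snapshots, rules):
    """Return {host: [(rule_id, observed, fix), ...]} listing failing items.
    A configuration item missing from the snapshot counts as a failure."""
    findings = {}
    for host, items in snapshots.items():
        failed = []
        for r in rules:
            observed = items.get(r.item)      # None when the item was never collected
            if observed != r.expected:
                failed.append((r.rule_id, observed, r.fix))
        findings[host] = failed
    return findings

def report(findings):
    """Render findings as the per-host text report an administrator would read."""
    lines = []
    for host, failed in sorted(findings.items()):
        status = "COMPLIANT" if not failed else f"{len(failed)} finding(s)"
        lines.append(f"{host}: {status}")
        for rule_id, observed, fix in failed:
            lines.append(f"  {rule_id}: observed={observed!r}; fix: {fix}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(report(assess(SNAPSHOTS, RULES)))
```

Because the evaluation touches only the stored snapshots, it can be rerun as often as the rule set changes without generating any traffic to the hosts.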

Penetration Testing

Penetration testing is a very different approach to vulnerability assessment. Companies that perform penetration testing use tools like Nessus or Retina Network for part of their work, but they take the testing further by sometimes directly attacking an environment as a hacker would. Attack tools such as Metasploit and netcat take advantage of known exploits and give the penetration tester direct access to the environment.

Penetration testers also examine the human element of network security. They test the physical security of the facility, finding ways past locked doors by posing as employees or vendors. The penetration tester may also use social engineering, such as calling an employee while pretending to be another staff member. Such methods often yield passwords and other critical information the tester can use to break into the network.

The Dangers of Vulnerability Scanning

As noted previously, some vulnerability scanning methodologies can be quite intrusive or even damaging to the network. Scans must not be performed without prior approval from upper management, and only after all the risks are understood. Only authorized employees should perform the scans or even have the tools installed on their workstations.

Accommodations must also be made for testing a production environment. Mistakes made while testing production systems can prevent a company from conducting its business in a timely manner. At the same time, not testing the production environment leaves it exposed to attackers through undetected vulnerabilities.
