A vulnerability scanner is a software application that assesses security vulnerabilities in networks or host systems and produces a set of scan results. However, because administrators and attackers can use the same tool, one to fix and the other to exploit a system, administrators need to conduct a scan and fix problems before an attacker can run the same scan and exploit any vulnerabilities found. This article provides a general overview of vulnerability scanners.
WHAT IS A VULNERABILITY SCANNER?
A vulnerability scanner can assess a variety of vulnerabilities across information systems (including computers, network systems, operating systems, and software applications) that may have originated from a vendor, system administration activities, or general day-to-day user activities:
1. Vendor-originated: this includes software bugs, missing operating system patches, vulnerable services, insecure default configurations, and web application vulnerabilities.
2. System administration-originated: this includes incorrect or unauthorised system configuration changes, lack of password protection policies, and so on.
3. User-originated: this includes sharing directories to unauthorised parties, failure to run virus scanning software, and malicious activities, such as deliberately introducing system backdoors.
THE BENEFITS OF VULNERABILITY SCANNERS
Firstly, a vulnerability scanner allows early detection and handling of known security problems. By employing ongoing security assessments using vulnerability scanners, it is easy to identify security vulnerabilities that may be present in the network, from both the internal and external perspective.
Secondly, a new device or even a new system may be connected to the network without authorisation. A vulnerability scanner can help identify rogue machines, which might endanger overall system and network security. Thirdly, a vulnerability scanner helps to verify the inventory of all devices on the network. The inventory includes the device type, operating system version and patch level, hardware configurations and other relevant system information. This information is useful in security management and tracking.
THE LIMITATIONS OF VULNERABILITY SCANNERS
The drawbacks of vulnerability scanners are:
1. Snapshot only: a vulnerability scanner can only assess a “snapshot of time” in terms of a system or network’s security status. Therefore, scanning needs to be conducted regularly, as new vulnerabilities can emerge, or system configuration changes can introduce new security holes.
2. Human judgement is needed: vulnerability scanners can only report vulnerabilities according to the plug-ins installed in the scan database. They cannot determine whether a result is a false negative or a false positive. Human judgement is always needed in analysing the data after the scanning process.
TYPES OF VULNERABILITY SCANNER
Vulnerability scanners can be divided broadly into two groups: network-based scanners that run over the network, and host-based scanners that run on the target host itself.
A network-based scanner is usually installed on a single machine that scans a number of other hosts on the network. It helps detect critical vulnerabilities such as mis-configured firewalls, vulnerable web servers, risks associated with vendor-supplied software, and risks associated with network and systems administration.
Different types of network-based scanners include:
1. Port Scanners that determine the list of open network ports in remote systems;
2. Web Server Scanners that assess the possible vulnerabilities (e.g. potentially dangerous files or CGIs) in remote web servers;
3. Web Application Scanners that assess the security aspects of web applications (such as cross site scripting and SQL injection) running on web servers. It should be noted that web application scanners cannot provide comprehensive security checks on every aspect of a target web application. Additional manual checking (such as whether a login account is locked after a number of invalid login attempts) might be needed in order to supplement the testing of web applications.
A host-based scanner is installed in the host to be scanned, and has direct access to low-level data, such as specific services and configuration details of the host’s operating system. It can therefore provide insight into risky user activities such as using easily guessed passwords or even no password. It can also detect signs that an attacker has already compromised a system, including looking for suspicious file names, unexpected new system files or device files, and unexpected privileged programs. Host-based scanners can also perform baseline (or file system) checks. Network-based scanners cannot perform this level of security check because they do not have direct access to the file system on the target host. A database scanner is an example of a host-based vulnerability scanner. It performs detailed security analysis of the authorisation, authentication, and integrity of database systems, and can identify any potential security exposures in database systems, ranging from weak passwords and security mis-configurations to Trojan horses.
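As an added illustration, not code from the article or from any of the products it names, here is a minimal host-based baseline (file system) check in Python: it records a SHA-256 digest and the mode bits of every regular file under a directory, then reports files that are new, modified or deleted since the baseline, plus files that have newly acquired the setuid/setgid bit (the "unexpected privileged programs" mentioned above). The directory tree and the changes made to it are constructed inside the example, so it never touches real system files.

```python
"""Constructed example, not code from the article: a host-based baseline
(file system) check. It records (sha256, mode) for each regular file, then
reports new/modified/deleted files and files that newly gained setuid/setgid."""
import hashlib
import os
import pathlib
import stat
import tempfile

PRIV = stat.S_ISUID | stat.S_ISGID

def snapshot(root):
    """Return {relative_path: (sha256_hex, mode_bits)} for regular files under root."""
    root, result = os.fspath(root), {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, device files, etc.
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            result[os.path.relpath(full, root)] = (digest, stat.S_IMODE(st.st_mode))
    return result

def compare(baseline, current):
    """Diff two snapshots and flag files that gained setuid/setgid since the baseline."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(set(current) - set(baseline)),
        "deleted": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p][0] != current[p][0]),
        "new_privileged": sorted(p for p, (_, mode) in current.items()
                                 if mode & PRIV and not baseline.get(p, ("", 0))[1] & PRIV),
    }

def demo():
    """Build a constructed tree, take a baseline, change it, and diff (no real system files)."""
    root = pathlib.Path(tempfile.mkdtemp())
    for rel, data in [("bin/ls", b"ls-v1"), ("etc/passwd", b"root:x:0:0"), ("bin/cat", b"cat")]:
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    baseline = snapshot(root)
    # simulated changes an administrator would want flagged
    (root / "bin/ls").write_bytes(b"ls-v2")  # modified system file
    helper = root / "bin/helper"
    helper.write_bytes(b"helper")            # unexpected new file ...
    helper.chmod(0o4755)                     # ... that is also setuid
    (root / "bin/cat").unlink()              # deleted file
    return compare(baseline, snapshot(root))
```

In practice the baseline would be stored off-host (or signed) so that an intruder who alters files cannot also rewrite the record they are compared against.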
CHOOSING A VULNERABILITY SCANNER
The following factors should be considered when selecting a vulnerability scanner:
1. Updating Frequency and Method of Plug-in Updates
Usually, a vulnerability scanner cannot identify a vulnerability if its corresponding “plug-in” is not available. As a result, the faster a vendor can produce updated and new plug-ins, the more capable a scanner is in spotting new flaws. Also, scanners with an “auto-update” feature can automatically download and install the latest plug-ins on a regular basis. This should be considered when choosing a vulnerability scanner.
2. Quality versus Quantity of Vulnerabilities Detected
The accuracy with which critical vulnerabilities are identified is more important than the number of vulnerability checks, because the same vulnerability may be counted more than once by the scanner. The effective number of vulnerabilities detected can be compared by mapping each check to its Common Vulnerabilities and Exposures (CVE) entry, since CVE is a list of standardised names for vulnerabilities and other information security exposures. The content of the CVE list is the result of a collaborative effort by the CVE Editorial Board.
3. Quality of Scanning Reports
Apart from the details of detected vulnerabilities, a useful scanning report should give clear and concise information about fixing the problems uncovered. When administrators need to perform subsequent scans after the initial scan or after configuration changes, or to make comparisons with the results of previous scans, a scanner with a back-end database that keeps an archive of scanning results for trend analysis is preferable.
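An added example, not from the article, that ties together the "snapshot only" limitation, the inventory check for rogue devices, and points 2 and 3 above: two constructed scan archives are compared so that point-in-time snapshots become trend information, with findings keyed by CVE id so that a flaw reported by two plug-ins is counted once. The record layout and the CVE ids are placeholders assumed for this example, not any real scanner's output.

```python
"""Constructed example, not code from the article: compare two archived scan
results so point-in-time snapshots become trend data (new/missing hosts, ports
opened or closed, CVEs fixed or introduced). Findings are keyed by CVE id so a
flaw reported by several plug-ins counts once. The record layout and the CVE
ids are placeholders assumed here, not any real scanner's output."""

# constructed sample archives: one record per host, as a scanner back-end might store them
PREVIOUS_SCAN = {
    "10.0.0.5": {"ports": {22, 80}, "findings": [
        {"plugin": "ssh-banner", "cve": "CVE-0000-0001"},   # placeholder id
        {"plugin": "ssh-version", "cve": "CVE-0000-0001"},  # same flaw, second plug-in
    ]},
    "10.0.0.9": {"ports": {443}, "findings": []},
}
LATEST_SCAN = {
    "10.0.0.5": {"ports": {22, 80, 3306}, "findings": [
        {"plugin": "mysql-version", "cve": "CVE-0000-0002"},  # placeholder id
    ]},
    "10.0.0.9": {"ports": {443}, "findings": []},
    "10.0.0.77": {"ports": {445}, "findings": []},  # not in the previous inventory
}

def unique_cves(host):
    """Distinct CVE ids for one host: a flaw reported by two plug-ins counts once."""
    return {f["cve"] for f in host["findings"] if f.get("cve")}

def effective_count(scan):
    """(raw finding count, distinct CVE count) across all hosts in one scan."""
    raw = sum(len(h["findings"]) for h in scan.values())
    distinct = set().union(*(unique_cves(h) for h in scan.values()))
    return raw, len(distinct)

def diff_scans(previous, latest):
    """Per-host and inventory changes between two archived scans."""
    report = {
        "new_hosts": sorted(set(latest) - set(previous)),      # possible rogue devices
        "missing_hosts": sorted(set(previous) - set(latest)),  # gone, or just down?
        "hosts": {},
    }
    for ip in set(previous) & set(latest):
        prev, cur = previous[ip], latest[ip]
        old_cves, new_cves = unique_cves(prev), unique_cves(cur)
        report["hosts"][ip] = {
            "opened_ports": sorted(cur["ports"] - prev["ports"]),
            "closed_ports": sorted(prev["ports"] - cur["ports"]),
            "fixed": sorted(old_cves - new_cves),
            "introduced": sorted(new_cves - old_cves),
        }
    return report
```

Everything in "new_hosts", "opened_ports" and "introduced" is the portion of a scan that needs the human judgement the article calls for; the rest of the report can usually be handled as routine.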
A number of open source, freeware or commercial vulnerability scanners are available for download or trial. The following are examples:
1. Network-based scanners
a. Port scanners
Nmap: http://insecure.org/nmap/
d. Web application vulnerability scanners
Paros: http://parosproxy.org/index.shtml
Acunetix Web Vulnerability Scanner (commercial)
2. Host-based scanners
a. Host vulnerability scanners
Microsoft Baseline Security Analyser (MBSA)
Altiris SecurityExpressions (commercial)
b. Database scanners
Scuba by Imperva Database Vulnerability Scanner
Shadow Database Scanner