What is vulnerability scanning?

15 December 2023

Authors

Matt Kosinski

Writer

Amber Forrest

Editorial Content Strategist

Vulnerability scanning, often used interchangeably with "vulnerability assessment," is the process of evaluating networks or IT assets for security vulnerabilities: flaws or weaknesses, such as unpatched software, insecure configurations and exposed services, that external or internal threat actors can exploit. Vulnerability scanning is the first stage of the broader vulnerability management lifecycle.

In most organizations today, vulnerability scans are fully automated. They are carried out by specialized vulnerability scanning tools that find and flag flaws for the security team to review.

Vulnerability exploitation is the second most common initial attack vector behind phishing, according to IBM's X-Force® Threat Intelligence Index. Vulnerability scanning helps organizations catch and close security weaknesses before attackers can weaponize them. For this reason, the Center for Internet Security (CIS) lists continuous vulnerability management, including automated vulnerability scanning, among its Critical Security Controls (Control 7 in version 8 of the Controls).

What are security vulnerabilities?

A security vulnerability is any weakness in the structure, function or implementation of an IT asset or network. Hackers or other threat actors can exploit this weakness to gain unauthorized access and cause harm to the network, users or the business. Common vulnerabilities include:

  •  Coding flaws, such as web apps that are susceptible to cross-site scripting, SQL injection and other injection attacks because of how they handle user inputs.

  • Exposed network services, such as an administrative interface or database listener reachable on an open port that should not be accessible from the network, which attackers can probe, brute-force or use as an entry point for malware.

  • Misconfigurations, such as a cloud storage bucket that exposes sensitive data to the public internet because it has inappropriate access permissions.

  • Missing patches, weak passwords or other deficiencies in cybersecurity hygiene.

Thousands of new vulnerabilities are disclosed every month. Two United States government agencies maintain searchable catalogs of known security vulnerabilities: the National Institute of Standards and Technology (NIST), which runs the National Vulnerability Database (NVD), and the Cybersecurity and Infrastructure Security Agency (CISA), whose Known Exploited Vulnerabilities (KEV) catalog lists the subset of flaws confirmed to be exploited in the wild.

Why vulnerability scanning matters

Unfortunately, while vulnerabilities are thoroughly documented once they are discovered, hackers and other threat actors often find them first, allowing them to catch organizations by surprise.

To adopt a more proactive security posture in the face of these cyberthreats, IT teams implement vulnerability management programs. These programs follow a continuous process to identify and resolve security risks before hackers can exploit them. Vulnerability scans are typically the first step in the vulnerability management process, uncovering the security weaknesses that IT and security teams need to address.

Many security teams also use vulnerability scans to

  • Validate security measures and controls—after putting new controls in place, teams often run another scan. This scan confirms if the identified vulnerabilities are fixed. It also confirms that the remediation efforts didn't introduce any new problems.

  • Maintain regulatory compliance—some regulations explicitly require vulnerability scans. For example, the Payment Card Industry Data Security Standard (PCI DSS) requires organizations that handle cardholder data to run internal and external vulnerability scans at least quarterly and after significant changes, with the external scans performed by a PCI-approved scanning vendor (ASV).

How the vulnerability scanning process works

Between cloud and on-premises apps, mobile and IoT devices, laptops and other traditional endpoints, modern enterprise networks contain too many assets for manual vulnerability scans. Instead, security teams use vulnerability scanners to conduct automated scans on a recurring basis.

Identifying vulnerabilities

To find potential vulnerabilities, scanners first collect information on IT assets. Agent-based scanners use software installed on endpoints to inventory each device and the software and patches running on it. Network-based scanners examine systems from the outside, probing open ports and reading service banners to infer device configurations, active services and software versions. Some scanners run more dynamic tests, such as attempting to log in to a device with vendor default credentials.

After collecting this inventory, the scanner compares the discovered software versions and configurations against a vulnerability database. This database maps known common vulnerabilities and exposures (CVEs) to the affected hardware and software versions. Some scanners rely on public sources such as the NIST and CISA catalogs; others maintain proprietary databases that add vendor research and detection logic.

The scanner checks whether each asset shows any signs of the flaws associated with it. For example, it might look for a known remote desktop protocol bug in a particular operating system version that could allow an attacker to take control of the device. Scanners may also check an asset's configuration against a list of security best practices, such as ensuring that appropriately strict authentication is enforced for a sensitive database.
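The three steps above (collect an inventory, match versions against a vulnerability database, check configuration and try default logins) are easiest to see in code. The following is an added example written for this page, not the page's own code or any vendor's scanner. The inventory, the vulnerability database, the product names and the "EX-..." identifiers are all constructed; they describe no real product or flaw, and the login attempt is simulated rather than sent over the network.

```python
"""Minimal vulnerability-scanner core: fingerprint assets, match them against
a vulnerability database and run configuration and default-credential checks.

Added example for illustration, not the page's or any vendor's scanner.
The inventory, the vulnerability database and the "EX-..." identifiers are
constructed; they do not describe real products or real flaws.
"""
from dataclasses import dataclass


def parse_version(v: str) -> tuple:
    """'2.4.49' -> (2, 4, 49). Non-numeric components are dropped."""
    return tuple(int(p) for p in v.split(".") if p.isdigit())


@dataclass(frozen=True)
class Finding:
    host: str
    kind: str    # "cve" or "config"
    ident: str   # vulnerability id or check name
    detail: str


# Constructed database: product -> [(vuln id, first affected, first fixed)].
# The affected range is [first_affected, first_fixed).
VULN_DB = {
    "exampled":   [("EX-2023-0001", "2.4.0", "2.4.50")],
    "examplessh": [("EX-2023-0002", "8.0", "8.2")],
}

# Vendor-default logins a scanner tries as a dynamic test.
DEFAULT_CREDS = [("admin", "admin"), ("root", "toor")]


def match_vulns(product: str, version: str) -> list:
    """Return ids of database entries whose affected range contains version."""
    ver = parse_version(version)
    return [vid for vid, lo, hi in VULN_DB.get(product, [])
            if parse_version(lo) <= ver < parse_version(hi)]


def try_login(asset: dict, user: str, password: str) -> bool:
    """Stand-in for a network login attempt: the asset's constructed
    'accounts' map models what the device would actually accept."""
    return asset.get("accounts", {}).get(user) == password


def config_checks(asset: dict) -> list:
    """Compare an asset's configuration against a few hardening rules."""
    issues = []
    cfg = asset.get("config", {})
    if parse_version(cfg.get("tls_min_version", "1.2")) < (1, 2):
        issues.append(("weak-tls", f"minimum TLS version is {cfg['tls_min_version']}"))
    if cfg.get("auth_required") is False:
        issues.append(("no-auth", "service accepts unauthenticated connections"))
    for user, pw in DEFAULT_CREDS:
        if try_login(asset, user, pw):
            issues.append(("default-creds", f"login accepted for {user}:{pw}"))
    return issues


def scan(inventory: list) -> list:
    """Run version matching and configuration checks over every asset."""
    findings = []
    for asset in inventory:
        for svc in asset["services"]:
            for vid in match_vulns(svc["product"], svc["version"]):
                findings.append(Finding(asset["host"], "cve", vid,
                                        f"{svc['product']} {svc['version']} on port {svc['port']}"))
        for name, detail in config_checks(asset):
            findings.append(Finding(asset["host"], "config", name, detail))
    return findings


# Constructed inventory, in the shape an agent or network probe might report.
INVENTORY = [
    {"host": "web01",
     "services": [{"port": 443, "product": "exampled", "version": "2.4.49"}],
     "config": {"tls_min_version": "1.0", "auth_required": True},
     "accounts": {"admin": "admin"}},
    {"host": "bastion",
     "services": [{"port": 22, "product": "examplessh", "version": "8.4"}],
     "config": {"tls_min_version": "1.2", "auth_required": True},
     "accounts": {"ops": "correct-horse-battery-staple"}},
]

if __name__ == "__main__":
    for f in scan(INVENTORY):
        print(f"{f.host:8} {f.kind:6} {f.ident:14} {f.detail}")
```

Run as a script, it reports three findings, all on web01: the version match, the weak TLS floor and the accepted default login; bastion runs a version outside the affected range and passes every check. Real scanners differ from this sketch mainly in scale and in how they fingerprint, but the core loop of inventory, lookup and rule check is the same.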

Prioritization and reporting

Next, the scanner compiles a report on the identified vulnerabilities for the security team to review. The most basic reports simply list every security issue that needs to be addressed. Some scanners may provide detailed explanations and compare scan results with previous scans to track vulnerability management over time.

More advanced scanners also prioritize vulnerabilities based on criticality. The simplest approach uses the Common Vulnerability Scoring System (CVSS) base score, a public severity rating for each flaw. CVSS measures technical severity, not the likelihood that a flaw is actually exploited, so better scanners add threat intelligence, such as whether the flaw appears in CISA's KEV catalog, and weigh the organization's own context, such as whether the affected asset is internet-facing or business-critical. These scanners may also recommend remediation and mitigation methods for each flaw.
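The two reporting features described above, context-aware prioritization and comparison with the previous scan, can be shown in a short worked example. This is an added example, not the page's or any vendor's code. The exposure and criticality weights, the bonus for known-exploited flaws and the tier thresholds are constructed to illustrate the idea rather than taken from any product; the findings and their "EX-..." ids are likewise made up.

```python
"""Context-aware prioritization of scan findings and scan-to-scan tracking.

Added example, not the page's or any vendor's code. The weighting scheme is a
constructed illustration: start from the CVSS base score, then adjust for
context the score does not carry (asset exposure and business criticality)
and for evidence of exploitation in the wild, as CISA's KEV catalog records.
All findings, weights and "EX-..." ids below are constructed.
"""

EXPOSURE = {"internet": 1.0, "internal": 0.6, "isolated": 0.3}   # constructed weights
CRITICALITY = {"high": 1.0, "medium": 0.7, "low": 0.4}           # constructed weights
KEV_BONUS = 3.0   # known-exploited flaws jump the queue regardless of CVSS


def priority(finding: dict) -> float:
    """Higher means fix sooner."""
    score = (finding["cvss"]
             * EXPOSURE[finding["exposure"]]
             * CRITICALITY[finding["criticality"]])
    if finding["known_exploited"]:
        score += KEV_BONUS
    return round(score, 2)


def tier(score: float) -> str:
    """Constructed remediation tiers; a real program maps these to SLAs."""
    if score >= 7.0:
        return "immediate"
    if score >= 4.0:
        return "next-cycle"
    return "backlog"


def prioritize(findings: list) -> list:
    """Return findings sorted by priority, each annotated with score and tier."""
    ranked = []
    for f in findings:
        s = priority(f)
        ranked.append({**f, "priority": s, "tier": tier(s)})
    return sorted(ranked, key=lambda f: f["priority"], reverse=True)


def diff_scans(previous: list, current: list) -> dict:
    """Track findings across scans by (host, vuln id): new, fixed, persisting."""
    key = lambda f: (f["host"], f["id"])
    prev, curr = {key(f) for f in previous}, {key(f) for f in current}
    return {"new": sorted(curr - prev),
            "fixed": sorted(prev - curr),
            "persisting": sorted(prev & curr)}


# Constructed findings from two consecutive scans.
PREVIOUS = [
    {"host": "lab07", "id": "EX-2023-0003", "cvss": 9.8, "exposure": "isolated",
     "criticality": "low", "known_exploited": False},
    {"host": "web01", "id": "EX-2023-0005", "cvss": 6.1, "exposure": "internet",
     "criticality": "high", "known_exploited": False},
]
CURRENT = [
    {"host": "lab07", "id": "EX-2023-0003", "cvss": 9.8, "exposure": "isolated",
     "criticality": "low", "known_exploited": False},
    {"host": "web01", "id": "EX-2023-0004", "cvss": 7.5, "exposure": "internet",
     "criticality": "high", "known_exploited": True},
    {"host": "api02", "id": "EX-2023-0006", "cvss": 5.3, "exposure": "internet",
     "criticality": "high", "known_exploited": False},
    {"host": "db03", "id": "EX-2023-0007", "cvss": 9.8, "exposure": "internal",
     "criticality": "medium", "known_exploited": False},
]

if __name__ == "__main__":
    for f in prioritize(CURRENT):
        print(f"{f['priority']:5} {f['tier']:10} {f['host']:6} {f['id']} (CVSS {f['cvss']})")
    print(diff_scans(PREVIOUS, CURRENT))
```

The ranking is the point: a CVSS 9.8 flaw on an isolated, low-value lab host lands in the backlog, below a CVSS 5.3 flaw on an internet-facing production API, and the known-exploited CVSS 7.5 on web01 goes to the top. The diff shows EX-2023-0005 as fixed since the last scan, EX-2023-0003 persisting, and three new findings.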

Scheduling scans

A network's security risks change as new assets are added and new vulnerabilities are discovered in the wild. Yet, each vulnerability scan can only capture a moment in time. To keep up with the evolving cyberthreat landscape, organizations conduct scans regularly.

Most vulnerability scans don't cover every network asset in one go because doing so is resource- and time-intensive. Instead, security teams often group assets by criticality and scan them in batches: the most critical assets weekly or monthly, less critical assets quarterly or annually.

Security teams may also run scans whenever major network changes occur, like adding new web servers or creating a new sensitive database.

Some advanced vulnerability scanners offer continuous scanning. These tools monitor assets in near real time and flag new vulnerabilities as they arise. However, continuous scanning isn't always feasible or desirable. More intensive scans can degrade network and host performance, and some fragile devices (older embedded or OT equipment, for example) tolerate active probing poorly, so some IT teams prefer scheduled periodic scans instead.

Types of vulnerability scanners

There are many different types of scanners, and security teams often use a combination of tools to get a comprehensive picture of network vulnerabilities.

Some scanners focus on particular kinds of assets. For example, cloud scanners focus on cloud services, while web application scanning tools search for flaws in web apps.

Scanners can be installed locally or delivered as software-as-a-service (SaaS) apps. Both open source vulnerability scanners and paid tools are common. Some organizations outsource vulnerability scanning entirely to third-party service providers.

While vulnerability scanners are available as stand-alone solutions, vendors increasingly offer them as part of holistic vulnerability management suites. These tools combine multiple kinds of scanners with attack surface management, asset management, patch management and other key functions in one solution.

Many scanners support integrations with other cybersecurity tools, like security information and event management systems (SIEMs) and endpoint detection and response (EDR) tools.

Types of vulnerability scans

Security teams can run different types of scans depending on their needs. Some of the most common types of vulnerability scans include:

  • External vulnerability scans look at the network from the outside. They focus on flaws in internet-facing assets like web apps and test perimeter controls like firewalls. These scans show how an external hacker could break into a network.

  • Internal vulnerability scans look at vulnerabilities from inside the network. They shed light on what a hacker could do if they got in, including how they might move laterally and the sensitive information they could steal in a data breach.

  • Authenticated scans, also called "credentialed scans," are given valid credentials for the target, such as an SSH key, a Windows domain account or an API token. Instead of just looking at a system from the outside, the scanner logs in and reads installed packages, patch levels and local configuration directly, which yields far more accurate results and fewer false positives. These scans also illustrate what an attacker could do with a hijacked account or how an insider threat might cause damage. Because the scanner's credentials are themselves a high-value target, they should be dedicated, least-privilege accounts kept in a secrets vault rather than shared administrator logins.

  • Unauthenticated scans, also called "non-credentialed scans," have no access permissions or privileges. They see assets only from an outsider's perspective, inferring software versions from service banners and network responses, so they tend to produce more false positives and miss flaws that are not visible over the network. Security teams can run both internal and external unauthenticated scans.

While each type of scan has its own use cases, there is some overlap, and they can be combined to serve different purposes. For example, an authenticated internal scan would show an insider threat's perspective. In contrast, an unauthenticated internal scan would show what a rogue hacker would see if they got past the network perimeter.
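The difference between an authenticated and an unauthenticated scan of the same host is concrete enough to demonstrate. The following added example is written for this page and is not the page's or any vendor's code. The product, the distribution, the package version strings and the "EX-..." id are constructed; they illustrate a real pattern (a distribution backports a security fix without changing the upstream version string that the service banner reports) but the values are made up, and the simplified version comparison stands in for the distribution's own rules.

```python
"""Why credentialed scans are more accurate: the same host scanned from the
network (banner only) and with credentials (package-manager data and files).

Added example, not the page's or any vendor's code. Product, distribution,
package versions and the "EX-..." id are constructed. The backported fix
illustrates a real pattern with made-up values.
"""
import re


def version_key(v: str) -> tuple:
    """Crude ordering for strings like '2.4.49-2exos11.2': every digit run,
    in order. Real scanners use the distribution's own comparison (e.g. dpkg's)."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


# Constructed: upstream affected ranges, the only data an unauthenticated scan can use.
UPSTREAM_AFFECTED = {"exampled": [("EX-2023-0001", "2.4.0", "2.4.50")]}
# Constructed: distribution package versions that carry a backported fix.
PACKAGE_FIXED_IN = {("exampled", "exampleos-11"): {"EX-2023-0001": "2.4.49-2exos11.2"}}


def unauthenticated_scan(host: dict) -> list:
    """Only what the service banner discloses: product and upstream version."""
    findings = []
    for svc in host["banners"]:
        ver = version_key(svc["version"])
        for vid, lo, hi in UPSTREAM_AFFECTED.get(svc["product"], []):
            if version_key(lo) <= ver < version_key(hi):
                findings.append((vid, f"banner {svc['product']}/{svc['version']}"))
    return findings


def authenticated_scan(host: dict) -> list:
    """Log in and read installed packages plus local files the network cannot see."""
    findings = []
    for pkg in host["packages"]:
        fixed = PACKAGE_FIXED_IN.get((pkg["name"], host["distro"]), {})
        upstream = pkg["version"].split("-")[0]
        for vid, lo, hi in UPSTREAM_AFFECTED.get(pkg["name"], []):
            in_range = version_key(lo) <= version_key(upstream) < version_key(hi)
            backported = vid in fixed and version_key(pkg["version"]) >= version_key(fixed[vid])
            if in_range and not backported:
                findings.append((vid, f"package {pkg['name']} {pkg['version']}"))
    # A local-only check no network probe can perform: private key readable by others.
    for path, mode in host["files"].items():
        if path.endswith("id_rsa") and mode & 0o077:
            findings.append(("world-readable-key", f"{path} mode {oct(mode)}"))
    return findings


# Constructed host: the banner still says 2.4.49, but the installed package
# already carries the backported fix.
HOST = {
    "name": "web01",
    "distro": "exampleos-11",
    "banners": [{"product": "exampled", "version": "2.4.49"}],
    "packages": [{"name": "exampled", "version": "2.4.49-2exos11.2"}],
    "files": {"/home/deploy/.ssh/id_rsa": 0o644},
}

if __name__ == "__main__":
    print("unauthenticated:", unauthenticated_scan(HOST))
    print("authenticated:  ", authenticated_scan(HOST))
```

Without credentials the scanner flags EX-2023-0001 from the banner, a false positive that a pen tester or a patch check would later overturn. With credentials it sees that the package version already contains the fix, drops that finding, and instead reports the world-readable private key, which no external probe could have found. Roll the package back to a version below the backport and the credentialed scan flags the flaw again.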

Vulnerability scanning versus penetration testing

Vulnerability scanning and penetration testing are distinct but related forms of network security testing. While they have different functions, many security teams use them to complement one another.

Vulnerability scans are automated, high-level scans of assets. They find flaws and report them to the security team. Penetration testing, or pen testing, is a largely manual process. Pen testers use ethical hacking skills not only to find network vulnerabilities but also to exploit them in simulated attacks, confirming which findings are actually reachable and what an attacker could do with them.

Vulnerability scans are cheaper and easier to run, so security teams use them to keep continuous tabs on a system. Penetration tests require more resources but give security teams a deeper understanding of their network flaws.

Used together, vulnerability scans and pen tests can make vulnerability management more effective. For example, vulnerability scans give pen testers a useful starting point. Meanwhile, penetration tests can add more context to scan results by uncovering false positives, identifying root causes and exploring how cybercriminals can chain vulnerabilities together in more complex attacks.
