What is vulnerability scanning?

Authors

Matthew Kosinski

Staff Editor

IBM Think

Amber Forrest

Staff Editor | Senior Inbound, Social & Digital Content Strategist

IBM Think

What is vulnerability scanning?

Vulnerability scanning, often used interchangeably with "vulnerability assessment," is the process of evaluating networks or IT assets for security vulnerabilities: flaws or weaknesses that external or internal threat actors can exploit. Vulnerability scanning is the first stage of the broader vulnerability management lifecycle.

In most organizations today, vulnerability scans are fully automated. Specialized vulnerability scanning tools find and flag flaws for the security team to review.

Vulnerability exploitation is one of the most common cyberattack vectors, according to IBM's X-Force® Threat Intelligence Index. Vulnerability scanning helps organizations catch and close security weaknesses before cybercriminals can weaponize them. For this reason, the Center for Internet Security (CIS) considers continuous vulnerability management, including automated vulnerability scanning, a critical cybersecurity practice.


What are security vulnerabilities?

A security vulnerability is any weakness in the structure, function or implementation of an IT asset or network. Hackers or other threat actors can exploit this weakness to gain unauthorized access and cause harm to the network, users or the business. Common vulnerabilities include:

  • Coding flaws, such as web apps that are susceptible to cross-site scripting, SQL injection and other injection attacks because of how they handle user inputs.

  • Unprotected open ports on servers, laptops and other endpoints that expose unnecessary or unpatched services, which attackers can use to gain a foothold or spread malware.

  • Misconfigurations, such as a cloud storage bucket with inappropriate access permissions that expose sensitive data to the public internet.

  • Missing patches, weak passwords or other deficiencies in cybersecurity hygiene.

Thousands of new vulnerabilities are disclosed every month. Two United States government agencies maintain searchable catalogs of known security vulnerabilities: the National Institute of Standards and Technology (NIST), through its National Vulnerability Database (NVD), and the Cybersecurity and Infrastructure Security Agency (CISA), whose Known Exploited Vulnerabilities (KEV) catalog lists the subset of flaws confirmed to be under active exploitation.


Why vulnerability scanning matters

Unfortunately, while vulnerabilities are thoroughly documented once they are disclosed, hackers and other threat actors often find and exploit them before the affected organizations do, catching those organizations by surprise.

To adopt a more proactive security posture in the face of these cyberthreats, IT teams implement vulnerability management programs. These programs follow a continuous process to identify and resolve security risks before hackers can exploit them. Vulnerability scans are typically the first step in the vulnerability management process, uncovering the security weaknesses that IT and security teams need to address.

Many security teams also use vulnerability scans to:

  • Validate security measures and controls. After putting new controls in place, teams often run another scan. This scan confirms whether the identified vulnerabilities are fixed and that the remediation efforts didn't introduce any new problems.

  • Maintain regulatory compliance. Some regulations explicitly require vulnerability scans. For example, the Payment Card Industry Data Security Standard (PCI DSS) requires organizations that handle cardholder data to run internal and external vulnerability scans at least quarterly and after significant changes, with the external scans performed by a PCI-approved scanning vendor (ASV).

How the vulnerability scanning process works

Between cloud and on-premises apps, mobile and IoT devices, laptops and other traditional endpoints, modern enterprise networks contain too many assets for manual vulnerability scans. Instead, security teams use vulnerability scanners to conduct automated scans on a recurring basis.

Identifying vulnerabilities

To find potential vulnerabilities, scanners first collect information on IT assets. Some scanners use agents installed on endpoints to gather data on devices and the software running on them. Other scanners examine systems from the outside, probing open ports and reading service banners to uncover details about device configurations, active services and their versions. Some scanners do more dynamic tests, like trying to log in to a device with default credentials.

After collecting this inventory, the scanner compares it to a vulnerability database. This database records known flaws, typically indexed by their Common Vulnerabilities and Exposures (CVE) identifiers, together with the hardware and software versions each flaw affects. Some scanners rely on public sources like the NIST NVD and the CISA KEV catalog, while others use proprietary databases.

The scanner checks whether each asset shows any signs of the flaws associated with it. For example, it looks for issues like a remote desktop protocol bug in an operating system. This bug could allow hackers to take control of the device. Scanners might also check an asset's configurations against a list of best security practices, like ensuring appropriately strict authentication criteria are in place for a sensitive database.
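The matching step described above, as an added example that is not code from the article or from any scanning product: a collected inventory is compared against a vulnerability database by product and version range, a default-credential test result is turned into a finding, and service settings are checked against a small best-practice baseline. The hosts, products, versions, identifiers such as EXAMPLE-2024-0001 and the CVSS numbers attached to the configuration findings are all constructed for this example.

```python
# Constructed vulnerability database in the shape a scanner would load: product,
# affected version range (fixed release exclusive) and a CVSS base score.
# Identifiers and products are placeholders, not real CVE IDs or real software.
VULN_DB = [
    {"id": "EXAMPLE-2024-0001", "product": "acme_ssh", "introduced": "8.5", "fixed": "9.8",
     "cvss": 8.1, "title": "pre-auth race condition in daemon"},
    {"id": "EXAMPLE-2024-0002", "product": "acme_httpd", "introduced": "2.4.49", "fixed": "2.4.51",
     "cvss": 9.8, "title": "path traversal in URL normalization"},
    {"id": "EXAMPLE-2024-0003", "product": "acme_db", "introduced": "8.0.0", "fixed": "8.0.37",
     "cvss": 6.5, "title": "authenticated denial of service"},
]

# Credential pairs a dynamic test would try; a service that accepts one is a finding.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("root", "root"), ("admin", "password")}

# Constructed inventory as an agent or network probe might report it: services per
# host, plus the login that was accepted and settings the collector could read.
INVENTORY = [
    {"host": "web-01", "services": [
        {"port": 22, "product": "acme_ssh", "version": "9.2p1"},
        {"port": 80, "product": "acme_httpd", "version": "2.4.50"},
    ]},
    {"host": "db-01", "services": [
        {"port": 22, "product": "acme_ssh", "version": "9.8p1"},   # fixed release: no match
        {"port": 3306, "product": "acme_db", "version": "8.0.36",
         "accepted_login": ("root", "root"),
         "config": {"require_secure_transport": "OFF"}},
    ]},
    {"host": "printer-03", "services": [
        {"port": 23, "product": "telnetd", "version": "0.17",
         "accepted_login": ("admin", "admin")},
    ]},
]

# Best-practice baseline: (product, setting, insecure value, finding title).
CONFIG_RULES = [
    ("acme_db", "require_secure_transport", "OFF", "database accepts unencrypted client connections"),
]
# Services that should not be exposed at all, whatever their version.
INSECURE_SERVICES = {"telnetd": "cleartext remote administration (telnet) exposed"}


def parse_version(text):
    """Turn '2.4.50' or '9.2p1' into a comparable tuple; suffixes like 'p1' are ignored."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    # Pad so that '2.4' and '2.4.0' compare equal.
    return tuple(parts + [0] * (4 - len(parts)))


def version_in_range(version, introduced, fixed):
    """True if introduced <= version < fixed; the fixed release itself is not vulnerable."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)


def scan(inventory, vuln_db):
    """Compare every discovered service against the database and the baseline rules."""
    findings = []
    for host in inventory:
        for svc in host["services"]:
            where = f'{host["host"]}:{svc["port"]}'
            # 1. Known-vulnerable version (the CVE lookup step).
            for vuln in vuln_db:
                if svc["product"] == vuln["product"] and version_in_range(
                        svc["version"], vuln["introduced"], vuln["fixed"]):
                    findings.append({"where": where, "id": vuln["id"], "cvss": vuln["cvss"],
                                     "title": f'{vuln["title"]} ({svc["product"]} {svc["version"]})'})
            # 2. Dynamic test result: a default credential pair was accepted.
            if svc.get("accepted_login") in DEFAULT_CREDENTIALS:
                user = svc["accepted_login"][0]
                findings.append({"where": where, "id": "DEFAULT-CREDS", "cvss": 9.8,
                                 "title": f'default credentials accepted (user "{user}")'})
            # 3. Configuration compared with the best-practice baseline (illustrative scores).
            for product, setting, bad_value, title in CONFIG_RULES:
                if svc["product"] == product and svc.get("config", {}).get(setting) == bad_value:
                    findings.append({"where": where, "id": f"CFG-{setting}", "cvss": 5.9, "title": title})
            if svc["product"] in INSECURE_SERVICES:
                findings.append({"where": where, "id": "CLEARTEXT-SERVICE", "cvss": 7.5,
                                 "title": INSECURE_SERVICES[svc["product"]]})
    return findings


if __name__ == "__main__":
    for f in sorted(scan(INVENTORY, VULN_DB), key=lambda f: -f["cvss"]):
        print(f'{f["cvss"]:>4}  {f["where"]:<14} {f["id"]:<28} {f["title"]}')
```

Note the db-01 SSH service: its banner reports the fixed release, so the range check (fixed version exclusive) correctly produces no finding, while the older build on web-01 is flagged. Real scanners add a layer this example omits, recognizing vendor builds that backport a fix without changing the upstream version string, which is one reason credentialed scans that read package metadata are more accurate than banner-only checks.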

Prioritization and reporting

Next, the scanner compiles a report on the identified vulnerabilities for the security team to review. The most basic reports simply list every security issue that needs to be addressed. Some scanners can provide detailed explanations and compare scan results with previous scans to track vulnerability management over time.

More advanced scanners also prioritize vulnerabilities based on criticality. Scanners can use standardized severity ratings, like Common Vulnerability Scoring System (CVSS) base scores, to judge the criticality of a flaw. Alternatively, they can use more complex algorithms that weigh the flaw in the organization's unique context, such as whether the affected asset is internet-facing, how critical it is to the business and whether the flaw is known to be exploited in the wild. These scanners might also recommend remediation and mitigation methods for each flaw.

Scheduling scans

A network's security risks change as new assets are added and new vulnerabilities are discovered in the wild. Yet each vulnerability scan is only a snapshot of a single moment in time. To keep up with the evolving cyberthreat landscape, organizations conduct scans regularly.

Most vulnerability scans don't look at every network asset in one go because it is resource- and time-intensive. Rather, security teams often group assets according to criticality and scan them in batches. The most critical assets might be scanned weekly or monthly, whereas less critical assets can be scanned quarterly or annually.

Security teams can also run scans whenever major network changes occur, like adding new web servers or creating a new sensitive database.

Some advanced vulnerability scanners offer continuous scanning. These tools monitor assets in real time and flag new vulnerabilities when they arise. However, continuous scanning isn't always feasible or desirable. More intensive vulnerability scans can degrade network and host performance, so some IT teams prefer periodic scans in scheduled windows instead.

Types of vulnerability scanners

There are many different types of scanners, and security teams often use a combination of tools to get a comprehensive picture of network vulnerabilities.

Some scanners focus on particular kinds of assets. For example, cloud scanners focus on cloud services, while web application scanning tools search for flaws in web apps.

Scanners can be installed locally or delivered as software-as-a-service (SaaS) apps. Both open source vulnerability scanners and paid tools are common. Some organizations outsource vulnerability scanning entirely to third-party service providers.

While vulnerability scanners are available as stand-alone solutions, vendors increasingly offer them as part of holistic vulnerability management suites. These tools combine multiple kinds of scanners with attack surface management, asset management, patch management and other key functions in one solution.

Many scanners support integrations with other cybersecurity tools, like security information and event management systems (SIEMs) and endpoint detection and response (EDR) tools.

Types of vulnerability scans

Security teams can run different types of scans depending on their needs. Some of the most common types of vulnerability scans include:

  • External vulnerability scans look at the network from the outside. They focus on flaws in internet-facing assets like web apps and test perimeter controls like firewalls. These scans show how an external hacker could break into a network.

  • Internal vulnerability scans look at vulnerabilities from inside the network. They shed light on what a hacker could do once they get in, including how they might move laterally and the sensitive information they could steal in a data breach.

  • Authenticated scans, also called "credentialed scans," run with the access privileges of an authorized user. Instead of just looking at an asset from the outside, the scanner can see what a logged-in user would see, such as installed package versions and local configuration. These scans illustrate what a hacker could do with a hijacked account or how an insider threat might cause damage, and they generally produce fewer false positives than banner-based checks.

  • Unauthenticated scans, also called "noncredentialed scans," have no access permissions or privileges. They only see assets from an outsider's perspective. Security teams can run both internal and external unauthenticated scans.

While each type of scan has its own use cases, there is some overlap, and they can be combined to serve different purposes. For example, an authenticated internal scan shows an insider threat's perspective. In contrast, an unauthenticated internal scan shows what an external attacker would see once they got past the network perimeter.

Vulnerability scanning versus penetration testing

Vulnerability scanning and penetration testing are distinct but related forms of network security testing. While they have different functions, many security teams use them to complement one another.

Vulnerability scans are automated, high-level scans of assets. They find flaws and report them to the security team. Penetration testing, or pen testing, is a largely manual process. Pen testers use ethical hacking skills, supported by automated tools, to not only find network vulnerabilities but also exploit them in simulated attacks.

Vulnerability scans are cheaper and easier to run, so security teams use them to keep tabs on a system. Penetration tests require more resources but can help security teams better understand their network flaws.

Used together, vulnerability scans and pen tests can make vulnerability management more effective. For example, vulnerability scans give pen testers a useful starting point. Meanwhile, penetration tests add context to scan results by weeding out false positives, identifying root causes and exploring how cybercriminals can chain vulnerabilities together in more complex attacks.
