What is vulnerability scanning?

Published: 15 December 2023
Contributors: Matt Kosinski, Amber Forrest

Vulnerability scanning, also called “vulnerability assessment,” is the process of evaluating networks or IT assets for security vulnerabilities—flaws or weaknesses that external or internal threat actors can exploit. Vulnerability scanning is the first stage of the broader vulnerability management lifecycle.

In most organizations today, vulnerability scans are fully automated. They are carried out by specialized vulnerability scanning tools that find and flag flaws for the security team to review.

Vulnerability exploitation is the second most common cyberattack vector behind phishing, according to IBM's X-Force Threat Intelligence Index. Vulnerability scanning helps organizations catch and close security weaknesses before cybercriminals can weaponize them. For this reason, the Center for Internet Security (CIS) (link resides outside ibm.com) considers continuous vulnerability management, including automated vulnerability scanning, a critical cybersecurity practice.

What are security vulnerabilities?

A security vulnerability is any weakness in the structure, function or implementation of an IT asset or network. Hackers or other threat actors can exploit this weakness to gain unauthorized access and cause harm to the network, users or the business. Common vulnerabilities include:

  • Coding flaws, such as web apps that are susceptible to cross-site scripting, SQL injection and other injection attacks because of how they handle user inputs.

  • Unprotected open ports in servers, laptops and other endpoints, which hackers could use to spread malware.

  • Misconfigurations, such as a cloud storage bucket that exposes sensitive data to the public internet because it has inappropriate access permissions.

  • Missing patches, weak passwords or other deficiencies in cybersecurity hygiene.

Thousands of new vulnerabilities are discovered every month. Two United States government agencies maintain searchable catalogs of known security vulnerabilities—the National Institute of Standards and Technology, or NIST, and the Cybersecurity and Infrastructure Security Agency, or CISA (links reside outside ibm.com).

Why vulnerability scanning matters

Unfortunately, while vulnerabilities are thoroughly documented once they are discovered, hackers and other threat actors often find them first, allowing them to catch organizations by surprise.

To adopt a more proactive security posture in the face of these cyberthreats, IT teams implement vulnerability management programs. These programs follow a continuous process to identify and resolve security risks before hackers can exploit them. Vulnerability scans are typically the first step in the vulnerability management process, uncovering the security weaknesses that IT and security teams need to address. 

Many security teams also use vulnerability scans to:

  • Validate security measures and controls—after putting new controls in place, teams often run another scan. This scan confirms whether the identified vulnerabilities are fixed. It also confirms that the remediation efforts didn't introduce any new problems.

  • Maintain regulatory compliance—some regulations explicitly require vulnerability scans. For example, the Payment Card Industry Data Security Standard (PCI-DSS) mandates that organizations that handle cardholder data undergo quarterly scans (link resides outside ibm.com).

How the vulnerability scanning process works

Between cloud and on-premises apps, mobile and IoT devices, laptops and other traditional endpoints, modern enterprise networks contain too many assets for manual vulnerability scans. Instead, security teams use vulnerability scanners to conduct automated scans on a recurring basis.

Identifying vulnerabilities

To find potential vulnerabilities, scanners first collect information on IT assets. Some scanners use agents installed on endpoints to gather data on devices and the software running on them. Other scanners examine systems from the outside, probing open ports to uncover details about device configurations and active services. Some scanners do more dynamic tests, like trying to log in to a device using default credentials.

After scanning the assets, the scanner compares them to a vulnerability database. This database records common vulnerabilities and exposures (CVEs) for various hardware and software versions. Some scanners rely on public sources like the NIST and CISA databases; others use proprietary databases.

The scanner checks whether each asset shows any signs of the flaws associated with it. For example, it looks for issues like a remote desktop protocol bug in an operating system. This bug could allow hackers to take control of the device. Scanners may also check an asset's configurations against a list of best security practices, like ensuring appropriately strict authentication criteria are in place for a sensitive database.

Prioritization and reporting

Next, the scanner compiles a report on the identified vulnerabilities for the security team to review. The most basic reports simply list every security issue that needs to be addressed. Some scanners may provide detailed explanations and compare scan results with previous scans to track vulnerability management over time.

More advanced scanners also prioritize vulnerabilities based on criticality. Scanners may use open source threat intelligence, like Common Vulnerability Scoring System (CVSS) scores, to judge the criticality of a flaw. Alternatively, they may use more complex algorithms that consider the flaw in the organization's unique context. These scanners may also recommend remediation and mitigation methods for each flaw.
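As an added example (not code from this page or from IBM), here is a toy version of the identification and prioritization steps described above: a constructed asset inventory is matched against a constructed vulnerability database by product and affected version range, the findings are ordered by CVSS base score, and new findings are diffed against a previous scan. The host names, product names and VULN-xxxx identifiers are all made up.

```python
"""Toy scanner logic: match inventory against a vulnerability database,
prioritize by CVSS, and compare with a previous scan. All data is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    vuln_id: str          # placeholder identifier, not a real CVE number
    product: str
    affected_below: str   # versions strictly below this one are affected
    cvss: float           # CVSS base score used for prioritization
    summary: str


# Constructed stand-in for a CVE feed such as the NIST or CISA catalogs.
VULN_DB = [
    Vuln("VULN-0001", "exampled", "2.4.1", 9.8, "remote code execution"),
    Vuln("VULN-0002", "exampled", "2.5.0", 5.3, "information disclosure"),
    Vuln("VULN-0003", "samplesql", "10.2", 7.5, "authentication bypass"),
]

# Constructed inventory, as an agent or port probe might report it:
# host -> list of (product, installed version).
INVENTORY = {
    "web-01": [("exampled", "2.3.9")],
    "web-02": [("exampled", "2.4.7")],
    "db-01": [("samplesql", "10.1")],
    "db-02": [("samplesql", "10.2")],
}


def parse_version(v):
    # Toy assumption: purely numeric dotted versions. Real version schemes
    # (suffixes like "-rc1", vendor backports) need vendor-specific handling.
    return tuple(int(p) for p in v.split("."))


def find_vulns(inventory, db):
    """Return (host, product, version, Vuln) for every affected install."""
    findings = []
    for host, software in inventory.items():
        for product, version in software:
            for vuln in db:
                if vuln.product == product and parse_version(version) < parse_version(vuln.affected_below):
                    findings.append((host, product, version, vuln))
    return findings


def prioritize(findings):
    # Highest CVSS first; ties broken by host name for a stable report.
    return sorted(findings, key=lambda f: (-f[3].cvss, f[0]))


def new_since(previous, current):
    """Findings present in the current scan but absent from the previous one."""
    seen = {(host, v.vuln_id) for host, _, _, v in previous}
    return [f for f in current if (f[0], f[3].vuln_id) not in seen]
```

Note that `db-02` runs exactly the first fixed version and is correctly not flagged; an off-by-one in the range comparison is a classic source of scanner false positives and negatives.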

Scheduling scans

A network's security risks change as new assets are added and new vulnerabilities are discovered in the wild. Yet, each vulnerability scan can only capture a moment in time. To keep up with the evolving cyberthreat landscape, organizations conduct scans regularly.

Most vulnerability scans don't look at every network asset in one go because it is resource- and time-intensive. Rather, security teams often group assets according to criticality and scan them in batches. The most critical assets may be scanned weekly or monthly, whereas less critical assets may be scanned quarterly or annually. 

Security teams may also run scans whenever major network changes occur, like adding new web servers or creating a new sensitive database.

Some advanced vulnerability scanners offer continuous scanning. These tools monitor assets in real-time and flag new vulnerabilities when they arise. However, continuous scanning isn't always feasible or desirable. More intensive vulnerability scans can interfere with network performance, so some IT teams may prefer to hold periodic scans instead. 

Types of vulnerability scanners

There are many different types of scanners, and security teams often use a combination of tools to get a comprehensive picture of network vulnerabilities. 

Some scanners focus on particular kinds of assets. For example, cloud scanners focus on cloud services, while web application scanning tools search for flaws in web apps. 

Scanners can be installed locally or delivered as software-as-a-service (SaaS) apps. Both open source vulnerability scanners and paid tools are common. Some organizations outsource vulnerability scanning entirely to third-party service providers.

While vulnerability scanners are available as stand-alone solutions, vendors increasingly offer them as part of holistic vulnerability management suites. These tools combine multiple kinds of scanners with attack surface management, asset management, patch management and other key functions in one solution. 

Many scanners support integrations with other cybersecurity tools, like security information and event management systems (SIEMs) and endpoint detection and response (EDR) tools.

Types of vulnerability scans

Security teams can run different types of scans depending on their needs. Some of the most common types of vulnerability scans include: 

  • External vulnerability scans look at the network from the outside. They focus on flaws in internet-facing assets like web apps and test perimeter controls like firewalls. These scans show how an external hacker could break into a network.

  • Internal vulnerability scans look at vulnerabilities from inside the network. They shed light on what a hacker could do if they got in, including how they might move laterally and the sensitive information they could steal in a data breach.

  • Authenticated scans, also called "credentialed scans," require the access privileges of an authorized user. Instead of just looking at an app from the outside, the scanner can see what a logged-in user would see. These scans illustrate what a hacker could do with a hijacked account or how an insider threat might cause damage.

  • Unauthenticated scans, also called "non-credentialed scans," have no access permissions or privileges. They only see assets from an outsider's perspective. Security teams can run both internal and external unauthenticated scans.

While each type of scan has its own use cases, there is some overlap, and they can be combined to serve different purposes. For example, an authenticated internal scan would show an insider threat's perspective. In contrast, an unauthenticated internal scan would show what a rogue hacker would see if they got past the network perimeter.

Vulnerability scanning versus penetration testing

Vulnerability scanning and penetration testing are distinct but related forms of network security testing. While they have different functions, many security teams use them to complement one another. 

Vulnerability scans are automated, high-level scans of assets. They find flaws and report them to the security team. Penetration testing, or pen testing, is a manual process. Pen testers use ethical hacking skills to not only find network vulnerabilities but also exploit them in simulated attacks. 

Vulnerability scans are cheaper and easier to run, so security teams use them to keep tabs on a system. Penetration tests require more resources but can help security teams better understand their network flaws.

Used together, vulnerability scans and pen tests can make vulnerability management more effective. For example, vulnerability scans give pen testers a useful starting point. Meanwhile, penetration tests can add more context to scan results by uncovering false positives, identifying root causes and exploring how cybercriminals can chain vulnerabilities together in more complex attacks.
