Certain devices are considered 'fragile': aggressive vulnerability scanning risks impacting their availability. Typical examples are 'Operational Technology' (OT) / 'Industrial Control Systems' (ICS) devices such as PLCs and controllers, whose embedded network stacks often do not tolerate unexpected or malformed traffic.
Printers are another example. Some models are known to print page after page of garbage when a scanner sends probe data to their print service.
Most vulnerability scanners ship with a setting for these fragile devices: you enable the 'Fragile' option in the scan policy you create for such systems.
A scan starts by enumerating the target, most commonly by determining which ports are open. With fragile scanning enabled, if a common ICS/OT port (Siemens S7, Modbus, BACnet, etc.) is found open, the scanner stops there and does not attempt further, more intrusive steps such as logging into the system or running service-specific checks against it.
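The decision described above, as an added example (not code from any particular scanner): after port enumeration, a host with an OT or printer port open is downgraded to fragile handling and the credentialed and intrusive steps are skipped. The port table holds the default ports of the named protocols; the scan results are constructed sample data standing in for a scanner's enumeration output, and the step names are assumptions for illustration.

```python
"""Fragile-aware scan policy (added example, not a vendor's code).

The port table uses the default ports of the named protocols; the scan
results are constructed sample data standing in for a scanner's
port-enumeration output.
"""
from dataclasses import dataclass, field

# Default ports of common OT/ICS protocols.
OT_PORTS = {
    102: "Siemens S7comm (ISO-TSAP)",
    502: "Modbus/TCP",
    4840: "OPC UA",
    20000: "DNP3",
    44818: "EtherNet/IP",
    47808: "BACnet/IP",
}

# Printer services: probing these is what makes some printers spool pages.
PRINTER_PORTS = {
    515: "LPD",
    631: "IPP",
    9100: "raw print (JetDirect)",
}


@dataclass
class ScanPlan:
    host: str
    mode: str                                    # "full" or "fragile"
    reasons: list = field(default_factory=list)  # what triggered fragile mode
    steps: list = field(default_factory=list)    # what the scanner will do


def plan_for_host(host, open_ports, fragile_enabled=True):
    """Decide what to do with a host after port enumeration.

    open_ports: list of (port, proto) tuples the enumeration found open.
    """
    triggers = []
    for port, proto in open_ports:
        if port in OT_PORTS:
            triggers.append(f"{port}/{proto} {OT_PORTS[port]}")
        elif port in PRINTER_PORTS:
            triggers.append(f"{port}/{proto} {PRINTER_PORTS[port]}")

    plan = ScanPlan(host=host, mode="full", steps=["port enumeration"])
    if fragile_enabled and triggers:
        # Stop here: record what was seen, but do not log in or run
        # service checks against a device that may not tolerate them.
        plan.mode = "fragile"
        plan.reasons = triggers
        plan.steps.append("record observed service hints")
        plan.steps.append("skip credentialed login and intrusive checks")
    else:
        plan.steps += [
            "service version detection",
            "credentialed login",
            "vulnerability checks",
        ]
    return plan


def build_plans(scan_results, fragile_enabled=True):
    """scan_results: {host: [(port, proto), ...]} -> {host: ScanPlan}."""
    return {
        host: plan_for_host(host, ports, fragile_enabled)
        for host, ports in scan_results.items()
    }


# Constructed port-enumeration output for four hosts.
SAMPLE_SCAN = {
    "10.0.1.10": [(22, "tcp"), (80, "tcp"), (443, "tcp")],  # ordinary server
    "10.0.2.5": [(102, "tcp"), (502, "tcp")],               # PLC
    "10.0.3.7": [(80, "tcp"), (9100, "tcp")],               # printer
    "10.0.4.20": [(47808, "udp")],                          # BACnet controller
}

if __name__ == "__main__":
    for host, plan in build_plans(SAMPLE_SCAN).items():
        print(f"{host}: {plan.mode:8s} {', '.join(plan.reasons) or '-'}")
        for step in plan.steps:
            print(f"    - {step}")
```

Note that the gate is keyed on open ports alone, which is exactly why it is conservative: a Linux box that happens to listen on 502 is treated as fragile too. That is the intended trade-off; a false 'fragile' costs you some vulnerability data, a false 'full' can cost you a controller.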
Gaps in vulnerability data for these systems
This article is a brief introduction to 'Fragile Scanning' as implemented by common vulnerability scanners, and it raises the question: how can we effectively scan these fragile systems? One approach is 'Passive Scanning'. Unlike traditional scanning, passive scanning sends nothing to the target; it monitors network traffic sniffed from a tap or a SPAN/mirror switch port. Its purpose is to identify the systems communicating on the network and, where possible, to deduce their characteristics (vendor, protocol, role) from the observed traffic. Seen this way, passive scanning isn't really scanning at all; it is a fancy name for network traffic analysis.
Passive scanning is a valuable input for asset inventory systems and is excellent at revealing which systems talk to which. It does have limitations. For asset inventory they show up as missed traffic (collection blind spots, where no tap or SPAN port covers a segment) and as quiet systems that are never seen because they generate little or no traffic.
For vulnerability data the same limitations apply: systems in blind spots and silent devices are simply absent from the results. In addition, passive scanning usually cannot determine software versions or configuration from traffic alone, and version is precisely what vulnerability matching needs.
To address these limitations, a technique known as 'Selective Probing' is used. Rather than running a comprehensive scan against these systems, it retrieves specific data from them through widely used management instrumentation protocols (SNMP, SSH or WMI, for example), which are designed to answer exactly such queries.
The most effective practice is usually a blend of the two: 'Passive Scanning' (network traffic analysis for asset discovery) and 'Selective Probing' (to gather vulnerability data, such as software versions, on the assets that discovery found).
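The blend of passive discovery and selective probing, as an added example that is not part of the original article: constructed flow records stand in for what a tap or SPAN port would deliver; the code aggregates them into a per-host inventory, reports the assets an authoritative list expects but the wire never showed (blind spots or silent devices), records that no version is known passively, and decides per host whether selective probing is safe and which protocol it should use. No packet is sent; the hosts, the asset list and the probe names are assumptions for illustration, and the port-to-protocol hints use default ports.

```python
"""Passive discovery plus a selective-probing plan (added example).

The flow records are constructed sample data standing in for tap/SPAN
output; no packet is sent to any host. Port hints use default ports.
"""
from collections import defaultdict

# (proto, dst_port) -> service hint. Only ports seen in FLOWS are listed.
SERVICE_HINTS = {
    ("tcp", 22): "SSH",
    ("tcp", 102): "Siemens S7comm",
    ("udp", 161): "SNMP",
    ("tcp", 443): "HTTPS",
    ("tcp", 502): "Modbus/TCP",
    ("udp", 47808): "BACnet/IP",
}
OT_SERVICES = {"Siemens S7comm", "Modbus/TCP", "BACnet/IP"}

# Constructed flow records: (src_ip, dst_ip, proto, dst_port, bytes).
FLOWS = [
    ("10.0.1.50", "10.0.2.5", "tcp", 502, 4200),    # HMI polling a PLC
    ("10.0.1.50", "10.0.2.5", "tcp", 102, 1800),    # engineering traffic
    ("10.0.4.20", "10.0.4.21", "udp", 47808, 600),  # BACnet controllers
    ("10.0.1.10", "10.0.1.50", "tcp", 22, 9000),    # admin SSH session
    ("10.0.1.10", "10.0.1.20", "udp", 161, 300),    # SNMP poll of a switch
    ("10.0.9.9", "10.0.1.10", "tcp", 443, 25000),   # web client
]

# Authoritative asset list (e.g. from a CMDB), constructed for comparison.
EXPECTED_ASSETS = ["10.0.1.10", "10.0.1.20", "10.0.1.50", "10.0.2.5",
                   "10.0.2.6", "10.0.4.20", "10.0.4.21", "10.0.5.1"]


def build_inventory(flows):
    """Aggregate flows into per-IP observations: what each host serves,
    what it uses, who it talks to, and how chatty it is."""
    inv = defaultdict(lambda: {"serves": set(), "uses": set(),
                               "peers": set(), "bytes": 0})
    for src, dst, proto, dport, nbytes in flows:
        hint = SERVICE_HINTS.get((proto, dport), f"{proto}/{dport}")
        inv[dst]["serves"].add(hint)
        inv[src]["uses"].add(hint)
        inv[src]["peers"].add(dst)
        inv[dst]["peers"].add(src)
        inv[src]["bytes"] += nbytes
        inv[dst]["bytes"] += nbytes
    return dict(inv)


def blind_spots(inventory, expected_assets):
    """Expected assets never seen on the wire: silent, or on a segment no
    tap/SPAN covers. Passive collection alone cannot tell which."""
    return sorted(set(expected_assets) - set(inventory))


def unlisted(inventory, expected_assets):
    """Hosts seen on the wire that the asset list does not know about."""
    return sorted(set(inventory) - set(expected_assets))


def probe_plan(inventory):
    """Per host: what passive analysis established, and what (if anything)
    selective probing should fetch next. Version is always None here,
    because traffic alone does not reveal it."""
    plan = {}
    for ip, obs in inventory.items():
        spoken = obs["serves"] | obs["uses"]
        if spoken & OT_SERVICES:
            # Anything speaking an OT protocol, client or server, is
            # treated as fragile: look, don't touch.
            kind, probe = "OT device", None
        elif "SNMP" in obs["serves"]:
            kind, probe = "network device", "SNMP sysDescr"
        elif obs["serves"] & {"SSH", "HTTPS"}:
            kind, probe = "server", "SSH: OS/package version query"
        else:
            kind, probe = "unknown", "selective probe once role is confirmed"
        plan[ip] = {"kind": kind, "version": None, "next_probe": probe}
    return plan


if __name__ == "__main__":
    inv = build_inventory(FLOWS)
    for ip, entry in probe_plan(inv).items():
        print(f"{ip:10s} {entry['kind']:15s} probe: {entry['next_probe']}")
    print("never seen:", blind_spots(inv, EXPECTED_ASSETS))
    print("not in asset list:", unlisted(inv, EXPECTED_ASSETS))
```

The two lists at the end are the practical output: the 'never seen' hosts need either a new collection point or a one-off, carefully scoped probe, and the 'not in asset list' hosts are the inventory's real finding. Everything else goes to selective probing only where the plan names a protocol.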