One of the most frequently used terms in cybersecurity is "Scanning." However, this term can encompass various meanings within the cybersecurity domain. Confusion arises when different people have different pictures of what "Scanning" means, which leads to communication problems around vulnerability management programs.
To alleviate this confusion, when I engage in discussions or provide training on scanning, I aim to simplify the concept by categorizing scanning into three primary high-level types:
System Scanning
Code Scanning
Web Application Scanning
This breakdown helps establish a clear framework for understanding and discussing scanning activities in cybersecurity.
System scanning
In my explanation of system scanning, I further categorize it into three sub-types:
Discovery/Enumeration (while slightly different, I group them together for simplicity)
Vulnerability scanning
Compliance scanning
These sub-types help to clarify the various aspects of system scanning. Common industry tools used for system scanning include:
Adding to the potential for confusion, people often refer to a specific type of cybersecurity scanning by mentioning only the tool or system name, such as "the scanner" or "Nessus."
Host Discovery/Enumeration Scanning
Discovery scanning identifies which systems are present on your network, while enumeration scanning aims to determine what each responding system is. In a discovery scan, the scanner is configured to quickly examine a broad range of network addresses within the organization and record which addresses respond. Comparing the list of responding systems against the known, existing inventory reveals new systems introduced to the network. Discovery scanning therefore plays a fundamental role in providing "source-of-truth" data to asset management systems, which is crucial for effective organizational asset management.
Enumeration scans build on discovery scans by attempting to identify each responding system from the way it responds to the scan. This identification process examines factors such as the connection banners the system exposes and how it responds to connection attempts. However, it's important to note that remote system enumeration isn't always precise, and scanners often include a confidence rating to indicate how reliable the identification provided by the enumeration is.
Another important cybersecurity tool to know for Discovery/Enumeration scanning is Nmap (Network Mapper), which can be found at https://nmap.org/. An example of a basic Nmap scan is provided below:
nmap -p <ports> <ip address or IP address range>
Nmap is an open-source and freely available tool that comes with comprehensive documentation and a wide range of use cases. This makes it an excellent, cost-effective choice for performing discovery and enumeration scanning tasks.
Vulnerability scanning
In simplified terms, vulnerability scanning is the search for software or system flaws that can be exploited; buffer overflows are a common example of such vulnerabilities. The diagram illustrates the overall process, from the initial discovery of a vulnerability to its identification within your systems using a vulnerability scanning system.
1. A vulnerability is discovered within a system or software, often by a hacker, researcher, or even the organization responsible for developing the software.
2. The discovered vulnerability is registered with CVE (Common Vulnerabilities & Exposures) tracking, which is managed by MITRE and can be accessed at https://www.cve.org.
Each vulnerability is evaluated against the factors in the CVSS standard and assigned a "Vector String":
/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
The vector string is used to compute the severity of a vulnerability on a scale ranging from 1 to 10, with 10 indicating the most severe vulnerability. This 10-point scale is further divided into levels such as low, medium, high, and critical (for instance, ratings of 8-10 or 9-10 are considered critical). The current specification for this assessment is CVSSv3.1, and you can find more details about it at the following link: https://www.first.org/cvss/specification-document
For example, in the vector string /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, AV stands for "Attack Vector", which can take the following values:
AV = N "Network"
AV = A "Adjacent"
AV = L "Local"
AV = P "Physical"
Vulnerabilities that are exploitable over the network (N) are the most readily exploitable, so AV:N contributes the highest value for this component to the overall 1 - 10 score.
The vulnerability is then assigned a CVE ID that starts with the year followed by a number.
CVE-2022-22954
3. Security scanning vendors update their scanning software to incorporate checks for these CVEs. Some scanning vendors refer to a check for a specific vulnerability as a Plugin ID.
CVE-2022-22954 = Plugin ID ###,###
4. Organizations then utilize this updated scanning software to examine their systems within their environment to identify any vulnerabilities they might possess.
Credentialed vulnerability scans are considered the gold standard for vulnerability scanning. If the scanner cannot log in to the system being scanned, it cannot accurately identify all the software packages the system is running, which leads to an incomplete vulnerability assessment.
It's important to note that not every system can be scanned: vulnerability scanners are not equipped to identify every type of system.
Keeping your scanner plugin database up to date is crucial. If it's not, your scans may not detect the most current vulnerabilities. Various security controls emphasize the importance of maintaining up-to-date scanning tools.
The CVSS vulnerability scoring system has faced challenges in effectively prioritizing vulnerabilities. To address this, multiple efforts are underway to improve vulnerability prioritization. Some notable examples include:
CISA's "Known Exploited Vulnerability" (KEV) catalog, available at https://www.cisa.gov/known-exploited-vulnerabilities-catalog.
Scanning vendor priority rankings, such as Nessus's "Vulnerability Priority Rating" (VPR).
The ongoing development of the CVSSv4 specification, which aims to enhance the accuracy and relevance of CVSS scores in reflecting the true nature of vulnerabilities.
Compliance scanning
Compliance scans and vulnerability scans are often confused, but they serve distinct purposes. Compliance scans focus on assessing whether systems adhere to specific secure settings rather than identifying vulnerabilities. These secure settings are determined by security organizations, such as the Center for Internet Security (CIS), https://www.cisecurity.org/, and the US Government's "Security Technical Implementation Guides" (STIGs), https://public.cyber.mil/stigs/.
1. A security organization (CIS, STIG, etc.) works with security users/experts in a specific system to determine secure settings for that system. These are sometimes referred to as security benchmarks for that system.
For instance, a secure setting may involve restricting root logon via SSH. These security guides not only define these secure settings but also provide instructions on how to configure them and offer commands for verifying that the settings are correctly configured. Compliance scans are designed to check whether systems meet these recommended secure configurations.
/etc/ssh/sshd_config
PermitRootLogin no
The security guides provide a comprehensive list of secure configuration items specific to various systems, like different Linux versions or Windows versions. These guides are a valuable resource not only for ensuring the security of your systems but also for learning how to secure them effectively, and the best part is that most are freely available.
2a. The task of configuring systems to adhere to the secure settings outlined in the security configuration guide is not the responsibility of the compliance scanner. These secure configurations can be implemented using various methods, including:
Secure configuration scripts
Configuration automation tools like Ansible, Puppet, etc., that implement secure configuration commands and/or scripts.
Deploying the system from a pre-configured secure base image
In some instances, manual configuration :-(
It's crucial to ensure that systems are appropriately configured to meet these secure settings, but this process is separate from compliance scanning, which is the verification of the secure configuration settings.
2b. Automated checks to verify that systems conform to the secure configurations must be created. Since scanners typically have access to the systems for vulnerability assessment, many scanning vendors have incorporated the capability to perform compliance scans as well. These scans are conducted using audit files, which contain the commands required to verify secure configurations. The scanner then automates these checks and provides reports on the results. This allows organizations to ensure that their systems align with the specified secure settings.
3. The organization conducts compliance scans on a scheduled basis to identify, analyze, and address compliance scan failures with the goal of enhancing security. There are a couple of key points to consider regarding compliance scanning:
Not all system types have compliance scans available. Developing secure configuration guides requires time and effort, and in some cases, there may not be a published secure standard (e.g., CIS, STIG) for a particular system type. Additionally, building automated checks for security configuration guides can be time-consuming, resulting in cases where a secure guide exists but lacks an automated check.
Automated checks for secure configurations are not flawless and may generate false positives. For example, some checks use basic regex patterns to search for keywords and may not have the intelligence to determine whether a software component with an insecure configuration is enabled on your system. Other compliance checks are system-specific, and some may require manual verification.
Some scanning systems categorize compliance failures within their framework for vulnerabilities. For instance, a "Compliance Check Failure" may be rated as "High," a "Compliance Check Pass" as "Informational," and a "Manual Check Needed" as "Medium." It's important to note that a compliance check result indicates whether a configuration setting passes or fails; it is not an assessment of system vulnerabilities.
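The following added example (my own code, not a vendor audit file or anything from the page) makes the sshd PermitRootLogin check above concrete and shows the false positive the basic-regex point describes: a keyword grep passes on a commented-out line or a line inside a Match block, while a parser that reads the file the way sshd does (first occurrence wins, comments ignored, Match blocks conditional) reports the effective global value. The sample sshd_config is constructed for the example.

```python
import re

# Constructed sample sshd_config (not from any real host). The commented-out
# line and the Match block are the classic false-positive traps for a keyword grep.
SAMPLE_SSHD_CONFIG = """\
# Hardened per the local benchmark
#PermitRootLogin no
Port 22
permitrootlogin yes
Match User backup
    PermitRootLogin no
"""

KEYWORD_RE = re.compile(r"PermitRootLogin\s+no", re.IGNORECASE)

def naive_keyword_check(text):
    """The 'basic regex' audit style the page warns about: passes whenever the
    keyword appears anywhere, comments and Match blocks included."""
    return KEYWORD_RE.search(text) is not None

def effective_global_value(text, directive):
    """Read the file the way sshd does: lines whose first token starts with '#'
    are comments, keywords are case-insensitive, the FIRST occurrence wins, and
    directives after a 'Match' line (other than 'Match all') are conditional.
    Returns None when the directive is unset, i.e. the sshd default applies."""
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            in_match = value != "all"
            continue
        if not in_match and key == directive.lower():
            return value
    return None

def compliance_check(text, directive="PermitRootLogin", expected="no"):
    """Pass/fail verdict in the form a compliance scanner reports. This is a
    configuration result, not a vulnerability finding."""
    value = effective_global_value(text, directive)
    if value is None:
        return False, "%s not set (sshd default applies)" % directive
    return value == expected, "%s %s" % (directive, value)
```

On the sample file the keyword check passes but compliance_check fails with "PermitRootLogin yes", which is the false positive in practice; an unset directive is also reported as a failure because the benchmark expects an explicit value.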
Connecting compliance scanning back to CIS controls, and NIST-800-53 controls
This diagram connects the "Secure Configurations" controls from control frameworks like CIS and NIST 800-53. Secure configurations are applied to systems and compliance scanning is used to verify system secure configuration settings.
Combination scan
Another type of scan is known as combination scans. Combination scans involve the execution of multiple scan types within the same scanning session, allowing the scanner to perform various checks on the system being scanned. For instance, in a single scan, the scanner may carry out host discovery/enumeration, vulnerability assessment, and compliance checks on the target system. Conducting scans through combination scans has both advantages and disadvantages compared to running separate scans for discovery/enumeration, vulnerabilities, and compliance checks.