Vulnerability Scanning Overview – CompTIA Security+ SY0-401: 3.7

How many vulnerabilities do your network devices have? In this video, you’ll learn how to use a vulnerability scanner to find the susceptible areas in your network.



If you’re looking to find the vulnerabilities that might be on your network, a vulnerability scanner is a great way to automate that process. One of the challenges we have, of course, is that new vulnerabilities are identified practically every day, very often multiple vulnerabilities a day. In the United States, there is a National Vulnerability Database (NVD).

If you go to nvd.nist.gov, you’ll be able to get an idea of the vulnerabilities that people are identifying. If you go through this list, you’ll notice there are vulnerabilities for operating systems and vulnerabilities for applications. Certain services have vulnerabilities associated with them. And we’re discovering new ones all the time.

So think about all of the systems you might have in an enterprise environment. There are many different operating systems. There are many different applications. It becomes very complex to keep up with all of this and understand what’s going on. Fortunately, vulnerability scanners are designed to keep up with the latest vulnerabilities.

They’re able to assess how susceptible your systems might be to these vulnerabilities. They can go through and query a system, and in some cases even try the vulnerability itself to see if it can take advantage of the system. So simply turning on a vulnerability scanner is probably not the smartest thing to do.

I’ve been in environments where somebody turned on a vulnerability scanner, not recognizing all of the different and varied systems, and ended up bringing a number of very critical systems down. So be careful when you start going through and proactively scanning all these devices. You don’t want to create more problems than the ones you’re trying to solve.

Not all scanners are alike. Certain scanners are very good for general use. Some are focused on applications. Others are focused on certain operating systems. You’ll need to look at all of the different scanners that are available to you and see which one fits best with what you’re trying to do in your environment.

Good examples of common scanners include Nessus, Nikto, and Nmap. There are also SATAN, SAINT, and SARA, which are very similar because they were built from the same origins. Which one you use really depends on what you need to scan and which vulnerabilities you need to identify in your environment.

I’m running a vulnerability scanner on my network. I’m running the home version of Nessus, which gives me the ability to scan and look at all the different systems that are on my local network. I have quite a few systems on my local network. You can see them listed here. It shows the total number of vulnerabilities it has identified in these systems.

Some of them are high-severity vulnerabilities. Some of them are in the medium category. And others have a severity level of low. You can also see how many ports are open on those devices. So not only has the scanner identified known vulnerabilities, it has also identified open ports through which people could connect to these devices.

Let’s look at one of my devices. This is the device I’m running right here. And it’s showing me that I do indeed have some vulnerabilities: a high-level, critical vulnerability in Microsoft Office. So just by running this scanner on my network, it went through and found every system on my network, automatically ran a series of tests on all of those systems, and created a report that I can now reference to understand the vulnerabilities I should be aware of in my environment.

One thing you do have to watch out for is that these vulnerability scanners aren’t perfect. They don’t really have context as to the types of systems that you have. They start with a pretty blank slate and build up as much information as they can. But they can be a little bit fickle, and they may not home in precisely on specific problems.

So you do have to go back over the results and make sure that the vulnerability scanner really is giving you correct information. For instance, if you are in an environment where you have network-level devices in place, such as packet filters or firewalls, you may not be able to go from one side of your network to the other without a system in between watching what’s going on.

So of course, your vulnerability scanner will be affected by this. If the scanner can’t reach a device, or is filtered from reaching that device, then obviously it can’t check that device for certain types of vulnerabilities. That’s something to keep in mind. You also have the devices themselves, which might have their own personal firewalls.

There might be different application versions running on systems. Maybe the operating system itself doesn’t lend itself to a very good vulnerability scan. And sometimes you can configure your vulnerability scanner with specific login credentials that give it extra access to devices (a credentialed scan). If that isn’t enabled and turned on, the scanner may not be able to get into a device and really do a thorough vulnerability scan of it.
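The results view described above (counts by severity, open ports per host) and the caveats just listed (hosts the scanner could not reach, scans run without credentials) can both be checked from a Nessus export. The following is an added example, not code from the video or from Tenable: it parses a constructed `.nessus` v2 XML snippet offline; the plugin IDs are placeholders and the `Credentialed_Scan` host-property name is an assumption.

```python
# Added example (not from the video or from Tenable): triage a Nessus .nessus
# v2 export offline. The XML is constructed sample data; plugin IDs are
# placeholders and the Credentialed_Scan host-property name is assumed.
import xml.etree.ElementTree as ET
from collections import Counter

SEVERITY = {0: "info", 1: "low", 2: "medium", 3: "high", 4: "critical"}

SAMPLE_NESSUS = """<NessusClientData_v2><Report name="lab-scan">
<ReportHost name="192.168.1.19"><HostProperties>
<tag name="Credentialed_Scan">false</tag></HostProperties>
<ReportItem port="445" protocol="tcp" severity="3" pluginID="00001" pluginName="Microsoft Windows SMB Shares Unprivileged Access"/>
<ReportItem port="445" protocol="tcp" severity="0" pluginID="00002" pluginName="SMB Service Detection"/>
</ReportHost>
<ReportHost name="192.168.1.7"><HostProperties>
<tag name="Credentialed_Scan">true</tag></HostProperties>
<ReportItem port="3389" protocol="tcp" severity="2" pluginID="00003" pluginName="RDP Medium Encryption"/>
</ReportHost>
<ReportHost name="192.168.1.50"><HostProperties/></ReportHost>
</Report></NessusClientData_v2>"""

def triage(nessus_xml=SAMPLE_NESSUS):
    """Per host: finding counts by severity, open ports, credentialed flag, high+ findings."""
    results = {}
    for host in ET.fromstring(nessus_xml).iter("ReportHost"):
        props = {t.get("name"): (t.text or "") for t in host.iter("tag")}
        counts, ports, serious = Counter(), set(), []
        for item in host.iter("ReportItem"):
            sev = int(item.get("severity", "0"))
            port = int(item.get("port", "0"))
            counts[SEVERITY.get(sev, "info")] += 1
            if port:  # port 0 is a host-level finding, not a listening service
                ports.add((port, item.get("protocol", "tcp")))
            if sev >= 3:
                serious.append((sev, item.get("pluginName"), port))
        cred = props.get("Credentialed_Scan")
        results[host.get("name")] = {
            "counts": counts, "ports": ports, "serious": sorted(serious, reverse=True),
            "credentialed": None if cred is None else cred == "true"}
    return results

def review_notes(results):
    """Flag hosts whose results need a second look, per the caveats in the text."""
    notes = []
    for host, r in sorted(results.items()):
        if not r["counts"]:
            notes.append(f"{host}: no findings at all; likely unreachable or filtered")
        elif r["credentialed"] is False:
            notes.append(f"{host}: uncredentialed scan; patch-level checks incomplete")
    return notes
```

A host with no findings is treated as unreachable or filtered rather than clean, and an uncredentialed host is flagged because its patch-level checks could not run.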

So make sure that you look through the results. Occasionally, you will find some very surprising results: things you didn’t know about your systems out in the field, things you thought were enabled that turn out not to be, and security controls you thought were in place that perhaps were not. So make sure you go through your results and identify where some of these surprising results might be.

That way, you can go and resolve those issues on those systems or networks. One of the surprising things on my network was a Windows system that I was not expecting to see with a high-severity vulnerability listed here: 192.168.1.19. If I drill down into that host and look at the vulnerabilities associated with it, the finding is “Microsoft Windows SMB Shares Unprivileged Access.”

And it’s certainly set to a severity of high. That doesn’t sound very good. If I drill down into it further, it says it is possible to access this network share. And it says it’s able to do it without any specific kinds of rights. And in fact, it said it was able to get in and read all of this information from the hard drive.

The entire C drive is readable and writable across the network. It’s probably a system I had in my lab. I configured it a certain way and completely forgot that I’d set it up for such open access. By running this vulnerability scanner, it didn’t find a known vulnerability; it found a known misconfiguration on that device. And it informed me that if I’d like to make this more secure, I might want to think about setting some permissions on this share.

That’s the value of running these automated vulnerability scanners on your network: having them go through every system looking for a myriad of different problems, vulnerabilities, and configuration issues can really help secure your network even further.