The output of a vulnerability scan can identify significant security vulnerabilities. In this video, you’ll learn about vulnerability scans, reading through the results, and managing false positives and false negatives.
Vulnerability scanners are an important part of maintaining the safety and security of the devices on your network. This allows you to scan these devices to see if there are any known vulnerabilities that you may be able to close or remove prior to an attacker taking advantage of those vulnerabilities.
The scanner looks at a huge amount of information. And although it seems like it’s looking at almost everything on the system it’s really looking at very specific signatures for known vulnerabilities. These vulnerabilities can be cross-referenced online. So you can see exactly what is associated with that vulnerability. And in many cases, how to resolve or remove that vulnerability.
There are many places to find this information. One of the most popular is the National Vulnerability Database at nvd.nist.gov. And of course, we can always find our Microsoft Security Bulletins on the microsoft.com website. The information we get from a vulnerability scanner can sometimes be very obvious and very clear that a vulnerability exists. But sometimes a vulnerability scanner will simply give us an idea that perhaps a vulnerability may be an issue on that device.
So you may have to manually connect to this device do some additional research and determine if this system is really vulnerable. A vulnerability scan can give you a lot of information on the status of those devices. One is that it may tell you that it has a lack of security controls. If the firewall has been configured or turned off a vulnerability scan can inform you of that problem. Or if there’s no antivirus and no anti-spyware on the system you will see that listed in the vulnerabilities associated with that device.
A vulnerability scan might also tell us if a user’s created an open network share. This would be accessed to files on the system that don’t require any type of authentication and that would be a significant vulnerability. But one of the things you will find with these vulnerability scans is that it is able to identify some very specific vulnerabilities that exist. And as we update the database in the vulnerability scanner we can be notified of new vulnerabilities as they are discovered.
This is a vulnerability scan that I ran on a system that has a number of different vulnerabilities by default. This is intentionally a very vulnerable system. The scan took only two minutes to run. And it identified 39 vulnerabilities on the system. Some of those vulnerabilities are critical vulnerabilities, others are mixed, some are medium, there’s one low vulnerability. And a large number of informational vulnerabilities on the system.
If we scroll to the top we’ll look at the critical vulnerabilities. And we’ll look at the second one on this list which is Unix operating system unsupported version detection. And it found that this particular system is running Ubuntu 8.04, which is a very old version of that operating system. And it even tells us that there’s no support and no new security patches. So this may not be a good operating system to run on your network.
If we go back to our list of vulnerabilities. One of the medium category vulnerabilities is that the NFL shares on this device or world readable. Which means there are no access restrictions. Anyone who is able to see the system is able to connect to that share and access the files on the storage device of this machine. And we’ll do one more we’ll look at a medium vulnerability of an unencrypted telnet server.
Telnet servers obviously communicate in the clear. And it’s telling us that this device is running a telnet server over an unencrypted channel. In fact, it gives us the banner it received when it connected to this device. And you can see that this is an intentionally vulnerable operating system called metastable voidable two.
If this was a production system it wouldn’t be running mate exploitable. But it would be providing information about the banner on the system. And then we can take the proper steps to disable this telnet server on this device.
One challenge when working with vulnerability scans is occasionally the information we receive in those reports won’t be entirely accurate. For example, we may receive false positives in that report telling us that a vulnerability exists. Here’s the type of vulnerability that it happens to be. But then when we research it and have a look at the system, we find that system isn’t vulnerable at all.
The vulnerability scanner believes that a vulnerability exists. But now that we’ve researched it we can see that there is no vulnerability on the system it was instead a false positive. False positives are problems that don’t exist at all, they were miscategorized or misidentified as a vulnerability.
This is different to something that is a low severity vulnerability. Like the low severity vulnerabilities on our report where the problems really did exist. But the vulnerability scanner believes that these particular problems may be of a lower priority than perhaps a medium critical or high vulnerability.
A vulnerability we did not see on our report was a false negative. That’s because false negatives don’t appear on any of your reports. A false negative is when a vulnerability exists on that device but the vulnerability scan did not identify it. And therefore was not able to alert us that a problem might really exist on that system.
A false negative can be a significant concern. A vulnerability exists on the system but our scanner never identified it. And therefore we may have no idea that our system is susceptible.
One of the things you can do to minimize the number of false positives or false negatives is to make sure you have the latest signatures for your scanner. This is going to provide the most accurate set of signatures and the latest set of signatures. So that things like a false negative can suddenly be identified. And things like false positives can be properly not identified by your system.
And there may be aspects of your network or the configurations that you’re running on your systems that might cause false positives and false negatives. So you want to work with your vulnerability scanner manufacturer to make sure that you’re running the right configuration with the right signatures.