Summary

Vulnerability scans

Vulnerability scanners are automated tools that identify and classify weaknesses in computers, networks and applications by matching what they observe against a database of already known vulnerabilities: for example missing patches, and outdated or insecure protocols, certificates and services.

What usually separates vulnerability scanning products from each other is the analysis procedure. Many suppliers use a client-based model in which an agent collects information and sends it to a cloud-based analysis platform, which then returns the analysis results.

With Secure IT Appliance we can offer either a client-based solution or a standalone solution in which the entire analysis process runs locally at each customer and no information leaves the customer’s network.

There are two levels of vulnerability scanning: authenticated and unauthenticated.

Authenticated scans are run with credentials, which gives the scanner the same access as a privileged user. This lets it look deeper into each system and detect weaknesses that are visible from the inside, such as weak passwords, malicious software, installed programs and configuration problems. The method shows what a legitimate system user can reach and what damage a compromised account could potentially cause. It is normally run from inside the network, since it needs access to the systems’ management interfaces.

Unauthenticated scans are not granted privileged access. They scan the systems that are reachable, both internally and, in combination with penetration tests, from the outside. The analysis runs from a separate system that has no membership or privileges in the customer’s network. The method produces fewer findings, but each finding is more relevant to the actual exposure of the system or environment. It mirrors the approach of attackers or security analysts who, without prior knowledge, try to find vulnerable systems, information or external paths in.

In order to create and maintain a high level of security in your network environment, regular vulnerability scanning of sensitive networks is necessary, preferably quarterly or more often. In addition, new or changed systems and equipment should always be scanned before being put into production.

Vulnerability scans should be performed by external vendors, who may be certified or specialized in particular areas, such as the payment card industry (PCI) for scanning payment card networks. The benefits of using external vendors include their knowledge and specialization, and an independence that yields an impartial assessment of potential risks and vulnerabilities.

All of our tests are based on a large library of vulnerabilities and we use actual vulnerabilities, which are active in the outside world right now, in a controlled way in order to evaluate different protection solutions in the safest possible way.

Our security tests are based on a large library of commercial vulnerabilities that emulate different attack vectors and scenarios in a realistic way. There are also opportunities to customize vulnerabilities and attack vectors for applications and services that are self-developed.

The library contains vulnerabilities that attack network resources such as:

  • Applications: this may include web browsers, e-mail clients, chat applications, media players, business applications, productivity applications and development tools, etc.
  • Protection solutions: this may include antivirus, anti-phishing, anti-malware, anti-spam as well as intrusion detection and intrusion protection systems.
  • Operating systems and services: this may include Windows, Mac, Linux, OS400 and more.

This library is developed by security experts around the world. The vulnerabilities are tested and updated daily so that it is always possible to test and protect against the latest vulnerabilities, including Zero-Day attacks.

  • Analyzes the customer’s network up to once a day (depending on the size of the network).
  • The solution / analysis runs on-site in the network as a physical or virtual appliance that is “self-contained”: the appliance needs no access to AD, servers or other systems, and no client / agent has to be installed on the systems being monitored.
  • Updated with new vulnerabilities daily.
  • Easy-to-read reports with suggested actions.
  • The technical part of PCI DSS is included.
  • Secure IT Appliance delivers measurable risks / vulnerabilities.
  • Greatly simplified handling: no complicated configuration is needed before it works as it should. Pull the reports (Top 10) and start working on the actions.
  • A massive database of different types of risks and threats, supplemented by combined threats and vulnerabilities based on chained exploits and proxy / pivoting attacks.
  • The appliance performs mapping, information collection, matching against the threat database, filtering of false positives and report generation entirely internally, so no information leaves the customer’s network.

Secure IT can be run manually or on a schedule, either as an appliance or as a probe. It needs no privileges through a connection to the domain / AD. It is completely clientless, and in appliance mode none of the customer’s information is sent to the cloud for analysis / processing; only in probe mode is data sent out for analysis.

A brief overview of the flow in a typical use case for Secure IT is described below.

When Secure IT runs, it follows these steps:

  • Mapping of the environment to be scanned, which also identifies new devices.
  • Information gathering on the identified environment, and reconciliation with previous runs.
  • Retrieval of updated signature data and scanning profiles for the identified environment.
  • Vulnerability analysis and gathering of information about potential risks and vulnerabilities.
  • Filtering out false positives and other information that is not relevant to the current environment.
  • Checking for the occurrence or risk of chained exploits, pivoting exploits and proxy exploits.
  • Testing of the remaining potential risks and vulnerabilities, using tests that do not disturb / affect the environment.
  • Matching the remaining potential risks and vulnerabilities against real-time data for accurate grading.
  • Grading of the identified risks and vulnerabilities, and generation of reports and security indices.
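As an added illustration of the flow above (this is not Secure IT’s code, and it also illustrates the authenticated / unauthenticated distinction from the earlier section), the following Python sketch runs one scan pass over a constructed inventory: it matches observed versions against a small vulnerability library, separates what an unauthenticated pass sees (service banners) from what an authenticated pass adds (the installed-package inventory), flags hosts where a remote flaw and a local privilege escalation could be chained, grades findings by exposure, and reconciles the result with the previous run. The product names, version boundaries and the EX-000x labels are fictional placeholders, not real advisories.

```python
"""Toy model of one vulnerability-scan pass, added as an illustration; it is
not Secure IT's code. Products, versions and identifiers are constructed."""
import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Vuln:
    vid: str            # placeholder label, not a real advisory identifier
    product: str
    fixed_in: str       # versions strictly below this are affected
    base_score: float   # 0..10, CVSS-like
    stage: str          # "initial_access" (remote) or "priv_esc" (local)


# Constructed library: fictional products and version boundaries.
LIBRARY = [
    Vuln("EX-0001", "webfront", "2.4.50", 9.8, "initial_access"),
    Vuln("EX-0002", "mailrelay", "3.1.0", 7.5, "initial_access"),
    Vuln("EX-0003", "privhelper", "1.9.5", 7.8, "priv_esc"),
]


@dataclass
class Host:
    addr: str
    exposed: bool                                 # reachable from outside
    banners: dict = field(default_factory=dict)   # port -> (product, version)
    packages: dict = field(default_factory=dict)  # product -> version, needs credentials


def parse_version(v: str) -> tuple:
    """'2.4.49' -> ((2,''),(4,''),(49,'')); '7.9p1' -> ((7,''),(9,'p1')).
    Numeric fields compare as integers, so 2.4.9 < 2.4.10, unlike a string compare."""
    out = []
    for piece in re.split(r"[.\-]", v):
        m = re.match(r"(\d*)(.*)", piece)
        num = int(m.group(1)) if m.group(1) else -1
        out.append((num, m.group(2)))
    return tuple(out)


def is_affected(version: str, vuln: Vuln) -> bool:
    return parse_version(version) < parse_version(vuln.fixed_in)


def grade(vuln: Vuln, host: Host) -> float:
    """Environment-adjusted score: a remote flaw on a host that is not reachable
    from outside is downgraded; a local flaw keeps its base score."""
    score = vuln.base_score
    if vuln.stage == "initial_access" and not host.exposed:
        score -= 2.0
    return round(max(score, 0.0), 1)


def scan_host(host: Host, authenticated: bool) -> list:
    """Unauthenticated: match only what banners reveal. Authenticated: also
    match the package inventory, which is where local priv-esc flaws show up."""
    seen = {prod: ver for prod, ver in host.banners.values()}
    if authenticated:
        seen.update(host.packages)
    findings = []
    for vuln in LIBRARY:
        ver = seen.get(vuln.product)
        if ver is not None and is_affected(ver, vuln):
            findings.append({"host": host.addr, "vid": vuln.vid,
                             "product": vuln.product, "version": ver,
                             "score": grade(vuln, host), "stage": vuln.stage})
    return findings


def chained_paths(findings: list) -> list:
    """Hosts where a remote initial-access flaw can be chained with a local
    privilege escalation: each alone is 'high', together they mean full compromise."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f["host"], set()).add(f["stage"])
    return sorted(h for h, stages in by_host.items()
                  if {"initial_access", "priv_esc"} <= stages)


def reconcile(previous: list, current: list) -> dict:
    """Compare with the last run: which findings appeared, which were fixed."""
    prev = {(f["host"], f["vid"]) for f in previous}
    cur = {(f["host"], f["vid"]) for f in current}
    return {"new": sorted(cur - prev), "fixed": sorted(prev - cur)}


def run_scan(hosts: list, authenticated: bool, previous: list = ()) -> dict:
    findings = [f for h in hosts for f in scan_host(h, authenticated)]
    findings.sort(key=lambda f: -f["score"])
    return {"findings": findings, "chains": chained_paths(findings),
            "delta": reconcile(list(previous), findings)}


# Constructed inventory for two hosts (addresses and versions are made up).
HOSTS = [
    Host("10.0.0.10", exposed=True,
         banners={443: ("webfront", "2.4.49")},
         packages={"webfront": "2.4.49", "privhelper": "1.9.4"}),
    Host("10.0.0.20", exposed=False,
         banners={25: ("mailrelay", "3.0.2")},
         packages={"mailrelay": "3.0.2", "privhelper": "1.9.5"}),
]

if __name__ == "__main__":
    ext = run_scan(HOSTS, authenticated=False)
    auth = run_scan(HOSTS, authenticated=True, previous=ext["findings"])
    for f in auth["findings"]:
        print(f"{f['host']} {f['vid']} {f['product']} {f['version']} score={f['score']}")
    print("chains:", auth["chains"], "new since unauth run:", auth["delta"]["new"])
```

Running the same routine first unauthenticated and then authenticated shows the point of the two levels: the banner-only pass finds the two remotely visible flaws, the credentialed pass additionally finds the local privilege escalation on the exposed host, and only the combination reveals that the two can be chained. The version comparison is deliberately numeric per field; a plain string compare would wrongly treat 2.4.9 as newer than 2.4.10 and miss affected systems.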

Comparable products from other suppliers do NOT perform the following steps:

  • Checking for the occurrence or risk of chained exploits, pivoting exploits and proxy exploits.
  • Testing of the remaining potential risks and vulnerabilities, using tests that do not disturb / affect the environment.
  • Matching the remaining potential risks and vulnerabilities against real-time data for accurate grading.

In addition, products from other suppliers rely on smaller databases, whereas Secure IT uses a much larger library of tests together with the market’s recognized best product for post-checking and validating risks and vulnerabilities.

Vulnerability Scanning vs Penetration Test

The recommendation is to run both vulnerability scans and penetration tests, in order to cover not only the risks and threats to the systems and information in the customer’s network but also the various attack vectors that could potentially be exploited.

The table below briefly describes the difference between vulnerability scans and penetration tests:

Frequency
  Vulnerability scanning: At least quarterly, preferably more often, and after significant changes to networks and equipment.
  Penetration test: Once or twice a year, and after significant changes to networks and equipment.

Reports
  Vulnerability scanning: Provides a comprehensive picture of the vulnerabilities that exist and what has changed since the last report.
  Penetration test: Specifies in detail which information is at risk and which security measures should be taken.

Focus
  Vulnerability scanning: Lists known vulnerabilities that can be exploited. Also covers various types of 0-day threats, chained exploits, proxy / pivoting exploits and some real-time information for grading.
  Penetration test: Identifies known, unknown and exploitable vulnerabilities in specific objects and / or business processes.

Implementation
  Vulnerability scanning: Should be performed by independent external suppliers. Requires expertise in the field.
  Penetration test: Should be performed by independent external suppliers. Requires high expertise in the field.

Value
  Vulnerability scanning: Proactivity: detects the many different conditions that can jeopardize the security of information and equipment.
  Penetration test: Identifies and reduces the risk that vulnerabilities open up external attack vectors.