What is Common Vulnerability Scanning System?

Common Vulnerability Scanning

A typical vulnerability scanning system identifies vulnerabilities in software, operating systems, and file shares. It can run without remote access to the target and can identify vulnerable versions of software. These scans are performed by sending packets to open ports. Depending on the scanner used, they can also report on the system from an untrusted or an authenticated perspective. These systems are available in a wide range of configurations and at varying prices. However, they can save you time and money over the long term.

The types of vulnerabilities that can be detected vary greatly. Many systems have a large number of vulnerabilities, and some scanners do not detect all of them. Moreover, different vulnerability scanners offer different features and pricing models. Some of them can be scheduled to run on a regular basis against a large number of systems or only a few of them. Other features that may be important for your organization include automatic system scanning and support for compliance requirements.

Another type of vulnerability scanning is on-premises. Here, organisations host the vulnerability scanning product on their own infrastructure. This could be a virtual machine or a physical appliance. The advantage of this is that you can perform the scans in areas with no external connectivity, while maintaining full control over sensitive data. However, this option comes with a price: on-premises vulnerability scanning requires a considerable amount of initial configuration and ongoing maintenance.

While most vulnerability scanning systems are capable of detecting known vulnerabilities in software and operating systems, they can’t detect zero-day vulnerabilities, which are not publicly known. Hence, a scan gives you no way of knowing whether your company’s application has a zero-day vulnerability. This means that your organization may still be vulnerable to attacks targeting your data.

The best solution for assessing the security of your IT estate is to use a comprehensive scanner. A more comprehensive vulnerability scanning solution gives you full visibility of the risk. However, it’s not always feasible or affordable to scan everything. Instead, prioritise assets that are accessible from the internet, that provide business-critical services, or that hold sensitive data, such as databases. Then, create a list of assets that can’t be scanned, and incorporate this information into your security model.

Besides performing external network vulnerability scans, you can also conduct internal network vulnerability scans. Both assess the security of network services. External scanners look for vulnerabilities in a network segment and its outside perimeter. Internal vulnerability scans help you identify vulnerabilities that hackers can exploit from inside the network. For example, an outdated Firefox browser on a company laptop could be vulnerable to a malware attack if it visits a malicious website. The same is true for devices and network segments on private networks.

Another great vulnerability scanning system is Tripwire IP360. Tripwire IP360 can scan your entire environment and even uncover assets you didn’t know were there. It uses both agent-based and agentless vulnerability scanning. Pen testing is another way to enhance your vulnerability assessment. Some scanners find thousands of vulnerabilities and prioritize remediation based on a CVSS (Common Vulnerability Scoring System) score, which isn’t appropriate for your organization’s set-up.
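The sketch below is an added example, not code from any scanner named here. It illustrates the two points above: ordering assets for scanning while keeping a list of those that can't be scanned, and ranking findings by CVSS adjusted for asset context instead of by CVSS alone. The asset names, finding IDs, scores and the weighting rule are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    internet_facing: bool = False
    business_critical: bool = False
    sensitive_data: bool = False
    scannable: bool = True

# Constructed inventory (hypothetical names).
ASSETS = [
    Asset("web-frontend", internet_facing=True, business_critical=True),
    Asset("customer-db", business_critical=True, sensitive_data=True),
    Asset("vpn-gateway", internet_facing=True),
    Asset("hr-laptop-17"),
    Asset("legacy-plc", business_critical=True, scannable=False),
]

# Constructed findings: (asset name, placeholder finding ID, CVSS base score).
FINDINGS = [
    ("hr-laptop-17", "FINDING-A", 9.8),
    ("web-frontend", "FINDING-B", 7.5),
    ("customer-db", "FINDING-C", 6.5),
    ("vpn-gateway", "FINDING-D", 8.1),
]

def asset_weight(asset):
    # Assumed rule: one point per criterion from the text, plus a base of 1.
    return 1 + asset.internet_facing + asset.business_critical + asset.sensitive_data

def scan_scope(assets):
    """Return (scan order, exclusion list). Unscannable assets are recorded,
    not silently dropped, so they can be covered by other controls."""
    scannable = sorted((a for a in assets if a.scannable),
                       key=lambda a: (-asset_weight(a), a.name))
    excluded = [a.name for a in assets if not a.scannable]
    return [a.name for a in scannable], excluded

def rank_by_cvss(findings):
    return [fid for _, fid, score in sorted(findings, key=lambda f: -f[2])]

def rank_by_context(findings, assets):
    weights = {a.name: asset_weight(a) for a in assets}
    ranked = sorted(findings, key=lambda f: (-f[2] * weights[f[0]], f[1]))
    return [fid for _, fid, _ in ranked]

if __name__ == "__main__":
    order, excluded = scan_scope(ASSETS)
    print("scan order:", order)
    print("cannot be scanned:", excluded)
    print("by CVSS only:", rank_by_cvss(FINDINGS))
    print("by CVSS x asset context:", rank_by_context(FINDINGS, ASSETS))
```

With this sample data the highest raw CVSS score sits on a laptop with no special exposure, so it drops to last place once asset context is applied.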
