CompTIA CYSA+ CS0-002 – Vulnerability Scanning Part 2

4. Scanner Types (OBJ 1.3)

Scanner types. In this lesson, we’re going to talk about the different ways you can configure your scanner. Now, different scanners have different capabilities. Some are going to be passive, some are going to be active, and some are going to be active with particular configurations that we’re going to talk about. Now, vulnerability scanners are going to operate in different modes and different configurations. And so it’s important for us to understand what those are. These include things like passive scanners, active scanners, credential scans, non credential scans, server based scans, and agent based scans. Now, when we talk about passive scanning, this is an enumeration or vulnerability scan that analyzes only intercepted network traffic rather than sending probes directly towards a target.

Now, we talked a little bit about passive reconnaissance before, and that’s what passive scanning really is. Passive scanning is going to have the least impact on your network and host, but it’s also the least likely to properly identify vulnerabilities. This is because you’re only sitting back and listening. You’re not actively asking for information. So if you’re on a network and you have passively tapped that network, you’re only going to get information as it crosses past that tap point. Additionally, you’re only going to get the information that they were sending. You can’t ask for additional details. And so that’s one of the reasons that passive scanning is the least likely to find identified vulnerabilities.

Now, cybersecurity analysts may use passive scanning, though if active scanning could provide a risk to the network or system, or if you’re doing threat hunting, this is another place that we use passive scanning a lot in, because while we’re on the network, we don’t want to give the bad guys the idea that we’re on the network watching them. So we will passively monitor them using passive scanning to identify vulnerabilities and malware that may be existing on the network. Now, we have passive scanning on one side, but on the other side of things, we have active scanning. And as a cybersecurity analyst, you’re probably going to do a lot of active scanning. This is something that is heavily used by us in the field. Now, active scanning is an enumeration or vulnerability scan that analyzes the response to probes sent to a target.

Now, previously, when we talked about Nmap, we talked about the fact that we would send out a probe like a sin packet and then we would get back the synac and we would analyze that and fingerprint it to identify things about that host that is a form of active scanning. And that is essentially what’s going to happen with our vulnerability scanners. Now, when we do that, these active scans do consume network bandwidth and processor resources. I’ve mentioned that a couple of times already in this section. So you have to be concerned with that as you start doing your scopes and your configurations to make sure you’re not going to do a denial of service against your own network. Now, the reason I bring this up is because I’ve seen this happen in the real world. One of my technicians got a little overzealous and he tried to scan a very large section of the network all at once.

Now, he put on like eight to ten different scanning engines at the same time, pointed from eight to ten of our different servers and did it across the network. And it essentially flooded our network with all this traffic and ended up making it so our users couldn’t actually do their job anymore. This is a big no no. So you want to make sure you are scoping your scans properly so you’re not causing issues for your end users. Now, active scanning can be configured many different ways, including Credentialed, non Credentialed, server based, and agent based. All of these are options you do have inside your vulnerability scanning tools. And depending on the tool you buy, it may be server based or agent based.

And we’ll talk more about that as we go through this section. Now, when I talk about a Credentialed scan, this is where the vulnerability scanner is given a user account to log on to the target systems or the host. So if I give it a username and password for the local administrator on a host, that’s a Credentialed scan. Now, as you can imagine, if you’re an administrator, you’re likely to see more things, right? And so if you’re doing a Credentialed scan, it’s more likely to find vulnerabilities and misconfigurations on a given target system than if you’re doing something that is non Credentialed. Now, when I talk about non Credentialed scans, this is when the vulnerability scanner sends test packets against a target without being able to log into that system or host.

Now, just because it can’t log in with the admin username and password doesn’t mean it doesn’t try to log in at all. Instead, these non Credentialed scans can try to probe the target with a default password for different services as well as for vulnerabilities within different applications. Now, again, because it’s a non Credentialed scan, you’re probably going to find a lot less vulnerabilities than if you do a Credentialed scan. Now, which type of scan should you choose? You’re probably thinking, I should always choose Credentialed. Well, not always, but a Credentialed scan will find more vulnerabilities than a non Credentialed scan. But there are some drawbacks to using Credentialed scans. For example, one of them is you have to have the admin username and password and give it to your scanning tool.

So if you’re worried about an insider threat, this is a big deal because now your scanning administrators also have access to all of your machines. There’s ways around this, and we’ll talk about that later on in this section as well. But just keep in mind right now that Credentialed scans will find more vulnerabilities than their non Credentialed counterparts. And that’s my real point here. Now, when you’re dealing with non Credentialed scans, these are going to be more appropriate when you’re doing an external assessment of the network perimeter. So if I’m trying to do one of those external scans as if I was an attacker, I’m not going to have your usernames and passwords. So I have to do a non Credentialed scan.

And that really shows more clearly what vulnerabilities you have open to an attacker at that very moment. And so that’s a great use for non Credentialed scans. Now, the other two things we need to talk about are server based scanning and agent based scanning. Let’s start with server based scanning. Server based scanning is a vulnerability scan that’s launched from one or more scanning servers against a target. So I have a scanning machine inside my network. I log into that scanning machine, whether it’s a server or a desktop. It’s still called a server in this case. And we would end up scanning our network with that. If you’re using something like Nessus, that is a server based scan for the most part. Now on the other hand, you have this thing called an agent based scan.

Now an agent based scan is where the vulnerability scanning is conducted using software applications that are installed locally on each target. So if I have 100 computers on my network, each of those hundred computers has this little agent installed on it and it performs the scan and then sends that information back. These agents on these machines are actually managed by an administration server that’s centralized and then the scans are run according to a set schedule. Once those scans are done, it’s going to take that information and send it back to that administration server where you can then analyze it. Now, what are some advantages of using agent based scanning? Well, agent based scanning is going to reduce the impact on the network.

Why? Because you’re not having to constantly go over the network every time you want to scan these 100 machines. Instead, all that scanning is done locally by the agent and then the finished report is able to be taken and sent back to the administration server. So it reduces a lot of the network bandwidth. Now, the second good thing about using an agent based scanner is that agent based scanning reduces the chances of service outages. If I have to rely on one server to do all my scanning and that one server goes down, then all my scanning capability goes away with it. And so using agent based scanning, I can still scan all 100 hosts even if the administration server was down. And once it comes back online, those hosts can then send me their data back. And so you’re not missing all of that data.

The third thing you have to think about is that agent based scanning is also better when you’re dealing with mobile or remote devices like laptops. Because often these devices are going to be offline. If I have my laptop, for instance, and I’m on travel and I’m in a hotel, I’m not connected to the corporate network so you can’t scan me. And if I go away for two or three weeks, that’s a lot of time that I’m not getting patches and updates and I’m starting to get more vulnerabilities. So if have an agent based scan, it can still go in there and identify the fact that those are vulnerabilities that need to be passionately remediated. And so using them on things that are offline more often, like mobile devices, using mobile device management or laptops is a good practice.

Now what are some disadvantages of using agent based scanning? Well, one of the disadvantages are that agents are limited to a particular operating system. So if you have a mixture of devices across your network like Linux and Mac and Windows, maybe you’ve got some iPhones and some Android, you’re not going to be able to have a single agent that works on all five of those operating systems. There’s just not one out there. So instead you’d have to have individual software for each one, which means that’s five times the effort for you to maintain and support. The second thing is that agent software could be compromised by malware. Remember it’s software and it’s sitting on a computer. So if you get malware on a computer and it now has a rootkit in it, that rootkit could bypass the agent software and trick it into giving false information.

And so you think that this device is not vulnerable at all and yet it’s really vulnerable. So these are two things you have to think about when you’re thinking about agent based software. Now because of this, what a lot of people do is create a hybrid solution. Now these hybrid solutions are created that use both agent based and server based scanning. So if I take all my mobile phones and my laptops and I use agent based for them, but for all my servers and all my desktops that are staying in the office, I use server based scanning. That’s a good hybrid solution and we can use that and then compare the differences to make sure everything is being tracked and everything is being scanned.

5. Scanning Parameters (OBJ 1.3)

Scanning Parameters in this short lesson, we’re going to talk about some scanning parameters that you’re going to need to configure and think about inside of your vulnerability scanning tools. Now, vulnerability scanners must be configured with different parameters to be effective in scanning your networks. If you don’t set them upright, they’re not going to be effective in finding those vulnerabilities. Now, there are two main areas of concern that we have to think about. One is segmentation and the other is firewall, walls, IDs and IPSes. Now, when we talk about segmentation, this is the division of a network into separate zones through the use of Vlians and subnetting. And if you went through Security Plus or Network Plus with me, you remember that segmentation is a great way to add some security to your network.

Why is that? Because segmentation forces traffic to flow predictably between zones, usually through a firewall or a router where we can apply access control list to them and really control where that traffic is going. By doing this segmentation, we really do create these choke points that allows us to see what information is going to what place and be able to analyze it using things like firewalls and routers. So when you start performing vulnerability scanning across a segmented network, you really need to consider the requirements and the limitations that you may face. For example, in this network I have an inside network, an outside network, and a DMZ. Let’s assume I’m going to scan all of my things from PC One. Well, it would be very easy for me to go from PC One to PC Two and PC Three because they’re all in the same subnet that internal LAN.

But if I want to go over to the DMZ and scan the email on the Web server, I’m going to have to go through that router and through that firewall to get into the DMZ. Now to do this using a server based scanner like the one I installed on PC One, I have to be able to communicate with these remote subnets. And that means I might have to go through multiple VLANs or through a firewall or a router. Now alternatively, if I didn’t want to do that, I can have PC One only scan PC Two and Three, and then I can install another machine inside the DMZ that could scan the things in the DMZ like the email on the Web. And then if I wanted to do something from an external perspective, I could have something come from over the Internet and try to scan in that way.

To do this, I would have multiple different segments as shown here, but I’d also have multiple scanners attached to those segments and then I have to send those reports back to a centralized management server where I can analyze them. Now, if you’re using agent based scanners, they have to be able to communicate the reports back to the management server. So let’s say that the web server also is being my management server. Well, everything from PC One, Two, and Three are going to have to have a firewall rule in place that allows them to communicate back over to the DMZ to give that information to that web server. And so you can see this does require a little bit more configuration and so if you’re using segmentation, you have to think this through, otherwise you’re not going to get valid results. Now, my big point here in all of this is that vulnerability scanners must be properly configured to work with the network’s firewalls, intrusion detection and intrusion prevention systems.

If you don’t configure them properly, they’re not going to be able to be accessed across these things because of those rules. In addition to that, your firewalls have to be configured to allow agent based scanners to report to that centralized management server. That’s one of the first things you have to think about. Another thing you have to think about is that your intrusion detection and intrusion prevention systems have to be configured with exceptions to allow for agent based scanning. Wait, why do I need an exception? Jason well, if you have an agent here on a system and it starts trying to scan for different vulnerabilities, those vulnerabilities are essentially exploits and those tools, those IDs and IPS’s could alert on those.

So if you’re going to be scanning those with an agent based scan, the IDs and IPS needs to know this is trusted software, you can allow it to happen, otherwise it’s going to try to block it and you’re not going to get your vulnerability scans done. Another thing you need to think about when you’re dealing with firewalls IDS’s and IPS is that they are likely to block server based scanning unless exemptions are created. Again, you have to tell these things it’s okay if you see this activity from this particular server because this is a trusted server that we own, but if you see it from anywhere else, flag that doesn’t alert it because we might be under attack. And so this is again, one of the things that would have to be an exception that you have to put into place.

Now, because of that, what I recommend is if you’re going to use server based scanning, you need to make sure those servers have static IP addresses. That way you can configure the IDs, the IPS, and the firewalls to ignore scanning attempts from those and not flag on them and not block them. That way they know where they’re coming from and where they’re going to, which in this case would be your targets. Now, some organizations will use what’s called a scanning window. And basically what they’ll do is they will disable their firewall and they’ll say, okay, from midnight to 02:00 A. m. , we’re going to disable the firewall and allow all of our scanning to occur. Now, I do not think this is a good idea.

I personally think this is a horrible idea, but it is mentioned in your textbook, which is why I’m bringing it up. I would never personally use this practice. I think it is horrible. Instead, what I would recommend is that you install scanners into each enclave or segment and have them report back to a centralized server. Yes, it costs more money because you have to have multiple scanners, but it’s a heck of a lot better than turning off your Firewall. Now, again, these are just two options that are being presented. One is turning off your Firewall wall. Two is putting a scanner in each enclave. The third one you can do is just put one of these scanners in one enclave that you want and then open up the right firewall rules with the right exceptions.

But again, each of these carries some risk and you have to measure that with your organization’s risk appetite. Now, the final thing you have to remember is these scanners need to be updated. Now, the reason for this is these scanners have an engine and essentially, just like antivirus, they have to get their updates. If they don’t get their updates, they won’t know about new vulnerabilities that are out there. So what happens is there’s this vulnerability feed, and we’re going to talk more about these vulnerability feeds later, that it’s going to download. And based on that feed, it’s going to know in its database all the vulnerabilities that exist and what it should be testing for.

Think of them like antivirus signatures. It’s the same idea, but in this case it’s for a wide range of exploits and vulnerabilities. So one of the things you have to do in your configuration is make sure your Firewall is allowing your scanner to reach out to the Internet to be able to get its feed from that particular website. Most of the time you want to make sure your scanner is locked down so it can’t go to every website out there. It should only be able to go to the sites it needs to get these updates. Other than that, it really doesn’t need Internet access. And so you should block Internet access except for these update sites. That’s the main key here. When you start dealing with configuring your scanning parameters.

• Category: Uncategorized