

Vulnerability Assessment

Scanning for vulnerabilities is an essential part of asset assurance and configuration management: knowing what is out there and how it is configured. This is most often done in an automated fashion, both to minimize the workload of the IT staff and because many of the checks are hard to do manually. In corporations, vulnerability scanning is an important part of the audit process and can verify that corporate policies are being enforced and that procedures are being followed. It is also used in the risk assessment step of the Risk Management process to identify assets, vulnerabilities and potential threats.

There are generally two different approaches: Whitebox Scanning, performed as a privileged administrator with full access to the systems, including registry settings and files, or Blackbox Scanning, performed as an unprivileged user who sees only what "everyone" else would see (attackers included).


Blackbox Scanning:

The concept behind Blackbox Scanning is to discover the security holes before the attacker does, focusing on the holes an attacker can actually use: the real entry points into the system or network. Often one would scan only for critical holes that could lead to system compromise or remote code execution. Sometimes one would scan only for the SANS top 20 list of the vulnerabilities most used by attackers. Another option is a full scan for all vulnerabilities the scanner supports, so that assumed knowledge of the system does not lead to false assumptions about what is actually on the system or network; this can also discover unknown systems or services, whether they are legitimate or not.

A general problem with Blackbox Scanning is that, since the task is done unprivileged, the only way to ensure that a system is not vulnerable to a certain exploit or attack is often to actually try the exploit against the system or use a similarly intrusive technique to get reliable results. Often, the only way to test whether or not a system is vulnerable to a Denial of Service (DoS) attack is to perform a DoS attack against it. Blackbox Scanning is therefore often unreliable and risks rendering the target system unstable or crashing it completely. This scanning technique can usually not say for certain that a system is properly patched against an exploit; it can only tell us that the system appears to be patched and does not seem to be vulnerable.

So when is the Blackbox Scanning technique useful, one might ask. A general guideline is to use it to scan for unknown systems and services, to scan for vulnerabilities that have not been patched due to other concerns but are mitigated some other way, and to scan as verification that the mitigation against common threats, like the SANS top 20 list of vulnerabilities most used by attackers, has been implemented. Also, many of these tools can scan for vulnerabilities in applications and try to guess login credentials, e.g. look for an SQL injection vulnerability in the code of a website or try to get access to a restricted website. This may discover badly coded web pages or web users with weak passwords.

Whitebox Scanning:

The concept behind Whitebox Scanning is to have full administrative access to the systems and verify configurations, installations and settings. This first verifies the installation of security patches, service packs and software. Secondly, the configuration of services and of the system can be examined. Finally, things like the number of administrator accounts, password changes, guest accounts, registry security settings, etc. can be checked. Since Whitebox Scanning has full access to the systems, the results are mostly very accurate, and the risk of rendering the system unstable or crashing it is very small, as this technique does not need to try out the exploits but can verify that the patches have been installed by looking in the registry and checking file versions.

Whitebox Scanning also has some issues, since the tools that perform the scanning are often vendor or system specific, require full access, and depend on the way the checks are performed. In mixed environments this means that several different tools must be used and competence built up in each of them. Also, as full access is required, there may be challenges due to lockdown of the servers against normally unneeded or potentially dangerous ports and protocols, e.g. NetBIOS access, SNMP access, etc. Finally, since the checks are done by looking in the registry and at file versions, a passing check does not necessarily mean that the new files from a patch have been loaded into memory; the system may require a reboot first. So the problems are more demanding tasks and false results indicating a system is protected when it is not. This last issue is less of a problem with the latest operating systems, as reboots are required less frequently; Microsoft is currently researching hot patches that are applied to files in memory while at the same time cold patching the files on disk.

As a guide, the Whitebox Scanning technique is most beneficial when verifying the patch management process, when auditing system settings, configurations and installations, or when the accuracy of each individual vulnerability check is more important than the accuracy of the scan as a whole. By scanning for only a single (or a few) vulnerability on all clients, one can quickly identify hosts that have had problems installing a recently deployed patch. Examining local settings, configurations and installations is powerful when audits are performed to see if the clients and servers (as well as networking equipment) are following corporate policies. The ability to perform accurate scans for one or more specific vulnerabilities can be important when virus or worm threats are faced, especially if the antivirus product is not yet able to detect and remove the virus or internet worm; then it is very important to ensure that the systems are not vulnerable to the exploit these threats use.
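The "scan all clients for one patch" use case above, together with the reboot caveat from the previous paragraph, as an added example that is not part of the original page: a whitebox verdict is computed from the file version found on disk and from whether a reboot is still pending, and a host whose new file is on disk but not yet loaded is deliberately not reported as protected. The inventory is constructed sample data, and the field names (on_disk_version, reboot_pending) are assumptions about what a whitebox tool would collect.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '6.1.7601.18000' into (6, 1, 7601, 18000) so the comparison is numeric.
    Comparing the raw strings is a classic bug: '9999' sorts after '18000'."""
    return tuple(int(part) for part in text.strip().split("."))

@dataclass
class HostEvidence:
    host: str
    on_disk_version: Optional[str]  # None: file not found or no privileged access
    reboot_pending: bool            # e.g. a pending-file-rename or reboot-required marker was seen

def whitebox_patch_status(evidence: HostEvidence, required_version: str) -> str:
    """Classify one host for one patch from whitebox evidence.
    Returns 'no-evidence', 'missing', 'staged-reboot-pending' or 'patched'."""
    if evidence.on_disk_version is None:
        return "no-evidence"              # cannot claim anything either way
    if parse_version(evidence.on_disk_version) < parse_version(required_version):
        return "missing"
    if evidence.reboot_pending:
        # New file is on disk, but the old one may still be the one loaded in memory.
        return "staged-reboot-pending"
    return "patched"

def hosts_needing_attention(inventory: List[HostEvidence], required_version: str) -> Dict[str, str]:
    """Every host that cannot yet be reported as protected, with the reason."""
    verdicts = {e.host: whitebox_patch_status(e, required_version) for e in inventory}
    return {host: status for host, status in verdicts.items() if status != "patched"}

# Constructed sample inventory (not real hosts); version numbers are illustrative only.
REQUIRED = "6.1.7601.18000"
SAMPLE_INVENTORY = [
    HostEvidence("ws01", "6.1.7601.18000", reboot_pending=False),  # patched
    HostEvidence("ws02", "6.1.7601.17514", reboot_pending=False),  # old file: missing
    HostEvidence("ws03", "6.1.7601.18000", reboot_pending=True),   # staged, not in effect
    HostEvidence("ws04", None, reboot_pending=False),              # could not read the file
    HostEvidence("ws05", "6.1.7601.9999", reboot_pending=False),   # string compare would pass it
]

if __name__ == "__main__":
    for host, status in hosts_needing_attention(SAMPLE_INVENTORY, REQUIRED).items():
        print(f"{host}: {status}")
```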

More Information:

You can watch some archived webcasts from Microsoft on the topic of Security Assessment here:

Whitebox Scanning:

Why: To verify system installations, settings and configurations, which supports the audit and patch management processes, and to get accurate scan results to determine risk exposure to a specific vulnerability.

What: To learn more about the listed tools and concepts, look at the following information:

Where: Vulnerability Scanners, Patch Scanners, Port Scanners, Port Listeners and Eventlog Viewers:

Blackbox Scanning:

Why: To scan for unknown systems and services, to scan for vulnerabilities that have not been patched due to other concerns but are mitigated some other way, to scan as verification that the mitigation against common threats like the SANS top 20 list has been implemented, and to scan for vulnerabilities in applications and try to guess login credentials.

What: Learn more about the tools here:

Where: Vulnerability Scanners, Web Scanners, Port Scanners and Wireless Scanners:
