Vulnerability scanners are often used during security audits. The goal: to be one step ahead of the cybercriminals!
In one of our Oneconsult blog articles, we explained the differences between a penetration test and a bug bounty program: Penetration Testing vs. Bug Bounty Programs – What Are the Differences? One tool that is used heavily in both is a vulnerability scanner. Scanners come in different shapes and sizes: a single Linux tool, a VM, an entire appliance or server, or a cloud-hosted service. Whatever the form, the goal is the same: to be one step ahead of the attacker.
How do Vulnerability Scanners Work?
A vulnerability scanner is a tool that automatically searches company networks or publicly accessible servers for misconfigurations and known vulnerabilities.
An attacker, whether on the internal network or coming from the Internet, usually first builds an overview of potential targets and then scans them for known vulnerabilities. Vulnerability scanners do the same thing using check scripts (often called plugins), which are created and maintained either by the vendor or by the community. For example, such a script can send an HTTP request and check whether the response discloses the web server’s software version. If it does, the script typically looks the version up in a vulnerability database to see whether there are known vulnerabilities for it and how critical they are. Attackers find entry points in exactly this way. Note that purely version-based checks can produce false positives: Linux distributions frequently backport security fixes without changing the version string the service reports, so a finding of this kind should be verified before it is treated as exploitable.
This is just one example of many possible scripts. Most vulnerability scanners ship checks for a wide range of TCP/IP protocols and services, not only HTTP. The following are vulnerabilities that Oneconsult’s penetration testing team repeatedly finds on publicly accessible servers:
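The following is an added example, written for this article and not taken from Oneconsult’s tooling or from any vendor’s scanner plugin. It shows the shape of the version-fingerprinting check just described: parse an HTTP response, extract product and version from the Server header, look the version up in an advisory table, and also report missing security headers. The two HTTP responses are constructed; the advisory table is deliberately tiny (the two Apache entries are the real path traversal CVEs for 2.4.49 and 2.4.50, whereas a real scanner would load thousands of entries from an NVD or vendor feed). It runs offline with no network access.

```python
import re

# Constructed HTTP responses standing in for what a real probe would receive.
RESPONSE_APACHE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 04 Oct 2021 10:00:00 GMT\r\n"
    "Server: Apache/2.4.49 (Unix)\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)
RESPONSE_NGINX_HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"                      # version suppressed (server_tokens off)
    "Strict-Transport-Security: max-age=31536000\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: DENY\r\n"
    "\r\n"
)

# Advisory table: product -> (first_affected, last_affected, advisory, severity).
# Only two real Apache entries for illustration; a real plugin consults a full feed.
ADVISORIES = {
    "apache": [
        ("2.4.49", "2.4.49", "CVE-2021-41773", "critical"),
        ("2.4.49", "2.4.50", "CVE-2021-42013", "critical"),
    ],
}

# Headers whose absence a scanner would typically flag as a finding.
SECURITY_HEADERS = (
    "strict-transport-security",
    "content-security-policy",
    "x-content-type-options",
    "x-frame-options",
)


def parse_headers(raw):
    """Split a raw HTTP response into a dict keyed by lower-cased header name."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:      # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def version_tuple(version):
    """'2.4.49' -> (2, 4, 49) so that versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def fingerprint_server(headers):
    """Return (product, version) from the Server header, or None when the
    version is not disclosed. Without a version there is nothing to look up."""
    match = re.match(r"([A-Za-z][\w-]*)/(\d+(?:\.\d+)+)", headers.get("server", ""))
    return (match.group(1).lower(), match.group(2)) if match else None


def lookup_advisories(product, version):
    """All advisories whose affected range contains the observed version."""
    observed = version_tuple(version)
    return [
        (advisory, severity)
        for low, high, advisory, severity in ADVISORIES.get(product, [])
        if version_tuple(low) <= observed <= version_tuple(high)
    ]


def missing_security_headers(headers):
    return [name for name in SECURITY_HEADERS if name not in headers]


def scan_response(raw):
    """Run both checks against one response and return the findings."""
    headers = parse_headers(raw)
    fingerprint = fingerprint_server(headers)
    return {
        "server": fingerprint,
        "advisories": lookup_advisories(*fingerprint) if fingerprint else [],
        "missing_headers": missing_security_headers(headers),
    }


if __name__ == "__main__":
    for label, response in (("apache", RESPONSE_APACHE), ("nginx", RESPONSE_NGINX_HARDENED)):
        print(label, scan_response(response))
```

The hardened nginx response yields no version finding and no header finding; the Apache response yields two critical advisories and four missing headers. Suppressing the version string only removes the banner-based finding, not the underlying vulnerability, which is why scanners also ship active checks that send the actual path traversal or XSS payload.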
- Cryptographic vulnerabilities in the TLS versions being used or in certificates
- Missing web server security headers
- Cross-Site Scripting (XSS)
- Path Traversal
In internal networks, the attack surface is much larger, and so are the number and criticality of the findings such scanners deliver: missing SMB signing, outdated services such as Telnet, FTP servers with anonymous login enabled, or even administrative accounts without passwords.
How Can a Company Protect Itself Against a Vulnerability Scanner?
How can a company protect itself against such scanners? One must be aware that such scans, especially against publicly accessible servers, are carried out constantly and cannot be prevented entirely. It is, however, possible to slow scans down by rate limiting, or to block the source IP address as soon as a scan is detected. A Web Application Firewall (WAF) can also be effective at blocking the potentially malicious HTTP requests that are used to detect web vulnerabilities; the WAF on Azure Application Gateway, for example, can be configured to block known malicious IPs. Keep in mind that IP-based blocking has limited value against scanners that rotate through many source addresses or deliberately scan slowly.
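As an added example of the scan detection mentioned above (written for this article, not part of any product or of Oneconsult’s tooling), the following Python code evaluates web server access-log lines in the common "combined" format and flags clients that behave like a scanner: either they announce themselves through a known scanner User-Agent, or they request more than a threshold number of distinct non-existent paths within a short sliding window, which is what a wordlist-based probe looks like. The log lines, the thresholds and the User-Agent signature list are constructed assumptions for the example; in practice the verdicts would feed a firewall, a fail2ban jail or a WAF custom rule.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed access-log lines ("combined" format). 198.51.100.23 walks a
# wordlist of paths that do not exist, 192.0.2.9 announces itself via its
# User-Agent, and 203.0.113.7 is an ordinary visitor.
LOG_LINES = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:55:02 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:55:02 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "GET /about HTTP/1.1" 200 2231 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:55:03 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:55:04 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:55:04 +0000] "GET /admin/ HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:55:05 +0000] "GET /backup.zip HTTP/1.1" 404 153 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:13:56:00 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (compatible; Nikto/2.1.6)"
203.0.113.7 - - [10/Oct/2023:13:56:30 +0000] "GET /contact HTTP/1.1" 200 1980 "-" "Mozilla/5.0"
""".splitlines()

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Assumed policy for the example: thresholds and signatures are not from the article.
WINDOW_SECONDS = 60
NOT_FOUND_LIMIT = 5          # more than 5 distinct 404 paths per window => block
SCANNER_UA = re.compile(r"nikto|nessus|sqlmap|masscan|nmap", re.IGNORECASE)


def parse_line(line):
    """Parse one combined-format log line; return None for lines that do not match."""
    match = LOG_RE.match(line)
    if not match:
        return None
    record = match.groupdict()
    record["ts"] = datetime.strptime(record["ts"], "%d/%b/%Y:%H:%M:%S %z")
    record["status"] = int(record["status"])
    return record


def detect_scanners(lines):
    """Return {ip: reason} for every client that should be blocked."""
    verdicts = {}
    recent_404 = defaultdict(deque)       # ip -> deque of (timestamp, path)
    for record in filter(None, map(parse_line, lines)):
        ip = record["ip"]
        if ip in verdicts:                # already decided, skip further lines
            continue
        if SCANNER_UA.search(record["ua"]):
            verdicts[ip] = f"scanner user-agent: {record['ua']}"
            continue
        if record["status"] == 404:
            window = recent_404[ip]
            window.append((record["ts"], record["path"]))
            # evict entries that have fallen out of the sliding window
            while (record["ts"] - window[0][0]).total_seconds() > WINDOW_SECONDS:
                window.popleft()
            distinct_paths = {path for _, path in window}
            if len(distinct_paths) > NOT_FOUND_LIMIT:
                verdicts[ip] = (
                    f"{len(distinct_paths)} distinct 404 paths within {WINDOW_SECONDS}s"
                )
    return verdicts


if __name__ == "__main__":
    for ip, reason in detect_scanners(LOG_LINES).items():
        print(f"block {ip}: {reason}")
```

Two caveats a practitioner should keep in mind: behind a reverse proxy or load balancer the client address must be taken from a trusted X-Forwarded-For header rather than the socket peer, otherwise the rule blocks the proxy itself; and a scanner that spreads its requests over many source addresses or stays below the per-window threshold will not trip this logic, which is why such blocking slows scans down but does not prevent them.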
Cybercriminals often look for a target with a large attack surface and do not choose a company specifically. Therefore, another way to protect your company is to keep the attack surface small and secure it accordingly. For example, it can be worthwhile to make several web services accessible via a central reverse proxy (or application gateway). This means that many security-relevant configurations only have to be made once (for example, HTTP headers).
However, 100% protection is not possible, so it is best to take control of the scans yourself and make sure that vulnerabilities are found and fixed quickly. This can be achieved by having the company itself or an external service provider perform regular vulnerability scans. For each finding, a risk assessment should then determine whether the risk must be mitigated, eliminated, or accepted.
Vulnerability scanners provide a cost-effective way for an organization to detect and fix the “low-hanging fruit” itself. This can reduce the attack surface, making it a less interesting target for potential attackers.
Are you interested in performing a vulnerability scan? Or do you still have questions about the topic? We look forward to hearing from you without obligation.