VULNERABILITY SCANNER

A vulnerability scanner is software application that assesses security vulnerabilities in networks or host systems and produces a set of scan results. However, because both administrators and attackers can use the same tool for fixing or exploiting a system, administrators need to conduct a scan and fix problems before an attacker can do the same scan and exploit any vulnerabilities found

A vulnerability scanner can assess a variety of vulnerabilities across information systems

Where does these vulnerabilities originate?

1. Vendor-originated: this includes software bugs, missing operating system patches, vulnerable services, insecure default configurations, and web application vulnerabilities.

2. System administration-originated: this includes incorrect or unauthorised system configuration changes, lack of password protection policies, and so on.

3. User-originated: this includes sharing directories to unauthorised parties, failure torun virus scanning software, and malicious activities, such as deliberately introducing system backdoors.

BENEFITS OF A VULN SCANNER

• Allows early detection and handling of known security problems.
• A new device or even a new system may be connected to the network without authorization. 
• Helps to verify the inventory of all devices on the network.

LIMITATIONS OF VULNERABILITY SCANNERS

• Snapshot only: a vulnerability scanner can only assess a "snapshot of time" in terms of a system or network's security status 
• Human judgement is needed: Vulnerability scanners can only report vulnerabilities according to the plug-ins installed in the scan database. They cannot determine whether the response is a false negative or a false positive 
• a vulnerability scanner is designed to discover known vulnerabilities only. It cannot identify other security threats, such as those related to physical , operational or procedural issues.
   

ARCHITECTURE OF VULNERABILITY SCANNER

Consists of four main modules: 

• Scan Engine
• Scan Database
• Report Module
• User Interface.

• Scan Engine executes security checks according to its installed plug-ins, identifying system information and vulnerabilities. One or more hosts may be scanned at a time.
   
• The Scan Database stores vulnerability information, scan results, and other data used by scanner. The number of available plug-ins, and the updating frequency of plug-ins will vary depending on the corresponding vendor.
• The Report Module provides different levels of reports on the scan results, such as detailed technical reports with suggested remedies for system administrators, summary reports for security managers, and high-level graph and trend reports for executives.
• The User Interface allows the administrator to operate the scanner. It may be either a Graphical User Interface (GUI), or just a command line interface.

TYPES OF VULNERABILITY SCANNER

Divided broadly into two groups: 

• Network-based scanners that run over the network
• Host-based scanners that run on the target host itself  

A network-based scanner is usually installed on a single machine that scans a number of other hosts on the network. It helps detect critical vulnerabilities such as misconfigured firewalls, vulnerable web servers, risks associated with vendor-supplied software, and risks associated with network and systems administration.
eg:  Port Scanners ,  Web Server Scanners, Web Application Scanners

A host-based scanner is installed in the host to be scanned, and has direct access to low level data, such as specific services and configuration details of the host's operating system. It can therefore provide insight into risky user activities such as using easily guessed passwords or even no password. It can also detect signs that an attacker has already compromised a system, including looking for suspicious file names, unexpected new system files or device files, and unexpected privileged programs. Host-based scanners can also perform baseline (or file system) checks.
eg: Database scanner

HOW TO CHOOSE A VULNERABILITY SCANNER?

Updating Frequency and Method of Plug-in Updates 
   Usually, a vulnerability scanner cannot identify a vulnerability if its corresponding “plug-in” is not available. As a result, the faster a vendor can produce updated and new plug-ins, the more capable a scanner is in spotting new flaws. Also, scanners with an "auto-update" feature can automatically download and install the latest plug-ins on a regular basis.

Quality versus Quantity of Vulnerabilities Detected 

The accuracy with which critical vulnerabilities are identified is more important than the number of vulnerability checks, because the same vulnerability may be counted more than once by the scanner  

Quality of Scanning Reports  Apart from the details of detected vulnerabilities, a useful scanning report should give clear and concise information about fixing the problems uncovered. When administrators need to perform subsequent scans after initial scanning or  configuration changes, or make comparison between the results of previous scans, a scanner with a back-end database that can keep an archive scanning results for trend analysis is preferable.
  

EXAMPLES OF COMMON VULNERABILITY SCANNERS  
1. Network-based scannersPort scanners Nmap  Superscan:
Network vulnerability scanners Nessus 
 GFI LANguard Network Security Scanner (N.S.S.)
Web server scanners Nikto 
 Wikto
Web application vulnerability scanners Paros 
 Acunetix Web Vulnerability Scanner
2. Host-based scanners
a. Host vulnerability scanners
 Microsoft Baseline Security Analyser (MBSA)
 Altiris SecurityExpressions (commercial) :

Click here for Vulnerability.pdf