Headed to RSA in San Francisco? May 6-9 | Join us!

What Is a Vulnerability Scan?

Organizations understand the importance of having a strong security posture. From meeting various compliance and industry regulations to maintaining customer trust, organizations cannot risk overlooking any weak spots in their network. Yet many organizations often leverage a single security assessment and consider their due diligence complete. This approach, however, only tells part of the story. To create a truly strong security posture, organizations should explore various cybersecurity assessments, and see how they can complement a vulnerability scan.

Let’s dig into what a vulnerability scan is and how it compares to — and works with — additional cybersecurity assessments.

What is the Purpose of a Vulnerability Scan?

A vulnerability assessment checks an organization’s network and systems for any known vulnerabilities against a database of vulnerability information. At the completion of the scan, the organization obtains a report that outlines their risk exposure.

There are two approaches to vulnerability scanning: authenticated and unauthenticated. An unauthenticated method scans the organization’s network and systems in a manner similar to a threat actor; the scan is designed to look for vulnerabilities a threat actor could exploit without trusted access to the network (e.g., logging in).

An authenticated method utilizes authentication to scan the organization’s network and systems typically by providing credentials with certain permissions (limited, admin, etc.). This offers insights into where vulnerabilities exist that could be exploited by a trusted user (insider threats) or a threat actor who gained access as a trusted user.

Any organization that has login credentials (read: most common), should include both an authenticated and unauthenticated scan to more accurately reveal both sides of the threat surface. Some vulnerabilities may only be displayed after passing through user authentication, and vulnerabilities can differ based on permissions level. To that point, organizations should include various levels of authenticated scans using accounts with various privilege levels.

What Types of Vulnerability Scans Exist?

Though vulnerability scans have two methods, the type of scans that exist typically fall into one of three categories:

  • Full Scan – As the name implies, a full scan is a thorough vulnerability scan that leverages its database of known vulnerabilities to look for any existing vulnerabilities across an organization’s network and systems. This can also be referred to as a “deep scan.”
  • Quick Scan – Also known as a “discovery scan” or a “stealth scan,” this type of vulnerability scan is meant to elevate awareness of the type of vulnerabilities that could be possible based on the network devices and system applications that exist.
  • Compliance Scan – This type of vulnerability scan is leveraged primarily as a means to audit an organization’s security as it relates to compliance regulations.

Different applications and programs that perform a vulnerability scan have different modes, some deeper than others. Worth noting is that when selecting your vulnerability scanning tool, know what you intend to use it for. Some scanners may perform different checks or may not offer some of these options and instead only scan the common ports.

The Benefits and Challenges of a Vulnerability Scan

Vulnerability scans offer organizations a number of unique benefits. For example, a vulnerability scan can be run as frequently, or as infrequently, as an organization deems necessary. Though many organizations tend to lean towards a quarterly approach, vulnerability scans can be set to run monthly, sometimes even weekly, depending on an organization’s needs.

And, because they are automated scans, a vulnerability scan can be highly targeted to detect any known vulnerabilities on a range of network devices, such as firewalls, routers, and services, or at an application level. As a result, organizations can more effectively identify and remediate any potential issues associated with a vulnerability faster across the network devices and applications.

Though vulnerability scans paint a solid picture of where known vulnerabilities exist, the picture is, realistically, out of focus. This is because vulnerability scans are designed to detect known vulnerabilities only. Some scan reports do offer guidance on how to remediate the vulnerabilities detected, but it requires a manual check of each vulnerability uncovered to determine validity and prioritize which items should be addressed first.

To that point, a vulnerability scan can generate false positives; some of the results produced may not result in a hack or “penetration” by a threat actor.

Additionally, because vulnerability scans are designed to detect known vulnerabilities only, a vulnerability scan cannot detect zero-day exploits. This means that though vulnerability scans are a great detection tool, they alone cannot provide organizations with enough insights to confidently build a strong security posture.

The challenges associated with vulnerability scans can often lead to a misconception among organizations that a vulnerability scan and a penetration test can be interchangeable. But this isn’t the case. Vulnerability scans and penetration tests take two completely different approaches for displaying attack surface or threat surface and work well together to provide a complete overview. 

Penetration Test vs. Vulnerability Scan: What’s the Difference?

As we’ve discussed, a vulnerability scan serves as a means of detection, testing an organization’s network and systems for known vulnerabilities. Because it’s automated, it can be highly targeted to look for known vulnerabilities within specific network devices or applications, but the final output requires a manual review to determine which vulnerabilities are valid and which ones take priority to remediate.

A penetration test, however, takes a preventative approach to security. A penetration test (also referred to as a “pen test”) is a more intentional and manual exercise designed with the goal of “penetrating” an organization’s network and systems to gain access to data (e.g., financial records, personally identifiable information [PII], intellectual property). Basically, it’s a simulation that leverages a variety of tools and tactics to map out vulnerabilities. The penetration tester (frequently a security professional) will look to exploit these vulnerabilities in a manner that emulates the behavior of a threat actor. The real purpose of a pen test is to evaluate the risk associated with various vulnerabilities that may be exploitable, resulting in unauthorized access into systems and data..

Similar to vulnerability scans, there are benefits and challenges associated with a pen test. A benefit, for example, is that a pen test is a much more detailed process that provides a more accurate evaluation of an organization’s true risk profile. However, one of the challenges of a pen test is that it will not confirm every vulnerability in an environment.

Clearly, there are some great benefits — and challenges — associated with using a single security assessment. But what if they were combined?

When a vulnerability scan is paired with a pen test, it can provide organizations with deeper insights into where and how to enhance their security posture. As we previously discussed, a penetration test may not list or confirm every vulnerability in the environment, but a vulnerability scan will scan all systems looking for signatures that match known vulnerabilities that may (or may not) be able to be penetrated. This approach enables an organization to enhance its security posture with a more complete picture of the threat surface.

A-LIGN Can Help

The best way to know where your organization’s greatest vulnerabilities exist is to hack your own network. Vulnerability scans offer organizations a great option to more effectively detect known vulnerabilities across their network and systems. And, when paired with a pen test, organizations can more effectively enhance their security posture by taking a truly proactive approach to cybersecurity.

A-LIGN is a trusted partner in helping organizations more effectively assess their cybersecurity and compliance needs. Our experienced team employs automated and manual techniques to find weaknesses so you have confidence that your organization’s critical data is protected.