How do passive vulnerability scanners work
By sending packets directly to endpoints, active scanning can accelerate data collection. However, this increases the risk of malfunctioning endpoints by sending incompatible queries or saturating smaller networks with high volumes of traffic.
Furthermore, active scanning does not normally monitor the network 24 hours a day, so it may miss temporary endpoints or listen-only devices. The disadvantages of active scanning arise more often when it is applied to OT environments. These systems, especially the control software, are often not designed to keep performing their tasks while receiving and answering scan traffic. The danger is that the controllers become overloaded with signals and no longer carry out their actual task.
Many of these systems are proprietary and therefore react more sensitively to external influences. For this reason, passive scans are more likely to be the go-to scanning method performed in OT environments.
What is passive scanning?
A passive scan silently analyses network traffic to identify endpoints and traffic patterns. It does not generate additional network traffic and carries almost no risk of disrupting critical processes, because it never interacts directly with the endpoints. However, passive monitoring may require more time to collect asset data because it must wait for network traffic to or from each asset before it can build a complete profile.
In some cases, not all areas of the network are available, which can limit the ability to passively monitor traffic across the entire OT environment. To ensure that vulnerability scans have no lapse in detection, it is suggested that both authenticated and unauthenticated vulnerability scans are conducted.
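The mechanics described above, as an added example that is not part of the original article: a passive sensor builds an asset inventory purely from traffic it observes on a tap or SPAN port. The flow records, the service-port map and the host addresses are constructed for this example. Note what the inventory can and cannot say: a host that answers from a service port has proven that port open, while a host that is only ever addressed (the "listen-only" case) stays an incomplete profile until it speaks.

```python
"""Passive asset discovery from observed traffic.

Added example (not from the article). The flow records below are constructed
to look like what a SPAN port or network tap would hand to a passive sensor;
the code never opens a socket or sends a packet.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed service map for this example: a host that SENDS from one of these
# ports is taken to be serving that port (it answered a client).
KNOWN_SERVICE_PORTS = {80: "http", 443: "https", 502: "modbus-tcp", 161: "snmp", 102: "s7comm"}

# (timestamp, src_ip, src_port, dst_ip, dst_port, payload) -- constructed sample data
Flow = Tuple[float, str, int, str, int, bytes]
OBSERVED_FLOWS: List[Flow] = [
    # Modbus/TCP read of one holding register and the PLC's reply
    (100.0, "10.0.0.5", 51234, "10.0.0.10", 502, b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x01"),
    (100.1, "10.0.0.10", 502, "10.0.0.5", 51234, b"\x00\x01\x00\x00\x00\x05\x01\x03\x02\x00\x2a"),
    # HTTP request to an HMI and its response carrying a Server header
    (101.0, "10.0.0.5", 51300, "10.0.0.20", 80, b"GET / HTTP/1.1\r\nHost: hmi\r\n\r\n"),
    (101.2, "10.0.0.20", 80, "10.0.0.5", 51300,
     b"HTTP/1.1 200 OK\r\nServer: ExampleHTTPd/1.2.3\r\nContent-Length: 0\r\n\r\n"),
    # SNMP request to a device that never answers (listen-only or simply silent)
    (105.0, "10.0.0.5", 40001, "10.0.0.99", 161, b"\x30\x26\x02\x01\x01"),
]


@dataclass
class AssetProfile:
    ip: str
    open_ports: Dict[int, str] = field(default_factory=dict)  # port -> service name
    banners: Dict[int, str] = field(default_factory=dict)     # port -> product string
    first_seen: Optional[float] = None
    last_seen: Optional[float] = None
    packets_sent: int = 0


def _http_server_header(payload: bytes) -> Optional[str]:
    """Pull the Server: header out of an HTTP response, if the payload is one."""
    if not payload.startswith(b"HTTP/"):
        return None
    for line in payload.split(b"\r\n")[1:]:
        if line.lower().startswith(b"server:"):
            return line.split(b":", 1)[1].strip().decode("ascii", "replace")
    return None


def _touch(inventory: Dict[str, AssetProfile], ip: str, ts: float) -> AssetProfile:
    """Record that an address was seen at time ts, creating its profile if needed."""
    prof = inventory.setdefault(ip, AssetProfile(ip))
    prof.first_seen = ts if prof.first_seen is None else min(prof.first_seen, ts)
    prof.last_seen = ts if prof.last_seen is None else max(prof.last_seen, ts)
    return prof


def build_inventory(flows: List[Flow]) -> Dict[str, AssetProfile]:
    """Derive asset profiles purely from traffic that was seen on the wire."""
    inventory: Dict[str, AssetProfile] = {}
    for ts, src, sport, dst, dport, payload in flows:
        sender = _touch(inventory, src, ts)
        sender.packets_sent += 1
        _touch(inventory, dst, ts)  # seen as a destination only: existence suspected, nothing proven
        if sport in KNOWN_SERVICE_PORTS:  # a reply from a service port proves that port is open
            sender.open_ports[sport] = KNOWN_SERVICE_PORTS[sport]
            banner = _http_server_header(payload)
            if banner:
                sender.banners[sport] = banner
    return inventory


def assets_without_service_evidence(inventory: Dict[str, AssetProfile]) -> List[str]:
    """Hosts for which no open port has been observed yet: their profile is incomplete."""
    return sorted(ip for ip, p in inventory.items() if not p.open_ports)


def silent_hosts(inventory: Dict[str, AssetProfile]) -> List[str]:
    """Hosts that were only addressed and never sent a packet: passive monitoring cannot profile them."""
    return sorted(ip for ip, p in inventory.items() if p.packets_sent == 0)


if __name__ == "__main__":
    inv = build_inventory(OBSERVED_FLOWS)
    for ip, prof in sorted(inv.items()):
        print(ip, prof.open_ports, prof.banners, "packets_sent=%d" % prof.packets_sent)
    print("incomplete profiles:", assets_without_service_evidence(inv))
    print("silent hosts:", silent_hosts(inv))
```

Running it shows the trade-off the article describes: the PLC at 10.0.0.10 and the HMI at 10.0.0.20 are profiled only because they happened to answer a client during the capture window, while 10.0.0.99 remains a name without a profile until it transmits something.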
Scanning under all circumstances again ensures that, even with constantly evolving technology, companies stay protected from threats. While leveraging numerous types of scans is an important step for mitigating risk, an effective vulnerability assessment program will go beyond scanning intermittently.
Vulnerabilities are prioritized based on five factors: severity, threats, asset exposure, business criticality and security controls, and are then dispatched to risk owners for automatic or supervised mitigation.
What to know about vulnerability scanners and scanning tools
What are vulnerability scanners?
A vulnerability scanner is an automated tool that identifies and creates an inventory of all IT assets connected to a network, including servers, desktops, laptops, virtual machines, containers, firewalls, switches, and printers.
Five types of vulnerability scanners
Vulnerability scanners can be categorized into five types based on the type of assets they scan. Details of the five types of vulnerability assessment scanners:
1. Host-based scanners
3. Wireless scanners
4.
Some vulnerability assessment solutions use lightweight software agents deployed on computers in addition to network scanners to get a better picture of the security state of the various systems in the organization.
While authenticated scans collect better information and can therefore discover more vulnerabilities than unauthenticated ones, vulnerability scanning in general generates some false positive results.
That's because there might be vulnerabilities that have been mitigated through various workarounds or security controls without installing patches and updating the affected application's version.
Vulnerability scanning can cause network congestion or slow down systems in some cases, which is why scans are often performed outside regular working hours, when they are less likely to cause disruptions. The vulnerabilities identified by scanners need to be reviewed, triaged and investigated by security teams, and vulnerability scanners are often part of larger solutions designed to assist with the whole vulnerability management process.
Security teams can use penetration testing to validate flaws and determine the actual risk far better than by relying only on the severity scores listed in vulnerability databases. Penetration testing also tests the effectiveness of other defenses that might already be in place and could hinder the exploitation of a security issue.
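The five-factor prioritization named earlier (severity, threats, asset exposure, business criticality and security controls) and the point just made, that a database severity score alone is not the risk, can be made concrete in code. This is an added example, not the vendor's model: the factor weights, the automatic-versus-supervised threshold, the asset-to-owner mapping and the finding ids are all assumptions chosen for illustration, and the finding records are constructed.

```python
"""Five-factor vulnerability prioritization and dispatch.

Added example, not a vendor's actual model. The weights, thresholds, owner
mapping and sample findings below are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Finding:
    finding_id: str             # placeholder ids, not real CVE numbers
    asset: str
    severity: float             # factor 1: CVSS base score, 0..10
    exploited_in_wild: bool     # factor 2: threat intelligence (active exploitation)
    exploit_public: bool        #           (public exploit code exists)
    exposure: str               # factor 3: "internet", "internal" or "isolated"
    business_criticality: int   # factor 4: 1 (lab box) .. 5 (production controller)
    compensating_controls: int  # factor 5: number of effective controls in front of it


# Assumed factor weights: severity, threat, exposure and criticality add up to 1.0;
# security controls then scale the result down.
EXPOSURE_FACTOR = {"internet": 1.0, "internal": 0.6, "isolated": 0.3}
WEIGHTS = {"severity": 0.35, "threat": 0.25, "exposure": 0.15, "criticality": 0.15}
AUTO_THRESHOLD = 40.0  # assumed: below this, nothing is patched automatically

# Assumed mapping from asset to the risk owner who receives the ticket.
RISK_OWNERS = {"hmi-01": "ot-engineering", "plc-lab-02": "ot-engineering", "web-03": "platform-team"}


def threat_factor(f: Finding) -> float:
    """Active exploitation outweighs a public exploit, which outweighs a bare CVE."""
    return 1.0 if f.exploited_in_wild else (0.7 if f.exploit_public else 0.3)


def control_factor(f: Finding) -> float:
    """Each effective control takes 25% off; floored so controls reduce but never erase risk."""
    return max(0.2, 1.0 - 0.25 * f.compensating_controls)


def priority_score(f: Finding) -> float:
    """0..100 priority combining all five factors."""
    base = (WEIGHTS["severity"] * f.severity / 10.0
            + WEIGHTS["threat"] * threat_factor(f)
            + WEIGHTS["exposure"] * EXPOSURE_FACTOR[f.exposure]
            + WEIGHTS["criticality"] * f.business_criticality / 5.0)
    return round(100.0 * base * control_factor(f), 1)


def dispatch(f: Finding) -> Tuple[str, str]:
    """Route to the risk owner and choose automatic vs supervised mitigation."""
    score = priority_score(f)
    owner = RISK_OWNERS.get(f.asset, "unassigned")
    # Assumption: anything on a highly critical asset (e.g. a production controller)
    # is remediated under supervision, since such systems react badly to unexpected
    # interaction; lower-criticality assets above the threshold go automatic.
    if f.business_criticality >= 4 or score < AUTO_THRESHOLD:
        return owner, "supervised"
    return owner, "automatic"


def triage(findings: List[Finding]) -> List[Tuple[str, float, str, str]]:
    """Work queue sorted by score, each entry (id, score, owner, mode)."""
    rows = [(f.finding_id, priority_score(f), *dispatch(f)) for f in findings]
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed findings: same CVSS 9.8 on an exposed HMI and on an isolated lab PLC,
# plus a 7.5 with public exploit code on an internal web box.
SAMPLE_FINDINGS = [
    Finding("FINDING-A", "hmi-01", 9.8, True, True, "internet", 5, 0),
    Finding("FINDING-B", "plc-lab-02", 9.8, False, False, "isolated", 2, 2),
    Finding("FINDING-C", "web-03", 7.5, False, True, "internal", 2, 0),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_FINDINGS):
        print(row)
```

The two CVSS 9.8 findings end up roughly 60 points apart once exposure, threat intelligence and compensating controls are taken into account, and the critical HMI finding still goes to a supervised change rather than an automatic patch, which is the behaviour an OT risk owner would expect.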
According to vulnerability management vendor Rapid7, these are some of the questions security teams should ask when evaluating vulnerability scan results:
Web application vulnerability scanners
Web application vulnerability scanners are specialized tools that can find vulnerabilities in websites and other web-based applications. While a network vulnerability scanner scans the web server itself, including its operating system, the web server daemon and the various other open services, such as database services running on the same system, web application scanners focus on the code of the application.
Unlike network vulnerability scanners that use a database of known vulnerabilities and misconfigurations, web application scanners look for common types of web flaws such as cross-site scripting (XSS), SQL injection, command injection, and path traversal. They can therefore find previously unknown vulnerabilities that can be unique to the tested application.
This is also known as dynamic application security testing (DAST) and is often used by penetration testers.
And most of the vulnerabilities that have been identified are these blue informational vulnerabilities. But you can see a number of devices have low, medium, or even high vulnerabilities associated with them. If we drill down into a device, we can, for instance, see a number of these that have been identified. And we can drill down on those.
It explains what this vulnerability happens to be and how we should be concerned about how the configuration of this device is set up, especially as it relates to the SSL certificates on this device. As you can see, the scanner is looking for a lot of information.
But it can only find the things that it knows about. And a scanner generally has a database of signatures that it knows to look for in these different devices and operating systems. Generally, these scanners will have an update process so that you can have the latest signatures in your vulnerability scanner. Almost all of these vulnerabilities can be listed and categorized online. The National Institute of Standards and Technology has a great database at nvd.
Sometimes the scanner will give you a very generic response, saying that there may be a particular kind of vulnerability.
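The three behaviours described above, that a scanner can only report what is in its signature database, that a version match can be a false positive when a workaround was applied without upgrading, and that without a version string the scanner can only give a generic "may be affected" answer, fit in one small matching engine. This is an added example and not any product's code: the signature entries, product names, version ranges and asset records are constructed for illustration and do not correspond to real advisories.

```python
"""Signature-database matching with the failure modes the text describes.

Added example, not any scanner's real engine. The signature entries, product
names, version ranges and asset records are constructed for illustration;
none refers to a real advisory.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed signature database: product, affected range [affected_from, fixed_in).
SIGNATURES = [
    {"id": "SIG-0001", "product": "examplehttpd", "affected_from": "1.0.0", "fixed_in": "1.2.5",
     "title": "constructed: request smuggling in ExampleHTTPd before 1.2.5"},
    {"id": "SIG-0002", "product": "examplehttpd", "affected_from": "0.9.0", "fixed_in": "1.1.0",
     "title": "constructed: weak default TLS configuration in ExampleHTTPd before 1.1.0"},
    {"id": "SIG-0003", "product": "demoplc", "affected_from": "3.0", "fixed_in": "3.2",
     "title": "constructed: unauthenticated firmware upload in DemoPLC 3.0-3.1"},
]

# Assets as a scan might have profiled them (constructed). 'mitigated' records a
# workaround applied without upgrading, which is what turns a version match into
# a false positive.
ASSETS = [
    {"ip": "10.0.0.20", "banner": "ExampleHTTPd/1.2.3", "mitigated": {}},
    {"ip": "10.0.0.21", "banner": "ExampleHTTPd/1.2.3",
     "mitigated": {"SIG-0001": "reverse proxy normalises requests before they reach the server"}},
    {"ip": "10.0.0.22", "banner": "ExampleHTTPd", "mitigated": {}},    # version hidden
    {"ip": "10.0.0.10", "banner": "DemoPLC/3.1", "mitigated": {}},
    {"ip": "10.0.0.30", "banner": "MysteryBox/7.0", "mitigated": {}},  # not in the database
]

BANNER_RE = re.compile(r"^([A-Za-z][\w-]*)(?:/(\d+(?:\.\d+)*))?")


def parse_banner(banner: str) -> Tuple[Optional[str], Optional[str]]:
    """Split 'Product/1.2.3' into ('product', '1.2.3'); version may be absent."""
    m = BANNER_RE.match(banner)
    if not m:
        return None, None
    return m.group(1).lower(), m.group(2)


def version_key(v: str) -> Tuple[int, ...]:
    """Dotted version string to a comparable tuple, so 1.10 sorts after 1.9."""
    return tuple(int(x) for x in v.split("."))


def affected(version: str, lo: str, hi: str) -> bool:
    """True when lo <= version < hi (hi is the first fixed release)."""
    return version_key(lo) <= version_key(version) < version_key(hi)


def match_signatures(asset: Dict) -> List[Dict[str, str]]:
    """Run every signature for the asset's product and classify each hit."""
    product, version = parse_banner(asset["banner"])
    findings = []
    for sig in SIGNATURES:
        if sig["product"] != product:
            continue  # the scanner knows nothing about other products
        if version is None:
            # Nothing to compare against: generic "may be vulnerable" result, low confidence.
            findings.append({"id": sig["id"], "title": sig["title"],
                             "confidence": "low", "status": "possible"})
        elif affected(version, sig["affected_from"], sig["fixed_in"]):
            # Version says vulnerable, but a recorded workaround means a human must verify.
            status = "verify" if sig["id"] in asset["mitigated"] else "confirmed-by-version"
            findings.append({"id": sig["id"], "title": sig["title"],
                             "confidence": "version-match", "status": status})
    return findings


def scan(assets: List[Dict]) -> Dict[str, List[Dict[str, str]]]:
    return {a["ip"]: match_signatures(a) for a in assets}


def unknown_products(assets: List[Dict]) -> List[str]:
    """Products with no signature at all: an empty result for them means 'not checked', not 'clean'."""
    known = {s["product"] for s in SIGNATURES}
    seen = {parse_banner(a["banner"])[0] for a in assets}
    return sorted(p for p in seen - known if p is not None)


if __name__ == "__main__":
    for ip, findings in scan(ASSETS).items():
        print(ip, [(f["id"], f["status"]) for f in findings])
    print("not covered by any signature:", unknown_products(ASSETS))
```

Two hosts run the identical ExampleHTTPd/1.2.3 build, yet only one is a confirmed finding: the other has a mitigation on record and is queued for verification, which is the false-positive case the text describes. The host that hides its version gets every signature for its product back as a low-confidence "possible", and MysteryBox appears in no finding at all, not because it is secure but because the database has nothing to compare it with.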