What kind of security scan do you need?

Vulnerability scans come in different types. Some have a broad scope that includes many networks; others dive deep into a single application. They also differ in what is examined, ranging from website reputation to software configuration. Every kind of scan has a function. But where to start?

It is best to start with a website discovery from the internet, because that is where the risk is biggest. The next step is to assess the most common security issues on the outside. Once these are addressed, the detailed scans help to identify and eliminate each and every security flaw in the systems. So: start broad and go deeper as the security of the environment improves.

Security scan reference model
Figure 1. Reference model for internet security scans.

In the figure above, a reference model is given for security scans. It shows that a portscan is a component of a vulnerability scan, which itself is a component of a penetration test (aka ethical hacking). In addition, it depicts two scans that operate on a higher level: the domain inventory and the reputation check. Each scan is briefly described below.

A domain inventory searches for the servers that belong to an organization. It serves to gain an overview of all systems that are accessible from the internet, whether on premise, in the cloud, or hosted by external suppliers.

A reputation check investigates whether servers of the domain are registered as malicious, for example because they distribute malware or spam. For this check, blacklists and reputation databases are consulted.

Portscans give insight into the connection possibilities of servers and networks. It is the digital way of knocking at the door and seeing whether it opens. This is commonly done with nmap. A portscan can reveal unwanted openings. In addition, it forms the basis for vulnerability scans and penetration tests.

Vulnerability scans start with a port scan and then determine which application is accessible on each open port. The application is interrogated with automated probes. Publicly known vulnerabilities of standard implementations are thus found, as far as they are visible from the outside. This type of scan generates so much 'noise' that it certainly stands out in the system log. A vulnerability scan requires a legal disclaimer: it cannot be run against any environment without prior permission of the owner.
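The noise a port or vulnerability scan leaves in system logs is exactly what makes it detectable. As an added example that is not part of the original article, the following Python snippet flags a source address that probes many distinct destination ports within a short window, run over constructed netfilter-style firewall log lines (the addresses come from documentation ranges and the thresholds are assumptions, not values from the article):

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the style of Linux netfilter (iptables LOG target)
# kernel messages. Addresses are from documentation ranges, not real hosts.
SAMPLE_LOG = """\
Jan 10 12:00:01 fw kernel: IN=eth0 SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=44512 DPT=22 SYN
Jan 10 12:00:01 fw kernel: IN=eth0 SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=44513 DPT=25 SYN
Jan 10 12:00:02 fw kernel: IN=eth0 SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=44514 DPT=80 SYN
Jan 10 12:00:02 fw kernel: IN=eth0 SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=44515 DPT=443 SYN
Jan 10 12:00:03 fw kernel: IN=eth0 SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=44516 DPT=3306 SYN
Jan 10 12:00:05 fw kernel: IN=eth0 SRC=192.0.2.9 DST=198.51.100.7 PROTO=TCP SPT=51000 DPT=443 SYN
Jan 10 12:05:00 fw kernel: IN=eth0 SRC=192.0.2.9 DST=198.51.100.7 PROTO=TCP SPT=51001 DPT=80 SYN
"""

# Extract the syslog timestamp, source address and destination port.
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: "
                     r".*?SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)")

def parse_events(text, year=2024):
    """Return a list of (timestamp, source_ip, destination_port) per matching line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated kernel messages are skipped
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"], int(m["dpt"])))
    return events

def detect_port_scans(events, min_ports=5, window_seconds=60):
    """Return {source_ip: sorted ports} for every source that touched at least
    min_ports distinct destination ports within any window_seconds span."""
    by_src = defaultdict(list)
    for ts, src, dpt in sorted(events):
        by_src[src].append((ts, dpt))
    findings = {}
    for src, hits in by_src.items():
        start = 0
        for end in range(len(hits)):
            # Advance the window start until the span fits in window_seconds.
            while (hits[end][0] - hits[start][0]).total_seconds() > window_seconds:
                start += 1
            ports = {p for _, p in hits[start:end + 1]}
            if len(ports) >= min_ports:
                findings[src] = sorted(ports)
                break
    return findings

if __name__ == "__main__":
    for src, ports in detect_port_scans(parse_events(SAMPLE_LOG)).items():
        print(f"possible port scan from {src}: ports {ports}")
```

The two hits from 192.0.2.9 are five minutes apart and touch only two ports, so they fall below the threshold; a real deployment would tune min_ports and the window to the site's own traffic.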

Penetration tests are largely handwork, supported by tools and driven by creativity, knowledge and skills. These tests go deep into an application and are performed to assess the security of changes or new releases. Typical topics are SQL injection, cross-site scripting, session management, the authorization model, etc. They are especially important for tailor-made applications.

The diagram also shows which kinds of scans are performed as part of the Internet-Security-Scan. The domain scan and reputation check are complementary to the other (standard) scans. In addition, there is an overlap with the vulnerability scan in the sense that only a few no-brainers are checked. This keeps the scan invisible in log files, and the system load is negligible. Moreover, this scan is non-intrusive, meaning that no mutations are made on the server and that the availability of the server is not disturbed. Because of this, a declaration of waiver is not necessary. This makes it an ideal scan for checking vendor security.
