
When you have to invest in one form of vulnerability scanning or the other, the first thing to find out is whether you can scan with credentials, because an authenticated scanner covers every use case. Scanning without credentials can still be justified, though.
Vulnerability scans give an overview of the gaps that need to be closed and a hint on how to prioritise your time according to the criticality of the vulnerabilities. They are run regularly to keep up with newly published vulnerabilities. When the hackers themselves scan regularly (and they do, on a large scale), there is probably something to it. 😉
But what are the differences, and what are the pros and cons of scanning with or without credentials?
Scanning without credentials
“Unauthenticated scanning”, also known as scanning without credentials, is the simplest and least precise scanning method. The scan is performed without the scanning software being logged in to any of the devices being scanned for vulnerabilities. This type of scan is typically used because it is quick to run and requires fewer resources. It relies solely on the publicly reachable interfaces of the devices, plus whatever other information it can gather about the assets “from the outside”.
This type of scan can map which devices you have exposed to the internet and identify common vulnerabilities affecting them, for example SQL injection, cross-site scripting (XSS), or other known vulnerabilities in the software versions running on the devices.
It gives a realistic picture of what a hacker would find with their own scan, since they typically have not obtained credentials yet at the time they scan. But the purpose of a vulnerability scan is usually to catch as much as possible and maintain good hygiene (low effort, high reward); if you want more realistic scenarios, that is where manual pentests come into play. That is why it is almost always preferable to be able to scan with credentials.
Scanning with credentials
Also known as authenticated scanning, it is great for finding vulnerabilities “inside the belly” of devices, and that is what most people want. Here, best practice is to use a privileged user who has access to everything.
Scanning with credentials provides a deeper analysis of patch levels, possible misconfigurations and vulnerable software versions, and thus a more accurate picture of the vulnerabilities that a user on the system could exploit. A hacker will often have some form of access (assume breach), whether a user they have created themselves on a website, for example, or an account obtained through phishing, brute force or leaked credentials. These vulnerabilities can NOT be detected by an unauthenticated scanner, because exploiting them requires a valid login to the system being scanned.
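To make the difference concrete, here is a small simulation of the two scan types run against the same host. It is an added example written for this post, not code from the post's author or from any scanner product; the host, its banners, its package list, its SSH settings and the "first fixed version" table are all constructed for the demo. The unauthenticated scan can only reason from what the open ports advertise, so a service that hides its version (or a library that is not exposed on any port at all) is invisible to it, while the authenticated scan reads the installed package inventory and local configuration directly.

```python
"""Constructed comparison of unauthenticated vs authenticated scanning.

Everything here (host, banners, packages, config, advisory table) is
invented for illustration; no real advisory data is used.
"""
from dataclasses import dataclass, field

# Constructed "advisory" table: package -> first fixed version.
# Any installed version lower than the fixed one is reported as vulnerable.
KNOWN_FIXED = {
    "openssh": (8, 4),
    "nginx": (1, 20, 1),
    "libexample": (2, 3),  # hypothetical library; not reachable over the network
}


@dataclass
class Host:
    """What a scanner can observe about one device."""
    name: str
    banners: dict                                   # port -> banner, visible from outside
    packages: dict = field(default_factory=dict)    # name -> version, needs a login
    config: dict = field(default_factory=dict)      # sshd setting -> value, needs a login


def parse_version(text):
    """'1.18.0' -> (1, 18, 0) so versions compare as tuples, not strings."""
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(pkg, version):
    """True when the package is in the advisory table and below its fixed version."""
    fixed = KNOWN_FIXED.get(pkg)
    return fixed is not None and parse_version(version) < fixed


def unauthenticated_scan(host):
    """Infer software only from the banners on open ports."""
    findings = []
    for port, banner in host.banners.items():
        product, _, version = banner.partition("/")
        # No version in the banner means the scanner cannot judge it at all.
        if version and is_vulnerable(product.lower(), version):
            findings.append(f"{product.lower()} {version} on port {port}")
    return findings


def authenticated_scan(host):
    """Inspect the installed package inventory and local configuration."""
    findings = []
    for pkg, version in host.packages.items():
        if is_vulnerable(pkg, version):
            findings.append(f"{pkg} {version} (installed)")
    # Constructed misconfiguration checks that only a login can reveal.
    if host.config.get("PasswordAuthentication") == "yes":
        findings.append("ssh: password authentication enabled")
    if host.config.get("PermitRootLogin") == "yes":
        findings.append("ssh: root login permitted")
    return findings


def findings_missed_without_credentials(host):
    """Everything the authenticated scan reports that the banner scan did not."""
    seen = {f.split(" on port")[0] for f in unauthenticated_scan(host)}
    return [f for f in authenticated_scan(host)
            if f.replace(" (installed)", "") not in seen]


# Constructed sample host: nginx hides its version, libexample has no port.
SAMPLE_HOST = Host(
    name="web-01.example.test",
    banners={22: "OpenSSH/8.2", 443: "nginx"},
    packages={"openssh": "8.2", "nginx": "1.18.0", "libexample": "2.1"},
    config={"PasswordAuthentication": "yes", "PermitRootLogin": "no"},
)

if __name__ == "__main__":
    print("unauthenticated:", unauthenticated_scan(SAMPLE_HOST))
    print("authenticated:  ", authenticated_scan(SAMPLE_HOST))
    print("missed without credentials:", findings_missed_without_credentials(SAMPLE_HOST))
```

On the sample host the banner scan reports only the SSH version, while the authenticated scan additionally reports the outdated nginx (version hidden in the banner), the outdated library (no network exposure) and the password-authentication setting; those three are exactly the class of findings the post says cannot be detected without credentials.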
What type of scanner should you choose?
The simple answer is: choose a solution that does both. They are not that much more expensive, and a vulnerability scanner that can scan with credentials can also scan without them, so you get to choose which type of scan to run.
How often is it recommended to perform vulnerability scans?
CIS 18 (Center for Internet Security) recommends that vulnerability scans with credentials be performed at least every 3 months and scans without credentials at least once a month. If major changes to configuration, setup, software, etc. have been made since the last scan, ad hoc scans are recommended so that new critical vulnerabilities are detected and mitigated quickly.