You can perform vulnerability assessment scans authenticated with null sessions or credentials. Organizations must carefully choose how to evaluate and quantify risks because each approach offers a unique view of the vulnerabilities found in an asset.
In most cases, regulatory compliance, such as PCI DSS, requires authenticated scans within the environment, but idle sessions are acceptable for public sources as part of certification. With these in mind, think about how each works and what risks will be addressed with each.
Vulnerabilities are caused by coding errors or improper security configuration, where attackers quickly exploit to access system memory, execute sneaky commands, and steal data. Passwords, data encryption, firewalls, and standard scanning programs may not be enough. Businesses can only protect their data and networks by implementing a complete vulnerability assessment scan.
The vulnerability can be caused by several factors, from a weak password in a router to an unpatched programming flaw. By implementing a vulnerability assessment, organizations can verify security measures from within an internal network firewall and externally check defenses.
It is necessary to scan all assets such as servers, firewalls, load balancers, network devices, and desktops. It would help if you run internal and external security scans every three months or when a network organization changes critically. Security scans provide details about detected vulnerabilities in the network, possible risks, and recommended mitigation measures.
With security scans becoming a critical security strategy component, organizations’ PCI compliance has also become essential. Today, organizations run vulnerability scans to evaluate their networks, run patch installation and reassess the environment for resilience.
Null Session (without credentials) Vulnerability Assessments
Null session (without credentials) vulnerability assessments will provide administrators with an anonymous perspective of an asset’s risk profile. It is similar to a threat actor targeting an asset on the network without prior knowledge of the source. Although helpful, it can only report vulnerability findings from the viewpoint of a network or network-oriented implementation.
Any vulnerability that does not involve service to the network will be undetectable. Considering that a modern browser can detect very few vulnerabilities of an entity with idle session scanning if it’s the only source of information, the results disturbingly diverge from the real risks.
As a result, you can only conduct an idle session scan to obtain a hacker’s perspective on resources and privileged accounts. Except for false positives, idle session scans will, in any case, be a subset of these scan results. With these features in mind, here are some best practices for idle session scans:
- Targeting external assets with idle session scans forms the basis of regulatory compliance initiatives such as PCI DSS.
- Idle session scans can help quickly find vulnerable entities that are remotely susceptible to worms and specific bots.
- Idle session scans are much faster than their credited counterparts, as the vulnerability will only apply part of the signature database to a scan job.
- Idle session scans are ideal for identifying rogue assets and rogue network services and applications such as FTP, SMTP, VNC, RDP.
Authorized (Authenticated) Vulnerability Assessments
Authorized (Authenticated) vulnerability scans will provide the most accurate and detailed vulnerability assessment results, regardless of the target platform or application. These scans allow you to log in as an administrator, root, or root equivalent to check for vulnerabilities across the entire operating system, registry, file system, ports, processes, services, and users.
The use of credentials in security scans requires a target to allow remote authentication and unrestricted access. Here are some best practices to consider when assessing resources
- if you intend to use credentials:
- For vulnerability assessments, use a single privileged credential. Any interactive consumer or provider does not have access to this account.
- Monitor privileged activity using custom assessment credentials and raise status if used outside of scan times.
- Make sure the prerequisites for remote access are met. If they fail, review the assessment report findings to determine which services, such as remote record access, are not enabled for a target.
- If hosts are generally hardened and do not allow remote access, consider using one or all of the following techniques to gain privileged access:
- Set up, enable or configure a second management network with the appropriate services enabled for a scan with credentials scanned. This management network should have strict access control lists that forbid any forwarding of data or network bridging.
- Enable settings that allow scanning with credentials on a time-by-time basis or group policy and refer to a scan window.
- Consider using local or resolvable agents for a credential scan as an alternative.
- Clone the environment exactly. Cloning is well suited for virtualized environments where images can be cloned into a lab, not hardened, and a certified evaluation can be done. In mission-critical, high-availability environments and sensitive government facilities, this approach is favored.
Depending on the need to measure risk, all resources, not just assets with servers, should be subject to authenticated assessment at a specific time.
What Are the Differences in Credential-Based and Non-Credential Vulnerability Assessment?
The differences between credentialed and non-authenticated vulnerability assessments, also known as authenticated and unverified scans, are as follows:
Vulnerability assessment based on credentials using the administrator account does a more thorough check by looking for issues that are not visible from the network. On the other hand, Credential-free scans provide a quick view of vulnerabilities by looking only at network services exposed by the host computer.
Unfortunately, anonymous scans do not provide a deeper understanding of the application and operating system vulnerabilities that are not open to the network or vulnerabilities behind a firewall. It can give false hope that the system is safe.
When it comes to credential-based vulnerability assessment, keeping an accurate list of all credentials is a primary concern. An incorrect list is one of the main reasons security teams have trouble completing scans with credentials.
For example, in large organizations, it is impossible to trace the owners of certain assets; In some cases, even asking for credentials from the asset owner can be problematic and may even be banned by company policy.
Still, a credential test performs all credentials and then reports on successfully authenticated hosts and those that fail. This allows security teams to identify and resolve credential issues quickly. It prevents security teams from conducting security vulnerability tests that could result in errors or provide inaccurate or incomplete information due to improperly configured credentials.
The benefits of credential-based vulnerability assessment are as follows:
- It does not interrupt operations or consume many resources, as scanning is performed with credentials.
- Rather than testing a service remotely and attempting to locate the exposure, it checks the local host to see if a fix has been applied for a specific vulnerability.
- Identifies client-side software vulnerabilities.
- Allows more secure browsing to ensure the security of information from control system servers and workstations.
- Provides customized control of operating systems, applications, databases, and file content.
Credential-Based and Non-Credential Internal PCI Scans
The PCI DSS standard does not explicitly require internal PCI scans to be performed for authentication. Therefore, authenticated scans are optional. However, providing credentials or being authenticated allows scans to run local checks on the target registry.
Local controls typically use less network bandwidth and target resources, revealing more vulnerabilities. Local controls will not work if credentials suitable for scanning are not provided. Only remote controls will be provided.
In summary, it is highly recommended to provide credentials for Internal PCI vulnerability scanning so that all checks are completed. This will help users better identify vulnerabilities in preparation for the external PCI validation process or general PCI standard awareness.