Learning Penetration Testing II: Vulnerability Scanning


Overview of vulnerability scanning process

  • Vulnerability scanning is usually implemented as one of many means to help organizations identify vulnerabilities in their networks and computing devices. Scanning results can help managers make informed decisions about the security of their networks and their connected devices. The scale of vulnerability scanning can be large or small, depending on the assets and systems to be evaluated.

  • Although there are many tools that can explore system vulnerabilities in depth, not all scanning tools have the same feature set. The set of vulnerabilities one scanner can check for may differ from what another tool can evaluate. Organizations should therefore select their scanner carefully, and stipulate that the use of any other vulnerability scanner must be justified and approved in advance.

  • Any scanning tool should be able to evaluate the information system from a central location and provide remediation suggestions. It must also be able to assign a severity value to each discovered vulnerability according to the relative impact of that vulnerability on the affected unit.

Regular evaluation of existing equipment

  • Ideally, each department should be required to evaluate its computing equipment in accordance with the standardized schedule.

  • At a minimum, each department should perform fully authenticated (credentialed) scans according to a specified schedule (e.g. monthly or quarterly). Scans should be tailored to the unique needs of each department, and their scope should cover all assets in the department's own area of control.

For example, the following networks and computing devices may be required to be scanned on a monthly basis:
  • Any computing device known to contain sensitive data

  • Any computing device that must meet specific regulatory requirements, such as HIPAA

  • Any file system image or virtual machine that serves as the base image for building and deploying new workstations / servers

  • Any device used as a server or for data storage

  • Any network infrastructure equipment

Unless otherwise authorized, an approved vulnerability scanning tool must be used for scanning.
The unique needs of the business should always be taken into account when performing scans (in most cases). Remember that vulnerability scanning can and will slow down the network, device, or application it is evaluating. If scanning is carried out during working hours, care should be taken to minimize the interference it may cause. Scanning should be conducted during off-peak hours, and clients that do not respond, or that need to be rescanned because they were shut down, should be covered by an additional secondary scan.
System administrators should not make changes to networked computing devices merely to pass the evaluation. In addition, no device connected to the network should be specially configured to shield it from vulnerability scanning.
Vulnerabilities on networked computing devices should be handled according to the scan results and business requirements. Remember that not every vulnerability discovered by the scanning engine needs to be addressed.

Evaluate new systems

No new system should be put into operation until a vulnerability assessment has been completed and the vulnerabilities found have been addressed.
Departments should be required to conduct a vulnerability assessment at the following times:
  • When the operating system installation and repair phase is completed

  • When completing the installation of any application provided by the supplier or developed in-house

  • Before putting the information system into operation

  • When completing the design of an image or template for deployment to multiple devices

  • When an information system provided by a supplier is delivered, before the user carries out acceptance testing, and before it is put into operation

  • For new network infrastructure equipment, during re-testing and before it is put into operation

At the completion of each vulnerability assessment above, all vulnerabilities found must be recorded and remediated.

Understand the scanning target

Each department shall not conduct intrusive scanning on systems that are not under its direct control:
  • Each department is responsible for ensuring that supplier-owned equipment has limited exposure to vulnerabilities that could harm the enterprise.

  • The supplier must be notified and allowed to send staff to be present during scanning.

  • The supplier shall not be allowed to scan the information system without the explicit permission of the department and management. Networked computing devices suspected of causing disruptive behavior on the network should be scanned with non-intrusive methods to trace the source of that behavior.

Risk mitigation

At the end of each evaluation, each department shall prepare documents reflecting the following contents:
  • All discovered vulnerabilities, the severity of vulnerabilities, and the information systems affected by them

  • For each discovered vulnerability, specify how to fix or eliminate the vulnerability

  • The report generated by the enterprise vulnerability scanning tool, together with an evaluation of whether that report is suitable as the basis for this documentation

As part of the annual security scanning process, each department shall be required to record and archive the vulnerability scanning and remediation work carried out under this document.
For discovered vulnerabilities, remediation and/or mitigation measures shall be taken according to principles such as the following:
  • Serious vulnerabilities should be completely resolved within 15 days after they are discovered.

  • High risk vulnerabilities should be completely resolved within 30 days after they are found.

  • Medium risk vulnerabilities shall be completely resolved within 60 days after they are found.

  • Low risk vulnerabilities should be dealt with within 90 days after they are found.

A vulnerability can be considered repaired when the risk of its being exploited has been completely eliminated and a subsequent scan of the device shows that the vulnerability no longer exists. Usually this is achieved by patching the operating system or application, or by upgrading the software.
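An added example (not from the original article) that applies the remediation deadlines above to a list of tracked findings and, following the rule just stated, counts a finding as repaired only when the follow-up scan no longer reports it; the host names, check identifiers, severities and dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Remediation deadlines in days per severity, as set out in the policy above.
SLA_DAYS = {"serious": 15, "high": 30, "medium": 60, "low": 90}


@dataclass(frozen=True)
class Finding:
    host: str
    check_id: str   # scanner's identifier for the check (constructed value)
    severity: str   # one of the SLA_DAYS keys
    first_seen: date


def deadline(finding: Finding) -> date:
    """Date by which the finding must be resolved under the policy."""
    return finding.first_seen + timedelta(days=SLA_DAYS[finding.severity])


def triage(findings, latest_scan, today):
    """Split tracked findings into (repaired, open within SLA, overdue).

    latest_scan is the set of (host, check_id) pairs still reported by the
    most recent scan. A finding is repaired only when that scan no longer
    reports it; a fixed-but-unverified item stays open until it is rescanned.
    """
    repaired, in_sla, overdue = [], [], []
    for f in findings:
        if (f.host, f.check_id) not in latest_scan:
            repaired.append(f)
        elif today <= deadline(f):
            in_sla.append(f)
        else:
            overdue.append(f)
    return repaired, in_sla, overdue


# Constructed sample data: findings opened from earlier scans ...
TRACKED = [
    Finding("srv-db-01", "CHK-0001", "serious", date(2024, 3, 1)),
    Finding("srv-db-01", "CHK-0002", "high", date(2024, 3, 1)),
    Finding("ws-hr-07", "CHK-0003", "medium", date(2024, 2, 1)),
    Finding("rtr-core-1", "CHK-0004", "low", date(2023, 12, 1)),
]
# ... and the (host, check_id) pairs the follow-up scan still reports.
LATEST_SCAN = {
    ("srv-db-01", "CHK-0002"),
    ("ws-hr-07", "CHK-0003"),
    ("rtr-core-1", "CHK-0004"),
}
TODAY = date(2024, 3, 20)
```

Calling `triage(TRACKED, LATEST_SCAN, TODAY)` reports CHK-0001 as repaired, CHK-0002 and CHK-0003 as open within their SLA, and the low-risk CHK-0004 (deadline 2024-02-29) as overdue.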

Types of scans that can be performed

Of course, various scanning methods may be used in real vulnerability scanning, but the following are some scanning methods and terms commonly applied in the industry.

Authenticated scan

Authenticated scanning determines whether a machine has vulnerabilities by logging in with specific credentials, without performing an intrusive scan.

Information system

Scanning of an information system covers the software, hardware, and interface components that work together to perform a set of business functions.

Internal Secrets

Specific information that must be kept available only to those who are authorized and have a need to know it; scan results themselves often fall into this category.

Intrusive scanning

A scanning method to determine the existence of vulnerabilities by actively executing known vulnerability exploitation means.

Networked computing device

Scanning of any computing device connected to the network that provides a means to access, process, or store information.

Network infrastructure equipment

This kind of scanning covers equipment that provides information transport functions, such as routers, switches, firewalls and bridges; it does not include network servers and workstations, unless those servers/workstations provide network transport services for specific.

Department

A unit defined within an organization that is responsible for protecting a given information asset.

This work is licensed under a CC agreement; reprints must credit the author and link to this article.
