It's a fact that you cannot secure what you don't acknowledge.
While not exactly a mantra of IT security, this principle certainly proves true when looking for security vulnerabilities from a "trusted" user's perspective. In other words, it's foolish to conduct vulnerability scanning without authentication.
By configuring your vulnerability scanner(s) to log in to the hosts you're testing, you will see the rest of the story -- the side of security that's often ignored in the name of time, money or complexity. The reality is that authenticated vulnerability scanning will indeed take more time, but the payoffs in terms of vulnerabilities discovered (and, ultimately, risk mitigated) can be tenfold versus what you would discover otherwise.
The five things listed here tell you how to successfully prepare for, run and get the most out of the results of your authenticated vulnerability scans:
- Know in advance which systems you're going to scan with authentication. This might include all Windows and Linux-based systems, or a limited subset of your computers (e.g., servers or workstations). Also consider web applications, databases and any network host that allows or requires authentication via protocols such as Telnet, FTP, Secure Shell and Simple Network Management Protocol. Many commercial vulnerability scanners can authenticate over these protocols. If authenticated vulnerability scanning is a common practice used by criminal hackers outside your network or users on the inside (and believe me, it is), then you need to be doing it as well.
- Decide what user role level (or levels) you want to scan with. I recommend scanning with administrator or root-equivalent credentials at least. You'll find the most flaws this way. However, by scanning with different user roles, such as a manager-level role or a basic user role, you can get a better idea of what each user group can see and exploit. The more user roles you test with, the better your results -- to an extent. The law of diminishing returns will kick in at some point. You'll know enough is enough when your results no longer vary with the permissions used.
- Set up the user accounts to be used for authenticated vulnerability scanning so they do not force a password change upon initial login (a common setting in Active Directory Group Policies and some web applications). If you forget this, the first time your scanner logs in it will be prompted to change the password, which, of course, it won't be able to do. You may be unaware that this has taken place and then proceed with the scan. Several minutes -- or more likely hours -- later you'll realize that authentication didn't work and you'll have to start over with your scans. With web vulnerability scanners, you will most likely have to create a login macro that you can test before the scan. For some reason, most network vulnerability scanners don't provide an option to test your login credentials before you start scanning.
- Authenticated vulnerability scanning of network hosts is fairly benign. That said, scanning can be problematic for production environments, especially when scanning web applications. Regardless of what you're scanning, CPU, disk and network cycles will be consumed, log files and databases can get filled up, user accounts can get locked out, and so on. I recommend running your authenticated scans on one or two systems at first to see what the side effects are going to be before branching out and scanning hundreds or thousands of systems.
- The security vulnerabilities uncovered during authenticated scans can be downright overwhelming, especially when viewing the results in a traditional PDF report. I've found that generating HTML or spreadsheet reports, sorted by vulnerability, is the best way to view the findings. When you sort your results by vulnerability, you'll save a ton of time by being able to see things more simply and clearly (i.e., which hosts or webpages are affected by each vulnerability). In addition, you can generate your final report or remediation plans more easily that way, rather than looking at one host at a time.
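As an added example (not code from the original article or from any particular scanner), here is a small script that pivots a per-host scan export into the vulnerability-sorted view recommended above, ranked by severity and then by the number of affected hosts, and flags the findings that only showed up because the scan was credentialed. The CSV column names and the sample rows are constructed assumptions, not a real scanner's format.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export: one row per (host, finding). Column names are
# assumed; adapt them to whatever your scanner actually exports.
SAMPLE_CSV = """host,vulnerability,severity,credentialed
10.0.0.5,Outdated OpenSSL library,High,yes
10.0.0.5,SMB signing not required,Medium,no
10.0.0.6,Outdated OpenSSL library,High,yes
10.0.0.7,Outdated OpenSSL library,High,yes
10.0.0.7,Local administrator password never expires,Medium,yes
10.0.0.6,SMB signing not required,Medium,no
10.0.0.8,Missing operating system patch,Critical,yes
"""

# Higher number = more severe; used for ordering the pivoted report.
SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Info": 0}


def pivot_by_vulnerability(csv_text):
    """Group findings by vulnerability instead of by host.

    Returns a list of dicts sorted by severity (desc), then by number of
    affected hosts (desc), then by name, so the biggest fixes come first.
    """
    groups = defaultdict(lambda: {"severity": "Info", "hosts": set(), "cred": set()})
    for row in csv.DictReader(io.StringIO(csv_text)):
        g = groups[row["vulnerability"]]
        g["hosts"].add(row["host"])
        # Keep the worst severity seen for this finding across all hosts.
        if SEVERITY_RANK[row["severity"]] > SEVERITY_RANK[g["severity"]]:
            g["severity"] = row["severity"]
        g["cred"].add(row["credentialed"].strip().lower() == "yes")
    report = []
    for vuln, g in groups.items():
        report.append({
            "vulnerability": vuln,
            "severity": g["severity"],
            "hosts": sorted(g["hosts"]),
            # True when every instance required credentials to detect, i.e.
            # an unauthenticated scan would have missed it entirely.
            "credentialed_only": g["cred"] == {True},
        })
    report.sort(key=lambda r: (-SEVERITY_RANK[r["severity"]], -len(r["hosts"]), r["vulnerability"]))
    return report


def credentialed_only_findings(report):
    """Names of findings that the authenticated scan alone uncovered."""
    return [r["vulnerability"] for r in report if r["credentialed_only"]]
```

Running `pivot_by_vulnerability(SAMPLE_CSV)` on the constructed data puts the single critical patch finding first, then the OpenSSL finding with its three hosts listed together, which is exactly the per-vulnerability view that makes a remediation plan easier to write.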
Doing authenticated vulnerability scanning the right way is similar to using a digital SLR camera to take photos. Anyone can own the tool, but it doesn't mean you know how to use it well, and there's no guarantee of positive results. The more you perform your authenticated scans, the more tricks you'll learn to make you more effective and efficient. Your ability to find vulnerabilities reliably in a shorter period of time will increase -- while your business risks are reduced. Everyone wins.