Vulnerability Scans Are a Lot Like Eating Mushrooms

Each year in the US, over 5,000 people are poisoned by eating wild mushrooms. Many cases result in permanent damage to vital organs and in 2016, two fatalities were recorded (source: American Assoc. Poison Control Centers). Many of the victims were actually experienced in the identification of toxic species but still got caught out.

The differences between the deadly and the delicious are often subtle. It’s culinary Russian roulette, where the winner gets sautéed porcini and the loser ends up with kidney failure. In the cybersecurity world, testing for the existence of exploitable vulnerabilities is often just as inexact.

Vulnerability scanning is a security best practice dogged by compromises. We want to maximize security, so we should test for every known vulnerability? That makes sense until you realize there are currently over 112,000 CVEs listed in the US National Vulnerability Database.

The Common Vulnerabilities and Exposures (CVE), is the definitive list of known vulnerabilities. When a vulnerability is discovered, it must be verified as genuinely new, not simply existing in a different context. Once determined as unique, it is assigned to the CVE and given a reference ID. 

This number of CVEs results in scans lasting days which may not be workable for your environment. To avoid disruption of business services, many users will choose to run scans out of hours. How many devices can you test, and with how many tests, in the limited time-period allowed?

A partial solution to this problem is to first discover what is installed on the endpoint. Inventory established, any non-relevant tests can be skipped, focusing the scan precisely and reducing scan times. If you take your car in for repair, they don’t dismantle the engine then ask what the problem is.

To speed up the process further, there are other compromises to consider. One major factor is that scanner tests are split into those that use credentials and those that don’t.

A Credentialed Test allows the scanner to log into the device under test and execute commands using a privileged user account. You can probably guess what the Non-Credentialed Test does? These tests are performed externally, interacting with the device via the network without logging in.

  • Credentialed Test pros – more accurate results, wider range of tests performed, host-resident testing is often less resource intensive than non-credentialed test
  • Non-Credentialed Test pros – can be faster to execute, no credentials needed (obviously) so simpler to get results, arguably more ‘real world’ in simulating an attack

A good summary is that Non-Credentialed tests give quicker results, but are more likely to produce false positives.

Non-Credentialed tests attempt to second-guess the existence of vulnerabilities by interacting with the endpoint and interpreting the responses received. Compare this approach to say, directly inspecting the version of a suspect executable file, and it’s easy to see why false-positives are less likely when credentials are used.

For any single vulnerability, most scanners provide two versions of each test, allowing you to scan with or without credentials.

The reason why so many get it wrong with mushrooms is that the go/no go decision is based entirely on what the fungi look like. It may take the spontaneity out of eating a freshly-foraged breakfast, but you need to be sure that your identification is accurate. Good advice: Be less of a care-free, fun guy, and be more careful with fungi.

As for vulnerability testing, if you are expecting point-and-shoot technology with quick results and 100% accuracy, then you will need to re-think.  A balance is going to be required between a scan program that covers all systems with sufficient depth, but without impacting service delivery.

The highest risk endpoints will want the most thorough testing available, so credentialed scans are a must. For lower risk assets, you may choose to prioritize speed of scanning over accuracy, exactly where non-credentialed scans are more useful. The speed and ease of operation will come at the expense of more false positives and post-scan investigations to verify results.

Vulnerability scans are a core foundational security control, essential for all organizations, but make sure you always question what the tests are, and how they are being run. 

When it comes to mushrooms, out of all the tips and guides available, the golden rule to be completely safe is this - Only eat the ones found in grocery stores.

What’s Hot on Infosecurity Magazine?