Ruslan Rakhmetov, Security Vision
Table of contents
1. Introduction
2. Methods and technologies
3. Recommendations for implementation and use
4. Frequently Asked Questions (FAQ)
1. Introduction
In the last article, we talked about how network scanning works and how it differs from vulnerability scanning; we mentioned ports and services, authenticated and unauthenticated methods, and different scanning modes and levels of aggressiveness. In the current article, we will focus on the technological aspect. Modern web applications (such as your online banking or corporate portal) are not standard rooms (the IT assets from the previous review) but complex, custom-made mechanisms inside the fortress, so special diagnostic methods are required to verify them.
Most often, applications are like a unique, hand-assembled car, so there are three ways to check them:
- SAST (Static Application Security Testing), or static testing. It's like a mechanical engineer studying the blueprints of a car (the source code) before the first part is made. This way, he can notice design flaws, weak materials, or calculation errors right on paper, and it is very cheap to find and fix problems at this stage. However, the engineer may raise the alarm over a feature of the drawing that would not actually cause any problem (this is called a "false alarm", or false positive). In scanner terms, this is the "white box" approach.
- DAST (Dynamic Application Security Testing), or dynamic testing. It's like the work of a crash test dummy, when you take a fully assembled, working car and check it from the outside: smash it into a wall, spray it with a water hose, try to open the doors. You don't know how the engine works, you just record what happens when exposed to external influences. This method is great at finding real, exploitable problems (for example, that the door easily falls off on impact), but it is used in the late stages, and when something breaks, you do not always immediately understand why it happened. This is the "black box" approach in the scanner.
- There is also interactive testing, IAST (Interactive Application Security Testing). This is the most advanced test when you install sensors inside the engine, on the suspension and in the car interior, while the crash test dummy controls it. When a failure occurs, the internal sensors instantly tell you which part broke, at what pressure, and for what reason. This is a gray box approach.
And now we will tell you about these dummies and sensors.
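To make the blueprint-versus-crash-test difference concrete, here is an added example (not code from the article or from Security Vision) in Python: one tiny "car", a user lookup function, is checked first by a simplistic SAST rule that reads only the source text, and then by a DAST probe that treats the function as a black box and observes its behaviour. The SAST rule, the sample table and the functions are all constructed for illustration; note that the static rule also raises a false alarm on a harmless log-message line, which is exactly the trade-off the list above describes.

```python
"""Added example (not from the article): the same tiny "car" checked two ways,
statically (SAST, reading the blueprint) and dynamically (DAST, crash-testing it)."""
import inspect
import re
import sqlite3


def make_db():
    """Constructed sample data: an in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn


def lookup_user_vulnerable(conn, username):
    # Untrusted input glued straight into SQL: the design flaw on the drawing.
    query = "SELECT id, name FROM users WHERE name = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_user_safe(conn, username):
    # Parameterised query: the corrected drawing.
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (username,)).fetchall()


def log_counter(n):
    # Harmless string building; a naive SAST rule raises a false alarm here.
    return "SELECT count: " + str(n)


# Simplistic SAST rule (hypothetical, for illustration): a string literal that
# contains a SQL keyword and is immediately concatenated with something via "+".
SQL_CONCAT = re.compile(r'"[^"]*\b(SELECT|INSERT|UPDATE|DELETE)\b[^"]*"\s*\+\s*\w')


def sast_scan(func):
    """White box: inspect the source text only, never execute it.
    Returns the line numbers (1-based, within the function) that match the rule."""
    lines = inspect.getsource(func).splitlines()
    return [i for i, line in enumerate(lines, 1) if SQL_CONCAT.search(line)]


def dast_probe(lookup):
    """Black box: call the function with a harmless name and with a probe that
    contains SQL syntax, then compare behaviour. A name nobody has must return
    zero rows; if the probe returns more rows than the baseline, the input was
    interpreted as SQL rather than as data."""
    conn = make_db()
    baseline = lookup(conn, "nobody")
    probe = lookup(conn, "nobody' OR '1'='1")
    return {
        "baseline_rows": len(baseline),
        "probe_rows": len(probe),
        "vulnerable": len(probe) > len(baseline),
    }


if __name__ == "__main__":
    for f in (lookup_user_vulnerable, lookup_user_safe, log_counter):
        print(f"SAST {f.__name__}: flagged lines {sast_scan(f)}")
    for f in (lookup_user_vulnerable, lookup_user_safe):
        print(f"DAST {f.__name__}: {dast_probe(f)}")
```

The static check flags both the real flaw and the harmless log line (a false positive), while the dynamic check flags only the function whose behaviour actually changes under the probe; an IAST sensor would combine the two by watching the query string inside the running function.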
2. Methods and technologies
To ensure that all network requests, responses, and data move in an orderly and lossless manner, a reliable system of rules is needed. This role is performed by the TCP/IP protocol stack (Transmission Control Protocol/Internet Protocol), a fundamental set of rules by which the entire Internet operates. Let's imagine it as the internal postal service of our fortress.
- IP (Internet Protocol), as the postman, who is responsible for addressing, looks at the envelope and makes sure that the room number (IP address) and the mail slot number (port) are correctly indicated on it. His task is to deliver the envelope to the correct address.
- TCP (Transmission Control Protocol), as a meticulous clerk responsible for the reliability of delivery. If you need to send a long letter of ten pages, he will number each page, send the pages in numbered portions (segments), wait for confirmation from the recipient, and if any page is lost, send it again (to preserve the integrity and availability of the data).
It is thanks to TCP that we can be sure that the file we download or the web page we open will reach us completely and without distortion. This reliable system underpins all scanning operations, allowing you to accurately send requests and analyze responses.
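The clerk's routine of numbering, acknowledging and resending can be modelled in a few lines. The following is an added example in Python, not part of the article and not a real TCP implementation: a constructed channel loses chosen segments on their first attempt, the sender retransmits until each segment is acknowledged, and the receiver reassembles the message by sequence number even though the segments are deliberately sent out of order.

```python
"""Added example (not from the article): a toy model of TCP's numbered segments,
acknowledgements and retransmission over a channel that loses segments."""
from dataclasses import dataclass, field


@dataclass
class LossyChannel:
    """Constructed channel: drops a segment the first time its sequence number is
    sent if that number is in drop_once; later attempts get through."""
    drop_once: set
    dropped: set = field(default_factory=set)

    def deliver(self, seq):
        if seq in self.drop_once and seq not in self.dropped:
            self.dropped.add(seq)
            return False  # lost in transit: no ACK will come back
        return True


def split_into_segments(message, segment_size):
    """The clerk numbers every page of the letter, starting from 0."""
    return {
        seq: message[start:start + segment_size]
        for seq, start in enumerate(range(0, len(message), segment_size))
    }


def send_reliably(message, segment_size, channel, max_retries=5):
    """Send every numbered segment, wait for its ACK and retransmit until it is
    acknowledged. Returns the message as reassembled by the receiver and a
    per-segment (sequence number, attempts) log."""
    segments = split_into_segments(message, segment_size)
    receiver_buffer = {}  # pages are stored by number, so wire order does not matter
    attempts_log = []
    for seq in sorted(segments, reverse=True):  # deliberately sent out of order
        attempts = 0
        while True:
            attempts += 1
            if channel.deliver(seq):
                receiver_buffer[seq] = segments[seq]
                break  # ACK received for this segment
            if attempts > max_retries:
                raise TimeoutError(f"segment {seq} was never acknowledged")
        attempts_log.append((seq, attempts))
    reassembled = "".join(receiver_buffer[seq] for seq in sorted(receiver_buffer))
    return reassembled, sorted(attempts_log)


if __name__ == "__main__":
    text, log = send_reliably("TEN PAGES OF TEXT", 4, LossyChannel(drop_once={1, 3}))
    print(text)
    print(log)
```

Segments 1 and 3 need two attempts each, everything else arrives first time, and the receiver still hands back the original text; with `max_retries=0` the sender gives up on the first lost segment, which is the "unavailable" outcome the article's clerk is designed to avoid.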
Nmap (Network Mapper) is a fundamental, free, open source tool for detecting devices on a network and scanning ports. This is the first thing that is used to create the "floor plan" of our fortress. It is incredibly flexible and powerful, and can perform dozens of different types of scans: from a simple "Is anyone in this room?" (ping sweep) to complex checks that identify the operating system on a remote computer (OS detection) or the version of the service on an open port. This is an indispensable multitool for a security guard, which includes a rangefinder for drawing up a plan, a set of lock picks for checking locks, and a magnifying glass for examining door signs.
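The two basic Nmap questions, "is this door open?" and "what is written on the sign?", come down to a TCP connect and a read of whatever the service announces. Below is an added example in Python (not code from the article, and not Nmap itself) that runs entirely on the local loopback interface: it starts a constructed demo service with a made-up banner on a port chosen by the operating system, reserves and releases a second port so that it is known to be closed, then performs a connect scan of both and grabs the banner from the open one.

```python
"""Added example (not from the article): a minimal TCP connect scan and banner
grab against a constructed demo service on 127.0.0.1, the two basic steps that
tools such as Nmap perform with far more sophistication."""
import socket
import threading

BANNER = b"SSH-2.0-ConstructedBanner_1.0\r\n"  # constructed, not a real product string


def start_demo_service():
    """Listen on a loopback port chosen by the OS and send BANNER to every client.
    Stands in for an 'open door' in the fortress; returns the port number."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                client, _ = srv.accept()
            except OSError:
                return
            with client:
                try:
                    client.sendall(BANNER)
                except OSError:
                    pass  # scanner closed before reading; that is fine

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def closed_port():
    """Reserve a port and release it again so that it is (almost certainly) closed."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def scan_ports(host, ports, timeout=0.5):
    """TCP connect scan: a port counts as open if the three-way handshake completes
    (connect_ex returns 0); a refused or timed-out connection counts as closed."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports


def grab_banner(host, port, timeout=1.0):
    """Service-version step: read whatever the service announces on connect."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(256).decode(errors="replace").strip()


if __name__ == "__main__":
    open_port, shut_port = start_demo_service(), closed_port()
    found = scan_ports("127.0.0.1", [open_port, shut_port])
    print("open:", found)
    for p in found:
        print(p, "->", grab_banner("127.0.0.1", p))
```

The scan itself is the noisy part: every probe is a full connection that the target's logs will record, which is why the scheduling advice later in this article separates aggressive scans from business hours.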
There are also specialized vulnerability scanners, such as Security Vision VS. Their task is to take a map created by a tool like Nmap and methodically check each asset on the network for compliance with a huge database of known vulnerabilities. These are specialized inspection kits that the guard uses after the initial inspection. They contain detailed catalogs of all known models of defective locks (CVE, Common Vulnerabilities and Exposures databases), tools for checking them, and a system for creating a priority report indicating which locks require immediate replacement.
The CVE we mentioned above is a unique identifier for each known vulnerability. Imagine that there is a LockMaster Pro Series 1 lock model in the world that has a factory defect. A CVE is a universal "article number" for that defect, for example, CVE-2021-44228. When security guards in different countries talk about this vulnerability, they use its CVE number, and everyone understands exactly which defective lock they are talking about. This is a general dictionary of vulnerabilities. We talked about this framework earlier, along with CVSS (Common Vulnerability Scoring System), so we won't delve into the specifics in the current review.
In addition to sensors and assessment methods, vulnerability detection can be performed in two ways: with or without agents.
If a software "agent" is installed on the device (computer, server), then it works as if each member of your family had a personal miniature robot doctor who is constantly with him, measures temperature, monitors pulse and immediately reports any problems. This method provides very deep and constant real-time monitoring (the "Doctor" sees all internal processes, installed programs and files, which allows you to find vulnerabilities with maximum accuracy), but installing and updating such "doctors" on each device requires time and effort. In addition, they consume the resources of the device itself (memory, processor), which can slow down its operation a little. It is impossible to install such a "doctor" on some devices, for example, on a network printer, so the agentless search option is more suitable there.
Agentless scanning does not require the installation of any software on the devices. Instead, the scanner works remotely, connecting to devices over a network to collect the necessary information. This can be compared to a doctor who comes to your home for a routine checkup: he does not live with you, but only periodically comes in, asks questions (sends network requests) and examines you to assess your health (conducts a security analysis, looks for vulnerabilities). This approach is very easy and fast to deploy, because you do not need to install anything on hundreds of computers, it does not affect device performance and can cover the entire network. But such an "inspection" occurs periodically, not constantly, so it gives a "snapshot" of the state at a certain point in time, rather than a continuous picture (therefore, it is important to either monitor the execution of this cycle or automate it, as we like).
Most often, companies find a compromise between depth and accuracy (agent) and breadth and ease of deployment (agentless method) and use both approaches simultaneously for the best result.
3. Recommendations for implementation and use
Since we are talking about achieving the best results, we will share some tips on how to build this process. For the security system to work effectively and not create chaos, it is necessary to follow proven practices:
Patrol planning (frequency and schedule)
As we have already said, scanning is not a one-time event but an ongoing process, and its frequency and timing must be planned strategically to ensure maximum coverage without interfering with the main work of the company. A good security chief does not force his guards to check every door in the fortress every five minutes (this would be inefficient and would annoy the staff); instead, he creates a smart schedule:
- The server room with critical data is checked daily, possibly at night, so as not to create a load.
- Workstations of regular employees are scanned weekly, but only during business hours, when they are guaranteed to be on.
- The outer perimeter (fortress walls) is fully inspected once a month.
- Noisy and potentially disruptive tests (aggressive active scanning) are planned for weekends or holidays so as not to affect business processes.
Risk of false alarms (False Positives and False Negatives)
No scanner is perfect, and there may be two types of errors in its reports:
- False Positive, when the scanner reports a problem that does not actually exist. It's as if the motion sensor in the hallway was triggered by a gust of wind from the air conditioner. If there are too many such false alarms, the guards will start ignoring the signals, and eventually miss the real threat.
- False Negative, when the scanner does not notice a real problem. Imagine that an experienced thief sneaked past the camera without causing an alarm – this is the most dangerous scenario. It creates a false sense of security, while the real threat is already inside and remains unnoticed.
The specialists' task is to configure scanners properly and analyse their results so that both types of error are minimised. Tooling can help here: a multiscanner, for example, runs any number of scanners simultaneously and processes all of their results in a single SV VS interface, which makes it possible to measure and reduce such errors automatically.
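How a multiscanner can "calculate" the two error types, and why the merge policy matters, is easiest to see with numbers. The following added example in Python is not the article's or Security Vision's code: it uses a constructed set of findings confirmed by manual verification on one host, constructed reports from three scanners, and compares each scanner alone against two merge policies (the union, and "at least two scanners agree"). The finding identifiers F1..F5 and X1..X3 are placeholders.

```python
"""Added example (not from the article): measuring false positives and false
negatives per scanner, and seeing how a multiscanner merge policy shifts the balance."""
from collections import Counter

# Constructed sample. CONFIRMED is what a manual check verified on one host;
# each scanner's set is what it reported. F1..F5 are real findings, X1..X3 are
# "gusts of wind" that only one scanner each produced.
CONFIRMED = {"F1", "F2", "F3", "F4", "F5"}
REPORTS = {
    "scanner_a": {"F1", "F2", "F3", "X1"},
    "scanner_b": {"F1", "F2", "F4", "X2"},
    "scanner_c": {"F1", "F3", "F4", "F5", "X3"},
}


def confusion(reported, confirmed):
    """Count hits, false alarms and misses, with precision and recall."""
    tp = len(reported & confirmed)
    fp = len(reported - confirmed)   # false positives: reported but not real
    fn = len(confirmed - reported)   # false negatives: real but not reported
    return {
        "tp": tp, "fp": fp, "fn": fn,
        "precision": tp / (tp + fp) if tp + fp else 0.0,
        "recall": tp / (tp + fn) if tp + fn else 0.0,
    }


def merge(reports, min_votes):
    """Multiscanner merge: keep a finding reported by at least min_votes scanners.
    min_votes=1 is the union (fewest misses); higher values demand agreement
    (fewer false alarms, at the cost of dropping findings only one scanner saw)."""
    votes = Counter(f for findings in reports.values() for f in findings)
    return {f for f, n in votes.items() if n >= min_votes}


def compare_policies(reports, confirmed):
    """Confusion figures for each scanner alone and for every merge threshold."""
    result = {name: confusion(found, confirmed) for name, found in reports.items()}
    for k in range(1, len(reports) + 1):
        result[f"merge>={k}"] = confusion(merge(reports, k), confirmed)
    return result


if __name__ == "__main__":
    for policy, figures in compare_policies(REPORTS, CONFIRMED).items():
        print(f"{policy:>10}: {figures}")
```

On this sample the union catches every real finding but carries three false alarms, while requiring two scanners to agree removes all false alarms but misses F5, which only one scanner saw; neither threshold is "right", and the choice is the trade-off the list above describes.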
From report to repair (vulnerability management lifecycle)
A mature security program follows a clear lifecycle that ensures that problems are not only found, but also fixed. This process is very similar to health care, in which there is:
- Detection (Diagnosis), as a complete examination of the body using MRI and blood tests. As a result, you get a list of all potential health problems (and in the case of IT systems, a list of all detected vulnerabilities). It is better when problems are handled by a specialized doctor who takes into account the characteristics of the patient and his organ systems, as does the resource-service model for IT assets and business processes.
- Prioritization (Triage), when the doctor (security team) examines the results. Slightly elevated cholesterol is a cause for concern, but critical vascular blockage requires immediate intervention. Therefore, vulnerability assessment takes into account CVSS and the importance of the asset (which can, for example, be managed through matrices and decision trees in Security Vision modules).
- Elimination (Treatment), the process of correcting the problem itself: installing a patch (taking medication), changing the configuration (changing the diet) or decommissioning the system (surgery). In the SV VM module, such treatment can be performed automatically (autopatching with the installation of updates without human intervention).
- Check (Reanalysis), when after a course of treatment, the doctor prescribes repeated tests to make sure that the problem is solved. In cybersecurity, this means re-scanning the system to confirm that the vulnerability is indeed closed, and in our scanner, re-scanning can automatically close the tasks of specialists.
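The four stages above can be chained in code. This added example in Python is not the article's or Security Vision's implementation: it scores constructed findings through a constructed CVSS-band × asset-importance decision matrix (the CVSS v3 qualitative bands are real; the matrix and priority labels P1..P4 are assumptions), orders them for treatment, opens one ticket per asset and vulnerability, and closes tickets only when a re-scan no longer reports the finding. CVE-2021-44228 is the identifier the article cites; the VULN-CONSTRUCTED-* identifiers are placeholders.

```python
"""Added example (not from the article): triage through a CVSS x asset-importance
decision matrix, then automatic ticket closure when a re-scan no longer sees the finding."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str
    cvss: float
    asset_importance: str  # "low" | "medium" | "high", from the asset inventory


def cvss_band(score):
    """CVSS v3 qualitative severity bands."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


# Constructed decision matrix (an assumption, not Security Vision's):
# (CVSS band, asset importance) -> remediation priority.
PRIORITY_MATRIX = {
    ("critical", "high"): "P1", ("critical", "medium"): "P1", ("critical", "low"): "P2",
    ("high", "high"): "P1",     ("high", "medium"): "P2",     ("high", "low"): "P3",
    ("medium", "high"): "P2",   ("medium", "medium"): "P3",   ("medium", "low"): "P4",
    ("low", "high"): "P3",      ("low", "medium"): "P4",      ("low", "low"): "P4",
}


def priority(finding):
    return PRIORITY_MATRIX[(cvss_band(finding.cvss), finding.asset_importance)]


def triage(findings):
    """Diagnosis list -> treatment order: by priority first, then by raw CVSS."""
    return sorted(findings, key=lambda f: (priority(f), -f.cvss))


def open_tickets(findings):
    """One remediation ticket per (asset, vulnerability) pair."""
    return {(f.asset, f.vuln_id): {"priority": priority(f), "status": "open"} for f in findings}


def reanalysis(tickets, rescan_findings):
    """Repeat test after treatment: a ticket is closed only when the re-scan
    no longer reports that vulnerability on that asset."""
    still_present = {(f.asset, f.vuln_id) for f in rescan_findings}
    for key, ticket in tickets.items():
        if ticket["status"] == "open" and key not in still_present:
            ticket["status"] = "closed"
    return tickets


# Constructed sample findings.
SAMPLE = [
    Finding("print-03", "VULN-CONSTRUCTED-A", 5.3, "low"),
    Finding("web-01", "CVE-2021-44228", 10.0, "high"),
    Finding("db-02", "VULN-CONSTRUCTED-B", 7.5, "medium"),
    Finding("hr-portal", "VULN-CONSTRUCTED-C", 9.1, "low"),
]


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(priority(f), f.asset, f.vuln_id, f.cvss)
    tickets = open_tickets(SAMPLE)
    # Constructed re-scan: the web server and HR portal were patched, two remain.
    print(reanalysis(tickets, [SAMPLE[0], SAMPLE[2]]))
```

The ordering shows why raw CVSS alone is not enough: the 9.1 finding on a low-importance asset lands in the same bucket as the 7.5 finding on a medium-importance one, and a network printer's medium finding goes last; the re-scan then closes exactly the tickets whose findings have disappeared, leaving the rest open for the next cycle.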
Response automation (SOAR role)
In a large organization, the number of alerts from scanners can reach thousands per day, which is impossible to process manually, and this is where SOAR-class platforms (Security Orchestration, Automation, and Response) come to the rescue. A SOAR platform such as Security Vision is the central, AI-controlled security command center of the fortress. SOAR is, of course, focused mainly on incident management, but integrating it into the ecosystem creates synergy.
Creating requests for the repair team (IT department), temporarily locking electronic locks in the entire corridor (isolating the system in the network), downloading CCTV footage from this area (collecting additional data about the incident in its vicinity) and generating a full incident report – all this happens in seconds, reducing the reaction time from hours to moments and freeing up human analysts to solve more complex and creative tasks.
4. Frequently Asked Questions (FAQ)
Is it legal to conduct network scanning?
It is absolutely legal to scan networks and systems that belong to you or that you have explicit written permission to scan. However, scanning someone else's network without permission is illegal and is considered a criminal offense in many countries. Always act within the law and ethical standards.
What is the best tool to start a small business with?
For easy mapping of your network and understanding which devices are connected to it, Nmap is a powerful and free starting point. For small companies that need an easy-to-use solution with professional support, the best investment may be a boxed scanner (for example, Nessus or SV VS Basic). An Enterprise solution is suitable for large companies.
How often do I need to scan our network?
It depends on the type and criticality of the asset. Critical systems accessible from the Internet (such as your website) should be scanned daily or weekly, internal servers can be scanned weekly or monthly, and workstations can be scanned as needed, but regularly. The key point is to create a scan schedule based on an assessment of risks and potential impact on the business (as we do in the resource-service model).