Vulnerability Scanners 101

Vulnerability scanning is not rocket science; anyone with the time in their hands to search for a software vulnerability scanner can find one in mere seconds. With the way the Internet has grown for at least two decades, the more bad actors enter the system. Armed with the motivation of profiting from an open undiscovered vulnerability in mainstream software people and companies, cybercriminals continue their research and development to bypass current solutions of increasing IT security.

Software developers are trying all types of development methodology to close the vulnerabilities of their creation. This is through beta testing, they sign-up actual real users of their software as testers. This brought the substantial speed of updates containing critical patches that plug the holes, stopping the possibility of the software being used for exploits.

Companies and interested individuals can use vulnerability scanning software against their own IT infrastructure, as part of the cybersecurity defense internal audit. It will be good for the operators of a mission-critical system to find out the vulnerabilities they used to unaware of. Not everyone that discovers a vulnerability reports the issue to the developer, some of them even keep it to themselves for use in a future breach.

Here are some of the well-known vulnerability scanning apps available for download:

• Netsparker
• Acunetix
• Burp Intruder
• OpenVAS
• Nexpose Community
• Nikto
• Tripwire IP360
• Wireshark
• Aircrack
• Nessus Professional
• Retina CS Community
• Secunia Personal Software Inspector

These currently available tools generally give few clues as to how attackers might actually exploit combinations of vulnerabilities among multiple hosts to advance an attack on a network. After separating true vulnerabilities from false alarms, the security analyst is still left with just a set of known vulnerabilities. It can be difficult even for experienced analysts to recognize how an attacker might combine individual vulnerabilities to seriously compromise a network. For larger networks, the number of possible vulnerability combinations to consider can be overwhelming.

With network hardening, it is also necessary to distinguish between two types of network security conditions. One type appears only as exploit preconditions. The only way that such conditions can be true is if they are true in the initial network conditions since they are post-conditions of no exploit. These initial conditions are precisely the ones we must consider for network-hardening measures. The other type of condition appears as both exploit preconditions and postconditions. We can safely disregard such conditions for network hardening since attacker exploits can potentially make them true despite our hardening measures.

Many vulnerabilities are local, while are also not exploitable or detectable over a network. Processes are required to gather program-specific information from individual hosts, like those from host configuration files. For example, some trust relationship and group membership information are difficult to obtain remotely due to policies imposed in the system.

Attack paths can help network administrators determine the best way to harden their networks. To ensure complete security, all attack paths must be accounted for. Some approaches in the literature do not report all paths, while other approaches explicitly enumerate all of them. For scalability, what is needed is a representation that allows the implicit analysis of all possible attack paths without explicitly enumerating them.