eSecurity Planet may receive a commission from vendor links. Our recommendations are independent of any commissions, and we only recommend solutions we have personally used or researched and meet our standards for inclusion.

The powerful open-source tool Nmap scans the ports of network devices and probes website domains for known vulnerabilities. Since both internal security teams and malicious hackers can use Nmap, internal security teams should make sure to perform the scan first!

To become familiar with Nmap as a basic tool to detect basic vulnerabilities this article will cover:

• Getting Started with Nmap
• Nmap Vulnerability Scanning
• Vuln vs Vulners vs Vulscan
• How Do Attackers Use Nmap?
• Pros and Cons of Using Nmap
• Nmap Vulnerability Scanner Alternatives
• Bottom Line: Use Nmap for Inexpensive, Effective Vulnerability Scanning

Getting Started with Nmap

Nmap, or network map, provides open-source and free capabilities for auditing IT infrastructure, such as port scanning, host discovery, or device identification across a network. Both pen testers and threat actors use Nmap to collect information about their target, and Nmap has been recognized by CISA as an important free tool for network security.

Installing Nmap

Nmap began as a Linux utility, but it’s now available for all major operating systems, including Windows or macOS. Nmap comes pre-installed on several versions of Linux including Kali Linux. Other Linux systems users can use the command “apt-get install Nmap” to install it.

Users of all operating systems can download Nmap as well as the ZeNmap graphical user interface (GUI) front-end for Nmap. Those that prefer to use github can clone the official git repository using this command:

git clone https://github.com/Nmap/Nmap.git 

After installing Nmap, users can use the command line or ZeNmap to execute simple commands to map the local domain, scan ports on a host, and detect operating system versions running on hosts.

Many open source software packages have been infected with malware. To verify that the specific download of Nmap matches the intended contents, an organization can compare the download against the signature records maintained by Nmap.

Built-in Nmap Scripts

Running basic functions can be tedious. Users increase the capabilities of Nmap by running built-in Nmap scripts. These scripts should be periodically updated by running this command:

sudo Nmap --script-updatedb

An overview of basic commands and example scripts can be found in Nmap: Pen Testing Product Overview and Analysis.

Using Custom Nmap Scripts

Advanced users may prefer to combine multiple lines of instructions or more complex commands using the Python language and the Python-Nmap package.  Advanced users can also use the Nmap Scripting Engine (NSE) to enable network discovery, vulnerability detection (e.g., backdoor), and even specific exploits using the Lua programming language.  These scripts are .nse files and will typically contain comments for end users and code instructions for the machines.

Nmap Vulnerability Scanning

Nmap’s vulnerability scanning capabilities rely upon the vulnerability-detecting scripts categorized under “vuln” for vulnerability or custom scripts. Users can run built-in scripts individually or collectively using the “vuln” command. In addition, users can also download custom scripts such as Vulscan or Vulners.

As with any penetration testing or vulnerability scan, users must keep in mind that these invasive scans should only be performed with permission. Even scanning a system without permission could lead to attempts to impose fines or jail time depending upon the jurisdiction. For more information, a user can investigate regulations such as those found in the US (The Computer Fraud and Abuse Act), England (Computer Misuse Act 1990), India (Information Technology Act Sec. 43 and 66), Japan (The Act on the Prohibition of Unauthorised Computer Access), and many other countries.

Specific Nmap Vulnerability Scans

Nmap scripts contain well over 100 specific scans for vulnerabilities that can be run against domains or against specific host IP addresses. A comprehensive list of scanned vulnerabilities can be found on the Nmap website.

Application Scans: Run Nmap against a target domain (ex: esecurityplanet.com)  to check websites for vulnerabilities such as:

• http-csrf: Detect Cross-Site Request Forgery (CSRF) vulnerabilities by entering the command: Nmap -sV –script http-csrf <target domain>
• http-sherlock: Check if the “shellshock” vulnerability can be exploited in web applications by entering the command: Nmap -sV –script http-sherlock <target domain>

IT Host Scans: Run Nmap against a target IP address (ex: 166.96.06.4) to check for host vulnerabilities such as: 

• dns-update: Attempt to perform a dynamic domain name service (DNS) update without authentication by entering the command: Nmap -sU -p 53 –script=dns-update –script-args=dns-update.hostname=foo.example.com,dns-update.ip=192.0.2.1 <target IP address>
• smb-vuln-cve-2017-7494: Check if target IP address are vulnerable to the arbitrary shared library load vulnerability by using a script such as: Nmap –script smb-vuln-cve-2017-7494 -p 445 <target IP address>

Government advocated Nmap scripts will sometimes be released or promoted on official websites to help organizations address specific vulnerabilities. For example, the UK government maintains an open-source GitHub repository to help organizations scan networks for the Exim MTA vulnerability as part of the Scanning Made Easy project from the National Cyber Security Centre (NCSC) and its i100 industry partnership.

The repository provides a collection of officially promoted Nmap scripts to users, such as sysadmins, for detecting system vulnerabilities. The initial UK script focuses on the Exim message transfer agent (MTA) remote code execution vulnerabilities CVE-2020-28017 through CVE-2020-28026, also known as 21Nails.

The script contains information on:

• How it checks for the presence of the vulnerability
• Why the check is not intrusive
• Why there may be false positives and false negatives

How to Use Vuln

Nmap can scan a target domain or IP address for all vulnerabilities in the default script library for the “vuln” category with the appropriately named Vuln command:

sudo Nmap --script vuln <target domain or IP Address> -v

Note that the command may require “sudo” in Linux to run the command as a super user or as the Linux equivalent of an administrator. In most cases, elevated privileges will be required to run the more invasive and probing commands for Nmap. The -v, or verbosity, flag will provide extensive information about the tests run and their results.

Running these commands can be dangerous because of invasive and disruptive aspects of specific vulnerability scans. Instead of simply obtaining information, certain scans attempt to verify a vulnerability by attempting to exploit the vulnerability. In some cases, a successful exploitation will result in changes to the service or even crashing the service, website, or operating system.

A subset of the vulnerability scans can be performed using wildcards or asterisks (*) to run multiple scripts with similar names simultaneously. For example, adding the wildcard after the http command (http*) will run all vulnerability scans that start with “http” against a targeted domain.

When using any of the bulk scans, the results can become overwhelming and some users will want to exclude low CVSS score vulnerabilities. To only show vulnerabilities within a certain range add the following flag to the command where “x.x” is the CVSS score (ex: 6.5).

--script-args=mincvss=x.x

The complete command to exclude vulnerabilities below 6.5 would be:

Nmap --script vuln --script-args mincvss=6.5 <target>

Results of the scan can be exported in various file formats by adding flags followed by the file name in the command. This export will make it easier to share information or make the vulnerabilities available for other software.

Two common examples of the complete command are:

• XML File: Nmap –script vuln -oX file.xml <target>
• Browser Friendly XML File: Nmap –script vuln –webxml -oX file.xml <target>

Of course, the basic set of vulnerability scans may not be sufficient for some users because it only examines a limited, although important, set of vulnerabilities. Advanced users may download custom scripts such as Vulscan or Vulners to access a larger database of vulnerabilities.

How to Use Vulscan

To use the NSE script Vulscan, a user must first clone the software from the github repository using the git command:

sudo git clone https://github.com/scipag/vulscan

The user may need to make a soft link to the NSE scripts directory by executing the following command:

sudo ln -s pwd /scipag_vulscan /usr/share/Nmap/scripts/vulscan

In this case, /usr/share/Nmap/scripts/vulscan is the presumed directory for Nmap scripts on the user’s machine, but this directory may be adjusted as necessary. Once the directory is known to Nmap, Vulscan is available to be called by the –script flag to run additional vulnerability checks using the following syntax:

sudo Nmap -sV --script=vulscan/vulscan.nse <target IP address or host name>

Vulscan can be run to detect IT vulnerabilities against an IP address in the network or software vulnerabilities against a host name (ex: esecurityplanet.com). Vulscan will run non-invasive tests for all applicable vulnerabilities against the target. The results will display the port followed by limited information on the specific CVEs discovered.

How to Use Vulners

Vulners will typically be included in the standard Nmap NSE scripts, but a user can also clone the NSE script for Vulners from its github repository using the git command:

sudo git clone https://github.com/vulnersCom/Nmap-vulners.git /usr/share/Nmap/scripts/vulners

The file directory /usr/share/Nmap/scripts/vulscan is the presumed directory for Nmap scripts on the user’s machine, but this directory may be adjusted as necessary. Once cloned, Vulners is available to be called by the –script flag using the following syntax:

sudo Nmap -sV --script Nmap-vulners/vulners.nse <target host or IP address>

Users can target specific ports on an IP address by adding -p<#> (ex: -p80 to target port 80) at the end of the command line. The results will display the discovered CVEs and will link to the Vulners website for more information.

Vuln vs Vulners vs Vulscan

Vuln and Vulners are included in the basic NSE script database and will be updated when updating all scripts for Nmap. Vulscan is not included in the basic script set and must be downloaded and updated separately. 

Vulners sends common platform enumeration (CPE) information received from port scans to vulners.com using the site’s API to actively download the latest common vulnerabilities and exposures (CVE) information from the site’s database. Vulners also requires internet access to reach the external databases of vulnerabilities. 

This information sharing of vulnerabilities may not be appropriate for organizations deeply concerned about the secrecy of their environment. There is an option with Vulscan to use a local database, but this generally removes the advantage of using Vulscan’s fully updated database. 

Vuln and Vulscan do not send CPE information outside of the scanned organization and use locally stored vulnerability databases.

The advantage of sending the CPE information is that Vulners hosts a fully updated set of CVEs. Vuln only detects 150 top vulnerabilities for systems and Vulscan uses an offline copy of vulnerability databases.

Vuln can risk disruption because Vuln tests for the presence of some vulnerabilities by attempting to verify exploitation and disruption or corruption of that service. However, the active probing will increase confidence and reduce the chance of a false positive. 

Vulners and Vulscan avoid the risk of disruption because they do not attempt to verify or exploit vulnerabilities. The confidence in both of these tools depends upon the accuracy and precision of the detection capabilities of the specific version of Nmap. Both of these tools may also be confused by non-standard, custom, or patched builds of specific services, which may lead to more false positives.

Of the three tools, the Vuln category of scripts can immediately produce highly accurate scans for a limited set of important vulnerabilities. However, while the number of vulnerabilities is small, the in-depth probing of the vulnerability can take 3-4 times longer than Vulners or Vulscan.

While both of the manually downloaded vulnerability scanners will enjoy a much more extensive and robust selection of CVEs to detect, Vulners will typically be the most updated scan since IT teams may forget to manually update Vulscan databases. But for more secretive organizations that need to avoid releasing CPE information, Vulscan’s use of a local database may be the best choice among the Nmap options.

How Do Attackers Use Nmap?

Attackers use Nmap to scan large networks quickly by using raw IP packets to identify available hosts and services on the network and determine their vulnerabilities. Hackers and pen testers typically add specific options to cover their tracks.

Decoy scans add the -D option flag (Nmap -p 123 -D decoyIP targetIP), to hide the attacking IP address and send source-spoofed packets to the target in addition to the scanning machine packets. The additional packets make port scan detection harder for defenders.

Attackers can also run zombie scans, also known as idle scans. This side-channel attack attempts to send forged SYN packets to the target using the IP address of the “zombie” endpoint on the network. This method attempts to fool the intrusion detection system (IDS) into mistaking the innocent zombie computer for the attacker. A more thorough review of Nmap attacks can be found in the Nmap Ultimate Guide: Pentest Product Review and Analysis.

Do Host Systems Detect Nmap Scans?

SIEM tools, firewalls, and other defensive tools, can receive alerts from systems and the scanned system will log the successful TCP requests from the many Nmap port scans. More sophisticated IDS/IDP tools might also detect malformed TCP requests, such as the Nmap stealthy requests that do not complete a TCP connection. Disruptive scans that cause system or service failure will definitely be detected by systems as well as by affected users.

Pros and Cons of Using Nmap

Nmap provides powerful vulnerability capabilities and should be under consideration for use within most organizations. However, there are many reasons why Nmap is not used universally.

Pros: Reasons to Use Nmap

• Open source and free so great for hackers, students, and all organizations
• Quick scans provide a fast look at potential vulnerabilities
• Lightweight TCP scans do not consume enormous network bandwidth and can escape some network security tools
• A hacker preview for organizations checking their internal systems
• Scriptable scans enable an organization to create repeatable vulnerability scans usable by non-technical users and for hackers to embed Nmap commands and scans into malware

Cons: Reasons Not to Use Nmap

• Less user friendly than commercial tools with more advanced GUIs
• Easy to make mistakes with command line entries
• Lack of programmers in an organization’s IT staff to create custom scripts or understand Nmap scripts
• Less formal support than commercial tools
• Limited vulnerability scans through the basic vuln command

Nmap Vulnerability Scanner Alternatives

Nmap remains a popular tool among many, but it certainly is not the only vulnerability scanner available. Open-source vulnerability scanner options for applications include OSV-Scanner or OWASP Zed Attack Proxy (ZAP) and for infrastructure include CloudSploit or OpenVAS.

There are many commercially available vulnerability scanners as well. The best vulnerability scanners for applications or infrastructure include Invicti, Tenable.io, ManageEngine’s Vulnerability Manager Plus, as well as others listed below:

Bottom Line: Use Nmap for Inexpensive, Effective Vulnerability Scanning

Nmap provides a no-cost option to detect vulnerabilities, double-check the results of commercial vulnerability scanners, or provide an effective sneak peek at the way a hacker might view opportunities in the organization’s infrastructure. Everyone, even an organization selecting to use a commercial vulnerability scanner, should consider using Nmap as a vulnerability scanning tool in their arsenal.

Read next: 

• Top Vulnerability Management Tools
• The 8 Best Vulnerability Scanner Tools for 2023
• 10 Best Open-Source Vulnerability Assessment Tools for 2023
• Nmap: Pen Testing Product Overview and Analysis

This article was originally written by Julien Maury on February 8, 2022 and revised by Chad Kime on July 14, 2023.

The post How To Use Nmap for Vulnerability Scanning: Complete Tutorial appeared first on eSecurityPlanet.

This guide to zero trust and IAM breaks down these terms, why they’re important, and how they might work together in IT environments. We’ll look at Kolide — this article’s sponsor and a provider of device trust solutions — as one way to increase trust in users accessing applications and IT systems.

Understanding Zero Trust and IAM

To understand how zero trust and IAM can work together, it’s best to understand how they work on their own.

• Zero trust is an approach to infrastructure security that never automatically trusts a user before verifying their identity and authorization. Zero trust also doesn’t restrict security to the network perimeter, since plenty of threats can slip through a firewall and move laterally through an organization’s network. Stopping lateral movement and attack escalation is one of the key benefits of zero trust.
• IAM manages both users’ identities and their rights to access company applications and other systems. An IAM tool compares access attempts against stored credentials to determine if a user is who they say they are. It then provides access according to predefined access policies.

Zero trust only permits a user or device once it has proven itself compliant with all of an enterprise’s predefined policies. IAM enforces identity and access management policies. Basically, IAM is a component of zero trust security, but it isn’t everything. The two are not interchangeable, but IAM helps organizations standardize and verify user identities.

Keep in mind that zero trust cannot be achieved by purchasing a single product, and it takes time to implement a comprehensive architecture. However, some vendors offer pieces of the zero trust puzzle, helping employees achieve compliance with their organization’s security goals.

Read more about the challenges of zero trust.

Adding Zero Trust to IAM

To implement zero trust concepts within your company’s identity and access management, your IT and security teams must rethink each sector of your IT infrastructure. Examples include network access controls, biometrics, and device security.

While no single vendor can give your business an all-encompassing zero trust solution, there are providers who offer specific products to address facets of zero trust. Kolide is one such provider. It’s a security tool that integrates with Okta and focuses on the device part of zero trust. Just because a business decides to trust a device doesn’t mean it’s trustworthy. Kolide authenticates devices as they log into Okta. If a given device doesn’t meet a certain set of activated policies, the device is blocked.

Typically, a zero trust architecture gives IT teams hiccups because every blocked device or user, every set of failed credentials that possibly indicates a breach, must then be routed through them. This often looks like a deluge of support tickets that IT admins must manually sort through. Kolide decreases the manual load on IT teams by providing self-service options for users when a device is blocked.

A security or IT team member has already set a policy to block any devices with insecure browsers. When a user tries to log into Okta and pass the Kolide verification, they’re blocked because their Google Chrome is out of date.

Kolide is designed to help user devices become compliant and to reduce the manual burden on IT teams. Therefore, users aren’t just hung out to dry when their device is blocked. Instead, they have the immediate option to fix the issue. Kolide provides a list of remediation instructions, which users can access simply by clicking the “Details” button (screenshot below).

Rather than immediately blocking devices without providing further information, Kolide is intended to show users how to make their devices compliant. If the device is the problem and the issue isn’t identified and fixed, users will continue running into roadblocks when they attempt to access necessary applications. But with software that educates users and tells them why a device has been blocked, employees are able to more quickly solve expired licenses or software updates. And by self-servicing the problem, users reduce the load on IT teams.

By focusing on device vulnerabilities, Kolide can identify issues like Mac computers with bad batteries and Microsoft product installations with falsified or expired licenses. Some of these might just be an update that fell through the cracks, but some could be an unauthorized user from outside the organization.

Kolide specifically focuses on the devices attempting to access business services. While a user’s identity might be verifiable, their device’s security could have vulnerabilities or might already be compromised. Kolide doesn’t automatically trust devices until they demonstrate compliance with its policies, which users can configure in accordance with their business’s security strategy.

Going Beyond Identity Management

Although IAM plays a critical role in security infrastructure, its drawback is limited focus, according to Nick Fitzsimmons, VP of Marketing at Kolide. IAM mainly just verifies the user’s identity.

“But that’s only half the battle,” Fitzsimmons said. “A legitimate user can still do a lot of damage if their device is infected with malware. What makes Kolide different from those tools, and other endpoint security tools, is that we can check virtually anything about a device’s posture, and restrict access based on that.”

Additionally, all users must have Kolide on their phone or laptop to authenticate their connection. Threat actors aren’t able to use stolen credentials to log into applications using Kolide.

Compliance-based device authorization is just one example of developing zero trust strategies within a business IT system. Integrating “never trust, always verify” policies within your identity and access management solution — in this case, Okta — helps teams avoid issues that standard IAM might not be able to solve.

Zero trust applies to every sector of your IT infrastructure. It’s not a set-and-forget solution, but it gives businesses a clearer view of their user and device access attempts and the vulnerabilities that plague them.

Learn more about implementing a zero trust infrastructure.

Zero Trust Builds a Granular Security Infrastructure

In cybersecurity, granularity simply means detail and specificity. In other words, can our organization build such specific policies, unique to our needs and security requirements, that we successfully protect our applications and data?

Zero trust builds additional context for identity and access management. For example, Kolide’s approach to policy customization lets teams create very specific rules. Kolide then has context for users’ devices, can determine whether that device complies with predetermined policies, and can block a device if it seems to pose a threat. This is all based on the access criteria that’s important to an individual organization. Zero trust should be customizable.

According to Fitzsimmons, there are two major challenges for businesses to develop zero trust within an existing IAM framework. “The first is that they need to provide real-time device posture at the point of authentication that can align with industry standards and internal policies,” Fitzsimmons said. “This has to be cross-platform and able to go deeper than the basics like hard drive encryption and firewall status.

“The second is that they can’t simply leave users blocked without the context and agency to unblock themselves. This creates the IT bottleneck that often leads to failed Zero Trust implementations.”

It’s critical for users to take on some responsibility for the role they play in zero trust, not least because that helps IT teams focus on their roles within the organization.

Is a granular security infrastructure difficult to implement? It can be. IT and security teams aren’t always used to this level of detail. And zero trust is a relatively new approach to cybersecurity. But it’s worthwhile, especially for enterprises that want to take their protective measures into their own hands.

Bottom Line: Zero Trust and IAM for Enterprises

Keep in mind that device compliance is only one aspect of zero trust. To compile a full zero trust architecture, your organization will have to strategically choose solutions that address zero trust and IAM, integrate well with each other, and make sense for your security requirements. A financial services firm will have different security policies than a locally based nonprofit. However, they can both benefit from a zero trust approach to identity management — it just might look different.

Don’t be discouraged if it takes your IT and security teams a significant amount of time to deploy zero trust concepts, even if you already use an IAM solution. IAM is just one component of zero trust, but it’s a good start. Tools like Kolide can help businesses develop a comprehensive security infrastructure, but don’t be afraid when that process takes time. It’s still one of the best choices you can make for your business’s overall cyber protection.

The post How to Enhance IAM by Adding Layers of Zero Trust appeared first on eSecurityPlanet.

In this article, we’ll delve into various types of vulnerability scans, explore their benefits, outline the ideal scenarios for running each type, and list the best vulnerability scanning tool to use for each type of scan. By understanding these distinctions, you can improve your overall cybersecurity defenses and harden your systems against potential threats.

See The Best Vulnerability Scanner Tools

Jump ahead to:

• Host-based Scanning
• Port Scanning
• Web Application Vulnerability Scanning
• Network Vulnerability Scanning
• Database Scanning
• Source Code Scanning
• Cloud Vulnerability Scanning
• Internal Scanning
• External Scanning
• Assessment Scanning
• Discovery Scanning
• Compliance Scanning
• What’s the Difference Between Authenticated & Unauthenticated Vulnerability Scans?
• Choosing Which Type of Vulnerability Scan to Run
• Bottom Line: Types of Vulnerability Scans

Host-based Scans

Host-based vulnerability scanning is aimed at evaluating vulnerabilities on specific hosts within an organization’s network. These scans can be agent server-based, in which an agent is deployed on the target host; agentless, in which no agent is required; or standalone, in which the scanning capabilities are self-contained.

• Agent-Server: The scanner installs agent software on the target host in an agent-server architecture. The agent gathers information and connects with a central server, which manages and analyzes vulnerability data. The agent does the vulnerability scan and sends the results to a central server for analysis and remediation. In general, agents collect data in real time and transmit it to a central management system. One disadvantage of agent-server scanning is that the agents are bound to specific operating systems.
• Agentless: Agentless scanners do not require any software to be installed on the target machine. Instead, they collect information through network protocols and remote interactions. To centrally launch vulnerability scans or establish an automatic schedule, this approach requires administrator-credentialed access. Agentless scanning does not require the same operating system-specific requirements as agents. This allows for the scanning of more network-connected systems and resources, but the evaluations require consistent network connectivity and may not be as thorough as with agents.
• Standalone: Standalone scanners are self-contained applications that run on the system being scanned. They examine the host’s system and apps for weaknesses. This scan does not use any network connections and is the most time-consuming of the host-based vulnerability scans. It is necessary to install a scanner on each host that will be checked. Most enterprises that manage hundreds, if not thousands, of endpoints will discover that standalone tools are not practical.

Benefits of Host-based Scans

• Identifies vulnerabilities in the operating system, software, and settings of the host
• Provides visibility into the security status of specific network hosts
• Assists with patch management and quick vulnerability repair
• Aids in the detection of illegal program installs or modifications to settings
• Contributes to the overall security of hosts by minimizing the attack surface

When to Run a Host-based Scan

• When thorough information on the host’s setup, patches, and software is necessary 
• When assessing the security of individual network systems or servers, and organizations with a complicated network infrastructure with a high number of individual hosts

Best Tool to Use

Tenable Vulnerability Management (formerly Tenable.io) provides enterprises with a comprehensive and fast solution for assessing vulnerabilities at the host level. Tenable.io’s host-based scanning works by deploying lightweight software agents on specific hosts throughout the network. These agents gather data on the host’s operating system, installed software, settings, and other pertinent information. This data is subsequently transmitted to the Tenable.io platform for analysis and vulnerability assessment.

Tenable.io is a popular option for enterprises looking for comprehensive host-based scanning solutions due to its agent-based approach, continuous monitoring, asset management features, integration capabilities, and vast vulnerability knowledgebase.

Pricing: Tenable Vulnerability Management costs $2,275 a year for 65 assets, with discounts for multi-year contracts.

Port Scans

Port scanning sends network queries to different ports on a target device or network. The scanner detects which ports are open, closed, or filtered by analyzing the results. Open ports may suggest possible vulnerabilities or network-accessible services.

Benefits of Port Scanning

• Detects open ports and services on target computers, revealing potential attack vectors
• Identifies misconfigurations and services that may be exposed to exploitation
• Assists in network mapping and understanding the network infrastructure’s topology
• Detects illegitimate or unfamiliar services on network devices
• Closes unnecessary open ports and services to help with security hardening

When to Run a Port Scan

• When businesses want to know how vulnerable their network is to outside attacks
• Useful for locating open ports, services, and other points of entry that attackers may use
• It is advised as the first step in evaluating the security of network equipment and systems

Best Tool to Use for Port Scans

Nmap Security Scanner communicates directly with the host’s operating system to collect information on open ports and services, after which it applies techniques such as TCP connect scanning, SYN scanning, UDP scanning, and more. Each approach employs a different strategy to ascertain the state of the target ports (open, closed, or filtered).

Because of its versatility, extensive features, active development, scripting support, and cross-platform compatibility, Nmap’s host-based scanning for port scans is highly respected. These features make Nmap a popular port scanning tool among network administrators, security experts, and amateurs.

Nmap is free and open source for end users, but there’s also a paid license for OEM redistribution.

Also read: Nmap Vulnerability Scanning Made Easy: Tutorial

Web Application Scans

Web application scanners are used to identify vulnerabilities in web applications. These scanners frequently probe software to map its structure and discover potential attack vectors. These scanners automate the process of scanning web applications, evaluating the application’s code, configuration, and functioning to find security flaws. Web application scanners simulate many attack scenarios to discover common vulnerabilities, such as cross-site scripting (XSS), SQL injection, cross-site request forgery (CSRF), and weak authentication systems. They utilize techniques such as crawling the application to identify all available pages, sending input data to forms, and reviewing server responses for potential vulnerabilities. Web app canners typically use predefined vulnerability signatures or patterns to detect existing vulnerabilities.

Benefits of Web Application Scans

• Detects web application-specific vulnerabilities such as SQL injection, XSS, and insecure authentication
• Aids in the discovery of security holes that might result in unauthorized data access or alteration
• Assists in maintaining compliance with standards and regulations
• By detecting code flaws and vulnerabilities in online applications, it contributes to secure development standards
• Reduces the likelihood of breaches and safeguards critical user data

When to Run a Web Application Scan

• Ideal for use by organizations with web apps, websites, or other online services
• When reviewing the security of online applications and finding vulnerabilities such as XSS, SQL injection, or improper authentication
• For web-based systems, it’s recommended throughout the development phase or as part of ongoing security audits

Best Tool to Use

Invicti applies an automated scanning technique to identify vulnerabilities in web applications. It discovers and evaluates all aspects of an online application, including its pages, inputs, and functions, using a combination of crawling and scanning approaches. The scanning engine of Invicti can identify a wide range of online application vulnerabilities, such as SQL injection, XSS, and remote code execution, among others. 

The platform’s automated scanning, deep scanning capabilities, business logic testing, and powerful reporting capabilities make it a top choice for enterprises looking for dependable and quick web application security evaluations.

Invict does not publish pricing information, but the price for each plan can be obtained by contacting the vendor.

Also read:

• Best DevOps, Website, and Application Vulnerability Scanning Tools
• Top Web Application Firewalls (WAF)

Network Vulnerability Scans

Network vulnerability scanners detect vulnerabilities by scanning for known flaws, incorrect settings, and out-of-date software versions. To find vulnerabilities throughout the network, these scanners frequently use techniques such as port scanning, network mapping, and service identification. It also examines network infrastructure, including routers, switches, firewalls, and other devices.

Benefits of Network Vulnerability Scanning

• Detects flaws in network infrastructure components such as routers, switches, and firewalls
• Aids in the detection of misconfigurations, insufficient encryption algorithms, and out-of-date software versions
• Aids in the maintenance of a secure and robust network environment
• Supports risk management and vulnerability prioritization based on criticality
• Assists in meeting security standards and regulatory obligations

When to Run a Network Vulnerability Scan

• When safeguarding the network perimeter, preventing illegal access, and evaluating network device security
• Appropriate for enterprises looking to analyze the overall security of their network architecture
• Effective for detecting vulnerabilities in network equipment
• Recommended as part of routine security evaluations or while making network upgrades

Best Tool to Use

Microsoft Defender for Endpoint (formerly known as Microsoft Defender Advanced Threat Protection) is gaining traction as a vulnerability management scanning tool, especially for remote work and work from home scenarios. Within its security suite, it provides complete network vulnerability detection capabilities and operates solely through agent-based deployment. Microsoft Defender for Endpoint captures and analyzes network traffic data, such as network flows, protocols, and communication patterns, by deploying network sensors.

Microsoft Defender for Endpoint offers a number of benefits for network vulnerability scanning. Features include seamless interaction with Microsoft threat intelligence, behavior-based detection techniques, endpoint protection correlation, and centralized management. These capabilities enable enterprises to discover and resolve network vulnerabilities proactively, strengthen their security posture, and reduce possible threats.

Microsoft offers a three-month free trial for users to test out Microsoft Defender for Endpoint. Additionally, the Microsoft 365 E5 subscription includes Microsoft Defender for Endpoint Plan P2, which costs $57 per user per month. Contact Microsoft sales for detailed price information on different plans.

See the Best Enterprise Vulnerability Scanners

Database Scans

Database scanners are used to evaluate the security of database systems. They examine database setup, access controls, and stored data for vulnerabilities such as insecure permissions, injection problems, or unsafe settings. These scanners frequently provide information for securing databases and safeguarding sensitive data.

Benefits of Database Scanning

• Detects database-specific vulnerabilities such as insufficient access controls, injection problems, and misconfigurations
• Aids in the protection of sensitive data from illegal access or disclosure
• Assists in ensuring that data protection rules are followed
• Improves performance by detecting database-related problems
• Improves overall database security and integrity

When to Run a Database Scan

• When evaluating database management systems (DBMS), safeguarding databases, and protecting sensitive data from unwanted access
• Useful for organizations that use databases to maintain sensitive information
• Useful for finding database-specific vulnerabilities, misconfigurations, and lax access constraints
• Recommended for enterprises that prioritize data storage security and must comply with industry laws

Best Tool to Use

Imperva’s Scuba Database Vulnerability Scanner can detect hidden security issues inside your databases that may be missed by routine monitoring or manual assessments. Scuba is intended to scan enterprise databases for potential security vulnerabilities and misconfigurations, such as in Oracle, Microsoft SQL Server, SAP Sybase, IBM DB2, and MySQL. Following the completion of the scan, Scuba provides information and solutions on how to fix the detected concerns. This then assists database administrators and security teams in efficiently prioritizing and mitigating threats. Scuba is available for a variety of operating systems, including Windows, Mac, and Linux (both x32 and x64).

One notable advantage of Scuba is that it is available as a free tool, making it accessible to businesses with limited budgets or those looking for a cost-effective alternative.

Also read: 7 Database Security Best Practices: Database Security Guide

Source Code Scans

Early in the development cycle, source code should be checked for security vulnerabilities to identify possible issues before they become too costly to fix. Source code scanners examine software applications’ source code for security flaws, coding mistakes, and vulnerabilities. They look for possible vulnerabilities such as input validation errors, improper coding practices, and known susceptible libraries in the codebase. During the software development lifecycle, source code scanners assist developers in identifying and correcting vulnerabilities.

Benefits of Source Code Scanning

• Detects security flaws and vulnerabilities in software application source code
• Helps in the detection and correction of code problems early in the development lifecycle
• Supports secure coding methods and industry standards conformance
• Assists in lowering the risk of application vulnerabilities
• Contributes to the overall security and reliability of software programs

When to Run a Source Code Scan

• Most appropriate for use during the software development lifecycle to ensure code quality and security, detect vulnerabilities in source code and prevent security issues in production
• Ideal for firms that develop their own software applications
• Useful for examining source code for vulnerabilities and potential security flaws

Best Tool to Use

Snyk scans the source code of software projects for potential vulnerabilities and security flaws. It examines the dependencies and libraries used in a project by scanning code sources, including Git repositories and package manifests. Snyk contains a large collection of security advisories and vulnerability information that is constantly updated, allowing it to reliably discover problematic dependencies. Snyk interfaces easily with CI/CD pipelines, enabling automatic security scanning throughout the software development lifecycle. It is compatible with common development tools and processes such as GitHub, Bitbucket, Jenkins, and others.

Snyk offers a free version with limited tests per month. Unlimited testing features can be availed in their Team plan starting at $52 per contributing developer per month.

See the Top Application Security Tools & Software

Cloud Vulnerability Scans

Cloud vulnerability scanners evaluate the security of cloud environments such as IaaS, PaaS, and SaaS installations. They offer insights and ideas for improving cloud deployment security. These scanners investigate cloud setups, access restrictions, and services to detect misconfigurations, poor security practices, and cloud-specific vulnerabilities.

Benefits of Cloud Vulnerability Scanning

• Identifies cloud-specific vulnerabilities such as misconfigurations, lax access constraints, and insecure services
• Assists in maintaining a secure and compliant cloud infrastructure
• Maintains visibility and control over cloud assets
• Implements cloud security best practices and regulatory requirements
• Lowers the likelihood of illegal access, data breaches, or cloud-related risks

When to Run a Cloud Vulnerability Scan

• When checking the security of cloud-based servers, storage, and applications, as well as assuring adequate cloud resource configuration
• Ideal for businesses that use cloud infrastructure and services
• Useful for evaluating the security of cloud resources, settings, and permissions
• Recommended for enterprises using cloud technologies to guarantee proper cloud configuration and administration

Best Tool to Use

Wiz is a cloud-native security platform that makes use of cloud-native technologies and APIs to enable seamless integration and comprehensive scanning capabilities. It was recognized as the second easiest-to-use vulnerability scanner platform on G2.

Wiz is optimized for cloud environments and has extensive features for cloud security. It is capable of handling large-scale cloud infrastructures, making it appropriate for enterprises with complicated and broad cloud installations. Wiz also automates vulnerability screening and provides continuous monitoring, allowing security teams to keep up with new threats and security issues in real time. These characteristics allow enterprises to effectively scan and monitor cloud resources, keeping up with changing cloud environments.

Wiz does not list pricing on their website but you may contact the vendor for a custom quotation.

Also read:

• Best Cloud Native Application Protection Platforms (CNAPP)
• Best Cloud, Container and Data Lake Vulnerability Scanning Tools

Internal Scans

Internal scans are designed to identify vulnerabilities in an organization’s internal network. They inspect systems, servers, workstations, and databases for security flaws that may lie within network borders. These scans are performed from within the network by looking for flaws such as privilege escalation vulnerabilities. Internal scans are particularly beneficial for mapping employee permissions and identifying potential weaknesses to an insider attack.

Benefits of Internal Scanning

• Identifies internal network vulnerabilities such as systems, servers, and workstations
• Maintains a secure internal environment and mitigates internal dangers
• Detects potential security flaws that might be exploited by insiders
• Helps enforce internal security rules and regulations
• Provides visibility into the internal network’s overall security posture

When to Run an Internal Scan

• To identify weaknesses that may not be apparent from the outside while examining the security of internal network infrastructure
• Useful for firms who wish to assess the security of their internal network
• Useful for finding internal infrastructure vulnerabilities and misconfigurations
• Recommended as a preventative strategy to address security concerns within an organization’s network perimeter

Best Tool to Use

OpenVAS is a popular open-source vulnerability scanner for internal vulnerability scanning. It locates and identifies the assets within your internal network that require scanning. It can detect all the devices and systems on an internal network by scanning a range of IP addresses or specified network segments. It then scans the scanned systems and devices for known vulnerabilities, misconfigurations, weak passwords, and other security concerns.

OpenVAS makes use of a large number of plugins, also known as Network Vulnerability Tests (NVTs), that are continuously updated. These plugins include tests for a variety of vulnerabilities, exploits, and security flaws. The plugins are used by OpenVAS to scan and analyze internal network components, discovering potential vulnerabilities and producing thorough reports.

OpenVAS also features configuration auditing tools and a capability to generate thorough reports following the scan that highlight the vulnerabilities and misconfigurations detected during the evaluation.

OpenVAS is a free open-source program.

See the Best Open-Source Vulnerability Scanners

External Scans

External scans identify vulnerabilities in an organization’s internet-facing assets. These scans target internet-accessible services, apps, portals, and websites to detect any flaws that external attackers may exploit. They examine all internet-facing assets, such as employee login pages, remote access ports, and business websites. These scans help companies understand their internet vulnerabilities and how they might be exploited to obtain access to their network.

Benefits of External Scanning

• Detects vulnerabilities in internet-facing components such as apps, websites, and portals
• Detects potential entry points for external attackers
• Helps maintain a secure perimeter and protection against external dangers
• Helps meet compliance requirements for external security evaluations
• Reduces the danger of unauthorized access, data breaches, or external-facing system exploitation

When to Run an External Scan

• Recommended when analyzing and blocking unwanted access to publicly accessible systems, websites, and network services
• Suitable for enterprises that need to assess the security of their network from the outside
• Useful for discovering vulnerabilities that external attackers may exploit
• Recommended to use as part of standard security evaluations or to meet external regulations or requirements

Best Tool to Use

Many vulnerability scanners are designed to just scan for internal vulnerabilities, but Rapidfire Vulnerability Scanner is built to search for both internal and external vulnerabilities.

Rapidfire focuses on identifying security flaws in systems and devices accessible from beyond a network’s perimeter. It searches for possible vulnerabilities in publicly available IP addresses, domains, and internet-facing assets. To find vulnerabilities, the scanner applies a number of approaches, including scans for missing patches, unsafe settings, weak passwords, known attacks, and other security flaws. It makes use of vulnerability databases and constantly updated signatures to ensure that vulnerabilities are correctly identified. Reports provide precise insights into vulnerabilities, allowing security teams to efficiently prioritize and resolve concerns.

RapidFire Tools doesn’t post pricing information, but interested customers may request a quote.

Read more: External vs Internal Vulnerability Scans: Difference Explained

Assessment Scans

Vulnerability assessments entail a thorough examination of a company’s systems, networks, applications, and infrastructure. These evaluations seek to identify vulnerabilities, evaluate risks, and make suggestions for risk mitigation. They can identify particular flaws or holes that might be exploited by attackers to undermine system security. Vulnerability assessment scans often comprise scanning the target environment using automated tools for known vulnerabilities, misconfigurations, weak passwords, and other security concerns. The scan results offer a full report on the vulnerabilities discovered, their severity, and potential consequences.

Benefits of Assessment Scanning

• Provides a thorough examination of vulnerabilities in systems, networks, and 
• applications
• Aids with assessing an organization’s overall security posture
• Prioritizes vulnerabilities based on severity and probable effect
• Assists in making educated judgments about risk reduction and remedial initiatives
• Helps meet security standards and regulatory obligations

When to Run an Assessment Scan

• Relevant for enterprises looking for a full assessment of their entire security posture
• Useful for doing comprehensive vulnerability assessments across many systems, networks, and applications
• Recommended on a regular basis or whenever a complete examination of an organization’s security is necessary

Best Tool to Use

Rapid7 Nexpose is a vulnerability management solution with extensive assessment scanning capabilities. It provides complete vulnerability assessments, risk prioritization, and remedy advice. Nexpose is well-known for its simplicity of use and interoperability with other security solutions. Users may undertake rapid evaluations of their environment and any security risks by sorting asset information.

Rapid7 offers both free and paid plans for Nexpose. Contact the vendor for specific pricing information.

Also read: 7 Steps of the Vulnerability Assessment Process Explained

Discovery Scans

While an assessment scan is focused on a specific system or network, a discovery scan is focused on the identification and inventorying of assets within a network environment. Its goal is to map the network and identify the devices, systems, applications, and services that exist on it.

A discovery scan’s primary goal is to offer an accurate and up-to-date inventory of assets, including IP addresses, operating systems, installed applications, and other pertinent information. It aids in the understanding of network topology, the detection of illegal devices or rogue systems, and asset management. Discovery scans are less invasive than vulnerability assessment scans and are used to obtain information about the network architecture.

Benefits of Discovery Scanning

• Helps manage overall risk and security governance
• Identifies and makes inventories of assets in the network environment
• Assists in maintaining visibility and control over an organization’s infrastructure
• Helps in the detection of illegal devices or rogue systems
• Assists in network management and understanding the range of vulnerability evaluations

When to Run a Discovery Scan

• Recommended when keeping an up-to-date list of connected devices, detecting illegal or rogue devices, and guaranteeing network visibility
• Suitable for enterprises that need to discover network-connected devices or systems
• Useful for network inventory management, detecting illegal devices, and monitoring network changes
• Recommended for use during the initial deployment of a vulnerability management program or as part of continuous network monitoring efforts

Best Tool to Use

Because of its user-friendly design and enhanced network mapping features, Zenmap, a graphical interface for Nmap, stands out as an outstanding option for doing network discovery scans.

Zenmap makes network scanning and viewing easier with a user-friendly design. Zenmap lets users save frequently used scans as profiles, allowing them to be performed repeatedly without the need for manual setup.

Users can construct Nmap command lines interactively using Zenmap’s command creator function. Zenmap maintains a searchable database that records scan findings, allowing for simple information access and retrieval.

Zenmap is a free open-source application.

See the Top IT Asset Management (ITAM) Tools for Security

Compliance Scanning

Compliance scans compare an organization’s systems and networks to regulations, standards, and best practices. These scans ensure that security policies and settings are in accordance with the appropriate compliance frameworks, assisting enterprises in meeting regulatory obligations.

Benefits of Compliance Scans

• Contribute to meeting regulatory and industry standards
• Identify vulnerabilities and flaws that might lead to compliance violations
• Assists with the deployment of security controls in order to achieve compliance
• Helps with paperwork and reporting for compliance audits
• Assists in the maintenance of a secure and compliant environment

When to Run a Compliance Scan

• Useful for assuring adherence to specific security needs and checking compliance with industry or regulatory norms
• When meeting compliance regulations such as PCI DSS, HIPAA, or GDPR

Best Tool to Use

OpenSCAP is an open-source platform that analyzes system security compliance and assures adherence to security standards. The scanner includes a comprehensive set of tools for scanning online applications, network infrastructure, databases, and hosts. Unlike other scanners, OpenSCAP compares the device to the SCAP standard rather than checking for Common Vulnerabilities and Exposures (CVEs).

To assess system compliance, OpenSCAP employs a mix of specified security content and scanning algorithms. It offers a security policy library known as SCAP (Security Content Automation Protocol) content, which comprises security baselines, configuration rules, and vulnerability tests. Compliance scans may be planned and done automatically using OpenSCAP’s automation features, minimizing manual work and enhancing operational efficiency.

OpenSCAP is a free, open-source project and is continually enhanced, updated, and evaluated by a diverse group of contributors, assuring the availability of current security material and continued development.

See the Top Governance, Risk and Compliance (GRC) Tools

What’s the Difference Between Authenticated & Unauthenticated Vulnerability Scans?

There are two primary approaches to vulnerability scanning: authenticated and unauthenticated scans. Here are key differences between the two.

• Authenticated Scans:
  • Allow users to log in to the target system or network using valid credentials
  • Provides a thorough evaluation of configuration, fixes, and software
  • With preset scan settings and credentials, tools such as Nmap, Nessus, or OpenVAS can be utilized
  • Accessing restricted regions provides more accurate and thorough findings
  • These tools are useful for doing detailed evaluations, finding misconfigurations, and ensuring compliance with security requirements
• Unauthenticated Scans:
  • Instead of relying on credentials, unauthenticated scans leverage external data and probes
  • Scan open ports, services, and online applications for vulnerabilities
  • Commonly used tools include Nmap, Nikto, and ZAP
  • Provides a quick and straightforward approach to find vulnerabilities
  • These tools are useful for doing broad assessments, assessing security posture, and finding exposed or vulnerable services

A thorough vulnerability scanning approach should include both authenticated and unauthenticated scans. This provides larger coverage and better insights on a system’s or network’s strengths and shortcomings. Comparing the outcomes of both categories aids in identifying disparities and areas that require more research or correction. Including both authorized and unauthenticated scans improves overall security awareness and preparation.

Also read: Penetration Testing vs Vulnerability Scanning: What’s the Difference?

Choosing Which Type of Vulnerability Scan to Run

• When evaluating vulnerabilities on specific hosts inside the network, use host-based scanning.
• When discovering open ports and services on network systems or devices, perform a port scan.
• When finding and resolving vulnerabilities in web applications, websites, and related services, do a web application vulnerability scan.
• Run a network vulnerability scan while evaluating an infrastructure’s overall security.
• Run a database scan to find issues with database settings and systems.
• Run source code scanning to look for any potential weaknesses in software programs.
• Run a cloud vulnerability scan to assess the security of cloud resources.
• When looking for internal vulnerabilities of a network environment, do an internal scan.
• Run an external scan to assess your vulnerabilities from outside the network.
• Run an assessment scan to obtain a thorough evaluation of the condition of your security.
• Run a discovery scanning procedure to learn what devices or systems are connected to the network.
• Run a compliance scan to ensure that a certain set of industry standards, rules, or laws is being followed.

Here are some guidelines for choosing a vulnerability scanning tool:

• The vulnerability scanner should ideally be simple to set up and use. It is essential to have a visual dashboard that clearly displays the location, nature, and severity of a detected threat.
• The scanner should be sufficiently automated and notify you of discovered vulnerabilities in real time.
• To eliminate false positives, it should validate an identified vulnerability. Reduced false positives are critical for avoiding time waste.
• The scanner must be able to present its findings with thorough analysis. Visual graphs are quite useful.
• Make sure available support options meet your needs.

Bottom Line: Types of Vulnerability Scans

Vulnerability scanning is a critically important part of cybersecurity risk management, allowing organizations to find and fix flaws in their systems, networks, and applications through a range of vulnerability scan types. To keep your systems and data safe, vulnerability scanning should be a component of a thorough vulnerability management program that includes frequent scans and timely repair of discovered vulnerabilities. Staying on top of vulnerabilities is as difficult as it is important and requires organizational commitment.

Read next:

• Top Vulnerability Management Tools
• Top Breach and Attack Simulation (BAS) Tools

The post 12 Types of Vulnerability Scans & When to Run Each appeared first on eSecurityPlanet.

So how can you tell if your organization is under a DDoS attack — rather than experiencing a viral surge in website traffic — and are there early warning signs that can help you respond to DDoS attacks faster?

If you’re experiencing a DDoS attack, see How to Stop DDoS Attacks in Three Stages.

What are Common Signs of a DDoS Attack?

If you suspect you might be experiencing a DDoS attack, there are a number of signs you can look for. Here are five of the most common signs of a DDoS attack:

1. Unexplained spikes in web traffic

One of the most common signs of a DDoS attack is an unexplained spike in web traffic. This can be detected by monitoring your website’s server logs or using a web analytics tool. If you see a sudden increase in traffic from a specific location or IP address, it may be an indication that your site is under attack.

2. Slow loading times for your website

Another common sign of a DDoS attack is slow loading times for your website. This is caused by the attacker flooding your server with requests, which can overload the system and cause it to slow down. If you notice that your site is taking longer than usual to load, it may be due to a DDoS attack.

3. Unexplained errors, timeouts, and complete inaccessibility

A DDoS attack may also be characterized by unexplained errors or timeouts. This happens when the attacker sends so many requests to your server that it can no longer handle them all, resulting in errors or timeouts for users trying to access your site, perhaps resulting in HTTP 503 Service Unavailable error codes. If you notice that users see errors or timeouts when trying to access your site, it may be due to a DDoS attack. In some cases, a DDoS attack can render your website completely inaccessible.

4. Decreased performance for other services on the same network

If you notice that other services on the same network as your website are experiencing a performance hit, it may be an indication that your site is under attack. This is because the attacker’s requests can consume all of the bandwidth on the network, causing other services to slow down or become unavailable.

5. Increased CPU or memory usage on your server

A surge in server CPU or memory usage may signal that your site is under attack. This happens because the attacker’s requests can consume all of the resources on your server, causing it to slow down or become unresponsive.

How Can You Tell If You’ve Been DDoSed?

Unfortunately, the typical signs mentioned above can also be caused by other issues, some of them good. For example, if you are experiencing a sudden spike in web traffic and your site is slow to load, it could be due to increased legitimate user traffic such as a marketing campaign going viral or a mention on a popular website or social media profile.

If your server is struggling to keep up with a surge in legitimate traffic, it can lead to increased CPU or memory usage and other errors.

So how can you be sure that you’ve been DDoSed?

Determining if Traffic is a DDoS Attack or Legitimate

Determining if traffic is a DDoS attack or legitimate can be tricky. However, DDoS protection platforms typically offer web analytics tools to help you identify whether or not the traffic is coming from a DDoS attack. These tools check to see if a specific traffic source continues to query a particular set of data long after the Time To Live (TTL) for a site has elapsed. This is the time frame you set for your site to discard held data and free up resources. If that’s the case, you’re likely looking at a DDoS attack, since a legitimate source would no longer be generating traffic at that point.

Popular DDoS Web Analytics Tools

Some popular DDoS web analytics tools include:

• CloudFlare Web Application Firewall
• Sucuri Website Firewall
• Azure Web Application Firewall
• AWS WAF
• Imperva

Early Warning Signs of a DDoS Attack

Having tools like web application firewalls and monitoring services in place are your best defense against a DDoS attack. They’ll be able to tell the difference between, say, a DDoS attacker probing your defenses with test traffic and something more benign, like a misconfigured load balancer that might be overwhelming your resources.

Being able to spot a DDoS attack as early as possible is critically important for an organization whose business depends on the availability of its website. There are a wide range of DDoS services to consider; see our guides to the Best DDoS Protection Services and the Best Bot Protection Solutions.

How Long Do DDoS Attacks Usually Last?

DDoS attacks can last anywhere from a few minutes to several days, depending on the complexity and intensity of the attack. In most cases, an attacker will use automated software to flood your site with requests until it becomes overloaded and stops responding.

While a typical DDoS attack can last 1-2 days, Qrator Labs reports that the mean attack is a little over 6 minutes, with shorter burst attacks often used to test an organization’s defenses.

How to Stop a DDoS Attack

If you suspect that your site is under attack, the first thing you should do is contact your hosting provider for help. They may be able to implement network-level protections or other measures to mitigate the attack and help restore your site to normal functioning.

In addition to notifying your ISP, you can take several other steps to stop an ongoing DDoS attack:

• Seek professional DDoS help: One of the best ways to stop a DDoS attack is to work with a professional service provider specializing in mitigating and stopping these attacks. These companies can help you quickly identify the source of an attack, implement protection measures, and restore your website to normal functioning as soon as possible. Depending on the severity of the attack, you may also need to involve law enforcement to investigate the attack and identify any potential culprits.
• Attack characterization: In addition to identifying the source of an attack, a DDoS mitigation service can help you understand how the attackers are targeting your site and how they’re compromising its resources. This information is crucial for developing effective defenses against future attacks and preventing your site from becoming a repeated target.
• Attack traceback: In some cases, it may be possible to identify the source of a DDoS attack even if you cannot stop it in real time. Attack traceback is the process of attempting to locate the origin of an attack by analyzing traffic patterns and identifying any unusual or suspicious behavior.
• Attack tolerance and mitigation: It is also possible your site may be targeted by a DDoS attack that’s too intense or complex to stop in real time. In this situation, you will need to develop strategies for how your team and the hosting provider can work together to minimize damages and keep the site online until the attack subsides. This may involve implementing traffic throttling or DNS redirection to keep your site up and running while mitigating the effects of the attack.

Also read: DDoS Myths: Blackholing and Outsourcing Won’t Stop Everything

How to Prevent DDoS Attacks

The best way to deal with DDoS attacks on your online properties is to ensure they never happen in the first place. Here are a few steps you can take to help protect your website from DDoS attacks.

Install Web Application Firewalls (WAFs) and Anti-Bot Filters

One of the best ways to protect your website from DDoS attacks is to install a web application firewall (WAF). A WAF is software code that sits between your website and the internet and filters incoming traffic for malicious activity. There are many different WAFs available, so be sure to do some research to find one that fits your needs.

In addition to a WAF, you should also consider installing an anti-bot filter. This will help block bots from accessing your website, which is often used in DDoS attacks.

Consider Using a Content Delivery Network (CDN)

Another key component for keeping your website safe from DDoS attacks is a content delivery network (CDN). A CDN works by distributing your website’s static assets — such as images, videos, and scripts — across servers worldwide. This makes it more difficult for attackers to target specific servers or overwhelm the bandwidth of a particular host.

In addition, using a CDN can also improve the performance of your website for visitors around the world by reducing latency.

Regularly Update Software, Plugins and Scripts on Your Site

One of the best ways to prevent DDoS attacks is to keep your website’s software and plugins up-to-date. By keeping all of your site’s software up to date with the latest security patches, you can help ensure that any potential vulnerabilities are addressed before they can be exploited by attackers.

Perform Regular Security Audits of Your Website

Another key step in protecting your website from DDoS attacks is to perform regular security audits. These audits will help you identify any potential weaknesses or vulnerabilities in your site’s infrastructure, such as unpatched software, weak passwords, misconfigurations, and open ports that could be used by attackers to launch an attack.

Purchase Extra DDoS Protection

If you’re worried about being hit by a DDoS attack, one option is to purchase extra protection from a provider like Cloudflare or Imperva. These services offer additional layers of protection against DDoS attacks, including filtering out malicious traffic and providing extra bandwidth capacity during an attack. While these services can be expensive, they provide peace of mind for businesses that are concerned about being targeted by DDoS attacks.

Create a DDoS Playbook

In addition to taking proactive measures to prevent DDoS attacks, it’s also important to have an incident response plan in place for how you’ll respond if an attack does occur. This plan is often referred to as a “DDoS playbook.” Your playbook should outline the steps you’ll take during and after an attack, including who will be responsible for each task. Having a plan in place ahead of time will help ensure that you’re prepared if an attack does occur.

Implement Regular Monitoring and Reporting

To help detect DDoS attacks as they’re happening, implement regular monitoring and reporting on your site’s traffic, performance, and security. You can use the specialized web analytics tools and services mentioned earlier. However, tracking traffic spikes and traffic behavior can also be done with simple free tools such as Google Analytics, or by tracking how your server’s CPU, memory, and bandwidth are being used from within your web hosting panel.

Further reading: How to Prevent DDoS Attacks: 5 Steps for DDoS Prevention

Bottom Line: Detecting DDoS Attacks

DDoS attacks remain one of the most damaging cyber attacks, and their prevalence and severity continue to grow. If you haven’t taken steps to protect your website or application from DDoS attacks, now is the time to start, and lining up a DDoS response service could be an effective first step.

DDoS prevention involves a combination of measures. When planned well, these help prevent the worst outcomes of a DDoS attack and keep your website running even as some elements are disrupted. For organizations that depend on their websites for survival, effective DDoS preparation shouldn’t be optional.

Read next:

• Complete Guide to the Types of DDoS Attacks
• Best Next-Generation Firewall (NGFW) Vendors
• Best Incident Response Tools and Software
• Network Protection: How to Secure a Network

The post How To Tell If You’ve Been DDoSed: 5 Signs of a DDoS Attack appeared first on eSecurityPlanet.

While an organization can use one or the other as an effective tool to improve security, the most mature organizations use vulnerability scans in combination with penetration tests to maximize their security benefits. The table below summarizes the main points of this article. Each issue will be explored in depth before we arrive at recommendations based on our analysis.

To ensure a common frame of reference, let’s start with a recap of the basic definition for both concepts critical to network security.

What is a Vulnerability Scan?

A vulnerability scan, or vulscan, performs a systematic check of IT systems to look for known security holes. There are two types of vulnerability scans.

IT infrastructure vulnerability scans will be performed by IT or cybersecurity teams to inspect internal IT systems using admin-level permissions for known vulnerabilities in:

• Internal networking equipment, such as switches and routers
• File servers
• Network access storage (NAS) devices
• Individual computers
• Peripheral devices like printers and scanners
• Internet of Things (IoT) devices connected to the network, such as security cameras, TVs, etc.
• Critical applications and internal processes, such as Active Directory (AD); Domain Name System (DNS); and accounting, banking, or operations management software

Application or website vulnerability scans will be performed by development operations (DevOps) or development security operations (DevSecOps) programmers to scan software libraries, application programming interfaces (APIs), and supply chain components for known vulnerabilities.

What is a Penetration Test?

Penetration tests, or PenTests, probe systems for weaknesses to determine if they can be exploited. The common black box penetration test scans the external IT infrastructure of the organization such as firewalls, web servers, web applications, gateways, and VPN servers. These tests are performed without any advanced knowledge of its systems, but different penetration tests use credentials, test physical security, involve social engineering, phishing attacks, dropped USB drive attacks, test system volume capacity limits, and more.

Bounties can be considered a form of penetration testing that incentivises non-contracted ethical hackers with payment after finding a flaw instead of through a contract agreed upon in advance. However, bounties can be unpredictable and, while very useful, bounties should not be relied upon to replace formal penetration tests.

When to Use Vulnerability Scans and Pentests

The simplified justification to pick between vulscans and pentests can be expressed as:

• Vulnerability Scans: To scan infrastructure and discover known vulnerabilities
• Penetration Tests: To explore discovered vulnerabilities to verify if they can be exploited and what damage could result from the exploitation or to discover non-vulnerability exposures in key systems

To elaborate, vulnerability scans use commercial or open source tools that can be used by less experienced IT or security personnel to perform periodic, automated or on-demand testing. These tests can be performed quickly and inexpensively to detect known vulnerabilities.

However, vulnerability scanning tools cannot determine how easily the detected vulnerability can be exploited or how much damage can result from the exploitation of the vulnerability. Human expertise, often in the form of penetration testing, needs to be performed to verify the exploitability of the detected vulnerability and the extent of the potential damage.

Penetration testing can also discover additional flaws that might expose the organization to risk that cannot be detected by vulnerability scans. For example, pentests can discover weak passwords, gaps in security, or other security weaknesses that come from inadequate security architecture.

How to Use Vulnerability Scans and Pentests

Vulnerability scans are primarily tool-based, so a security team will often acquire and configure the tool for internal use. For organizations with more limited resources, vulnerability scanning can be included in the offerings of managed IT service providers (MSPs) and managed IT security service providers (MSSPs) or even through a vulnerability management as a service (VMaaS).

Penetration tests can be performed by internal teams who pick up breach and attack simulation (BAS) tools. However, internal teams can lack the expertise to thoroughly test systems and will be tempted by conflicts of interest to hide potential flaws in IT setup from management. Instead, organizations will typically engage third-party penetration testing vendors or MSSPs with pentesting expertise for the relevant assets to be tested (applications, websites, firewalls, containers, etc.).

Pentest vendors can retain experienced ethical hackers that the average organization cannot afford. These hackers use their experience to rapidly assess systems, target the most likely vulnerabilities to be exploited, and use hacking tools when needed.

Popularity of Vulnerability Scans and Pentests

The relative popularity of vulnerability scans and penetration tests is quite interesting because the popularity among professionals is inverse to the actual usage and demand. Among IT and security professionals, vulnerability scans tend to be less popular than penetration tests because they are not as technologically interesting as hacking — it seems more like homework. However, vulnerability scans tend to be less invasive, less expensive, and easier to execute which makes them much more frequently used among organizations.

The popularity for penetration testing, also known as red team exercises, can be measured by the higher demand and number of classes and certifications devoted to red team techniques when compared to defensive blue team techniques. This popularity also is skewed by the reality that a penetration tester only needs to find one way in to be successful and a blue team defender needs to be skilled against every possible red team tactic. IT teams just don’t feel like they can win on defense, so hacking just seems like more fun.

However, penetration tests cost much more money and can be hard to scope and understand for an organization. These factors lead some organizations to focus on vulnerability scans for everyday needs and to avoid penetration testing unless required by a compliance standard.

Frequency of Vulnerability Scans and Pentests

Most organizations perform vulnerability scans at least quarterly, with additional scans performed after significant changes to IT infrastructure or application updates. More aggressive organizations can scan monthly, weekly, or even continuously. After mitigation of discovered vulnerabilities, a rescan or penetration test will be required to validate the fix.

Compliance standards often define the frequency of vulscans and pentests. The PCI Data Security Standard (PCI DSS) requires vulnerability testing to be conducted at least quarterly and after every significant change to IT infrastructure, security tools,  or applications. Recent research by Veracode finds that more frequent vulnerability scanning has reduced the typical number of vulnerabilities by two-thirds and decreased the time to fix vulnerabilities by more than 30%.

Many organizations never perform a penetration test, and of those that do, many only perform annual external penetration tests. More sophisticated organizations perform tests more frequently, such as 2-4 tests per year and also add pentests after significant infrastructure changes (especially for internet-accessible systems or after fixing previously discovered issues).

Are Vulnerability Scans or Pentests Internal or External?

Vulnerability scanning tools can be applied to external systems or even to systems that an organization does not control. However, vulnerability tools do not attempt to be stealthy and tend to be used primarily on internal systems.

Penetration tests tend to be performed on externally accessible assets from the point of view of a cyberattacker. However, penetration tests can also be performed internally without credentials to simulate attackers obtaining compromised low-access credentials (gray-box pentest) or with full credentials for more thorough testing (white-box pentest).

Also read: 7 Types of Penetration Testing: Guide to Pentest Methods & Types

Time Needed to Conduct Vulnerability Scans and Pentests

Vulnerability scans usually take a few hours, but the total time will vary greatly on the number of systems scanned and the type of systems scanned. Large systems can take days to complete a scan and vulscans can take only a few minutes for simple scans of a small office.

As with vulscans, penetration test durations will be highly variable and dependent on the number of systems tested and the type of pentests required. A typical test usually takes weeks to complete, but could take several months for comprehensive testing, especially for multi-national, multi-office organizations seeking social engineering, physical security tests, and other time-consuming pentests.

Do Vulnerability Scans and Pentests Generate False Positives?

Vulnerability scanning often will detect vulnerabilities that will be determined to be false positives. The scans may also locate true positives with negligible associated risk. Regardless, each vulnerability finding must be verified and either mitigated or flagged to be ignored.

Low-end pentests that only use off-the-shelf software will produce the same false positives that plague vulscans. Effective penetration tests usually generate zero false positives since the penetration testing results verifies exploitation risk by proving the hacker can access protected data or create operational disruption.

Naturally, after considering false positives, one must consider if false negatives are possible. Both forms of testing will only report on vulnerabilities found, but will not report that other assets pass without vulnerabilities. In the strict sense of the definition, no false negatives are generally produced, because neither testing procedure creates “all-clear” reports on systems on which no flaws were detected.

However, both forms of testing can overlook vulnerabilities. Vulnerability scans will always miss vulnerabilities not yet entered into their databases or on assets that are not scanned. Assets can be missed either because the tool is not capable of scanning an asset class (such as Kubernetes containers) or because the asset list simply was not updated prior to the scan.

Penetration tests tend to be narrow in scope and generally cannot test all systems or for all possible vulnerabilities. Even the most experienced pentester cannot know all possible vulnerabilities, and most organizations do not have the budget or time to test all possible systems. Pentesters make choices to focus on the most likely vulnerable systems and the most likely vulnerabilities.

Comprehensiveness of Vulnerability Scans and Pentests

Vulnerability scans target all applicable infrastructure and tend to only be limited by the scanning tool’s capabilities. Most can scan for tens of thousands of vulnerabilities, but a security team must also recognize that vulnerability tools can only scan for vulnerabilities that are known and already programmed into the scanner and on a device detected for scanning.

This limitation is neither unusual nor problematic as long as the security team recognizes that even scanned systems cannot be assumed to be vulnerability-free. The IT and security teams must also be sure to update the tool to scan all of the available assets so that no scannable asset is simply overlooked.

Many vulnerability scanners are also specialized by asset class. For example, some can only scan applications or websites and others can only scan Windows and macOS operating systems. Less common asset classes such as networking equipment, peripheral devices (printers, external hard drives, etc.), internet of things (IoT), industrial control systems (ICS), and industrial or operating technology (OT) often require specialized vulnerability scanning tools or manual investigation.

Penetration testing tends to be limited in scope due to budgets, time constraints, and tester capabilities. Pentests not only test known vulnerabilities, but can also discover unknown vulnerabilities, security gaps, and security weaknesses that technically are not vulnerabilities (just poor security architecture). However, while they may probe deeper than vulscans, pentests tend not to be as comprehensive and will be focused around the pentester’s expertise or the systems the organization can afford to test.

Minimum Requirement Vulnerability Scans and Pentests

The minimum level of vulnerability scanning is equivalent to patch management and examines traditional IT systems (servers, workstations, and laptops) for unpatched systems. For penetration tests, the minimum level tends to be external pentests on internet-accessible systems.

However, in both minimal cases, organizations must recognize that these minimum-requirement tests will likely leave the organization exposed to risk. Most organizations pursue minimum testing to minimize expenses, but even these minimums depend upon the specific compliance regulations.

However, this will likely be an evolving condition over the next few years. New York State already requires both penetration testing and vulnerability assessments for its financial institutions, and both PCI DSS and the National Institute of Standards and Technology (NIST) cybersecurity framework (800-115) have vulnerability scans as basic requirements.

Some vendors and consultants offer low-cost automated pentesting; however, these tests often prove ineffectual and produce similar results to vulnerability scans. These minimal approaches can catch easy-to-find and well-known vulnerabilities, but will not typically be rigorous enough to satisfy most compliance requirements.

Also read: What Is a Pentest Framework? Top 7 Frameworks Explained

Operations Disruptions from Vulnerability Scans and Pentests

Vulnerability scans probe each device port by port to test for known vulnerabilities, which can cause possible network bandwidth issues and even system instability. More sophisticated tests probe network equipment and check for misconfigurations, which will place even more demands on systems.

Most organizations schedule vulnerability scans for off-hours to minimize operations disruptions and may even exclude certain systems known to be sensitive to scanning. An organization with automated vulnerability scanning capabilities can also perform scans every time a new device is connected to the network; that also allows future vulnerability scans to be incremental and focus on specific vulnerabilities or devices that have not been scanned within the last month or quarter.

Penetration testing can also cause operations disruptions with certain types of tests. However, penetration testers will typically recognize how much disruption might be caused and can prepare the organization in advance for recovery. For disastrously disruptive tests that might cause data loss or full operations failure, an organization might create a test environment for hackers to probe so that a successful hack does not affect operations.

Penetration testing will often be thought of as an exercise to break into the systems to steal data. While valid, this definition ignores other forms of penetration testing such as volume capacity tests for infrastructure, such as when testing for distributed denial of service (DDoS) resilience.

How to Handle Overload From Vulnerability Scans and Pentests

Many organizations that need to perform vulnerability scans or penetration tests can become overwhelmed by the results because of resource constraints (budget, staffing, etc.).

With vulnerability scanning, overwhelm can often be controlled by ignoring known vulnerabilities or through filtering vulnerabilities using CVSS or risk-based ranking. Likewise, penetration testing overwhelm may be controlled by rolling or partial pentesting.

For example, vulscans of healthcare facilities notoriously find many issues, since many medical imaging devices run on operating systems that no longer receive updates (see Three Ways to Protect Unfixable Security Risks). Instead of producing the same list of vulnerabilities with each scan, the organization can exclude the devices with known vulnerabilities from regular scans to focus on fresh issues.

Scans also often overwhelm an organization with vulnerabilities with low Common Vulnerability Scoring System (CVSS) ratings that either cannot cause significant damage or are difficult to exploit. To avoid overload, an organization might choose to ignore scans below a selected ranking or to filter vulnerabilities in vulnerability management software to focus on high-priority vulnerabilities.

Risk-based filtering is similar to CVSS filtering, but instead of focusing on the vulnerability, the organization focuses on the importance of the asset and the likelihood of exploitation. For example, an organization might ignore a high-ranking data exfiltration vulnerability in a server that contains publicly available marketing materials in favor of focusing on a lower-ranking privilege escalation vulnerability in the credit card payment database due to the potential damage to the organization.

Penetration testing limitations will often focus on specific types of tests or specific systems in a given time period and leave other testing for later.

While organizations can use all of these techniques to limit scope and scale, they also need to recognize that such limitations might leave the organization exposed to potential attack via ignored systems or vulnerabilities.

Of course, service providers can provide another option for organizations that can obtain additional resources through outsourcing. A wide variety of MSPs, MSSPs, or even Vulnerability Management as a Service (VMaaS) providers can enable organizations to deal with overwhelm without remaining exposed to higher risk of attack.

Costs of Vulnerability Scans and Penetration Tests

Vulnerability scans tend to be moderate to low-cost options, with the expenditure primarily based on the cost of tools. However, organizations should also account for the time for IT or security teams to install, configure, maintain and use the tool as well as to analyze the results.

Penetration tests tend to be higher in cost because they typically require outside vendors with highly trained penetration testing professionals. Fortunately, pentest costs can be controlled by organizations through preparation and scope control.

Benefits of Vulnerability Scans and Penetration Tests

Vulnerability scans and penetration tests both provide high value to any organization.

Vulscans identify vulnerabilities to be validated, categorized, prioritized, and mitigated. Automated tools can allow for quick and continuous identification of systems and services at risk to help organizations reduce opportunities for attacker exploitation.

Penetration testing verifies if vulnerabilities can be exploited and checks for other security gaps that might risk data exploitation or system damage. Effective pentests help organizations further harden systems and minimize opportunities for malicious attackers to cause damage.

Bottom Line: For Best Results, Use Both Vulscans and Pentests

When an IT team struggles to keep up with its workload, vulnerability scans and penetration tests seem like more trouble than they’re worth, especially if there’s robust perimeter security in place. However, with a single bad click, an attacker could be inside the organization and exploiting any available weaknesses.

By using both vulscans and pentesting, an organization can catch more oversights, mistakes, and security gaps. Organizations that really want to avoid the headaches, risks, and consequences of a breach will run both penetration testing and vulnerability scanning on a regular basis. Given the high cost of a data breach, prevention is money well spent.

Further reading:

• The 8 Best Vulnerability Scanner Tools for 2023
• Top Open Source Penetration Testing Tools
• Best Patch Management Software & Tools
• Top Vulnerability Management Tools

The post Penetration Testing vs Vulnerability Scanning: What’s the Difference? appeared first on eSecurityPlanet.

While it’s certainly possible to construct your own pentest framework that meets the specific security and compliance requirements of your organization, a number of existing methodologies and frameworks can be built upon to make the job easier for you. In fact, it’s generally more effective to use one of these comprehensive and peer-reviewed solutions in order to keep your pentests on track.

Read on to learn more about how pentest frameworks are used, how they’re set up, and some of the top pentest frameworks that are available today.

Jump ahead to:

• How Pentest Frameworks Work
• 10 Categories in a Pentest Framework
• How Penetration Test Frameworks Are Used
• 7 Top Pentest Frameworks
• Bottom Line: Pentest Frameworks

Also read: What Is Penetration Testing? Complete Guide & Steps

How Pentest Frameworks Work

In simple terms, a pentest framework works by guiding pentesters to the right tools and methodologies to use for a penetration test, depending on the pentest type and the scope of the test they’re planning to run. Once a pentester gets started with the penetration testing and ethical hacking process, they should reference the pentest framework for the tactical categories they should assess during their tests.

Once the pentest is complete, the pentester should continue using the framework to help them further evaluate and report on their findings, especially as they relate to those primary tactical categories. It’s also important to return the environment to its pre-pentest settings.

The Steps of a Typical Pentest Framework

Pentest frameworks work in slightly different ways, depending on which pentest framework you use, but most follow similar steps that help organizations efficiently and comprehensively move through their pentesting programs.

These are some of the most common steps a pentest framework follows:

1. Initial planning and preparation: The framework instructs organizations to determine who their pentester(s) will be, what pentest framework and methodology/methodologies they’ll be following, expectations for the test and reported results, any legal or compliance requirements, and any tools or resources that are needed in order to conduct a successful test.
2. Intelligence and information gathering: Information that should be gathered early in the pentest framework development and selection process includes the scope of asset ownership, network targets, exploits, any involved third parties, network ports, IP addresses, relevant employees’ names, and property locations. In some cases, this phase is also called the discovery, testing, scanning, or assessment phase.
3. Attack phase: The pentester begins their attack and evaluates the system based on how it performs against the framework’s predefined tactic categories.
4. Post-attack phase: The pentester, or a team of cybersecurity experts, makes sure the testing environment’s assets and features are returned to their original state.
5. Reporting results: The pentest framework is used to frame results based on tools used, tactic category performance, and more.

Also read: How to Implement a Penetration Testing Program in 10 Steps

10 Categories in a Pentest Framework

The typical pentest framework clearly outlines tactic categories that pentesters should use to evaluate cybersecurity performance on multiple fronts during their penetration testing efforts. Every framework uses its own terminology and approach to tactic categories, but these are some of the most frequently found categories in a pentest framework:

1. Collection: As an ethical hacker, what kinds of information and security intelligence are you able to collect during your attack? How valuable would this information be to future attack vectors and plans?
2. Command and control: What kinds of backdoors and covert forms of communication are you able to set up in the enterprise network’s servers or apps during your simulated attack? Are these backdoors easily detected? Do they stay open even after cybersecurity tools step in to mitigate risk?
3. Credential/information access: What tools, users, and hardware can access what kinds of information? What credentials and controls are in place and how effective are they at stopping unauthorized user access during your simulated attack?
4. Defense evasion capabilities and strategies: How does your cybersecurity infrastructure handle threat detection and how does it respond to an attacker’s defense evasion strategies? How effectively does your infrastructure identify and avoid various types of threats, and how quickly does it pivot when initial lines of defense aren’t enough?
5. Discovery and information gathering: How quickly and comprehensively does your cybersecurity setup gather and sift through relevant security incident information after the simulated attack begins?
6. Execution: How do your cybersecurity tools respond when handling an unauthorized user or other suspicious activity in the network? What tools go into action, what are their response timelines, and what gets mitigated by tools versus security professionals? Additionally, how does your cybersecurity infrastructure respond to attack types like remote code execution?
7. Exfiltration: Can data be stolen from any part of your network? If so, what data is accessible, in what quantities can it be taken, and how much defense (if any) goes up against data exfiltration operations?
8. Lateral movement: During the simulated attack, are you able to easily move from your initial point of access into another app, database, or component of the network? How difficult is lateral movement between grouped apps versus parts of the network that are in separate segments or departments?
9. Persistence: What misconfigurations, backdoors, implants, or other components of your attack persist even after cybersecurity tools respond to your attack? Over what time frame can these features continue to deploy discreet attacks?
10. Privilege escalation: Can attackers change their own credentials or steal the credentials of another user in order to elevate their access levels and user permissions in the network or specific applications? How difficult is privilege escalation for an internal bad actor versus an external bad actor?

How Penetration Test Frameworks Are Used

Generally speaking, penetration test frameworks are used to make pentesting efforts more comprehensive and effective. However, pentests are used for a variety of reasons, and pentest frameworks have a few different use cases as well. Here are some of the most common ways penetration test frameworks are used:

• Vulnerability assessment and management
• Ethical hacking for offensive cybersecurity improvements
• Defensive cybersecurity evaluations
• Discovery, probing, and reconnaissance
• Enumeration and information gathering
• Cybersecurity and compliance audits

7 Top Pentest Frameworks Explained

Below, you will find some of the most commonly used pentest frameworks and methodologies, both in a chart and a more detailed discussion. It’s important to note that many of the frameworks you see listed here — such as the Open Source Security Testing Methodology Manual (OSSTMM) — started out as simple pentesting frameworks but have since evolved into methodologies upon which other pentesting frameworks have been developed.

Cobalt Strike

Cobalt Strike is a red team command and operations framework that is one of the most popular frameworks for pentesting. The tool includes adversary simulations, incident response guidance, social engineering capabilities, and more. Users have the option to alter Cobalt Strike to their specific needs with the Community Kit repository, and they can further extend its capabilities by using it in combination with Core Impact, the pentesting software offered by Fortra.

Also read: How Cobalt Strike Became a Favorite Tool of Hackers

Metasploit

Metasploit is a collaboratively-designed penetration testing framework that comes from Rapid7 and the open-source community. Some of its most important features include 1,500 exploits, network discovery, MetaModules for tasks like network segmentation testing, automated tests, baseline audits and reports, and manual exploitation and credential brute forcing options. Users can choose between the free, open-source version of Metasploit or Metasploit Pro for additional features.

Also read: Getting Started With the Metasploit Framework: A Pentesting Tutorial

NIST Cybersecurity Framework

NIST’s Cybersecurity Framework (CSF) is a slightly broader framework option that focuses on standards, best practices, and guidelines for all kinds of cybersecurity risks. The five functions that this framework focuses on are: Identify, Protect, Detect, Respond, and Recover. Because this is a broader framework and comes from the U.S. Department of Commerce, this standardized framework can be used as guidelines for a variety of cybersecurity tests and compliance audits.

Open Source Security Testing Methodology Manual (OSSTMM)

The OSSTMM framework from the Institute for Security and Open Methodologies (ISECOME) has moved past basic framework features into a full methodology for security testing and analysis. Among other topics covered in its detailed guide, the Open Source Security Testing Methodology Manual gives users information about how to define and scope a security test, rules of engagement, error handling, and disclosure of results.

Penetration Testing Execution Standard (PTES)

The Penetration Testing Execution Standard, or PTES, is another pentesting framework that has evolved into a full methodology. Its main sections cover penetration test communication and rationale, intelligence gathering, threat modeling, vulnerability research, exploitation and post-exploitation, and reporting. The guidelines in the official PTES do not discuss how to conduct a pentest; the team has developed a technical guidelines document to instruct and support in this area. A second, updated version of PTES is currently in the works.

Open Web Application Security Project (OWASP)

OWASP’s Continuous Penetration Testing Framework is an in-the-works framework that focuses on standards, guidelines, and tools for information security and application security penetration tests. OWASP offers a transparent roadmap to users who are interested in learning more about the release timeline and features of this framework.

PenTesters Framework (PTF)

TrustedSec’s PenTesters Framework (PTF) is based heavily on the Penetration Testing Execution Standard. It is designed to make installation and packaging more streamlined and is considered highly customizable and configurable. Users can either download PTF with a Linux command or directly through Git.

Also read:

• Best Open-Source Distributions for Pentesting and Forensics
• Top Open Source Penetration Testing Tools

Bottom Line: Pentest Frameworks

Your penetration testing efforts won’t be as successful if you don’t rely on a pentest framework to structure your processes, the tools you use, and the tactical areas you target. It’s important for pentesting procedures to be both repeatable and scalable, especially as your organization and its attack surface grow. Pentest frameworks take the guesswork out of pentesting, allowing you to focus on improving other areas of vulnerability management while still conducting successful tests and research.

Further reading:

• How Much Does Penetration Testing Cost? 11 Pricing Factors
• Best Penetration Testing Tools
• Best Vulnerability Scanning Tools
• Top Breach and Attack Simulation (BAS) Tools

The post What Is a Pentest Framework? Top 7 Frameworks Explained appeared first on eSecurityPlanet.

VLANs enable logical partitioning inside a single switch, resulting in multiple virtual local area networks where physical switch segmentation is not a possibility. These partitions enable the division of a large network into smaller, more manageable broadcast domains, thereby improving network security, efficiency, and flexibility. In this comprehensive guide, we will look at how VLANs function, when to use them, the benefits and drawbacks they provide, and the types of VLANs.

• How Do VLANs Work?
• When to Use a VLAN
• Advantages of VLANs
• Disadvantages of VLANs
• Common Types of VLANs
• Bottom Line: VLANs

How Do VLANs Work? 

VLANs are assigned unique numbers, which enable network administrators to arrange and separate network traffic. A VLAN number is a label or tag that is applied to certain packets in order to determine their VLAN classification. The valid VLAN number range is typically 1 to 4094, providing adequate flexibility to build many VLANs within a network configuration.

VLAN numbers are assigned to switch ports to associate VLAN membership with network devices. The switch then permits data to be transmitted across ports that are part of the same VLAN. Network administrators can regulate the flow of traffic within the network by establishing VLAN membership for particular ports. By giving the right VLAN number to each port on a VLAN switch, ports may be identified as belonging to a certain VLAN. VLAN tagging, which adds a tiny header to Ethernet frames, is used by switches to identify the VLAN to which the frame belongs. This tagging guarantees that traffic is channeled correctly inside the VLAN and does not leak to other VLANs.

Since practically all networks include more than one switch, VLANs provide a means to transport traffic between them. After assigning VLAN numbers to switch ports, the switch ensures that data destined for devices in the same VLAN is transferred correctly. When two or more ports on the same switch are assigned the same VLAN number, the switch permits communication between those ports while isolating traffic from other ports. This segmentation improves network security, performance, and administration capabilities.

Because most networks are bigger than a single switch, it is necessary to facilitate communication across VLANs on various switches. A simple way to accomplish this is to configure particular ports on each switch to be part of a common VLAN and to make physical connections (usually through cables) between these designated ports. Switches enable inter-VLAN traffic to flow by connecting these ports, allowing communication between devices in different VLANs.

Also read: How to Implement Microsegmentation

When to Use a VLAN

VLANs provide several advantages in network management, performance enhancement, and security. They offer the flexibility and control required in enterprise network settings, whether it is the logical separation of devices based on function, the creation of isolated guest networks, the prioritization of critical traffic, or the optimization of large-scale networks. VLANs are particularly useful in situations such as:

• High-traffic environments and networks with over 200 devices: VLANs provide efficient traffic flow and easier administration by effectively controlling and arranging a large number of devices.
• Optimizing network performance in high-traffic LANs: Congestion may be decreased by splitting traffic into distinct VLANs, resulting in smoother data transfer and lower latency. This improvement enables more effective network resource utilization and increases overall network efficiency.
• Creating multiple switches from a single switch: Network managers can create independent broadcast domains by segmenting ports into various VLANs, thus splitting a single switch into many logical switches. This separation increases network performance, security, and administration.
• Adding security measures and controlling excessive broadcast traffic: Separating groups into separate VLANs increases security while reducing performance difficulties caused by excessive broadcast traffic.
• Prioritizing voice and video traffic: For real-time communication applications, this segmentation assures quality of service (QoS). VLANs reduce latency and packet loss by prioritizing this sort of traffic, improving the overall user experience and ensuring seamless communication.
• Creating isolated guest networks: VLANs prevent unauthorized access and associated security issues by isolating guest devices from the internal network. This isolation guarantees that visitors have access to the resources they require while safeguarding the internal network’s integrity and security.
• Separating logical devices: VLANs allow devices to be logically separated based on their purpose, department, or security needs. Network administrators can enhance network performance and security by grouping devices with similar tasks or security requirements into VLANs. This segmentation decreases broadcast traffic, safeguards against potential security breaches, and enables focused administration and control.
• When simplifying network management: VLANs are critical in constructing virtual networks that transcend physical servers in virtualized and cloud computing environments. This adaptability simplifies network administration, increases scalability, and allows for more effective resource consumption. VLANs in these contexts provide smooth connectivity between virtual computers and assist enterprises in managing their infrastructure more efficiently.

See how one managed service provider used VLANs to protect backups from ransomware: Building a Ransomware Resilient Architecture

8 Advantages of VLANs

VLANs enable enterprises to improve network efficiency, scalability, and security while also simplifying network administration, increasing security, and boosting overall performance. Here are some of the advantages of using VLANs.

1. Logically segment networks: VLANs allow for the logical segmentation of networks and the administration of geographically scattered sites. Administrators may efficiently manage network resources, apply specific security measures, and guarantee seamless communication across locations by building distinct VLANs for various sites or departments.
2. Improve network security: By logically grouping devices and separating network traffic, VLANs create an extra layer of network security. Network administrators may manage access and ensure that sensitive information remains segregated by defining different VLANs depending on departments, project teams, or roles. VLANs keep unauthorized users out of restricted regions and provide a strong security foundation for safeguarding valuable data, similar to zero trust concepts.
3. Increase operational efficiency: VLANs provide operational benefits by allowing administrators to modify users’ IP subnets using software rather than physically changing network equipment. This flexibility simplifies network maintenance, minimizes downtime, and improves the network infrastructure’s overall agility.
4. Enhance performance and decrease latency: VLANs improve network performance by lowering latency and increasing total data transmission rates. VLANs prioritize traffic flow inside each VLAN by segmenting networks depending on functional needs, guaranteeing effective network resource usage, quicker data transfer and a better user experience.
5. Reduce costs and hardware requirements: By maximizing the existing network infrastructure, VLANs remove the need for extra physical hardware and wiring. This reduction in hardware needs saves money while also simplifying network management and maintenance.
6. Simplify device management: VLANs make device administration easier and more efficient by letting administrators organize devices based on their function or purpose rather than their physical location. This logical grouping simplifies device configuration, monitoring, and troubleshooting.
7. Solve broadcast problems and reduce broadcast domains: When a network is partitioned into many VLANs, broadcast traffic is confined within each VLAN, preventing it from congesting the whole network. This separation decreases broadcast storms while also increasing network efficiency and overall performance.
8. Streamline network topology: Typical network structures may need complex setups that include several switches, routers, and connections. By implementing VLANs, network topology can be simplified, resulting in a reduced number of devices. VLANs organize network devices conceptually, decreasing the complexity of physical connections and increasing network scalability.

Also read: Network Protection: How to Secure a Network

7 Disadvantages of VLANs

While VLANs provide substantial benefits in network management and security, it is critical to understand their potential downsides. Understanding these drawbacks allows network managers to handle them proactively and guarantee a successful VLAN implementation that meets their unique organizational needs.

1. Additional network complexity. The additional network complexity caused by VLANs is one of the key problems of adopting them. VLAN management in bigger networks may be a difficult operation that involves precise design, configuration, and constant monitoring. Misconfigurations can lead to network instability or even outages if correct knowledge and documentation are not used.
2. Cybersecurity risks. If an injected packet succeeds in breaching a VLAN’s borders, it could jeopardize the network’s integrity and security. Furthermore, a threat emanating from a single machine within a VLAN has the ability to propagate viruses or malware throughout the whole logical network, demanding strong security measures. Further segmentation and zero trust controls could limit any damage.
3. Interoperability concerns. Different network devices, particularly those from different suppliers, may have inconsistent compatibility with VLAN technologies, making smooth integration and consistent functioning problematic. Before establishing VLANs in such situations, it is critical to guarantee compatibility and undertake extensive testing.
4. Limited VLAN traffic relay. Each VLAN runs as its own logical network, and VLANs cannot forward network traffic to other VLANs by default. While this isolation provides security benefits, it might cause problems when communicating between VLANs. To enable traffic routing between VLANs, further setup and the usage of Layer 3 devices are necessary, adding complexity to network architecture and operation.
5. Possible risk of broadcast storms. Improper VLAN configuration can lead to broadcast storms, which happen when too much broadcast traffic overwhelms the network infrastructure. To avoid these disruptive incidents, VLAN design and setup must be carefully considered.
6. Reliance on Layer 3 devices. When Layer 3 devices have problems or become overloaded, it can have a major impact on VLAN connectivity. Layer 3 equipment, such as routers or Layer 3 switches, are widely used in inter-VLAN connections. These devices are in charge of routing traffic between VLANs, and their availability and correct setup are critical for VLAN operation.
7. Unintentional packet leakage. Packets can mistakenly leak from one VLAN to another in rare instances. This leakage might arise as a result of incorrect setups, poor access control, or insufficient network segmentation. Packet leakage jeopardizes VLAN security and isolation, exposing critical data to unauthorized users.

See the Top Microsegmentation Software

3 Common Types of VLANs

There are several types of VLANs commonly used in networking.

• Port-based VLAN: In this type of virtual LAN, a switch port can be manually assigned to a VLAN member. Specific VLANs are assigned to switch ports, and devices connecting to those ports become part of the corresponding VLAN. Because all other ports are configured with an identical VLAN number, devices connecting to this port will belong to the same broadcast domain. The difficulty with this form of network is determining which ports are acceptable for each VLAN. The VLAN membership cannot be determined simply by inspecting a switch’s physical port but by looking at the setup information.
  • Data VLAN: This type is often known as a user VLAN, and is dedicated solely to user-generated data. Data VLANs are designed to isolate and organize network traffic based on device function, department, or security requirements. The organizational structure of data virtual LANs is used to classify them. It is strongly encouraged to properly evaluate how users could be appropriately classified while taking into account all configuration choices. These clusters might be departmental or work-related. Administrators can boost network efficiency and security by grouping devices with similar tasks or security needs into Data VLANs to reduce broadcast traffic, isolate security vulnerabilities, and facilitate network monitoring and control.
  • Default VLAN: Typically, default VLANs are allocated to switch ports that have not been expressly defined for any specific VLAN. They serve as a backup alternative for devices that lack VLAN designations. Administrators can guarantee that devices without explicit VLAN assignments remain operational and can interact inside the network by selecting a default VLAN.
  • Native VLAN: An access port, also known as an untagged port, is a switch port that carries traffic for a single VLAN, whereas a trunk port, also known as a tagged port, carries data for several Virtual LANs. Native VLANs are linked to trunk lines, which connect switches. These VLANs are untagged on the trunk link, which means that frames sent across the link do not contain VLAN tags. When traffic arrives on a port without a VLAN tag, it is assigned to the Native VLAN; however, it is critical to set the Native VLAN consistently on both ends of the trunk connection to avoid connectivity difficulties and potential security risks.
  • Management VLAN: Management VLANs are VLANs that are dedicated to network administration and management responsibilities. This particular type is recommended for the most sensitive management activities, such as monitoring, system logging, SNMP, and so on. This not only provides security benefits, but also provides capacity for these management duties even in high-traffic scenarios. Administrators may assure safe access to network devices, ease network monitoring and troubleshooting, and protect key network infrastructure from illegal access or interference by isolating management traffic onto a distinct VLAN.
  • Voice VLAN: Voice VLANs are designed to prioritize and handle voice traffic in a network context, such as Voice over IP (VoIP) calls. Network administrators can assure Quality of Service (QoS) for real-time communication by allocating voice devices to a distinct VLAN, minimizing latency or packet loss issues that may affect the user experience during voice calls.

• Protocol-based VLAN: Protocol-based VLANs classify VLAN membership according to the traffic protocol in use. In a Protocol-based VLAN, the frame contains the layer-3 protocol information that specifies VLAN membership. While this method is effective in multi-protocol environments, it may not be feasible in IP-only networks. Other protocols’ traffic, such as IP, IPX, or AppleTalk, can be routed to their respective VLANs. This form of VLAN filters traffic based on protocol and offers untagged packet criteria.

• MAC-based VLAN: This type of VLAN is ideal when network administrators require granular control over device placement. A MAC-based VLAN uses the MAC address of a device to identify it as a member of that VLAN. Each VLAN on the switch has its own MAC address. This type of VLAN is typically used when device segmentation by MAC address is necessary.  Untagged inbound packets are allocated virtual LANs through the use of MAC-based VLANs, allowing traffic to be categorized depending on the source address.

See the Best Next-Generation Firewalls (NGFWs)

Bottom Line: VLANs

VLANs are a powerful network strategy that enables efficient traffic control, better security, and optimal network performance. These are critical functions in modern network environments, allowing network traffic to be segregated and controlled. By assigning VLAN numbers to switch ports, network administrators may create logical network segments and regulate data flow inside and between VLANs.

VLANs provide the flexibility and control required in contemporary network settings, whether it is the logical separation of devices based on function, the creation of isolated guest networks, the prioritization of critical traffic, or the optimization of large-scale networks. Understanding the functions and advantages of VLAN types helps administrators to create efficient network configurations tailored to their organization’s needs.

Read next:

• Best Network Monitoring Tools
• Top Network Detection & Response (NDR) Solutions

The post What is a VLAN? Ultimate Guide to How VLANs Work appeared first on eSecurityPlanet.

External and internal vulnerability scans are like your organization’s superpower duo when it comes to protecting against system weaknesses. We’ll cover their uses and benefits in detail, but here’s a high-level overview to start:

See the Best Vulnerability Scanner Tools

What Are External Vulnerability Scans?

An external vulnerability scan involves simulating attacks on your external-facing systems to identify potential weaknesses that malicious hackers could exploit, similar to an automated penetration test. By proactively uncovering vulnerabilities, you can strengthen your defenses and protect your systems and data. It’s like having a vigilant security guard checking your digital perimeter, ensuring that your organization is well-protected against external threats.

4 Benefits of External Vulnerability Scans

External vulnerability scans play a key role in protecting your network from intruders.

• Verify external security posture
• Identify weakness that can potentially lead to a breach of security
• Identify significant threats and risks in the enterprise network
• Pinpoint new devices or services that may pose potential threats or weaknesses to the enterprise

Common External Vulnerability Risks Found

External scans can uncover a range of cyber risks for security teams to address. These include:

• Malware
• Malvertising
• Phishing
• DDoS
• Ransomware
• Session hijacking
• Drive-by attack

When Should You Do an External Vulnerability Scan?

External vulnerability scans are conducted based on the size of your organization, with different frequencies for small and large enterprises. While larger organizations typically require multiple scans throughout the year to ensure optimal network security and the highest level of protection, small businesses or organizations may find it sufficient to conduct these scans once a year.

However, it is important to note that the frequency of vulnerability scans should always be adjusted based on the evolving threat landscape and the specific security needs of each organization, regardless of its size. By regularly assessing vulnerabilities through these scans, organizations of all sizes can proactively identify and address potential security weaknesses, fortifying their networks against potential breaches.

Also read: Penetration Testing vs. Vulnerability Testing: An Important Difference

What Are Internal Vulnerability Scans?

Internal vulnerability scan focuses on identifying weaknesses that could have evaded your exterior defenses. It’s like having someone who is familiar with every obscure crevice of your business looking for any openings that may be used by nefarious insiders or skilled attackers who have already gotten past your outward defenses and are trying to move laterally through your network.

You may find and fix these weaknesses inside by doing internal vulnerability scans, which will guarantee that your company’s crucial assets and confidential information are well-protected. This gives you peace of mind and enables you to keep one step ahead of potential assaults by acting as an additional layer of security against dangers that may be hiding inside your digital fortress.

5 Benefits of Internal Vulnerability Scans

Internal scans are an important line of defense that can prevent malicious actors from reaching critical applications and data. Benefits of internal vulnerability scans include:

• Simulates behaviors and actions of an internal hacker to identify vulnerabilities
• Validates insider access
• Identify and prioritize vulnerabilities for remediation
• Provide insights to improve patch and security management
• Fix and improve compliance with regulatory requirements and security standards

Common Internal Vulnerability Risks Found

Internal scans can uncover a range of serious threats:

• Unauthorized PCs and mobile devices
• IoT devices (Wi-Fi TVs, etc.) and connected industrial equipment
• Vulnerable password practices
• Unauthorized access levels
• Unauthorized data disclosure
• Insufficient system maintenance
• Non-protected computer stations
• Insecure internal network applications

When Should You Do an Internal Vulnerability Scan?

Internal vulnerability scans are essential for maintaining your organization’s internal network security, systems, and applications. They simulate potential attacks from insiders, compromised devices, or accounts. Large organizations must regularly perform these scans to monitor their network security, as they can still be at risk due to factors like insider threats, misconfigurations, or compromised user accounts. By conducting these scans, large organizations can spot vulnerabilities and take prompt action to reduce the chances of unauthorized access and data breaches. Small organizations should also consider internal vulnerability scans, as they can uncover security weaknesses that might slip under the radar.

Regular internal scans give them an edge, allowing your organization to maintain a higher level of security and protect critical assets. Both large and small organizations must proactively identify and address vulnerabilities to strengthen defenses and safeguard valuable information.

See the Top Data Loss Prevention (DLP) Solutions

Should You Do Both?

It is advisable to do both external and internal vulnerability scans to guarantee complete protection for a company’s digital assets. Let’s explore when and why it is suitable to carry out both scans.

External scans are used to evaluate the security of a company’s networks and systems that are accessible from the outside. In order to do this, the network perimeter must be probed, public IP addresses must be checked, and potential external access points must be assessed. Organizations learn about vulnerabilities that outside attackers trying to penetrate their defenses may exploit by conducting external scans.

The goal of internal vulnerability scans, on the other hand, is to locate weak points and vulnerabilities within a company’s internal network and systems. These scans usually concentrate on items like servers, workstations, and software that are located inside the company’s network borders. Even if they are not immediately accessible to the internet, enterprises can identify particular security holes and configuration errors that may be present inside the network by executing vulnerability scans.

Why then should we run both kinds of scans? It’s because they cover different aspects of the security environment and have different functions.

External scans are essential for evaluating the security posture from the viewpoint of an adversary. Organizations can find weaknesses that might be exposed to online criminals by simulating potential external attacks. By doing so, they may improve their defenses, fix weaknesses, and lower the probability of successful assaults.

Both external and internal vulnerability scans give a more detailed picture of flaws. They assist businesses in identifying security holes that both internal and external attackers might exploit in their network architecture, applications, or systems. Organizations may improve overall security posture and lower the likelihood of data breaches, illegal access, or other security events by addressing these different vulnerabilities.

When Is The Best Time to Conduct External & Internal Scans?

The best time to do these scans depends on a number of factors. Organizations should typically conduct periodic external scans to identify changes to their external attack surface and swiftly patch any newly discovered vulnerabilities. This might be carried out every month, every three months, or whenever there are network environment changes (such as infrastructure updates or website modifications).

Ideally, external and internal vulnerability scans have to be carried out often as well. The frequency may vary depending on the size, sector, legal requirements, and risk tolerance of the company. For instance, larger companies with more complicated networks could do vulnerability checks on a weekly or monthly basis, whereas smaller companies might choose to do so just once every three months. To maintain the environment’s continuing security, vulnerability checks should also be carried out following any substantial program upgrades or infrastructure modifications.

Organizations may proactively discover and resolve security gaps, both from external threats and internal vulnerabilities, by conducting external and vulnerability scans. With this all-encompassing strategy, they can strengthen their defenses, shrink the attack surface, and decrease possible risks, eventually protecting their digital assets and upholding a strong security posture.

Bottom Line: External vs Internal Vulnerability Scans

External and internal vulnerability scans are the dynamic duo that you need to protect your organization from potential threats. Internal scans go deeply into your internal systems to stop threats that could slip past your outside defenses, while external scans concentrate on bolstering your network security by simulating assaults from the outside. You can proactively find and fix vulnerabilities, improve your overall security posture, and protect your sensitive data by carrying out both types of scans.

Depending on the size and unique requirements of your firm, the frequency of these scans may vary, but ongoing evaluations are essential to keep ahead of emerging risks. Remember that you can keep your digital assets safe and maintain a powerful defense against cyberattacks by combining the capabilities of external and internal vulnerability scans.

Further reading:

• Is the Answer to Vulnerabilities Patch Management as a Service?
• Top Vulnerability Management Tools
• Top Breach and Attack Simulation (BAS) Tools

The post External vs Internal Vulnerability Scans: Difference Explained appeared first on eSecurityPlanet.

Because these tests can use illegal hacker techniques, pentest services will sign a contract detailing their roles, goals, and responsibilities. To make sure the exercise is effective and doesn’t inadvertently cause harm, all parties to a pentest need to understand the type of testing to be done and the methods used. This will not only help better test the architectures that need to be prioritized, but it will provide all sides with a clear understanding of what is being tested and how it will be tested.

Here we’ll discuss penetration testing types, methods, and determining which tests to run. For an overview of our pentest coverage, start with What Is Penetration Testing? Complete Guide & Steps.

7 Types of Penetration Testing

Here we’ll cover seven types of penetration tests. As enterprise IT environments have expanded to include mobile and IoT devices and cloud and edge technology, new types of tests have emerged to address new risks, but the same general principles and techniques apply.

Additionally, tests can be internal or external and with or without authentication. Whatever approach and parameters you set, make sure that expectations are clear before you start.

While many penetration testing processes begin with reconnaissance, which involves gathering information on network vulnerabilities and entry points, it’s ideal to begin by mapping the network. This ensures the entirety of the network and its endpoints are marked for testing and evaluation.

1. Network tests

Some organizations differentiate internal from external network security tests. External tests use information that is publicly available and seek to exploit external assets an organization may hold. On the other hand, internal tests simulate attacks that come from within. These try to get in the mindset of a malicious inside worker or test how internal networks manage exploitations, lateral movement and elevation of privileges.

Internal and external network testing is the most common type of test used. If an attacker can breach a network, the risks are very high. Penetration testers will try to bypass firewalls, test routers, evade intrusion detection and prevention systems (IPS/IDS), scan for ports and proxy services, and look for all types of network vulnerabilities.

Also read: Penetration Testing vs. Vulnerability Testing: An Important Difference

2. Social engineering tests

Social engineering is a technique used by cyber criminals to trick users into giving away credentials or sensitive information. Attackers usually contact workers, targeting those with administrative or high-level access via email, calls, social media, and other approaches.

Most cyberattacks today start with social engineering, phishing, or smishing. Organizations that want to ensure that their human security is strong will encourage a security culture and train their workers. But a fundamental component of an effective human security culture is putting it to the test. While automated phishing tests can help security teams, penetration testers can go much further and use the same social engineering tools criminals use.

Penetration testers may run these simulations with prior knowledge of the organization — or not to make them more realistic. This also allows them to test an organization’s security team reaction and support during and after a social engineering attack.

3. Web application tests

Web-based applications are critical for the operation of almost every organizations. Ethical hackers will attempt to discover any vulnerability during web application testing and make the most of it. The goal of the test is to compromise the web application itself and report possible consequences of the breach.

Web application tests include web apps, browsers, ActiveX, plugins, Silverlight, scriptlets, and applets. Languages used in the test include Java, PHP, .NET, and others. Application programming interfaces (APIs) are also part of this test, along with XML, MySQL, Oracle, and other connections and systems. If web applications are mobile, they also need to be tested in their environments.

These tests are complex due to the endpoint and the interactive web applications when operational and online. Threats are constantly evolving online, and new applications often use open-source code. This presents several challenges. Code is not always double-checked for security, and evolving threats continuously find new ways to break into web applications. Penetration testers have to take into consideration all of these elements.

See the Top Web Application Firewalls

4. Wireless networks and websites

Companies rely on wireless networks to connect endpoints, IoT devices and more. And wireless networks have become popular targets for cyber criminals. Penetration testers will verify wireless encryption protocols, check for beacons, confirm traffic, search for access points and hotspots, and MAC address spoofing.

Wireless networks are often neglected by security teams and managers who set poor passwords and permissions. Penetration testers will try to brute force passwords and prey on misconfigurations. Penetration tests also make sure the system is safe from denial-of-service (DoS) attacks, where sites are flooded with traffic to force them to crash.

Finally, as companies embark on digital transformation and modernization, threats to IoT, sensors, cameras, mobile devices, and other endpoints intensify. Hackers will try to access critical assets through any of these new points, and the expansion of the digital surface works in their favor. Therefore, penetration tests that cover wireless security must be exhaustive.

5. Physical and edge computing tests

Not every threat to a company happens remotely. There are still many attacks that can be accelerated or only done by physically hacking a device. With the rise of edge computing, as businesses create data centers closer to their operations, physical testing has become more relevant.

White hat hackers will test door security systems, access cards, locks, cameras, and sensors as well as attempt to impersonate personnel. They will also verify how safe devices, data centers, and edge computer networks are when an attacker can physically access them. These tests can also be executed with the full knowledge of the security team or without it.

6. Cloud security tests

Private and public clouds offer many benefits for companies, but they also give cyber criminals opportunities. Many organizations have business-critical assets in the cloud that, if breached, can bring their operations to a complete halt. Companies may also store backups and other important data in these environments.

While cloud vendors offer robust built-in security features, cloud penetration testing has become a must. Penetration tests on the cloud require advanced notice to the cloud provider because some areas of the system may be off-limits for white hat hackers.

Cipher explains that penetration testing in the Microsoft Cloud must comply with the Microsoft Cloud Unified Penetration Testing Rules of Engagement, and while running a pentest on Amazon Web Services (AWS), organizations must fill out the AWS Vulnerability — Penetration Testing Request Form.

Cloud penetration tests will examine security, applications and APIs, access, storage, encryption, virtual machines (VMs), operating systems (OSs) and updates, Secure Shell (SSH) and Remote Desktop Protocol (RDP) remote administration, and misconfigurations and passwords.

See the Best Cloud, Container and Data Lake Vulnerability Scanning Tools

7. Red team vs. blue team

Penetration tests often engage in a military-inspired technique, where the red teams act as attackers and the blue teams respond as the security team. This holistic approach allows for penetration tests to be realistic and measure not just the weakness, exploitations, and threats, but also how security teams react.

While some organizations hire experts to act as blue teams, those who have in-house security teams can use this opportunity to upskill their workers. Security teams can learn how to respond more rapidly, understand what an actual attack looks like, and work to shut down the penetration tester before they simulate damage.

There are many variations of red and blue team tests. Blue teams can be given information about what the attacker will do or have to figure it out as it happens. Sometimes the blue team is informed of the time of the simulation or penetration test; other times, they are not. Penetration testers can give insights on how in-house security teams are responding and offer recommendations to strengthen their actions using this technique.

Also read:

• Red Team vs Blue Team vs Purple Team: Differences Explained
• How to Implement a Penetration Testing Program in 10 Steps
• Penetration Testing Phases & Steps Explained

Penetration Testing Methods and Approaches

There are three main testing methods or approaches. These are designed for companies to set priorities, set the scope of their tests — comprehensive or limited — and manage the time and costs. The three approaches are black, white, and gray box penetration tests.

Black box penetration tests

Black box penetration tests are the most complex to execute. In these tests, the organization does not share any information with the pen tester. The tester will have to identify and map the full network, its system, the OSes, and digital assets as well as the entire digital attack surface of the company.

Due to their complexity and time-consuming characteristics, black box tests are among the most expensive. They can take more than a month to complete. Companies choose this type of test to create the most authentic scenario of how real-world cyberattacks operate.

White box penetration tests

In a white box test, the organization will share its IT architecture and information with the penetration tester or vendor, from network maps to credentials. This type of test commonly establishes priority assets to verify their weaknesses and flaws.

White box tests are also known as crystal or oblique box pen testing. They bring down the costs of penetration tests and save time. Additionally, they are used when an organization has already tested other parts of its networks and is looking to verify specific assets.

Gray box penetration tests

Gray box testing, or translucent box testing, takes place when an organization shares specific information with white hat hackers trying to exploit the system. Gray box tests usually attempt to simulate what an attack would be like when a hacker has obtained information to access the network. Typically, the data shared is login credentials.

To avoid the time and costs of a black box test that includes phishing, gray box tests give the testers the credentials from the start. These tests also simulate internal attacks. The goal of this test is not to test authentication security but to understand what can happen when an attacker is already inside and has breached the perimeter.

How to Determine What Tests to Run

The type of test an organization needs depends on several factors, including what needs to be tested and whether previous tests have been done as well as budget and time. It is not recommended to begin shopping for penetration testing services without having a clear idea of what needs to be tested.

Each type of test is designed for a specific purpose. The first question any organization needs to ask is what assets are business-critical for their operations. Once the critical assets and data have been compiled into an inventory, organizations need to look into where these assets are and how they are connected. Are they internal? Are they online or in the cloud? How many devices and endpoints can access them?

Knowing what is critical for operations, where it is stored, and how it is interconnected will define the type of test. Sometimes companies have already conducted exhaustive tests but are releasing new web applications and services. In this case, they should consider running white box tests to only test the latest apps. Penetration testers can also help define the scope of the trials and provide insights into the mindset of a hacker.

Bottom Line: Types of Penetration Testing

Ultimately, the types of penetration tests you choose should reflect your most important assets and test their most important controls. Well chosen test parameters can give you the most important information you need — while leaving some budget for the inevitable cybersecurity improvements a good pentest report will recommend.

It’s essential that penetration tests not just identify weaknesses, security flaws, or misconfigurations. The best vendors will provide a list of what they discovered, what the consequences of the exploit could have been, and recommendations to strengthen security and close the gaps. Penetration tests play a vital role in cybersecurity and have proven critical for businesses to keep up to date with the ever-evolving global threat landscape.

Next: See the Best Penetration Testing Tools and the Top Open Source Penetration Testing Tools

The post 7 Types of Penetration Testing: Guide to Pentest Methods & Types appeared first on eSecurityPlanet.

“This implies that adversaries can execute around 150 different techniques that will be undetected by the SIEM,” says the CardinalOps report. “Or stated another way, SIEMs are only covering around 50 techniques out of all the techniques that can potentially be used by adversaries.”

The Third Annual Report on the State of SIEM Detection Risk by detection posture management vendor CardinalOps is based on analysis of configuration metadata from a wide variety of SIEM instances, including Splunk, Microsoft Sentinel, IBM QRadar, and Sumo Logic, across verticals that include banking and financial services, insurance, manufacturing, energy, media and telecom, professional and legal services, and managed security services providers (MSSPs) and managed detection and response (MDR) vendors.

See the Top SIEM Solutions

Misconfigured SIEM Rules

The researchers also found that 12 percent of all SIEM rules are broken and will never fire due to issues like misconfigured data sources, missing fields, and parsing errors.

“Worse, organizations are often unaware of the gap between the theoretical security they assume they have and the actual security they have in practice, creating a false impression of their detection posture,” the report states.

Key reasons for that gap, according to CardinalOps, include complexity, constant change, the unique nature of each enterprise, error-prone manual processes, and challenges in hiring and retaining skilled personnel.

Also read: 5 Ways to Configure a SIEM for Accurate Threat Detection

Plenty of Data, Not Enough Detections

At the same time, CardinalOps found that SIEMs already ingest enough data to cover 94 percent of all MITRE ATT&CK techniques. “This suggests we don’t need to collect more data, but rather we need to scale our detection engineering processes to develop more detections faster,” the report states.

Security layers monitored by SIEMs, according to the findings, include Windows (96 percent), Network (96 percent), Identity and Access Management (96 percent), Linux/Mac (87 percent), Cloud (83 percent), and Email (78 percent).

Still, just 32 percent monitor containers. “One explanation for this might be that, due to the dynamic nature of microservices-based application environments, monitoring them can be a hefty challenge and they are likely to bring a significant volume of data to SIEM platforms,” the report suggests. “Another explanation might be that detection engineers are challenged by the prospect of writing high-fidelity detections to alert on anomalous activity for these highly-dynamic assets.”

Key Steps to Take

The report offers four key recommendations to enhance SIEM detection coverage and quality — starting with reviewing current SIEM processes.

The other three recommendations are:

• Become more intentional about how you develop and manage detection content
• Build or refresh your use case management processes
• Measure and continuously improve

As part of the first step of reviewing current processes, the report offers a number of avenues for inquiry:

• What is the approach for finding false negatives – and what adversary techniques, behaviors, and threats are being missed?
• How are use cases managed and prioritized? “Typically, we find they’re added to the backlog via an ad-hoc process,” driven by a combination of:

• Threat analysts and threat intelligence

• Breach and attack simulation (BAS) tools

• News about high-profile attacks and vulnerabilities

• Manual pentesting

• Red teaming

• How are detections developed today and what is the process for turning threat knowledge into detections?
• How long does it typically take to develop new detections?
• Is there a systematic process to periodically identify detections that are no longer functional due to infrastructure changes, changes in vendor log source formats, etc.?

“Most organizations don’t have good visibility into their MITRE ATT&CK coverage and are struggling to get the most from their existing SIEMs,” CardinalOps CEO and co-founder Michael Mumcuoglu said in a statement. “This is important because preventing breaches starts with having the right detections in your SIEM – according to the adversary techniques most relevant to your organization – and ensuring they’re actually working as intended.”

Read next: Implementing and Managing Your SIEM Securely: A Checklist

The post Enterprise SIEMs Miss 76 Percent of MITRE ATT&CK Techniques appeared first on eSecurityPlanet.