Introduction

Not all vulnerability scans are created equal. The configuration of a vulnerability scan makes an enormous impact on your results. Authenticated vulnerability scans will provide much greater insight into an organization’s security posture than unauthenticated scans. However, there is a place for unauthenticated vulnerability scans. This article discusses the differences between authenticated and unauthenticated vulnerability scans and when you should use each.

What are Vulnerability Scans?

Vulnerability scans are an automated process for searching devices for vulnerabilities. Vulnerability scanners are the applications or devices that perform the scans.

What are Authenticated Scans?

Authenticated scans are sometimes called “credentialed scans”. “Credentials” refers to a valid account for a system. So credentialed scans, or authenticated scans, are vulnerability scans that utilize valid accounts (username + password) to log into target systems.

Why Perform Authenticated Scans?

Imagine trying to determine if a house has a pest problem by only looking at the outside of the house. Sure, you may be able to see evidence of a pest problem, but you’ll definitely know there is a problem if you go inside. Unauthenticated scans are similar to the outside view only. Authenticated scans are similar to having the keys to the house and looking inside for problems. With an authenticated vulnerability scan, the vulnerability scanner logs into the device and performs detailed checks on the system patch level, permissions, installed applications, and more.

Scanning from Inside or Outside the Network

Scanning from the internet gives you a view of your publicly accessible devices.  It’s a good idea to scan from the outside to see what is available.  These external scans are often performed as unauthenticated scans to see how others see your devices from the internet.  However, it is still a good idea to scan these same devices from the inside as authenticated scans to get a more comprehensive view of the vulnerabilities on the system.  Additionally, internal resources should be scanned from the internal network as authenticated scans.

SNMP vs SSH Vulnerability Scans

When performing authenticated vulnerability scans on network devices or Linux systems, you often have the choice of utilizing SNMP (Simple Network Management Protocol) or SSH (Secure Shell).  Usually, SSH credentialed scans give you more comprehensive results, but it really comes down to the permissions that are given to the credentials that you are utilizing.

Should I Choose Authenticated or Unauthenticated Vulnerability Scans?

Authenticated vulnerability scans give you a more comprehensive view of the vulnerabilities within your environment.  If you have a choice, perform authenticated vulnerability scans.  If you are performing external scans, it is common to performing these as unauthenticated scans, but you should still scan these same devices from the inside of the network as authenticated scans. 

What Account Should be Used for Authenticated Scanning?

You should use a dedicated account with escalated privileges.  This account should be limited to the vulnerability scanning process and should not have the ability to use VPN, RDP, or other tasks not associated with vulnerability scanning.  This dedicated account should have a long random password with at least 20 characters.   In penetration tests, our team has compromised vulnerability scanner accounts that had weak passwords and were not limited to the scanning process on the network.

How Often Should Vulnerability Scans be Performed?

The Center for Internet Security (CIS) version 8 Guide states that automated internal vulnerability scans should be performed on assets at least quarterly.  This guide also recommends that external scans are performed at least monthly.

Should I Also Scan Internal Vendor Devices?

All of your internal assets should be scanned unless they are known to have problems with scanning.  As part of your Third-Party Risk Management (TPRM) process, your organization should work with vendors to determine if their assets on your network can be scanned.  These vendor devices should be scanned before placing them in production and then on a regular basis thereafter.

Are there any Devices that Shouldn’t be Scanned?

Some devices that are known to crash with vulnerability scans include: VOIP systems, printers, some medical devices, and certain SCADA (Supervisory Control and Data Acquisition) systems.  Always scan in a non-production environment if you’re not sure about the stability of the system and consult with the vendor as necessary.  Systems that cannot be scanned should be segmented on the network.

Conclusion

You will most likely perform both authenticated and unauthenticated scanning in your vulnerability management program. Each scan type has different uses, but authenticated scanning provides a more comprehensive analysis of a system.