A vulnerability assessment scanner takes a hacker's view of the network. It automatically scans systems and services on the network and simulates common intrusion or attack scenarios. In essence, it answers the question, "What can a hacker see and exploit on the network?" (In contrast, so-called host-based scanners assess system-level vulnerabilities such as file permissions, user account properties, and registry settings.) Therefore, a vulnerability assessment scanner should be capable of:

• Safely testing the entire network for security vulnerabilities and providing recommendations on how to fix them
• Scanning multiple operating systems, including Unix, Linux, Windows 2000, and NetWare
• Staying current with the very latest vulnerability signatures and alerts
• Displaying scan progress with a real-time graphic view, revealing the root cause of vulnerabilities
• Providing customizable management reports for a range of audiences

The importance of a scanner keeping current with the latest vulnerabilities cannot be underestimated. Successful defense against the new generation of blended threats - such as Slammer and Code Red -- requires a combination of steps and security functions. This includes use of an antivirus product, firewall technology, a security policy compliance tool (for identifying inadequate patch levels, finding unneeded services, and discovering weak passwords), intrusion protection solutions, as well as a vulnerability assessment scanner. Blended threats are expected to appear with increased regularity and growing complexity, and an integrated strategy represents an enterprise's best bet to address security at each tier of the network (i.e., client, server, and gateway).

Scanning and reporting

A comprehensive vulnerability scan begins by "discovering" all of the active devices on the network. This is followed by a port scan, which identifies ports in listening mode as well as those that may have exploitable active services. Full scans check for open TCP and UDP ports and examine network services (such as DNS and FTP). These scans will also check operating systems and application software for unauthorized modifications and for known problems that can be fixed by patches.


Next, the scanner analyzes the data and generates a report detailing potential vulnerabilities and fixes. A scanner should display data in real time as it scans, then provide appropriate reports so administrators don't have to search through volumes of data. Beware of scanners that flood you with hundreds of pages of potential problematic symptoms (or too many "false positive" reports). A scanner should illustrate the cause of a problem, the risk it poses, and make recommendations on how to eliminate it. As for the reports themselves, you should be able to tailor them for a range of audiences, both technical and executive, and be able to export them to a variety of formats, such as Word, Excel, and HTML.

In or out?

Several factors must be considered if you plan to undertake vulnerability assessment scanning, including whether to do the job in-house. Today companies are increasingly considering turning to a managed security services provider (MSSP) to handle the task. Any organization considering partnering with an MSSP should first ask the following questions:

• Does the MSSP under consideration have sufficient consultants to assist onsite and to assist in implementing any recommendations?
• Does the provider or its partners have the national or global reach required by your company?
• Does the provider have sufficient financial wherewithal to survive varying economic climates?

Timeliness is key