Copyright Goodheart-Willcox Co., Inc. 74 Security Essentials

■ An active scanner simulates attacks and threats, and if the scanner’s configuration options allow, it can respond to a potential threat in real time.

Most commercial vulnerability scanners provide options to select the level of intrusiveness desired in a scan. A scanner performs a non-intrusive or intrusive test.

■ A non-intrusive test is one in which a system is scanned without causing harm to its target. This could involve searching for keys in the registry, open ports, missing software patches, and similar vulnerabilities. During this type of scan, the scanner reads and records the requested information.
■ An intrusive test is one in which the scanner tries to exploit vulnerabilities. A script automates the attack to prove the target is vulnerable. Intrusive scanning could have a major impact on a system or network being scanned. For example, the scan may cause business functions to be disabled. Even worse, a target could be left vulnerable if the attack is successful.

Vulnerability Scanning Techniques

Vulnerability scanners are not limited to identifying vulnerabilities in operating systems; they also enable users to scan applications, web applications, and networks to identify potential problems.

■ Application scanning is scanning software applications to identify weak configurations, out-of-date software patches, and other vulnerabilities. Some application scanners can also scan mobile applications running on iOS or Android platforms to identify vulnerabilities related to malware, personal e-mail and data leakage, weak encryption implementations, and other vulnerabilities specific to mobile platforms.
■ Web application scanners are tools that scan web applications for web-based vulnerabilities, such as scripting attacks, dangerous files, out-of-date versions, and unsecure configurations.
■ Network vulnerability scanners are vulnerability scanners that focus on potentially vulnerable network activities. Network vulnerability scanners identify preventive measures in an organization. Often, these scanners monitor firewalls, ports, and servers and conduct packet analysis. This type of scanning can identify unusual traffic by comparing current traffic with historical data and identifying open ports.
■ A configuration-compliance scanner performs a security configuration assessment that determines if a target’s configuration settings comply with an organization’s configuration guidelines. This type of scan is different from simply locating vulnerabilities on a system, such as outdated patches. Similar to a vulnerability scanner, configuration-compliance scanners help assess or affirm a company’s security posture by identifying potential flaws with system hardening policies.

Scanner Output

A vulnerability scanner identifies weaknesses in a system. However, false positives and false negatives can occur. False positives occur when a scanner registers a vulnerability when none is present. False negatives occur when a scanner is unable to find vulnerabilities when there really are vulnerabilities present.

Scan output identifies missing internal security controls, which could include a lack of up-to-date security patches and no installed firewall or antivirus software. Security controls are tools or processes used to reduce risk to assets by slowing, minimizing, or stopping a threat. Scanning a system with these tools can also identify

TECH TIP
When choosing a vulnerability scanner, consider the fact that for-purchase commercial products often provide deeper scans and better reporting systems than free or open-source scanners.
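
The configuration-compliance scan described in the list above, sketched as an added example that is not part of the textbook: a target's settings are read without changing them and compared against an organization's guideline. The setting names, the baseline values, and the sample configuration are constructed assumptions for illustration.

```python
"""Minimal configuration-compliance check (added example, constructed data)."""

# Constructed sample of a target's settings in "Key value" form.
SAMPLE_CONFIG = """\
# constructed sample, not taken from a real host
PermitRootLogin yes
PasswordAuthentication no
MaxAuthTries 6
"""

# Hypothetical organizational guideline: setting -> (rule type, required value).
BASELINE = {
    "PermitRootLogin": ("eq", "no"),
    "PasswordAuthentication": ("eq", "no"),
    "MaxAuthTries": ("max", 4),
    "ClientAliveInterval": ("max", 300),
}


def parse_config(text):
    """Read 'Key value' lines; skip blanks and comments; first occurrence wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            settings.setdefault(key.lower(), value.strip())
    return settings


def check_compliance(settings, baseline):
    """Return {setting: status} where status is PASS, FAIL, or MISSING."""
    report = {}
    for key, (rule, required) in baseline.items():
        actual = settings.get(key.lower())
        if actual is None:
            report[key] = "MISSING"  # unset settings are reported, not assumed safe
        elif rule == "eq":
            report[key] = "PASS" if actual.lower() == required else "FAIL"
        elif rule == "max":
            ok = actual.isdigit() and int(actual) <= required
            report[key] = "PASS" if ok else "FAIL"
        else:
            raise ValueError(f"unknown rule type: {rule}")
    return report


if __name__ == "__main__":
    for name, status in check_compliance(parse_config(SAMPLE_CONFIG), BASELINE).items():
        print(f"{status:8} {name}")
```

None of the sample findings is a missing patch or a known software flaw; each is a setting that deviates from the guideline, which is the distinction the text draws between compliance scanning and vulnerability scanning.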