What Your Vulnerability Scan Is Not Telling You
January 15, 2024
Love them or hate them, vulnerability scans are crucial to maintaining a strong cybersecurity posture. They have limitations to what they’re telling you.
While they’re a helpful first step to understanding your security posture, vulnerability scans are not a true measurement of risk. They can miss weaknesses and leave your company open to big threats.
Keep reading to understand the limits of a vulnerability scan and how to find the vulnerabilities it might miss.
What is a Vulnerability Scan?
Vulnerability scans tell us the known vulnerabilities that exist in an organization. It is an automated process that discovers and reports on vulnerabilities in systems, software, and networks.
By looking for exploits or flaws in software, they give you an idea of what vulnerabilities need to be fixed and whether your current patching or update process does a good job of fixing them.
Vulnerability Scan Limitations
A vulnerability scan only looks for known vulnerabilities—i.e., vulnerabilities that have been reported. Basically, it looks for a marker that a patch or upgrade has been installed.
Limitations of a vulnerability scan:
- It doesn’t know whether the patch is effective or not, which means some of your patches could be only partially mitigating a vulnerability.
- Vulnerability scanning does not provide a comprehensive report of complex attack scenarios or give visibility into the context of a vulnerability.
- They don’t test everything that other testing, like penetration testing, does, such as SaaS applications like Salesforce and Microsoft 365.
What Happens If You Miss a Critical Vulnerability
If you miss a critical vulnerability, it’s a big risk. They can leave critical data and systems exposed to attackers and the public. In turn, malicious actors can use all of this against you to infiltrate your network and compromise your systems and data.
And the cost of a successful exploit is anything but small: Missing a vulnerability could result in business downtime and even millions of dollars of damage to a company. Make sure your cybersecurity incident response plan is ready in case a successful exploit happens.
How to Uncover Vulnerabilities That a Scan Might Miss
Here are four methods our experts at ProArch recommend and use to bring context to a vulnerability scan’s results. Use these next time you perform a vulnerability scan to find threats that may still be lurking.
1. Cross-Reference Vulnerability Scan Results with Threat Intelligence Sources
Threat intelligence sources provide context, real-time information, and insights into the latest tactics, techniques, and procedures (TTPs) employed by threat actors.
These sources offer essential information about the known vulnerabilities and exploits that are actively used by attackers, as well as providing early warning alerts and warnings about emerging threats.
They can help you understand the specific threats that are relevant to your industry, technologies, and geographic location. Using this added context with the vulnerabilities found from a scan enables you to prioritize where to focus for greatest risk reduction.
Here are some threat intelligence sources to consider subscribing to:
- Infraguard
- CISA Automated Indicator Sharing
- AlienVault Open Threat Exchange
- SANS Internet Storm Center
- Cisco Talos Intelligence
2. Manually Inspect Source Code
In the case of a custom application, manual inspection of source code is crucial to identify vulnerabilities. Examining the source code helps identify common vulnerabilities at the code level, such as SQL injection, cross-site scripting (XSS), and security misconfigurations. By manually inspecting the code, you can find vulnerabilities that are specific to an application’s logic and unique features.
3. Open-Source Information Gathering
As we’ve established, analyzing outside of what scans reveal is essential, and that involves open-source information gathered from the dark web, the public web, and brand-related sources.
Information about a company's organizational structure, employee details, technology stack, and data mistakenly accessible to the public is commonly found on the public web. On the dark web, you may find things like employee credentials and specific exploit tools or techniques.
These sources will help reveal if any sensitive or proprietary information has been leaked like employee credentials.
4. Get a Penetration Test
If you're not sure where your security posture stands, investing in penetration testing (pen test) is the best way to identify vulnerabilities and risks in your environment quickly.
With a penetration test, you can answer three key questions:
- Are there vulnerabilities we don’t know about?
- Are our security investments working?
- Will we pass our next compliance audit?
Penetration testing is a best practice for continuously validating the security controls in place to ensure assets are protected. More specifically, penetration testing services is an exercise where an ethical hacker tests the security measures of a business to identify vulnerabilities and assess the effectiveness of its security defenses.
At the end of the day, vulnerability scans are an important part of maintaining security. But don’t take the results at face value. Dig into the findings, keep up with attackers’ tactics, and check your code. If any of these additional activities outside of a vulnerability scan are out of your wheelhouse, ProArch has the expertise and cybersecurity solutions to help.