Tactical Advice

The Pros and Cons of Vulnerability Scanning

Passing a scan does not necessarily guarantee your company’s security.

Vulnerability scanning is a staple of information security, but no software is perfect. Vulnerabilities are discovered on a daily basis — possibly exposing critical systems or data to exploit and compromise — so it is essential that IT admins identify those vulnerabilities and manage the associated risks. However, it is equally imperative that IT admins not fall for the trap of assuming that passing a vulnerability scan guarantees security.

There are different types of vulnerability scanners that operate at different levels of invasiveness. Some simple scanners just check the Windows Registry and software version information to determine whether the latest patches and updates have been applied. More comprehensive vulnerability scanning involves actually poking and prodding the system to determine whether it is truly vulnerable.

In either case, vulnerability scanners are a bit like antivirus software. They rely on a database of known vulnerabilities (signatures or plugins) and are only as current as their last update. Checking your systems with outdated or inferior vulnerability scanning software can provide a false sense of security and offers little protection against current threats.
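As an added illustration (example code written for this page, not from the author or from any scanner vendor), here is a toy version-based check of the kind the simpler scanners described above perform. The product name, check identifiers, banners and fixed-in versions are all constructed for the example; they do not refer to real software or real vulnerabilities. It shows three things a practitioner cares about: versions must be compared numerically rather than as strings ("2.4.10" sorts before "2.4.9" lexically); a distribution-backported build cannot be judged from its version string alone and needs an active check or a package query; and a host for which the database has no check is reported as "not covered", never as "clean".

```python
"""Toy version-based vulnerability check (constructed example, not a real scanner).

The check database, product name and banners below are hypothetical.
"""
import re

# Constructed check database: (check id, product, first fixed version).
# The ids are placeholders, not real vulnerability identifiers.
CHECKS = [
    {"id": "EXAMPLE-0001", "product": "exampled", "fixed_in": (2, 4, 10)},
    {"id": "EXAMPLE-0002", "product": "exampled", "fixed_in": (2, 5, 0)},
]

# Accepts "product/1.2.3", "product_1.2.3" or "product 1.2.3", followed by an
# optional release suffix such as "-3+deb12u4" that distributions append.
BANNER_RE = re.compile(
    r"^(?P<product>[A-Za-z][\w-]*?)[_/ ](?P<version>\d+(?:\.\d+)*)(?P<suffix>\S*)"
)
# Distribution-style release tags: the upstream version stays old while the
# fix is backported, so the version string alone cannot settle the question.
BACKPORT_RE = re.compile(r"(deb|ubuntu|el|fc)\d+", re.IGNORECASE)


def parse_version(text, width=3):
    """'2.4.9' -> (2, 4, 9); pad so that '2.5' and '2.5.0' compare equal."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (width - len(parts)))


def check_banner(banner):
    """Classify one service banner against CHECKS.

    Returns a dict with 'status' in {'unknown', 'not_covered', 'clean',
    'vulnerable', 'needs_verification'} and the list of matching check ids.
    """
    m = BANNER_RE.match(banner.strip())
    if not m:
        return {"banner": banner, "status": "unknown", "findings": []}
    product = m.group("product").lower()
    version = parse_version(m.group("version"))
    applicable = [c for c in CHECKS if c["product"] == product]
    if not applicable:
        # No check exists for this product: the scan says nothing about it.
        return {"banner": banner, "status": "not_covered", "findings": []}
    findings = [c["id"] for c in applicable if version < c["fixed_in"]]
    if not findings:
        status = "clean"
    elif BACKPORT_RE.search(m.group("suffix")):
        # Version looks old but the build may carry a backported fix.
        status = "needs_verification"
    else:
        status = "vulnerable"
    return {"banner": banner, "status": status, "findings": findings}


def scan(banners):
    """Group results by status so 'not_covered' stays visible instead of
    being folded into 'clean'."""
    summary = {}
    for b in banners:
        r = check_banner(b)
        summary.setdefault(r["status"], []).append(r)
    return summary


if __name__ == "__main__":
    # Constructed sample banners (not captured from real hosts).
    SAMPLE = [
        "exampled/2.4.9",
        "exampled/2.4.10",
        "exampled/2.5.1",
        "exampled/2.4.9-3+deb12u4",
        "otherd 1.0",
    ]
    for status, results in scan(SAMPLE).items():
        for r in results:
            print(f"{status:18} {r['banner']:28} {r['findings']}")
```

The "needs_verification" and "not_covered" statuses are the point: a report that collapses either of them into "clean" is exactly the false sense of security the paragraph above warns about.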

"The problem is that what you want to do is prove something is secure, which you can't do by any amount of testing for vulnerabilities,” says Marcus Ranum, chief security officer of Tenable Security. “We need software and operating systems that offer reasonable guarantees of integrity, but instead we've got plug-and-play USB, auto-run, etc.”

The result can become a game of Whac-A-Mole — an endless cycle of identifying vulnerabilities and then racing against the clock to patch them before attackers develop exploits for them.

"I certainly agree that vulnerability scanning isn't a silver bullet,” says Gordon "Fyodor" Lyon, creator of the Internet security resource site Nmap. “But firewalls won't solve all your problems either; both are important components of any network security strategy.”

Stressing the value of vulnerability scanning, Lyon also points out that attackers looking to infiltrate and compromise networks are using vulnerability scanners to identify weaknesses. So, even if a vulnerability scan is not a perfect security solution, it is at least a tool that can help proactively identify issues and resolve them before attackers have a chance to exploit them.

Ranum agrees that vulnerability scanning is a valuable tool. But he stresses that having a vulnerability scanner that is capable of detecting poor code, though it helps, is not a substitute for secure coding practices.

An Ongoing Process

Still, it is crucial for IT admins to understand that a scan can't prove a negative. A clean vulnerability scan shows only that a network or PC is not exposed to the specific vulnerabilities the scanner tested for; it does not show that the system is secure against anything the scanner did not test.

Think of it as similar to locking down a building. You can walk around and verify that all the doors and windows you are aware of are locked. However, an attacker could still find a door or window that you missed or come in through the air ducts. In other words, all you can say for sure is that the doors and windows you checked are secure, but you can't guarantee that there is absolutely no way into the building.

Gary Davis, senior group manager for McAfee's Risk and Compliance group, explains that vulnerabilities are constantly surfacing, so vulnerability scanning has to be performed on a regular basis. “It's like brushing your teeth — just because you did it yesterday doesn't mean you don't have to do it today as well.”

However, Davis also points out that the results of a vulnerability scan are only as valuable as the willingness of the IT admin to accept the results and act on them. Simply identifying vulnerabilities might be enlightening, but in and of itself it does very little to reduce your risk or improve your security, he adds.

In fact, depending on which compliance mandates your company falls under, vulnerability scanning may not be optional. For example, PCI DSS requires quarterly internal and external vulnerability scans (the external scans performed by an Approved Scanning Vendor) and rescans after significant changes, so any organization that stores, processes or transmits cardholder data is expected to perform vulnerability scans.

About the Author

Tony Bradley

Tony Bradley writes and blogs on network security and other technology topics. You can follow Tony on his Facebook page, or contact him by e-mail at tony_bradley@pcworld.com. He also tweets as @TheTonyBradley.
