The Lockdown

Thycotic’s Cyber Security Blog

Why Authenticated Scanning Matters, and How To Do It Right

Written by Thycotic Team

October 20th, 2015

Earlier this month, a few of us from Thycotic attended the Qualys Security Conference (QSC) and had the opportunity to speak at one of their spotlight sessions about authenticated scanning and how to do it right with Thycotic Secret Server. Surprisingly, in speaking with several of the attendees there, we discovered that many of them were still not running authenticated scans to support their vulnerability analysis programs. From a security standpoint, running vulnerability scans that authenticate against the target should be an absolutely mandatory part of the program. These scans provide immense value over scans performed from a remote, non-authenticated posture. Our purpose at QSC was to share how automating and integrating privileged account management functions can make authenticated scanning easier, extend coverage to more devices so that more of your scans are authenticated, and handle authentication more securely overall. However, it became clear that we could also help those who didn’t understand the true value of authenticated scanning in the first place, or felt that it simply couldn’t be done in their organization.

To be fair, a non-authenticated scan does give you some small amount of value: it provides basic asset information about the target, gives you some perspective on how the target advertises itself on your network, and can report vulnerabilities in the services that face the network. But if an attacker gains a foothold on the target system itself, with an account of any privilege level, a typical system exposes a large number of additional vulnerabilities that can be exploited. These vulnerabilities tend to be more severe, as they can allow an attacker to take over the local administrator account or otherwise elevate the privilege of an account they’ve already compromised. Once that is done, these administrator or elevated accounts can be used to stage even larger and broader attacks against your environment. The only way to get your arms around these system-internal vulnerabilities and mitigate them before they are exploited by a hacker is to perform vulnerability scans that authenticate to the target with a privileged account and use that access to find all of the internal vulnerabilities present.

By authenticating your vulnerability scans, you gain all of the following benefits:

  • More vulnerability detections
    • Discover many more vulnerabilities that can’t be discovered without authenticating to the target
    • Obtain vulnerability information on applications, core OS functions, and other non-remote facing components of the target system
  • More accuracy
    • Reduction in the number of false positives
    • Obtain more detailed information about remotely-discovered vulnerabilities
  • Better Reporting and Analysis
    • Get a more complete list of patch requirements
    • Increased trend analysis capability for monitoring overall security posture
    • Gain complete visibility into the state of the target system, including application inventory, system configuration and more
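The two paragraphs and the list above make three claims: an unauthenticated scan only sees network-facing services, it misflags hosts whose distribution backported a fix without bumping the advertised version, and it cannot see local-only components such as sudo or the kernel. The following script, an added example that is not code from Thycotic, Qualys or this post, models both scan types against one constructed host and a constructed advisory list (the ADV-000x labels are placeholders, not real CVEs). The version comparison is deliberately simplified: it turns every run of digits into an integer tuple and ignores epochs and letter suffixes, which real dpkg/rpm comparison logic handles.

```python
"""Model of unauthenticated (banner-based) vs authenticated (package-based)
vulnerability detection on one host. All data below is constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    ident: str            # constructed label, not a real CVE identifier
    package: str          # distro package the advisory applies to
    fixed_upstream: str   # first upstream release with the fix
    fixed_distro: str     # distro package revision that backported the fix


# Constructed advisory list: two network-facing services, two local-only packages.
ADVISORIES = [
    Advisory("ADV-0001", "openssh-server", "7.4", "7.2p2-4ubuntu2.3"),
    Advisory("ADV-0002", "nginx", "1.12.0", "1.10.3-0ubuntu0.16.04.3"),
    Advisory("ADV-0003", "sudo", "1.8.20", "1.8.16-0ubuntu1.6"),         # local privilege escalation
    Advisory("ADV-0004", "linux-image", "4.4.0-150", "4.4.0-150"),       # kernel, not a listening service
]

# What an unauthenticated scanner learns from the network (constructed banners).
BANNERS = {"ssh": "OpenSSH_7.2p2", "http": "nginx/1.10.3"}

# What an authenticated scanner reads from the host's package database (constructed).
PACKAGES = {
    "openssh-server": "7.2p2-4ubuntu2.8",       # backported fix already applied
    "nginx": "1.10.3-0ubuntu0.16.04.2",         # one revision behind the backport
    "sudo": "1.8.16-0ubuntu1.5",                # vulnerable, never visible on the wire
    "linux-image": "4.4.0-142",                 # vulnerable, never visible on the wire
}

# Banner product name -> package name (constructed mapping).
BANNER_PACKAGE = {"OpenSSH": "openssh-server", "nginx": "nginx"}


def vtuple(version: str) -> tuple:
    """Simplified version key: every run of digits becomes an integer.
    Ignores epochs and ordering rules of real package managers."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


def unauthenticated_scan(banners: dict, advisories: list) -> set:
    """Flag an advisory when the advertised upstream version predates the fix.
    Cannot see distro backports or packages that do not listen on the network."""
    findings = set()
    for banner in banners.values():
        match = re.match(r"([A-Za-z]+)[_/]([\d.p]+)", banner)
        if not match:
            continue
        product, version = match.groups()
        package = BANNER_PACKAGE.get(product)
        for adv in advisories:
            if adv.package == package and vtuple(version) < vtuple(adv.fixed_upstream):
                findings.add(adv.ident)
    return findings


def authenticated_scan(packages: dict, advisories: list) -> set:
    """Flag an advisory when the installed distro revision predates the backport.
    Sees every installed package, listening or not."""
    findings = set()
    for adv in advisories:
        installed = packages.get(adv.package)
        if installed is not None and vtuple(installed) < vtuple(adv.fixed_distro):
            findings.add(adv.ident)
    return findings


def compare_scans(banners: dict, packages: dict, advisories: list) -> dict:
    """Treat the authenticated result as ground truth and classify the gaps."""
    unauth = unauthenticated_scan(banners, advisories)
    auth = authenticated_scan(packages, advisories)
    return {
        "missed_by_unauthenticated": auth - unauth,      # local-only findings
        "false_positives_unauthenticated": unauth - auth,  # backported fixes misflagged
        "confirmed_by_both": auth & unauth,
    }


if __name__ == "__main__":
    for key, value in compare_scans(BANNERS, PACKAGES, ADVISORIES).items():
        print(f"{key}: {sorted(value)}")
```

On this host the banner-only scan reports the patched OpenSSH as vulnerable and never sees the sudo or kernel issues, while the authenticated scan reports exactly the three packages that are actually behind their fixed revision. That is the "more detections, fewer false positives" trade-off from the list above, reduced to a reproducible check.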

If your organization is running some sort of vulnerability analysis tool but isn’t taking advantage of all of the benefits of performing those scans with authentication, you should make this a higher priority in your environment. The accuracy of the information and the larger volume of data you are able to gather should alone be sufficient to make it worthwhile, let alone the better security posture assessment you’ll be able to perform as well. While there are some obstacles organizations face in running authenticated scans, almost all of them can be resolved by leveraging automation and integration with other systems, including a privileged account management tool like Thycotic Secret Server. If your admins are concerned about giving up their credentials to the security team, Thycotic Secret Server can store them securely and ensure the security team can never see or use them, while allowing the Qualys scanners to do so automatically and seamlessly. If the issue is simply that no one knows what the administrator accounts are for all the systems on your network, you can use the Account Discovery function within Thycotic Secret Server to automatically query and find the accounts on all of the target systems, take control of them, and secure them, so that not only does your scanning tool perform better, but your teams can now leverage these accounts as well.

The benefits are simply too great, and most organizations have the means to easily and securely handle authenticated scanning. Now is the time to look into how to get your authenticated scans up and running, and to start hardening your environment before the vulnerabilities you don’t know about end up causing the next data breach on your network.