
CAS Modbus Scanner – Chipkin Automation Systems


What is the CAS Modbus Scanner?

CAS Modbus Scanner is a utility that retrieves coils, discrete inputs, holding registers and input registers from a Modbus-enabled device. Values read from the device can be viewed in many formats, including binary, hex, Uint16, Int16, Uint32, Int32 and Float32.

The utility can also discover Modbus devices on your network when you do not know their address. It does this by trying every slave address, function code, length and offset and recording which combinations return data or a Modbus exception rather than silence: a device that answers with an exception still reveals that it exists at that address.


Modbus for Field Technicians (Free!)

Learning about Modbus? Want to update your Modbus knowledge? This free EBook will guide you through basic and advanced Modbus topics.

You can purchase a hardcopy of this book from Amazon or you can download the Modbus for Field Technicians for free from our website.

Application and System Requirements

Use the CAS Modbus Scanner to find the correct port settings and the correct slave address. The tool automates the process of trying all the combinations and reports the results.

The tool works for RS232 and RS485 by allowing you to search for a single device or multiple slaves. To connect to a RS485 network from your laptop you simply need a USB-to-485 converter.
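The discovery approach described above (try every address and offset, treat any reply, including an exception, as a hit) and the register formats listed earlier are easy to see in a few dozen lines. The following is an added example, not Chipkin's code; it assumes Modbus/TCP framing (serial RTU framing with its CRC is not covered) and stands in for the network with a constructed responder so it runs offline. Keep in mind that exhaustive probing of live PLCs can disturb them; run such sweeps only on networks where that is acceptable.

```python
import struct

# Modbus public function codes for the four object types the scanner reads.
READ_COILS = 0x01
READ_DISCRETE_INPUTS = 0x02
READ_HOLDING_REGISTERS = 0x03
READ_INPUT_REGISTERS = 0x04

# Exception codes from the Modbus application protocol specification.
EXCEPTION_NAMES = {
    0x01: "ILLEGAL FUNCTION",
    0x02: "ILLEGAL DATA ADDRESS",
    0x03: "ILLEGAL DATA VALUE",
    0x04: "SLAVE DEVICE FAILURE",
    0x0B: "GATEWAY TARGET DEVICE FAILED TO RESPOND",
}


def build_request(transaction_id, unit_id, function, offset, count):
    """Modbus/TCP frame: 7-byte MBAP header followed by a read-request PDU."""
    pdu = struct.pack(">BHH", function, offset, count)
    # protocol id is always 0; the length field counts unit id + PDU
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def classify_response(request, response):
    """Return (state, detail). An exception reply still proves a device is there."""
    if response is None:
        return "silent", "no reply: wrong unit id, wrong serial settings, or filtered"
    if len(response) < 8:
        return "malformed", "shorter than MBAP header plus function code"
    tid, proto, length, unit = struct.unpack(">HHHB", response[:7])
    req_tid = struct.unpack(">H", request[:2])[0]
    if tid != req_tid or proto != 0 or unit != request[6] or length != len(response) - 6:
        return "malformed", "MBAP header does not match the request"
    function = response[7]
    if function == request[7] | 0x80:               # exception: high bit set
        code = response[8] if len(response) > 8 else None
        return "exception", EXCEPTION_NAMES.get(code, f"code {code!r}")
    if function != request[7]:
        return "malformed", "function code does not echo the request"
    byte_count = response[8]
    data = response[9:9 + byte_count]
    if len(data) != byte_count:
        return "malformed", "byte count does not match payload"
    return "data", data


def decode_registers(data, fmt, word_order="big"):
    """Decode raw register bytes the way the scanner's value views do."""
    if fmt in ("uint16", "int16"):
        code = "H" if fmt == "uint16" else "h"
        return list(struct.unpack(">" + code * (len(data) // 2), data))
    code = {"uint32": "I", "int32": "i", "float32": "f"}[fmt]
    words = [data[i:i + 2] for i in range(0, len(data), 2)]
    values = []
    for first, second in zip(words[0::2], words[1::2]):
        # devices disagree on which 16-bit word holds the high half of a 32-bit value
        raw = first + second if word_order == "big" else second + first
        values.append(struct.unpack(">" + code, raw)[0])
    return values


def discover(responder, unit_ids, function=READ_HOLDING_REGISTERS, offset=0, count=2):
    """Probe each unit id; anything that answers, even with an exception, is a device."""
    found = []
    for tid, unit in enumerate(unit_ids, start=1):
        request = build_request(tid, unit, function, offset, count)
        state, detail = classify_response(request, responder(request))
        if state != "silent":
            found.append((unit, state, detail))
    return found


def canned_responder(request):
    """Constructed stand-in for a real network: unit 1 answers with two registers
    holding the float 12.5, unit 2 answers ILLEGAL DATA ADDRESS, all others stay silent."""
    tid, unit = request[0:2], request[6]
    if unit == 1:
        return tid + struct.pack(">HHB", 0, 7, 1) + bytes([0x03, 0x04, 0x41, 0x48, 0x00, 0x00])
    if unit == 2:
        return tid + struct.pack(">HHB", 0, 3, 2) + bytes([0x83, 0x02])
    return None


if __name__ == "__main__":
    for unit, state, detail in discover(canned_responder, range(1, 248)):
        if state == "data":
            detail = decode_registers(detail, "float32")
        print(f"unit {unit}: {state} {detail}")
```

Against a real device, replace `canned_responder` with a function that writes the frame to a TCP socket on port 502 and returns whatever arrives before a short timeout (None on timeout). The word-order parameter matters in practice: the same four bytes decode to 12.5 with big word order and to a tiny denormal with little word order, which is why the scanner offers several views of the same registers.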

Thanks for choosing Chipkin’s protocol gateways, data clients, and integration services to meet your building and industrial automation requirements!

Chipkin™ is a building and industrial automation protocol expert. We develop, configure, install and support gateways (protocol converters), data loggers and remote monitoring and control applications. Founded in October 2000, Chipkin provides expert solutions for converting BACnet®, Modbus® and LonWorks®, to name just a few, and enabling interfaces for HVAC, fire, siren, intercom, lighting, transportation and fuel systems. The high-quality products we offer (including those from other vendors) interface with Simplex™, Notifier™, McQuay™, GE™ and many others, so you can rest assured that we will select the most appropriate solution for your application.

With Chipkin you are buying a solution. Our configuration expertise in this field, combined with free BACnet and other tools, ensures your success, and our customer support via phone, e-mail and remote desktop tools means that we are there when you need us. Chipkin is a small, responsive company that lives or dies by the quality of its service, and with offices in two time zones we can provide support when you need it. Give us a call now!

Customer Support

Chipkin is proud to provide support for the products we sell. For technical support, sales, and customer service, please contact us at 1 (866) 383-1657

Scanning on Demand | Document Scanning and Storage Service

CAS document scanning and digitisation service enables you to store the hard copies of your documents safely and securely off-site at our state-of-the-art storage facilities — and request a digital copy of each document as you need it. You don’t have to scan all your documents in one go to benefit from safe, secure archive storage and fast digital retrieval. With our scan-on-demand service you can request a digital copy of any document you need, whenever you need it.

The benefits of our scan-on-demand and archive scanning services include:

On-Demand Scanning – Enjoying ‘on demand’ access to a digital copy of the documents you need, when you need them – there’s no need to pay to scan documents that you might never need to see digitally.

Pinpoint Accuracy

Ensuring that your files can be pinpointed wherever they are in our warehouse thanks to our state of the art RFID barcoding and document tracking system, so that they are easy to access and scan as the need arises.

Security

Knowing that all your documents are being stored in high security, fire-proofed warehousing by a company with industry-leading accreditation, whether you need digital or hard copies of the documents.

Fast Access

Getting fast access to a digital version of your document with our express service, which guarantees a two-hour turnaround time, should you need to view a document urgently.

Cost Savings

Lowering your costs compared to on-site document storage, as you free up valuable office space, while gaining easy access to digital copies of the documents you need.

How Scan-on-demand works

Every organisation has some documents which it needs to keep in order to comply with regulations, but which nobody needs to view regularly in a digital format. You can make cost-effective use of your archived documents by choosing scanning on demand, and having us scan only those documents that you will actually need. For all other documents, which you might only need to call up as hard copies on rare occasions, you can benefit from CAS archive storage.

Once you have indicated that you need a digital copy of a file, it is prepared for scanning by our experienced document management professionals. They remove extraneous items such as paper clips and staples, and individually scan each page including any additional items such as added notes and post-its. After they are scanned, the files are coded and the digital record added to your virtual record library. The original records are then returned to their storage box.

Did you know? CAS offers a wide range of robust document storage boxes, Lloyd George medical records boxes and document storage bags.

Whichever of our warehouses your files are stored in, and wherever you are in the world, you can access the scan-on-demand document you have requested digitally, either via our secure CAS-Cloud or by having it sent straight to your e-mail inbox. When the situation demands it, our express service guarantees a two-hour turnaround time for urgent requests.

Sending scanned copies or documents in electronic form does not prevent the initiation of disciplinary proceedings

Lawyers noted that under today's conditions, filing documents by e-mail is inevitable. One of them pointed out that situations in which a complaint, submission or appeal received in electronic form comes from an improper person are unlikely to be frequent, especially since this will be identified and verified later. The other believes that verification should be mandatory rather than left to the discretion of the regional chambers of lawyers.

A clarification by the Commission on Ethics and Standards (CES) of the Federal Chamber of Lawyers (FCL) of the Russian Federation, approved by the FCL Council on July 8, has been published concerning the filing in electronic form of complaints, submissions and appeals for initiating disciplinary proceedings.

In the document, the CES responded to a request from the Council of the St. Petersburg Chamber of Lawyers as to whether a complaint, submission or appeal listed in Art. 20 of the Code of Professional Ethics for Lawyers (CPEL) is an admissible ground for initiating disciplinary proceedings if it reaches the chamber by e-mail as an electronic document or as an electronic image of a document.

In its explanation, the Commission proceeded from the definitions that an electronic document is a document created in electronic form and signed with an electronic signature, whereas an electronic image of a document is a scanned copy of a document made on paper.

The Commission noted that the CPEL distinguishes two forms in which participants in disciplinary proceedings submit information during the consideration of a disciplinary case: oral and written. Since, under the Code of Civil Procedure, the Arbitration Procedure Code and the Code of Administrative Procedure, such documents belong to the written form of submitting information, the CES concluded that filing a complaint, submission or appeal as an electronic document or a scanned copy does not breach the requirement of clause 2 of Art. 20 of the CPEL.

The clarification stresses, however, that the applicant must be properly identified. In this connection, on April 22, 2013 the VI All-Russian Congress of Lawyers supplemented clause 1 of Art. 21 of the CPEL to state that the ten-day period for initiating disciplinary proceedings may be extended to a month. Identification may be required, for example, when a document arrives from an e-mail address whose owner is unknown to the chamber of lawyers, the CES concluded.

In a comment to Advokatskaya Gazeta (AG), Vahram Shiroyan, chairman of the Commission for the Protection of Lawyers' Rights of the Sevastopol Chamber of Lawyers, noted that from today's standpoint an electronic form of appeal is inevitable. “At first glance, a received electronic document may raise doubts, but situations in which a complaint, submission or appeal received in electronic form is sent by an improper person are unlikely to be frequent, especially since this will be identified and verified later,” he explained.

According to Svetlana Tarasyuk, attorney at Polkovnikov, Tarasyuk & Partners, modern realities dictate their own rules; in particular, the digital world keeps expanding its borders and invading new areas of activity. This trend has not bypassed the legal profession as a whole, nor (predictably, given the anti-epidemic measures in force) disciplinary proceedings.

While recognizing an appeal sent by e-mail as an electronic document or an electronic image of a document as an admissible ground for initiating disciplinary proceedings, the CES of the FCL nevertheless drew the chambers' attention to the need to verify complaints, submissions and appeals received in that form by properly identifying the applicant. Therefore, Svetlana Tarasyuk stressed, the mere filing of a complaint, submission or appeal in electronic form does not entail mandatory initiation of disciplinary proceedings; it can only be an admissible ground for it, provided the applicant is identified.

“At the same time, the CES leaves it to the chambers of lawyers to determine for themselves the methods and measures for verifying documents, stipulating only that these measures must be reasonable. I would prefer that verification of the complaints, appeals and statements that serve as grounds for initiating disciplinary proceedings be mandatory rather than depend on the discretion of the regional chambers of lawyers, which would serve as a kind of guarantee protecting a lawyer from unfounded disciplinary prosecution,” she noted.

we scan the network ourselves / Sudo Null IT News

In the light of recent events in the world, many companies have switched to remote work. To keep business processes running, applications that were never meant to be exposed directly, such as internal corporate web applications, have been placed on the network perimeter (we recently published a study on this topic). Where the IT and information security teams do not work closely together, a business application can appear on the perimeter without the security team knowing anything about it.

Periodic surveys of the organization's perimeter address these problems. Network scanners, IoT search engines, vulnerability scanners and security analysis services are all suited to the task. Below we look at the types and parameters of scanning, their advantages and disadvantages, commonly used tools, and ways of processing the results.

Ping scan

The first type of scanning is ping scanning. Its task is to detect live hosts on the network. Ping scanning means sending ICMP packets: the scanner sends an Echo Request to each specified IP address and waits for an Echo Reply. If a reply arrives, a host is considered present at that address.

ICMP is widely used by network administrators for diagnostics, so perimeter security must be configured carefully to avoid disclosing host information. For corporate networks this type of scan is of little use from the outside, because most protection tools block ICMP, or at least replies to it, by default. Absent non-standard requirements, a corporate network usually allows the following ICMP message types outbound: Destination Unreachable, Echo Request and Parameter Problem (bad IP header); and inbound: Echo Reply, Destination Unreachable, Source Quench, Time Exceeded and Parameter Problem. (Source Quench has been deprecated since RFC 6633 and can simply be dropped.) A silent host is therefore not necessarily a dead one; nmap's default host discovery, for instance, also sends a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request. Local networks rarely have such a strict policy, so attackers who have already penetrated the network can use this method, but it is easy to detect.
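The exchange above, Echo Request out and Echo Reply back, is small enough to build by hand, and doing so shows the two checks a sweep has to make before trusting a reply: the RFC 1071 checksum and the identifier that ties the reply to our own probes. The code below is an added example, not part of the original article; it replaces the network with a constructed stand-in (`canned_network`, addresses from the RFC 5737 documentation range) so it runs offline.

```python
import struct

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0


def inet_checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                         # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(identifier, sequence, payload=b"ping-sweep"):
    """ICMP header (type, code, checksum, id, seq) plus payload, checksum filled in."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, identifier, sequence)
    checksum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, checksum, identifier, sequence) + payload


def parse_echo_reply(packet, identifier):
    """Return (sequence, payload) for a well-formed Echo Reply to our identifier, else None."""
    if len(packet) < 8 or inet_checksum(packet) != 0:   # a valid packet sums to zero
        return None
    icmp_type, code, _, ident, seq = struct.unpack("!BBHHH", packet[:8])
    if icmp_type != ICMP_ECHO_REPLY or code != 0 or ident != identifier:
        return None                                     # someone else's ping, or not a reply
    return seq, packet[8:]


def sweep(targets, send, identifier=0x1234):
    """Ping each target once; `send(target, packet)` returns the reply bytes or None."""
    live = []
    for seq, target in enumerate(targets, start=1):
        reply = send(target, build_echo_request(identifier, seq))
        if reply is not None and parse_echo_reply(reply, identifier) is not None:
            live.append(target)
    return live


# --- constructed stand-in for a network, so the example runs offline ---

def make_reply(request):
    """What a host's IP stack does: same id, seq and payload, type 0, fresh checksum."""
    _, _, _, ident, seq = struct.unpack("!BBHHH", request[:8])
    body = request[8:]
    header = struct.pack("!BBHHH", ICMP_ECHO_REPLY, 0, 0, ident, seq)
    checksum = inet_checksum(header + body)
    return struct.pack("!BBHHH", ICMP_ECHO_REPLY, 0, checksum, ident, seq) + body


LIVE_HOSTS = {"192.0.2.10", "192.0.2.20"}        # constructed; RFC 5737 documentation range


def canned_network(target, request):
    if target in LIVE_HOSTS:
        return make_reply(request)
    if target == "192.0.2.30":
        # a stray reply carrying another identifier: must not count as live
        return make_reply(request[:4] + b"\xbe\xef" + request[6:])
    return None                                      # filtered, or no host


if __name__ == "__main__":
    print(sweep(["192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"], canned_network))
```

To send for real, replace `canned_network` with a function that writes the packet to a raw socket (`socket.socket(AF_INET, SOCK_RAW, IPPROTO_ICMP)`, which needs root or CAP_NET_RAW) and reads the answer with a timeout; on Linux a raw ICMP socket hands back the IP header as well, so skip its first IHL*4 bytes before calling `parse_echo_reply`.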

Port scan

Let us group TCP scanning and UDP scanning under the general name port scanning. These methods determine which ports on a host are available, and from that data an assumption is made about the operating system in use or the specific application running on the target. Port scanning consists of exploratory connection attempts against external hosts. The main methods implemented in automated network scanners are:

  1. TCP SYN,
  2. TCP CONNECT,
  3. UDP scan.

TCP SYN is by far the most common method (it is nmap's default when run with raw-socket privileges). It is called half-open scanning because the connection is never completed: a SYN segment is sent to the port under investigation and the reply determines the port state. A SYN/ACK means the port is listening (open); an RST means it is not (closed). The scanner answers a SYN/ACK with an RST instead of finishing the handshake, so the application behind the port never sees a connection.

If no reply arrives after several retries, traffic to that port is being filtered by a firewall (hereafter simply "filtered"). A port is also marked filtered when the reply is an ICMP Destination Unreachable message with one of the codes that indicate the probe was refused on the way (host, protocol or port unreachable, or network, host or communication administratively prohibited).

TCP CONNECT is less common than TCP SYN but still widely used. It attempts a full TCP connection to the port, completing the three-way handshake (SYN, SYN/ACK, ACK). The connection is established through the operating system's socket API, so the method needs no raw-socket privileges, but the application behind the port sees a completed connection, which is more likely to be blocked by a protection tool and to appear in its event log.

UDP scanning is slower and harder than TCP scanning, and UDP ports are therefore often forgotten: scanning all 65,535 UDP ports of a single host with default parameters takes up to 18 hours in most automated scanners, largely because hosts rate-limit their ICMP port-unreachable replies (Linux defaults to about one per second). The time can be reduced by scanning hosts in parallel and in a number of other ways. UDP services deserve attention, because many of the infrastructure services that interest attackers run over UDP.

UDP services commonly found on network perimeters: DNS (53), NTP (123), SNMP (161), VPN (IKE 500, OpenVPN 1194, NAT-T 4500) and Remote Desktop Gateway (3391). Less common: echo (7), discard (9), chargen (19), daytime (13), TFTP (69), SIP (5060), NFS (2049), RPC services (111, 137-139, 761 and others) and the MS SQL browser service (1434).

To determine the state of a port, a UDP datagram with an empty payload is sent. If an ICMP Destination Unreachable message with the code "port unreachable" comes back, the port is closed; other unreachable codes (host unreachable, protocol unreachable, network administratively prohibited, host administratively prohibited, communication administratively prohibited) mean the port is filtered. If the port answers with a UDP packet, it is open. Because UDP offers no delivery guarantee, probes are repeated several times, usually three or more. If no reply ever arrives, the port is reported as open|filtered, since it cannot be told whether a security device dropped the probe, the packet was lost, or a service received it and simply did not answer.

To pin the state down and identify the service listening on a UDP port, a protocol-specific payload is sent that should provoke a recognizable reply from the application under study (nmap does this with its per-port payload list and with service version detection).

Rare scanning methods

Methods that are rarely used in practice:

  1. TCP ACK,
  2. TCP NULL, FIN, Xmas,
  3. Idle scan.

The purpose of the ACK scan is to map firewall rules and determine which ports are filtered. Only the ACK flag is set in the probe. Both open and closed ports return an RST, because they are reachable by ACK segments, so the scan cannot tell them apart and reports them as unfiltered. Ports that do not respond, or that trigger an ICMP Destination Unreachable message with certain codes, are reported as filtered.

The TCP NULL, FIN and Xmas methods send segments with unusual flag combinations. A NULL scan sets no flags, a FIN scan sets only FIN, and an Xmas scan sets FIN, PSH and URG. They rely on a property of RFC 793: if a port is closed, an incoming segment that does not carry RST causes an RST to be sent back; if the port is open, the segment is discarded without reply. An ICMP unreachable error means the port is filtered. These methods are stealthier than a SYN scan but less accurate, because not all systems follow RFC 793: Windows and many Cisco devices, for example, answer RST regardless of port state, so every port looks closed.
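The SYN, CONNECT, UDP, ACK and NULL/FIN/Xmas rules above are one decision table, and writing it down as code makes the differences between the methods (why UDP needs retries, why ACK can only say "unfiltered", why a silent port means different things per scan) explicit. This is an added example, not the article's own code; the ICMP codes follow nmap's interpretation, and the target (`HOST`, `canned_host`) is constructed so the example runs offline, including a UDP port that loses the first probe.

```python
# ICMP type 3 codes treated as "filtered". Code 3 (port unreachable) is the
# exception for UDP scans, where it means "closed".
FILTERED_CODES = {1, 2, 3, 9, 10, 13}

# Probe flags per scan type: syn/connect "S", ack "A", null "", fin "F", xmas "FPU".


def classify(scan, reply):
    """Map one scan type and its reply to a port state.

    reply is None (silence after all retries), ("tcp", flags), ("udp",)
    or ("icmp", type, code)."""
    kind = reply[0] if reply is not None else None
    if kind == "icmp":
        _, icmp_type, code = reply
        if icmp_type == 3 and code == 3 and scan == "udp":
            return "closed"                 # port unreachable: nothing listening
        if icmp_type == 3 and code in FILTERED_CODES:
            return "filtered"               # a device on the path refused the probe
        return "unknown"
    if scan in ("syn", "connect"):
        if kind == "tcp" and {"S", "A"} <= set(reply[1]):
            return "open"
        if kind == "tcp" and "R" in reply[1]:
            return "closed"
        return "filtered"                   # silence after retries
    if scan == "udp":
        return "open" if kind == "udp" else "open|filtered"
    if scan == "ack":
        # both open and closed ports answer RST; only filtering is visible
        return "unfiltered" if kind == "tcp" and "R" in reply[1] else "filtered"
    if scan in ("null", "fin", "xmas"):
        # RFC 793: closed ports answer RST, open ports silently drop the segment
        if kind == "tcp" and "R" in reply[1]:
            return "closed"
        return "open|filtered"
    raise ValueError(f"unknown scan type {scan!r}")


def probe(scan, port, send, retries=3):
    """Send the probe up to `retries` times and stop at the first reply."""
    for attempt in range(retries):
        reply = send(scan, port, attempt)
        if reply is not None:
            return classify(scan, reply)
    return classify(scan, None)


def port_states(scan, ports, send):
    return {port: probe(scan, port, send) for port in ports}


# --- constructed target so the example runs offline ---
HOST = {
    22: "listening",
    53: "udp-listening",
    80: "listening",
    443: "firewalled",          # a firewall drops every probe
    161: "udp-lossy-closed",    # first UDP probe lost, then port unreachable
    8080: "closed",
}


def canned_host(scan, port, attempt):
    behaviour = HOST.get(port, "closed")
    if behaviour == "firewalled":
        return None
    if scan == "udp":
        if behaviour == "udp-listening":
            return ("udp",)
        if behaviour == "udp-lossy-closed" and attempt == 0:
            return None
        return ("icmp", 3, 3)               # closed UDP port
    if behaviour == "listening":
        if scan in ("syn", "connect"):
            return ("tcp", "SA")
        if scan == "ack":
            return ("tcp", "R")
        return None                         # null/fin/xmas: an open port ignores it
    return ("tcp", "R")                     # closed TCP port


if __name__ == "__main__":
    for scan in ("syn", "udp", "ack", "xmas"):
        print(scan, port_states(scan, [22, 53, 80, 161, 443, 8080], canned_host))
```

Note what the Xmas row of the output shows: the firewalled port and the open ports both come out as open|filtered, which is the accuracy loss the text describes, and on a stack that answers RST to everything the whole row would read "closed".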

Idle scanning is the stealthiest method, because the probes appear to come from a third host, the "zombie": the scanner infers port states from changes in the zombie's IP ID sequence, so the target never sees the scanner's own address. Attackers use it for reconnaissance. A further property is that the port states observed are those seen from the zombie's position on the network, so by choosing different zombies one can map trust relationships between hosts.

Vulnerability identification process

By a vulnerability we mean a weakness in a host as a whole or in one of its software components that can be used to carry out an attack. Typically, vulnerabilities stem from errors in program code or in a library used, or from configuration errors.

A vulnerability is reported to MITRE's CVE program, which assigns it a CVE ID, and its details are published in the NVD, which assigns a CVSS score reflecting the risk it poses to the affected system. Read more about vulnerability assessment in our article. The centralized CVE list is the benchmark for vulnerability scanners, because the task of scanning is to detect vulnerable software.

A configuration error is also a vulnerability, but such vulnerabilities rarely receive a CVE ID; scanners track them in their own knowledge bases under internal identifiers instead. Other types of vulnerabilities absent from CVE also end up in scanner knowledge bases, so when choosing a tool, pay attention to the expertise of its developer. The vulnerability scanner polls hosts and compares the collected information against its vulnerability database. The more information the scanner has, the more accurate the result.

Let’s take a look at the scan options, types of scans, and how to detect vulnerabilities using vulnerability scanners.

Scan settings

Within a month, the perimeter of an organization can change several times. A brute-force scan of every port on every host can take so long that the results are stale by the time they arrive, while pushing the scan speed up too far can knock services over. A balance has to be found and the scan parameters chosen accordingly; time spent, accuracy and freshness of the results all depend on that choice. In total there are 65,535 TCP ports and as many UDP ports per host. In our experience, the average company perimeter that ends up in the scanning pool is two full /24 (class C) networks.

Main parameters:

  1. number of ports,
  2. scan depth,
  3. scan speed,
  4. Vulnerability detection options.

By number of ports there are three options: all TCP and all UDP ports; all TCP ports plus popular UDP ports; popular TCP and UDP ports only. What makes a port popular? nmap ships a list of the thousand most frequently open ports, derived from statistics collected by its developer, in its nmap-services data file. Commercial scanners also have preconfigured profiles of up to 3,500 ports.

If the network runs services on non-standard ports, add them to the scanned list. For regular scanning we recommend the middle option, all TCP ports plus popular UDP ports, as the best balance between time and accuracy. For a penetration test or a full perimeter audit, scan all TCP and UDP ports.

An important note: scanning from inside the local network will not show the real picture of the perimeter, because the firewall rules that apply to internal traffic will apply to the scanner. Perimeter scanning must be carried out from one or more external vantage points; several vantage points are worthwhile only if they are located in different countries.

Scan depth is the amount of data collected about each target: the operating system, software versions, the cryptography used by various protocols, information about web applications. The relationship is direct: the more we want to know, the longer the scanner works collecting information about the hosts.

When choosing a speed, go by the bandwidth of the link you scan from, the bandwidth of the link being scanned, and the capabilities of the scanner. Beyond certain thresholds, neither the accuracy of the results nor the health of the scanned hosts and individual services is guaranteed. Also account for the time window in which the scan has to finish.

Vulnerability detection settings are the largest section of the scan settings and determine both the scan speed and the number of vulnerabilities that can be found. Banner checks, for example, are quick. Simulated attacks are run only against individual services and also take little time. Web application checks take the longest.

A full scan of hundreds of web applications can take weeks, depending on the wordlists used and the number of application entry points to be checked. Because of how web modules and crawlers are implemented, automated web vulnerability checking never reaches one hundred percent accuracy, yet it can slow the whole process dramatically.

Web application scanning is best run separately from the regular perimeter scan, choosing carefully which applications to include. For in-depth analysis, use static and dynamic application analysis tools or penetration testing services. We do not recommend enabling dangerous checks in regular scans, because of the risk of disrupting services. Details of the checks are given in the section on how scanners work, below.

Tools

If you have ever looked at the security logs of your hosts, you will have noticed that the Internet is being scanned constantly by researchers, online services and botnets. Describing every tool in detail makes no sense; we list some scanners and services used to scan network perimeters and the Internet. Each tool serves a different purpose, so understand why a tool is being chosen. Sometimes it is right to combine several scanners to get complete and accurate results.

Network scanners: Masscan, ZMap, nmap. There are many more network scanning utilities, but you are unlikely to need others for perimeter scanning; these three cover most port and service scanning tasks.

Internet-of-Things search engines, or online crawlers, are important tools for collecting information about the Internet as a whole. They summarize which network a host belongs to, certificate details, active services, and more. With the developers of such services you can arrange to have your resources excluded from scanning, or to keep the information about them for corporate use only. The best known are Shodan, Censys and Fofa.

A complex commercial tool with a large number of checks is overkill for a couple of lightweight applications and services; free scanners suffice there. There are many free web vulnerability scanners, and it is hard to single out the most effective ones; the choice is largely a matter of taste. The best known are Skipfish, Nikto, ZAP and SQLmap; Acunetix, often mentioned alongside them, is a commercial product.

For minimal scanning tasks and "paper" compliance, budget commercial scanners with a constantly updated vulnerability database, vendor support and expertise, and FSTEC certificates can be suitable. The best known are XSpider, RedCheck and Scaner-VS.

For careful manual analysis, Burp Suite, Metasploit and OpenVAS are useful. Google's Tsunami scanner was released recently.

The Vulners online vulnerability search deserves a separate mention. It is a large database of security content that aggregates vulnerability information from many sources: the standard databases, vendor security bulletins, bug bounty programs and other thematic resources. It offers an API for collecting results, so you can run banner checks against your own systems without scanning them on the spot, or use the Vulners agent-based scanner, which collects the operating system and installed package list and checks them through the Vulners API. Some functions are paid.

Security analysis tools

All commercial security systems support the main scanning modes described below, as well as integration with external systems such as SIEM, patch management, CMDB and ticketing. Commercial vulnerability analysis systems can send alerts on various criteria and support different report formats and types. All vendors use the common vulnerability databases plus their own knowledge bases, which are continually updated from research.

The main differences between commercial security analysis tools are the supported standards, government certifications, the number and quality of implemented checks, and the focus on a particular market, for example support for scanning domestic software. This article does not attempt a qualitative comparison of vulnerability analysis systems; in our view, each has its advantages and disadvantages. The following are suitable for security analysis and can be combined: Qualys, MaxPatrol 8, Rapid7 InsightVM, Tenable SecurityCenter.

How security analysis systems work

Scanning modes are implemented according to three similar principles:

  1. Audit, or white box mode.
  2. Compliance, or testing for compliance with technical standards.
  3. Pentest, or black box mode.

For perimeter scanning the black-box mode is of most interest, because it simulates an external attacker who knows nothing about the hosts being examined. All modes are summarized below.

Audit is a white-box mode that allows a complete inventory of the network: detecting all software, determining its versions and parameters, drawing detailed conclusions about the vulnerability of systems, and checking systems for weak passwords. The scanning process requires a degree of integration with the corporate network; in particular, credentials are needed to log in to the hosts (these should be dedicated least-privilege accounts, since the scanner holds them for every host it audits).

It is much easier for an authorized user, which is what the scanner becomes, to obtain detailed information about a host, its software and its configuration parameters. Data is collected through the mechanisms and transports of the target operating system, depending on what that system is. The transports include, but are not limited to, WMI, NetBIOS, LDAP, SSH, Telnet, Oracle, MS SQL, SAP DIAG, SAP RFC and Remote Engine, each over its own protocol and ports.

Compliance is a mode for checking conformity with standards, requirements or security policies. It uses the same mechanisms and transports as audit. Its distinguishing feature is the ability to check corporate systems against standards built into the scanner, for example PCI DSS for payment systems and processing, STO BR IBBS for Russian banks, and GDPR for EU requirements. Another example is internal security policies, which may be stricter than the published standards. There are also checks for installed updates and other custom checks.

Pentest is a black-box mode in which the scanner has no data beyond the target address or domain name. The types of checks used in this mode are:

  1. banner checks,
  2. simulated attacks,
  3. web checks,
  4. configuration checks,
  5. dangerous checks.

Banner checks work by determining the versions of the software and operating system in use and looking those versions up in the scanner's internal vulnerability database. Banners and versions come from sources of differing reliability, which the scanner's internal logic takes into account: service banners, log data, application responses and their parameters and format. For web servers and applications, information from error and access-denied pages, the responses of the servers and applications, and other possible sources are analyzed. Vulnerabilities found by banner inspection are flagged as suspected or unconfirmed, because a version string alone does not prove that a flaw is present; a distribution may have backported the fix without changing the version.
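A banner check is a version parser plus a range comparison, and the interesting part is where it goes wrong: versions must compare numerically (2.4.10 is newer than 2.4.9), and a distribution tag in the banner is a signal that the fix may have been backported. The code below is an added example rather than any scanner's real logic; the `KNOWLEDGE_BASE` entries are constructed placeholders with made-up version ranges, not real advisories, and the banners fed to it are constructed too.

```python
import re

# Banner patterns for a few common services; the capture group is the version.
BANNER_PATTERNS = {
    "openssh": re.compile(r"OpenSSH[_ ](\d+(?:\.\d+)*)"),
    "apache": re.compile(r"Apache/(\d+(?:\.\d+)*)"),
    "nginx": re.compile(r"nginx/(\d+(?:\.\d+)*)"),
}

# Distribution tags that usually mean security fixes were backported without
# bumping the upstream version string.
DISTRO_TAG = re.compile(r"Debian|Ubuntu|\bel\d\b|CentOS|FreeBSD")

# Constructed knowledge base for this example. The ids are placeholders and the
# version ranges are made up; they do not describe real vulnerabilities.
KNOWLEDGE_BASE = [
    {"id": "EXAMPLE-0001", "product": "openssh", "introduced": "5.0", "fixed": "7.7"},
    {"id": "EXAMPLE-0002", "product": "apache", "introduced": "2.4.0", "fixed": "2.4.50"},
]


def parse_version(text):
    """'7.4p1' -> (7, 4, 1): a tuple so that 2.4.9 < 2.4.10 compares correctly."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def identify(banner):
    """Return (product, version string) or None if no pattern matches."""
    for product, pattern in BANNER_PATTERNS.items():
        match = pattern.search(banner)
        if match:
            return product, match.group(1)
    return None


def banner_check(banner):
    """Return [(id, confidence)] for entries whose range covers the banner's version.

    Everything here is 'suspected': a version match is evidence, not proof."""
    identified = identify(banner)
    if identified is None:
        return []
    product, version = identified
    parsed = parse_version(version)
    confidence = "suspected"
    if DISTRO_TAG.search(banner):
        confidence = "suspected, vendor backport possible"
    hits = []
    for entry in KNOWLEDGE_BASE:
        if entry["product"] != product:
            continue
        if parse_version(entry["introduced"]) <= parsed < parse_version(entry["fixed"]):
            hits.append((entry["id"], confidence))
    return hits


if __name__ == "__main__":
    # constructed banners of the kind a service returns on connect
    for banner in ("SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7",
                   "SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5",
                   "Server: Apache/2.4.49 (Unix)",
                   "Server: nginx/1.18.0"):
        print(banner, "->", banner_check(banner))
```

A real scanner confirms a "suspected" result with a simulated attack or, in audit mode, by reading the package version from the host, which is where the backport question gets settled.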

A simulated attack is a safe attempt to exploit a vulnerability on a host. Attack simulations have a low false-positive rate and are thoroughly tested. When the scanner finds a signature characteristic of a vulnerability on the target, it runs the check appropriate to that vulnerability; for example, an atypical request that does not cause a denial of service is sent to the application, and the presence of the vulnerability is established from a response specific to the vulnerable version.

Another method: if a vulnerability that allows code execution is successfully exploited, the scanner can make the vulnerable host send a ping or a DNS request back to the scanner, an out-of-band callback that proves execution even when the response itself shows nothing. It is important to understand that not every vulnerability can be checked safely, so in pentest mode checks often appear later than in the other scanning modes.

Web checks are the most extensive and lengthy type of check; they run against the detected web applications. In the first stage, the web application’s directories are enumerated and the parameters and fields where vulnerabilities could potentially exist are found. The speed of this scan depends on the dictionary used to enumerate directories and on the size of the web application.

At the same stage, CMS banners and application plugins are collected and subjected to a banner check for known vulnerabilities. The next stage is the basic web checks: SQL injection of various types, flaws in the authentication system and session storage, sensitive data exposure and insecure configurations, XXE injection, cross-site scripting, insecure deserialization, arbitrary file upload, remote code execution and path traversal. The list may be longer depending on the scan parameters and the capabilities of the scanner; usually, with maximum settings, the checks cover the OWASP Top Ten.

Configuration checks aim to detect software configuration errors. They detect default passwords or try a short preset list of passwords against different accounts. They detect administrative login panels and management interfaces, exposed printers, weak encryption algorithms, access-rights errors, disclosure of confidential information through standard paths, backups available for download, and other similar mistakes made by administrators of IT and information security systems.

Dangerous checks are those whose use can potentially violate the integrity or availability of data: denial-of-service checks, SQL injection variants that delete or modify data, and brute-force attacks without a limit on attempts that end with accounts being locked out. Dangerous checks are rarely used because of the possible consequences, but security scanners support them as a means of emulating an attacker who does not care about the safety of the data.
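The boundary between a configuration check and a dangerous check, as an added example that is not from the article: a default-credential check that tries a short preset list but keeps every account one attempt below the lockout threshold unless dangerous checks are explicitly enabled. The credential list, the lockout threshold and the mock login service are constructed for the example; a real scanner would take the threshold from the target’s password policy or from the operator.

```python
from collections import defaultdict
from typing import Callable, Dict, List, Tuple

# Constructed short preset list, as a configuration check uses it. This is
# deliberately not a dictionary: a handful of well-known pairs per account.
DEFAULT_CREDENTIALS: List[Tuple[str, str]] = [
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", "1234"),
    ("root", "root"),
    ("root", "toor"),
    ("guest", "guest"),
]


def default_credential_check(
    attempt: Callable[[str, str], bool],
    lockout_threshold: int,
    dangerous: bool = False,
) -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Try the preset list against `attempt(user, password) -> bool`.

    Configuration-check mode (dangerous=False) stops one attempt short of
    `lockout_threshold` for every account, so the check can never lock
    anyone out; it reports the pairs it had to skip so the operator knows
    the coverage was incomplete. dangerous=True removes the cap, which is
    exactly what turns the same check into a dangerous one."""
    tries_per_account: Dict[str, int] = defaultdict(int)
    hits: List[Tuple[str, str]] = []
    skipped: List[Tuple[str, str]] = []
    for user, password in DEFAULT_CREDENTIALS:
        if not dangerous and tries_per_account[user] >= lockout_threshold - 1:
            skipped.append((user, password))
            continue
        tries_per_account[user] += 1
        if attempt(user, password):
            hits.append((user, password))
    return hits, skipped


class MockLogin:
    """Constructed target with a lockout policy: `threshold` consecutive
    failures lock the account, after which even the right password fails."""

    def __init__(self, valid: Dict[str, str], threshold: int) -> None:
        self.valid = dict(valid)
        self.threshold = threshold
        self.failures: Dict[str, int] = defaultdict(int)
        self.locked: set = set()

    def attempt(self, user: str, password: str) -> bool:
        if user in self.locked:
            return False
        if self.valid.get(user) == password:
            self.failures[user] = 0
            return True
        self.failures[user] += 1
        if self.failures[user] >= self.threshold:
            self.locked.add(user)
        return False


if __name__ == "__main__":
    target = MockLogin({"admin": "1234"}, threshold=3)
    hits, skipped = default_credential_check(target.attempt, lockout_threshold=3)
    print("hits:", hits, "skipped:", skipped, "locked:", sorted(target.locked))
```

With a threshold of three, the safe mode never reaches the third admin password even though it happens to be the right one; that lost coverage is the price of not locking out the administrator, and the skipped list makes it visible instead of silent.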

Scan and results

We have reviewed the basic scanning methods and tools; now let’s move on to how to use this knowledge in practice. First, answer the question of what to scan and how. To do this, collect information about the external IP addresses and domain names that belong to the organization. In our experience, it is better to separate scanning goals into inventory and vulnerability detection.

Inventory scans can be run much more frequently than vulnerability scans. In an inventory, it is good practice to enrich the results with the service administrator, the internal IP address of the service if NAT is used, and the purpose and importance of the service. This information will later help to quickly resolve incidents involving the discovery of unwanted or vulnerable services. Ideally, the company has a process and policy for placing services on the network perimeter, and both IT and information security are involved in it.

Even with this approach, human error and various technical failures can leave unwanted services on the perimeter. A simple example: a Check Point network device has a rule that forwards port 443 from the internal network to the perimeter. The service that was behind it is outdated and has been decommissioned, but IT was not informed, so the rule remained. As a result, the perimeter may now expose the login page of the Check Point device’s administrative panel, or some other internal service that was never meant to be there. Formally, the perimeter picture has not changed: the port is still open.

To detect such changes, scan periodically and compare the results differentially: a change in the service banner will then stand out, attract attention and trigger analysis of the incident.
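The differential comparison described above, as an added example that is not from the article: two constructed inventory snapshots are compared, and each difference is enriched with the owner and internal address stored in the inventory so that the resulting incident goes straight to the right administrator. The addresses, banners and inventory records are constructed; the banner change on port 443 stands in for the forwarding-rule scenario above, and the banner text is a generic placeholder rather than any real product’s output.

```python
from typing import Dict, List, Tuple

Key = Tuple[str, int]  # (external IP, port)

# Constructed inventory records kept next to the scan results: service
# owner, internal address behind NAT, purpose and importance.
INVENTORY: Dict[Key, dict] = {
    ("203.0.113.10", 443): {"owner": "web-team", "internal": "10.0.5.20",
                            "purpose": "customer portal", "critical": True},
    ("203.0.113.10", 22): {"owner": "ops", "internal": "10.0.5.20",
                           "purpose": "admin access via jump host", "critical": False},
    ("203.0.113.12", 25): {"owner": "mail-team", "internal": "10.0.7.5",
                           "purpose": "inbound mail", "critical": True},
}

# Constructed inventory snapshots {(ip, port): banner} from two scan runs.
# Port 443 keeps answering, but the banner now shows an admin login page
# instead of the decommissioned portal: the forwarding rule outlived it.
PREVIOUS_SCAN: Dict[Key, str] = {
    ("203.0.113.10", 443): "HTTP 200; Server: nginx/1.18.0; title: Customer portal",
    ("203.0.113.10", 22): "SSH-2.0-OpenSSH_8.2p1",
    ("203.0.113.12", 25): "220 mx.example.com ESMTP Postfix",
}
CURRENT_SCAN: Dict[Key, str] = {
    ("203.0.113.10", 443): "HTTP 200; title: Firewall administration - log in",
    ("203.0.113.10", 22): "SSH-2.0-OpenSSH_8.2p1",
    ("203.0.113.11", 8080): "HTTP 200; title: CI build server (test instance)",
}


def diff_scans(previous: Dict[Key, str], current: Dict[Key, str]):
    """Return (added, removed, changed) between two snapshots. `changed`
    holds services present in both runs whose banner differs."""
    added = {k: current[k] for k in current.keys() - previous.keys()}
    removed = {k: previous[k] for k in previous.keys() - current.keys()}
    changed = {k: (previous[k], current[k])
               for k in previous.keys() & current.keys() if previous[k] != current[k]}
    return added, removed, changed


def incidents(previous: Dict[Key, str], current: Dict[Key, str],
              inventory: Dict[Key, dict]) -> List[dict]:
    """Turn each difference into an incident candidate enriched from the
    inventory, so it can be routed to the administrator who owns the
    service. A service missing from the inventory is its own finding:
    nobody went through the placement process for it."""
    added, removed, changed = diff_scans(previous, current)
    out: List[dict] = []

    def enrich(kind: str, key: Key, **details) -> dict:
        meta = inventory.get(key)
        return {
            "kind": kind,
            "service": key,
            "owner": meta["owner"] if meta else "unknown (not in inventory)",
            "internal": meta["internal"] if meta else None,
            "critical": bool(meta and meta["critical"]),
            **details,
        }

    for key, (old, new) in sorted(changed.items()):
        out.append(enrich("banner_changed", key, was=old, now=new))
    for key, banner in sorted(added.items()):
        out.append(enrich("new_service", key, now=banner))
    for key, banner in sorted(removed.items()):
        out.append(enrich("service_gone", key, was=banner))
    # Critical services first, then by address and port.
    out.sort(key=lambda i: (not i["critical"], i["service"]))
    return out


if __name__ == "__main__":
    for incident in incidents(PREVIOUS_SCAN, CURRENT_SCAN, INVENTORY):
        print(incident)
```

A plain port list would show nothing for 203.0.113.10:443 between the two runs; only the banner comparison surfaces the change, and the inventory lookup tells the analyst which internal host was supposed to be behind it and whom to call.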

Vulnerability fix

The first step toward a correct technical implementation of the vulnerability remediation process is a competent presentation of the scan results you will have to work with. If several heterogeneous scanners are used, the most correct approach is to analyze and combine the information per host in one place. For this, it is recommended to use an analytical system that also stores all the inventory information.

The basic way to eliminate a vulnerability is to install updates. Another method is to remove the service from the perimeter (in this case, you still need to install the security updates).

You can apply compensating measures at the configuration level, that is, exclude the use of the vulnerable component or application. Another option is to use specialized protection tools such as an IPS or a web application firewall. Of course, it is better to prevent unwanted services from appearing on the network perimeter in the first place, but this is not always possible for various reasons, especially business requirements.

Vulnerability remediation priority

The priority of addressing vulnerabilities depends on the internal processes of the organization. When fixing vulnerabilities on the network perimeter, it is important to understand clearly why a service is on the perimeter, who administers it, and who owns it. First of all, eliminate vulnerabilities on the nodes responsible for the company’s critical business functions. Naturally, such services cannot be removed from the perimeter, but compensating measures or additional protections can be applied. With less significant services it is easier: they can be temporarily removed from the perimeter, updated without haste, and returned to service.

Another way is to prioritize remediation by severity or by the number of vulnerabilities on the host. When 10–40 suspected vulnerabilities from a banner check are found on a node, it makes no sense to verify whether each of them really exists; first of all, this is a signal that it is time to update the software on that node. When updating is not possible, compensating measures need to be worked out. If your organization has a large number of nodes with vulnerable software components for which no updates exist, it is time to consider migrating to software that is still within its support (update) cycle. There may also be situations where updating the software first requires updating the operating system.