Active and passive vulnerability scans - one step ahead of cyber criminals
In networked production, IT and OT are growing ever closer together. Where in the past a security gap "only" caused a data leak, today the entire production can collapse. Those who carry out regular active and passive vulnerability scans can protect themselves.
What seems somewhat strange in the case of physical infrastructure - who would recreate a break-in to test their alarm system - is a tried and tested procedure in IT to identify vulnerabilities. This so-called active scanning can be carried out daily and automatically. Passive scanning, on the other hand, detects an ongoing intrusion, because every cyber intrusion also leaves traces, albeit often hidden.
Firewalls and antivirus programmes, for example, use passive scanning to check the traffic that reaches a system. This data is then compared with a database. Information on malware, unsafe requests and other anomalies is stored there. If the firewall receives a request from an insecure sender who wants to read out the user's profile data, it rejects the request. The system itself is not aware of this, because the passive scan does not access the system, but only the data traffic.
The advantage of this is that the system does not have to use any additional computing power. Despite the scan, the full bandwidth can be used. This is particularly useful for critical components. They should have the highest possible availability. The fewer additional activities they perform, the better.
The disadvantage of passive scanning: only systems that actually communicate on the network are visible. Office software or PDF readers, for example, are not. And even services that do communicate mostly do so through their main functions. Vulnerable functions that are rarely or never used in normal operation therefore remain invisible, or only become visible once an attack is already under way.
Active scans work differently and simulate attacks. They make requests to the system and thereby try to trigger different reactions. For example, the active scanner sends a request for data transmission to various programmes in the system. If one of the programmes reacts and forwards the data to the simulated unauthorised location, the scanner has found a security gap.
The advantage: the data quality that can be achieved with active scanning is higher than with passive scanning. Since interaction takes place directly with the software and interfaces, problems can be detected in programmes that do not normally communicate directly with the network. In this way, vulnerabilities in programmes such as Office applications are also discovered.
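The two approaches side by side, as an added example that is not part of the original article or of any Greenbone product: a passive check that only compares already captured traffic records against a signature table, and an active probe that sends a request to a local stand-in service so that a program which never appeared in the capture has to reveal itself. All banners, records and findings are constructed for illustration.

```python
import socket
import threading
# Constructed signature table (banner -> finding); not a real vulnerability feed.
VULN_DB = {
    "LegacyFTP/1.0": "cleartext logins (constructed finding)",
    "OfficeSuite/7.2": "document parser flaw (constructed finding)",
}

# Constructed capture of the traffic actually seen; no OfficeSuite host ever spoke.
CAPTURE = [
    "10.0.0.7 -> 10.0.0.20:21 banner=LegacyFTP/1.0",
    "10.0.0.7 -> 10.0.0.30:443 banner=WebServer/2.4",
]

def passive_scan(records: list[str]) -> dict[str, str]:
    """Compare observed traffic with the table; never touches the hosts."""
    findings = {}
    for rec in records:
        dest, banner = rec.split(" -> ")[1].split(" banner=")
        if banner in VULN_DB:
            findings[dest] = VULN_DB[banner]
    return findings

def active_scan(targets: list[tuple[str, int]]) -> dict[str, str]:
    """Send a request to each target and classify whatever answers."""
    findings = {}
    for host, port in targets:
        try:
            with socket.create_connection((host, port), timeout=2) as s:
                s.sendall(b"HELLO\r\n")  # the probe that provokes a reaction
                banner = s.recv(64).decode(errors="replace").strip()
        except OSError:
            continue  # nothing listening or no answer: no finding, no crash
        if banner in VULN_DB:
            findings[f"{host}:{port}"] = VULN_DB[banner]
    return findings

def start_fake_service(banner: str) -> int:
    """Local stand-in for a program that only speaks when asked; returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve_once() -> None:
        conn, _ = srv.accept()
        with conn:
            conn.recv(16)
            conn.sendall(banner.encode() + b"\r\n")
        srv.close()
    threading.Thread(target=serve_once, daemon=True).start()
    return srv.getsockname()[1]
```

Running `passive_scan(CAPTURE)` reports only the FTP service that was seen on the wire, while `active_scan` against the port returned by `start_fake_service("OfficeSuite/7.2")` surfaces the office program that the capture never contained.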
With direct interaction, however, systems have to process extra requests, which may impair the basic functions of a programme. Operational technology such as machine control systems, for example, is not necessarily designed to carry out secondary activities. In such cases, supervised active scanning, supplemented by continuous passive scanning, is recommended.
Nevertheless, active scanning is essential for operational cyber security. This is because the risk posed by the short-term overuse of a system component is small compared to a production stoppage or a data leak. Moreover, active scans not only uncover vulnerabilities, they can also improve passive scans. For example, the vulnerabilities that are detected can be added to firewall databases. This also helps other companies that use similar systems.
Active and passive scanning work hand in hand

Since the passive scanner can also provide the active scanner with helpful information, for example about mobile phones or the properties of network services, the two can be described as complementary security tools. What both have in common is that they automatically get the best out of the given situation in the network. For both passive and active scanning it does not matter which components and programmes the network consists of, or how many. Both technologies recognise this by themselves and adjust to it. Only at a higher security level does the fine-tuning of network and scanners begin.
So it is not a question of whether to use one or the other. Both methods are necessary to ensure a secure network environment. A purely passive approach will not help in many cases. Proactive vulnerability management needs active scans and tools to manage them. This is what Greenbone's vulnerability management products offer.