A vulnerability scan detects and classifies system weaknesses in computers, networks and communications equipment, and predicts the effectiveness of countermeasures.
A vulnerability scan may be performed by an organization’s IT department or by a security service provider, possibly as a condition imposed by some authority. An Approved Scanning Vendor (ASV) is a service provider that is certified and authorized by the Payment Card Industry (PCI) to scan payment card networks.
A vulnerability scanner runs from the endpoint of the person inspecting the attack surface in question. The software compares details about the target attack surface against a database of information about known security holes in services and ports, anomalies in packet construction, and potential paths to exploitable programs or scripts. The scanner software then attempts to exploit each vulnerability it discovers.
There are two approaches to vulnerability scanning: authenticated and unauthenticated scans. In the unauthenticated method, the tester performs the scan as an intruder would, without trusted access to the network. Such a scan reveals only the vulnerabilities that can be reached without logging into the network. In an authenticated scan, the tester logs in as a network user, revealing the vulnerabilities that are accessible to a trusted user, or to an intruder who has gained access as a trusted user.
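As an added illustration (not code from the original page), the following Python sketch models the matching step described above: observed service and package versions are compared against a database of known weaknesses, and an authenticated scan widens what is observed. All product names, versions and finding identifiers are constructed placeholders, not real advisories.

```python
"""Toy model of a vulnerability scanner's matching step (added example).

An unauthenticated scan only sees network-exposed services; an authenticated
scan also sees software installed on the host, so it can match more entries
in the known-weakness database. All data below is constructed.
"""


def parse_version(v):
    """'2.4.49' -> (2, 4, 49). Only the leading digits of each dotted part
    count, so '8.4p1' -> (8, 4); vendor suffixes are ignored in this toy."""
    parts = []
    for part in v.split("."):
        digits = ""
        for ch in part:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


# Constructed database: product -> [(first affected, fixed in, placeholder id)]
KNOWN_WEAKNESSES = {
    "httpd":   [("2.4.0", "2.4.51", "EXAMPLE-WEB-001")],
    "openssh": [("7.0", "8.4", "EXAMPLE-SSH-001")],
    "libfoo":  [("1.0", "1.3", "EXAMPLE-LIB-001")],
}


def is_affected(version, first, fixed):
    """True when first <= version < fixed, using numeric tuple comparison."""
    v = parse_version(version)
    return parse_version(first) <= v < parse_version(fixed)


def scan(target, authenticated):
    """Return human-readable findings for a constructed target description.

    target = {"exposed_services": [(product, version), ...],
              "installed_packages": [(product, version), ...]}
    """
    observed = list(target["exposed_services"])
    if authenticated:  # login reveals host-local software too
        observed += target["installed_packages"]
    findings = []
    for product, version in observed:
        for first, fixed, vid in KNOWN_WEAKNESSES.get(product, []):
            if is_affected(version, first, fixed):
                findings.append(f"{vid}: {product} {version} (fixed in {fixed})")
    return list(dict.fromkeys(findings))  # de-duplicate, keep order


# Constructed target: one vulnerable exposed service, one vulnerable local library
TARGET = {
    "exposed_services": [("httpd", "2.4.49"), ("openssh", "8.9")],
    "installed_packages": [("libfoo", "1.2.0"), ("openssh", "8.9")],
}
```

Running `scan(TARGET, authenticated=False)` reports only the exposed web server, while `scan(TARGET, authenticated=True)` also reports the locally installed library.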
Vulnerability Scan Types
All vulnerability scan services are backed by certifications, including:
- ASV – Approved Scanning Vendor
- QSA – Qualified Security Assessor
- PA-QSA – Payment Application Qualified Security Assessor
- QSA (P2PE) – Qualified Security Assessor for Point-to-Point Encryption
- PA-QSA (P2PE) – Payment Application Qualified Security Assessor for Point-to-Point Encryption
- PFI – PCI Forensic Investigator