Protecting your network is an essential part of network maintenance. One of the ways you can keep your network safe is by performing regular vulnerability scans. A vulnerability scan is an assessment that checks for vulnerabilities, or weak spots, in your computer, server, network, or infrastructure.
How Does it Work?
One of the most common ways to perform a vulnerability scan is with software built to find those weak spots. A vulnerability scanner works from a database of known issues: it discovers hosts and open ports, identifies the services and software versions running on them, and checks whether each one matches an entry in that database. Most checks are non-intrusive (banner and version comparisons, configuration queries, safe probes, sometimes malformed requests to see how a service responds) rather than actual exploitation; actively exploiting a weakness is the job of a penetration test, not a scan, although many scanners offer optional "unsafe" checks that can crash a fragile service and should be kept off on production systems. A scan should cover firewall rules, exposed services and ports, missing patches, weak or default configuration, and any other gap an attacker could use.
Once the scan has run, every vulnerability or potential risk it found should be documented and reported. The report may be a spreadsheet, a dashboard, or another format, but it should give you enough information to judge the severity of each finding (a CVSS score is the usual starting point), which data or system is affected, and the best way to remediate it. Because most checks infer a vulnerability from a version string rather than proving it, expect some false positives, such as distribution packages that backport a fix without changing the upstream version number, and confirm high-severity findings before acting on them.
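To make that mechanism concrete, here is an added example (not code from the article or from any vendor's scanner) of the core of a version-matching check: a constructed database of known issues keyed by product and the version that fixed them, constructed scan results in the form of service banners, a matcher that flags any version below the fix, and a report ordered for triage. The EXAMPLE-* identifiers, the host addresses and the banners are placeholders invented for this illustration, not real CVEs or real systems. The example also flags the most common source of false positives in this approach: distribution-packaged software whose banner shows an old upstream version even though the fix was backported.

```python
"""Version-matching vulnerability check with a prioritized report.
Added example, not from the article or any scanner vendor. The knowledge
base and scan results are constructed; EXAMPLE-* ids are placeholders."""
import re

# Constructed "database of known issues": an issue applies to any version of
# the product below the version that fixed it. Real scanners ship thousands
# of these entries and refresh them continuously.
KNOWN_ISSUES = [
    {"id": "EXAMPLE-0001", "product": "openssh", "fixed_in": "8.0",
     "cvss": 7.5, "remediation": "Upgrade OpenSSH to 8.0 or later."},
    {"id": "EXAMPLE-0002", "product": "apache", "fixed_in": "2.4.41",
     "cvss": 9.8, "remediation": "Upgrade Apache httpd to 2.4.41 or later."},
    {"id": "EXAMPLE-0003", "product": "nginx", "fixed_in": "1.20.1",
     "cvss": 5.3, "remediation": "Upgrade nginx to 1.20.1 or later."},
]

# Banner patterns the check understands: (product, regex capturing the version).
BANNER_PATTERNS = [
    ("openssh", re.compile(r"OpenSSH_(\d+(?:\.\d+)*)")),
    ("apache", re.compile(r"Apache/(\d+(?:\.\d+)*)")),
    ("nginx", re.compile(r"nginx/(\d+(?:\.\d+)*)")),
]

# Distribution packages often backport security fixes without changing the
# upstream version string, so a banner-only match on these is a likely false
# positive until confirmed (e.g. by an authenticated package-version check).
DISTRO_MARKERS = re.compile(r"Debian|Ubuntu|Red Hat|CentOS|SUSE", re.IGNORECASE)

# Constructed scan results: what the discovery phase would have collected.
SAMPLE_HOSTS = [
    {"ip": "203.0.113.10", "internet_facing": True,
     "services": {22: "SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7",
                  80: "Apache/2.4.29 (Ubuntu)"}},
    {"ip": "10.0.0.9", "internet_facing": False,
     "services": {22: "SSH-2.0-OpenSSH_8.4", 443: "nginx/1.18.0",
                  8080: "Jetty(9.4.z)"}},  # unrecognised product: skipped
]


def version_tuple(version):
    """'2.4.29' -> (2, 4, 29); pad to three parts so '8' compares as '8.0.0'."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def parse_banner(banner):
    """Return (product, version) for a recognised banner, else None."""
    for product, pattern in BANNER_PATTERNS:
        match = pattern.search(banner)
        if match:
            return product, match.group(1)
    return None


def severity(cvss):
    """Map a CVSS v3 base score to its qualitative rating."""
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    return "Low"


def match_issues(product, version):
    """All known issues affecting this product version (version < fixed_in)."""
    seen = version_tuple(version)
    return [issue for issue in KNOWN_ISSUES
            if issue["product"] == product
            and seen < version_tuple(issue["fixed_in"])]


def scan_report(hosts):
    """Match every recognised service against the knowledge base and return
    findings ordered for triage: internet-facing assets first, then by CVSS."""
    findings = []
    for host in hosts:
        for port, banner in host["services"].items():
            parsed = parse_banner(banner)
            if parsed is None:
                continue
            product, version = parsed
            for issue in match_issues(product, version):
                findings.append({
                    "id": issue["id"],
                    "asset": f"{host['ip']}:{port}",
                    "internet_facing": host["internet_facing"],
                    "product": f"{product} {version}",
                    "cvss": issue["cvss"],
                    "severity": severity(issue["cvss"]),
                    "needs_verification": bool(DISTRO_MARKERS.search(banner)),
                    "remediation": issue["remediation"],
                })
    findings.sort(key=lambda f: (f["internet_facing"], f["cvss"]), reverse=True)
    return findings


if __name__ == "__main__":
    for f in scan_report(SAMPLE_HOSTS):
        flag = "  [verify: possible distro backport]" if f["needs_verification"] else ""
        print(f"{f['severity']:<8} {f['cvss']:<4} {f['asset']:<18} "
              f"{f['product']:<14} {f['id']}  {f['remediation']}{flag}")
```

Run directly, it prints three findings, with the Critical Apache finding on the internet-facing host first and the nginx finding on the internal host last. The two findings on the Debian and Ubuntu hosts are marked for verification because a banner alone cannot tell whether the distribution already backported the fix; that limitation is why scanners also offer authenticated (credentialed) checks that read the installed package version instead of trusting the banner.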
What to Look for in a Vulnerability Scanner
Vulnerability scanners aren’t all created equal, and some will serve your needs better than others. There are a few things to look for to make sure the scanning software you’re considering is the right fit for your business.
A vulnerability scanner should be able to:
- Conduct continuous scanning and monitoring
- Conduct multiple scans simultaneously
- Keep an up-to-date vulnerability database
- Scan and monitor your assets
- Identify genuine vulnerabilities and security gaps
- Deliver minimal false positives
- Produce clear, robust reports or real-time dashboards
- Rate the risk level of vulnerabilities or otherwise help you prioritize
- Suggest remediation plans or countermeasures
- Provide trends or analytic data
- Integrate with tools you already use
How to Budget for a Vulnerability Scanner
While some vendors offer vulnerability scanning for free, the cost of commercial scanning software varies from vendor to vendor, and the size of your business and the complexity of your environment (number of assets, sites, and scan engines) also affect the price. Most vulnerability scanning software ranges from hundreds of dollars for a small business to thousands of dollars for a larger, more complex enterprise. You can request a quote on the vendor’s website to get a price specific to your business.
Luckily, some vendors offer free trials of their products, often ranging from two weeks to a month, so you can test out all of the features and reporting capabilities to make sure you’re getting the right product for you.
Vulnerability Scanners You Can Try for Free
Open Vulnerability Assessment System (OpenVAS)
OpenVAS is a free, open-source network vulnerability scanner, now maintained by Greenbone as part of its Greenbone Vulnerability Management stack. The scanner engine itself runs only on Linux: it can scan Windows targets over the network, but you cannot install it on a Windows host, although a Windows client has been offered for connecting to a Linux-hosted scanner. It draws on a large feed of vulnerability tests, supports running multiple scan tasks at the same time, and lets you schedule scans. It may not be the easiest or the fastest option to set up, but at no cost it can be worth jumping through some hoops.
Microsoft Baseline Security Analyzer (MBSA)
Another free option is Microsoft Baseline Security Analyzer (MBSA), which can perform local or remote scans of Windows desktops and servers and identify missing service packs, security patches, and common security misconfigurations. The 2.3 release supports Windows 8.1, Windows 8, Windows Server 2012 R2, and Windows Server 2012 (as well as older releases such as Windows 7 and Windows Server 2008 R2), but not Windows 10 or Windows Server 2016, and Microsoft has since retired the tool, so it is only relevant to legacy estates. It is free and user-friendly, but limited: it cannot check advanced Windows settings, drivers, non-Microsoft software, or network-level vulnerabilities. Within those limits it remains a useful way to spot general Windows-centric security gaps on older systems.
Nexpose or InsightVM
With a 30-day free trial, you can try either Nexpose or InsightVM from Rapid7. Nexpose is the on-premises scanner; InsightVM is the same scanning engine connected to Rapid7’s cloud-hosted Insight platform, which adds dashboards, remediation tracking, and agent-based coverage. Both scan networks, operating systems, web applications, databases, and virtual environments, and both can be installed on Windows or Linux or deployed as a virtual appliance. Each provides a web-based console where you create sites to define the IP ranges or URLs to scan, choose a scan template and schedule, and supply any credentials needed for authenticated checks of the target assets. Either option is an easy-to-set-up, full-featured vulnerability scanner, though after the 30-day trial you must buy a license.
Retina
The Retina Network Security Scanner from BeyondTrust is available as a free demo. It combines vulnerability scanning with patching for Microsoft and third-party applications, covers a variety of asset types, and looks for network vulnerabilities, configuration issues, and missing patches. It requires a Windows Server to run on. Retina is a solid commercial option that you can try out for free, but if you’re not a Windows shop, it might not be for you.
Qualys FreeScan
Qualys FreeScan is a web-based vulnerability scanner that provides up to 10 free scans of URLs or hosts with internet-facing IP addresses. It supports a few scan types: vulnerability checks for malware, SSL/TLS issues, and other network vulnerabilities; web application testing for common weaknesses, including the OWASP Top 10 risks; scanning for missing software patches, with help installing them; and configuration compliance checks using SCAP (Security Content Automation Protocol) content, the NIST specification for machine-readable security checklists and benchmarks. However, with only 10 free scans, it is not an option for continuous monitoring or regular use.
Vulnerability scanning is an integral part of keeping your network safe. Being able to identify and remediate vulnerabilities before they are exploited helps keep you one step ahead of attackers. Hopefully, we’ve helped you figure out how to find a vulnerability scanning tool that meets your needs and fits your budget.