2.1 Given a scenario, implement vulnerability scanning methods and concepts.
📘CompTIA CySA+ (CS0-003)
Vulnerability scanning is the process of identifying weaknesses in a system, network, or application that attackers could exploit. One of the key concepts in CySA+ is understanding where the scan is performed: internally or externally.
1. Internal Scanning
Definition:
Internal scanning is done from inside the organization’s network. This means the scanner has access to internal systems as if it were an employee or device already connected to the network.
Purpose:
- To identify vulnerabilities that could be exploited by insiders (employees, contractors) or malware that has already entered the network.
- To detect misconfigurations, missing patches, weak passwords, and outdated software within the internal environment.
Key Characteristics:
| Feature | Internal Scanning |
|---|---|
| Location | Inside the corporate network (LAN) |
| Perspective | Insider threat perspective |
| Access Level | Usually has higher access or authenticated scans (can log in to systems to scan deeply) |
| Common Targets | Servers, workstations, internal web applications, network devices |
| Tools | Nessus, OpenVAS, Qualys, Nexpose (with internal access) |
Example Scenario in IT Terms:
- An IT security team runs a scan on all Windows servers and employee laptops in the corporate network.
- The scan looks for missing OS patches, outdated antivirus signatures, or misconfigured file shares.
Why it matters for the exam:
- The CySA+ exam often asks you to differentiate internal vs external scans and know what type of vulnerabilities each detects.
- Internal scans usually find more vulnerabilities because they have deeper access than an external scan.
2. External Scanning
Definition:
External scanning is performed from outside the organization’s network, usually over the internet. The scanner acts like an attacker trying to penetrate the network from the outside.
Purpose:
- To identify vulnerabilities that are visible to the public or internet-facing systems.
- Helps organizations secure web servers, VPNs, email servers, and other systems exposed to the internet.
Key Characteristics:
| Feature | External Scanning |
|---|---|
| Location | Outside the corporate network (Internet) |
| Perspective | Attacker/external threat perspective |
| Access Level | Usually unauthenticated scans (no internal login) |
| Common Targets | Web servers, firewalls, VPN gateways, public IPs |
| Tools | Nessus, OpenVAS, Qualys, Nmap (with external access) |
Example Scenario in IT Terms:
- Security team scans the organization’s public web server for outdated software or unpatched vulnerabilities.
- The scan checks if ports like HTTP (80) or HTTPS (443) have weaknesses that could allow attackers to gain access.
Why it matters for the exam:
- External scans are focused on what an attacker could see from the internet.
- They help prioritize patching for systems that are exposed externally.
3. Key Differences Between Internal and External Scanning
| Aspect | Internal Scan | External Scan |
|---|---|---|
| Network Location | Inside LAN | Outside LAN (Internet) |
| Perspective | Insider/malware perspective | Attacker perspective |
| Access | Often authenticated | Usually unauthenticated |
| Vulnerabilities Found | Internal misconfigurations, missing patches, weak passwords | Internet-facing vulnerabilities, open ports, exposed services |
| Depth | Can scan deeper | Limited to what’s exposed externally |
4. How They Work Together
- Internal scans help organizations fix vulnerabilities before insiders or malware exploit them.
- External scans help organizations protect their internet-facing systems from hackers.
- Together, they provide a complete view of security.
Example in IT Terms:
- External scan shows the organization’s web server is vulnerable to SQL injection.
- Internal scan shows that employee laptops have outdated antivirus definitions that could allow malware to spread if the web server is breached.
- By combining both, the organization can patch the server and update endpoints to prevent an attack.
5. Tips for the Exam
- Remember the perspective difference:
- Internal = insider perspective
- External = attacker perspective
- Access level matters:
- Internal scans can be authenticated, deeper
- External scans are mostly unauthenticated, limited to visible services
- Use the examples for scenario questions:
- If the question mentions scanning public IPs, it’s external.
- If it mentions scanning internal workstations or servers, it’s internal.
- Tools can be the same, but context differs:
- Nessus, OpenVAS, Qualys are commonly mentioned, but how you use them depends on internal vs external.
✅ Summary in Simple Words:
- Internal scanning: Checks for problems inside the network like a security guard inspecting the building.
- External scanning: Checks for problems from the outside like a hacker looking for open doors on the network.
- Both are needed to keep systems secure.
