2.1 Given a scenario, implement vulnerability scanning methods and concepts.
📘CompTIA CySA+ (CS0-003)
1. What Is Asset Discovery?
Asset discovery is the process of identifying all devices, systems, and services connected to a network.
Before performing vulnerability scanning, you must first know:
- What devices exist
- Where they are located (network-wise)
- What operating systems they run
- What services and ports are open
If you do not know what assets you have, you cannot properly secure them.
For the CySA+ exam, remember:
Asset discovery is the foundation of vulnerability management.
2. Why Asset Discovery Is Important
Asset discovery helps security teams:
- Identify unknown or unauthorized devices
- Detect shadow IT (unapproved systems)
- Find forgotten systems
- Build an accurate asset inventory
- Ensure all systems are scanned for vulnerabilities
- Improve risk management
If a device is not discovered, it cannot be scanned or protected.
3. Asset Discovery Methods
For the CS0-003 exam, you must understand two key methods:
- Map scans
- Device fingerprinting
Let’s explain each clearly.
4. Map Scans
What Is a Map Scan?
A map scan is a network scanning technique used to discover:
- Active IP addresses
- Live hosts
- Open ports
- Network structure
- Subnets
- Connected devices
It creates a “map” of the network.
How Map Scans Work
A scanner sends probe packets to each IP address in a range and records which addresses answer.
Example:
- Scan 192.168.1.0/24
- The scanner checks every address from 192.168.1.1 to 192.168.1.254
The scanner determines:
- Which IP addresses respond
- Which ports are open
- Which services are running
What Map Scans Identify
A map scan can identify:
- Servers
- Workstations
- Network printers
- Firewalls
- Routers
- Switches (if discoverable)
- Virtual machines
- Cloud-based systems (if reachable)
It helps answer:
What devices are on this network?
Types of Map Scans (Exam-Relevant Concepts)
1. Ping Sweep
- Sends ICMP echo requests
- Identifies live hosts
- Fast method
- May be blocked by firewall
2. TCP Connect Scan
- Attempts full TCP handshake
- Reliable
- More detectable
3. SYN Scan (Half-Open Scan)
- Sends SYN packet
- Does not complete handshake
- Faster and stealthier
4. UDP Scan
- Identifies UDP services
- Slower and less reliable
You don’t need deep technical detail, but you must understand:
Different scan types detect different services and behave differently.
Map Scan Output
A map scan may show:
- IP address
- Hostname
- Open ports
- Service name
- Service version (sometimes)
Example format:
IP: 192.168.1.10
Open Ports:
- 22 (SSH)
- 80 (HTTP)
- 443 (HTTPS)
This information is critical before vulnerability scanning.
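As an added illustration (not part of the original notes), the script below parses scan output in the format shown above and reconciles it against an approved asset list, which is how a team turns map scan results into an inventory and spots unknown hosts (the shadow IT and rogue device problem discussed later). The scan text, the CMDB entries and the IP addresses are constructed sample values, not real scan data.

```python
import re
from dataclasses import dataclass, field

# Constructed sample output in the page's "Example format" (not real scan data).
SCAN_OUTPUT = """\
IP: 192.168.1.10
Open Ports:
- 22 (SSH)
- 80 (HTTP)
- 443 (HTTPS)
- 3389 (RDP)
IP: 192.168.1.37
Open Ports:
- 23 (TELNET)
- 9100 (JETDIRECT)
"""

# Constructed approved-asset list standing in for a CMDB export (hypothetical values).
CMDB = {
    "192.168.1.10": {"role": "web server", "expected_ports": {22, 80, 443}},
}

@dataclass
class Host:
    ip: str
    ports: dict = field(default_factory=dict)  # port number -> service name

def parse_map_scan(text):
    """Turn the line-oriented map scan output into Host records."""
    hosts, current = [], None
    for line in text.splitlines():
        m = re.match(r"IP:\s*(\S+)", line)
        if m:
            current = Host(m.group(1))
            hosts.append(current)
            continue
        m = re.match(r"-\s*(\d+)\s*\((\w+)\)", line)
        if m and current is not None:
            current.ports[int(m.group(1))] = m.group(2)
    return hosts

def reconcile(hosts, cmdb):
    """Flag hosts missing from the inventory and open ports the inventory did not expect."""
    findings = []
    for h in hosts:
        entry = cmdb.get(h.ip)
        if entry is None:
            findings.append((h.ip, "unknown host (possible shadow IT or rogue device)"))
            continue
        for port in sorted(set(h.ports) - entry["expected_ports"]):
            findings.append((h.ip, f"unexpected open port {port} ({h.ports[port]})"))
    return findings

if __name__ == "__main__":
    for ip, msg in reconcile(parse_map_scan(SCAN_OUTPUT), CMDB):
        print(ip, msg)
```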
Risks of Map Scanning
For the exam, remember:
- Can trigger intrusion detection systems (IDS)
- May disrupt fragile systems
- Should be authorized
- Should follow change management procedures
Unauthorized scanning may violate policy.
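To show why map scans trigger intrusion detection, here is an added example (not from the original notes) of the detection logic an IDS applies: one source touching many hosts in a short window looks like a ping sweep, and one source touching many ports on a single host looks like a port scan. The log lines, addresses and thresholds are constructed for the example and are not from any real product.

```python
from collections import defaultdict, deque
from datetime import datetime

WINDOW_SECONDS = 60
SWEEP_HOSTS = 5   # distinct destination hosts from one source inside the window
SCAN_PORTS = 5    # distinct ports on one destination from one source inside the window

# Constructed flow-log lines: a ping sweep from 10.0.0.5, a port probe from
# 10.0.0.9 against 192.168.1.10, and ordinary HTTPS traffic from 10.0.0.20.
LOG_LINES = [f"2024-05-01T10:00:0{i} src=10.0.0.5 dst=192.168.1.{i + 1} proto=icmp dport=-"
             for i in range(6)]
LOG_LINES += [f"2024-05-01T10:01:0{i} src=10.0.0.9 dst=192.168.1.10 proto=tcp dport={p}"
              for i, p in enumerate([21, 22, 23, 25, 80, 443])]
LOG_LINES += ["2024-05-01T10:02:00 src=10.0.0.20 dst=192.168.1.10 proto=tcp dport=443",
              "2024-05-01T10:02:05 src=10.0.0.20 dst=192.168.1.10 proto=tcp dport=443"]

def parse_line(line):
    """Split 'timestamp key=value ...' into a dict with a parsed timestamp."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = datetime.fromisoformat(ts)
    return fields

def detect_scans(lines):
    """Return sorted (source, description) alerts for sweeps and port scans."""
    events = sorted((parse_line(l) for l in lines), key=lambda e: e["ts"])
    recent = defaultdict(deque)  # source -> events within the trailing window
    alerts = set()
    for ev in events:
        q = recent[ev["src"]]
        q.append(ev)
        while (ev["ts"] - q[0]["ts"]).total_seconds() > WINDOW_SECONDS:
            q.popleft()  # drop events that fell out of the window
        hosts = {e["dst"] for e in q}
        if len(hosts) >= SWEEP_HOSTS:
            alerts.add((ev["src"], "host sweep"))
        ports = {e["dport"] for e in q if e["dst"] == ev["dst"] and e["proto"] != "icmp"}
        if len(ports) >= SCAN_PORTS:
            alerts.add((ev["src"], f"port scan of {ev['dst']}"))
    return sorted(alerts)

if __name__ == "__main__":
    for src, what in detect_scans(LOG_LINES):
        print(f"ALERT {src}: {what}")
```

A real IDS tunes the thresholds and window per network; a SYN scan still produces these connection attempts, so the half-open technique changes detectability, not visibility, on a sensor that sees the flows.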
5. Device Fingerprinting
What Is Device Fingerprinting?
Device fingerprinting is the process of identifying:
- Operating system
- Device type
- Software versions
- Hardware characteristics
It answers:
What exactly is this device?
Why Device Fingerprinting Is Important
Knowing the IP address is not enough.
Example:
- If a device runs Windows Server, it has different vulnerabilities than Linux.
- If it is a printer, it has different risks than a database server.
Fingerprinting helps:
- Select correct vulnerability checks
- Prioritize risk
- Identify unsupported systems
- Detect rogue devices
6. Types of Device Fingerprinting
For CySA+, understand two main types:
1. Active Fingerprinting
The scanner sends packets to the device and analyzes responses.
It checks:
- TCP/IP stack behavior
- Response timing
- TTL values
- Window size
- Error messages
Based on response patterns, the scanner identifies:
- Operating system
- OS version
- Device type
Example:
- Identifies Windows Server 2019
- Identifies Linux Ubuntu
- Identifies network firewall appliance
Active fingerprinting is:
- Accurate
- Faster
- Detectable
2. Passive Fingerprinting
The scanner does NOT send packets.
It monitors existing network traffic.
It analyzes:
- Packet headers
- TCP behavior
- DHCP requests
- HTTP headers
It identifies:
- OS types
- Device roles
- Applications
Passive fingerprinting is:
- Stealthy
- Harder to detect
- Slower
- Dependent on network visibility (a sensor, tap or span port that sees the traffic)
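The TTL and window-size clues listed for active fingerprinting are the same fields a passive sensor reads from packet headers, so one added example (not from the original notes) serves both: it rounds an observed TTL up to the nearest common default to recover the sender's initial TTL and hop count, then combines that with the TCP window size to guess the OS. The signature table is a simplified, illustrative assumption rather than a vendor-published list, and the observations are constructed.

```python
# Common initial TTL defaults: 64 (Linux and most Unix-like), 128 (Windows),
# 255 (many network devices). Assumed simplified table for this example.
INITIAL_TTLS = (64, 128, 255)
TTL_FAMILY = {64: "Linux/Unix-like", 128: "Windows", 255: "Network device / Unix"}

# Illustrative (initial TTL, SYN window size) signatures; real tools use far
# richer tables (options, MSS, DF bit). Treat these values as an assumption.
SIGNATURES = {
    (64, 5840): "Linux (older kernel)",
    (64, 29200): "Linux",
    (64, 64240): "Linux (recent kernel)",
    (128, 8192): "Windows (older)",
    (128, 65535): "Windows",
    (128, 64240): "Windows 10 / Server 2016+",
    (255, 4128): "Cisco IOS",
}

def initial_ttl(observed):
    """Round the observed TTL up to the nearest default initial TTL.
    Each router hop decrements TTL by one, so the gap is the hop count."""
    for base in INITIAL_TTLS:
        if observed <= base:
            return base
    return None  # cannot happen for a valid 8-bit IPv4 TTL

def guess_os(ttl, window):
    base = initial_ttl(ttl)
    if base is None:
        return {"guess": "unknown", "initial_ttl": None, "hops": None, "confidence": "none"}
    sig = SIGNATURES.get((base, window))
    return {
        "guess": sig or TTL_FAMILY[base],
        "initial_ttl": base,
        "hops": base - ttl,
        # window size alone is ambiguous (64240 appears on both Linux and
        # Windows); pairing it with the TTL family is what disambiguates.
        "confidence": "high" if sig else "low (TTL only)",
    }

# Constructed observations, as a passive sensor would extract them from SYN packets.
OBSERVATIONS = [
    {"ip": "192.168.1.10", "ttl": 57, "window": 64240},   # Linux host 7 hops away
    {"ip": "192.168.1.22", "ttl": 125, "window": 8192},   # older Windows, 3 hops
    {"ip": "192.168.1.1", "ttl": 255, "window": 4128},    # router on this segment
    {"ip": "10.4.0.9", "ttl": 120, "window": 1234},       # window not in table
]

if __name__ == "__main__":
    for obs in OBSERVATIONS:
        print(obs["ip"], guess_os(obs["ttl"], obs["window"]))
```

Hosts and middleboxes can rewrite TTL and window values, so a fingerprint is evidence for asset classification, never proof; an authenticated scan confirms what the headers only suggest.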
7. What Device Fingerprinting Can Identify
Fingerprinting may determine:
- Windows, Linux, macOS
- Web server software (Apache, IIS)
- Database software
- Network devices (router, firewall)
- IoT devices
- Printers
- Virtual machines
- Containers
This helps determine:
- Vulnerability exposure
- Patch requirements
- End-of-life systems
- Compliance issues
8. Asset Discovery in Vulnerability Scanning Workflow
For the exam, understand the order:
- Asset discovery
- Asset classification
- Vulnerability scanning
- Risk prioritization
- Remediation
Asset discovery always comes first.
9. Authenticated vs Unauthenticated Discovery
Though not strictly part of map scans, this distinction is exam-relevant.
Unauthenticated Scanning
- No credentials used
- External perspective
- Shows exposed services
- Limited visibility
Authenticated Scanning
- Uses login credentials
- Internal perspective
- More accurate
- Detects missing patches
- Reads configuration details
Asset discovery is more complete with authenticated scans.
10. Common Tools Used for Asset Discovery
For exam awareness (no need for deep detail):
- Network scanners
- Vulnerability scanners
- Configuration management databases (CMDB)
- Network monitoring tools
Examples include:
- Nmap
- Nessus
- OpenVAS
You only need to recognize these as scanning tools.
11. Challenges in Asset Discovery
For CySA+, understand common problems:
- Firewalls blocking scans
- Devices blocking ICMP
- Cloud environments changing frequently
- Remote workers
- Virtual machines spinning up/down
- Network segmentation
- Encrypted traffic
Asset discovery must be continuous, not one-time.
12. Shadow IT and Rogue Devices
Asset discovery helps detect:
- Unauthorized wireless access points
- Personal devices connected to the network
- Unapproved virtual machines
- Test systems left online
These create major security risks.
13. Map Scans vs Device Fingerprinting (Comparison Table)
| Feature | Map Scan | Device Fingerprinting |
|---|---|---|
| Purpose | Discover devices | Identify device details |
| Focus | Network structure | OS and software |
| Output | IPs and ports | OS, version, device type |
| Required for vulnerability scanning | Yes | Yes |
| Can be passive | No (usually active) | Yes |
Exam Tip:
Map scan = Who is there?
Fingerprinting = What are they running?
14. Key Exam Points to Remember
You must know:
- Asset discovery identifies all devices in scope.
- Map scans find active hosts and open ports.
- Device fingerprinting identifies operating systems and services.
- Active fingerprinting sends packets.
- Passive fingerprinting monitors traffic.
- Asset discovery is required before vulnerability scanning.
- Unauthorized scanning can violate policy.
- Continuous discovery is required in modern networks.
- Authenticated scans provide deeper visibility.
15. Simple Summary (Very Important for Exam)
Asset discovery is the process of identifying all devices on a network.
Map scans:
- Find live hosts
- Identify open ports
- Map network structure
Device fingerprinting:
- Identifies operating system
- Detects software versions
- Determines device type
Together, they ensure that:
- No device is missed
- Vulnerabilities are accurately identified
- Risk is properly managed
