2.1 Given a scenario, implement vulnerability scanning methods and concepts.
📘CompTIA CySA+ (CS0-003)
This is a very important exam topic. You must clearly understand:
- What credentialed scanning is
- What non-credentialed scanning is
- How they work
- Their advantages and disadvantages
- When to use each
- Risks and best practices
The exam may give you a scenario and ask which type of scan should be used.
1. What Is Vulnerability Scanning?
A vulnerability scan is a security process that checks systems, networks, or applications for known weaknesses.
It helps identify:
- Missing patches
- Misconfigurations
- Weak passwords
- Open ports
- Outdated software
- Security policy violations
Scanning tools compare systems against known vulnerabilities (such as those listed in CVE databases).
2. Credentialed vs. Non-Credentialed Scanning
The difference between these two methods is simple:
| Type | Access Level | View |
|---|---|---|
| Credentialed Scan | Logs into the system | Internal view |
| Non-Credentialed Scan | Does NOT log in | External view |
3. Non-Credentialed Scanning (Unauthenticated Scan)
What It Is
A non-credentialed scan is performed without logging into the system.
The scanner:
- Does not use usernames or passwords
- Scans from the outside
- Sees only what is exposed to the network
It simulates what an external attacker can see.
What It Can Detect
- Open ports
- Running services
- Web server versions
- Firewall exposure
- Public-facing vulnerabilities
- SSL/TLS configuration issues
Example in an IT environment:
- Scanning a public web server from outside the network
- Scanning a DMZ system
- Testing what is exposed to the internet
Advantages
- Safe and simple to run
- No risk of credential misuse
- Shows external attack surface
- Useful for perimeter testing
Disadvantages
- Limited visibility
- Cannot see inside the system
- May miss internal vulnerabilities
- Can generate more false positives
- Cannot check patch levels accurately
When to Use Non-Credentialed Scanning
Use it when:
- Testing external-facing systems
- Assessing firewall exposure
- Performing perimeter security checks
- Simulating attacker reconnaissance
- Auditing DMZ environments
4. Credentialed Scanning (Authenticated Scan)
What It Is
A credentialed scan uses valid login credentials to access the system.
The scanner logs into:
- Windows systems (using admin/domain credentials)
- Linux systems (using SSH credentials)
- Network devices (using SNMP or management accounts)
- Databases
- Applications
This gives the scanner internal access.
What It Can Detect
- Missing security patches
- Weak local configurations
- Insecure registry settings
- File permissions
- Installed software versions
- Password policies
- Local vulnerabilities not visible externally
Example in an IT environment:
- Scanning Windows servers using domain admin credentials
- Checking Linux servers via SSH
- Verifying patch levels on internal workstations
Advantages
- Very accurate results
- Fewer false positives
- Detects missing patches directly
- Deep visibility into system settings
- Better compliance auditing
Disadvantages
- Requires credential management
- Risk if credentials are compromised
- More complex to configure
- May impact performance slightly
When to Use Credentialed Scanning
Use it when:
- Scanning internal networks
- Performing compliance audits
- Validating patch management
- Checking configuration baselines
- Conducting internal vulnerability assessments
5. Key Differences for the Exam
You MUST understand these differences clearly.
| Feature | Credentialed | Non-Credentialed |
|---|---|---|
| Login required | Yes | No |
| Internal visibility | Yes | No |
| Patch verification | Accurate | Inferred only |
| False positives | Fewer | More |
| Attack simulation | Less realistic | More realistic |
| Risk if compromised | High (credentials exposed) | Low |
6. Patch Detection Difference (Very Important for Exam)
This is often tested.
Non-Credentialed Scan:
- Detects software version from banner or service response
- Assumes vulnerability if version matches known vulnerable version
- Cannot confirm if patch is actually installed
Credentialed Scan:
- Checks installed patch list directly
- Reads system files or registry
- Confirms whether patch is missing or installed
Credentialed scans are therefore more accurate for patch management.
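The following added example (not part of the original study notes) contrasts the two patch-detection approaches described above, and also illustrates the false-positive difference discussed later. It assumes a hypothetical service named ExampleHTTPd, a placeholder advisory VULN-EXAMPLE-1 and a placeholder backport patch PATCH-2.4.49-001; all banners and patch lists are constructed.

```python
import re

# Constructed advisory data (not a real CVE): a hypothetical flaw fixed in
# 2.4.50, plus a vendor patch that backports the fix to the 2.4.49 line
# without changing the version string the service advertises.
ADVISORY = {
    "id": "VULN-EXAMPLE-1",                # placeholder identifier
    "affected_below": (2, 4, 50),
    "backport_patch": "PATCH-2.4.49-001",  # placeholder patch identifier
}
BANNER_RE = re.compile(r"ExampleHTTPd/(\d+)\.(\d+)\.(\d+)")

def parse_banner_version(banner):
    """Extract the version tuple that a non-credentialed scan sees in the banner."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())

def non_credentialed_assessment(banner, advisory=ADVISORY):
    """Version inference only: flags any banner version below the fixed version.
    It cannot see whether a backported patch is installed, so the strongest
    verdict it can give is 'possibly vulnerable'."""
    version = parse_banner_version(banner)
    if version is None:
        return "unknown"  # no usable banner, nothing to infer from
    return "possibly vulnerable" if version < advisory["affected_below"] else "not flagged"

def credentialed_assessment(banner, installed_patches, advisory=ADVISORY):
    """Authenticated check: reads the host's installed-patch list (here a
    constructed set) and confirms the patch state directly."""
    version = parse_banner_version(banner)
    if version is None or version >= advisory["affected_below"]:
        return "not vulnerable"
    if advisory["backport_patch"] in installed_patches:
        return "patched"  # banner still says 2.4.49, but the fix is present
    return "vulnerable"

def compare(banner, installed_patches):
    """Return both verdicts and whether the unauthenticated one is a false positive."""
    unauth = non_credentialed_assessment(banner)
    auth = credentialed_assessment(banner, installed_patches)
    false_positive = unauth == "possibly vulnerable" and auth == "patched"
    return {"non_credentialed": unauth, "credentialed": auth, "false_positive": false_positive}

if __name__ == "__main__":
    # Constructed hosts: identical banner, different patch state.
    host_a = ("Server: ExampleHTTPd/2.4.49", {"PATCH-2.4.49-001"})
    host_b = ("Server: ExampleHTTPd/2.4.49", set())
    for banner, patches in (host_a, host_b):
        print(banner, compare(banner, patches))
```

Host A is a false positive for the banner-based scan and a confirmed "patched" for the credentialed one; host B is a true finding under both.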
7. Security Risks of Credentialed Scans
The exam may test this.
Risks include:
- Storing administrator credentials in the scanning tool
- Credential theft if scanner is compromised
- Privilege misuse
- Lateral movement if credentials are reused
Best practices:
- Use least privilege accounts
- Use separate scanning accounts
- Protect scanning servers
- Rotate credentials regularly
- Use secure storage (vault)
8. Performance Impact
Credentialed scans:
- Can consume CPU and memory
- May increase disk activity
- Can impact production systems if scheduled poorly
Best practice:
- Schedule scans during maintenance windows
- Limit scan intensity
- Monitor system load
9. Compliance and Audit Perspective
For compliance standards (such as PCI, HIPAA, ISO 27001):
- Credentialed scanning is often required
- Provides proof of patch and configuration compliance
- Used in internal audits
Non-credentialed scanning:
- Often required for external vulnerability scanning
10. Internal vs. External Scanning
| Scenario | Recommended Scan |
|---|---|
| Public web server | Non-credentialed |
| Internal domain controllers | Credentialed |
| Workstations in corporate network | Credentialed |
| Firewall exposure check | Non-credentialed |
| Patch audit | Credentialed |
11. False Positives and False Negatives
Understanding this helps in exam scenarios.
Non-Credentialed:
- Higher false positives
- Might incorrectly report vulnerabilities
Credentialed:
- Lower false positives
- More reliable findings
12. Exam Scenario Thinking
If the question says:
- “Verify patch levels internally” → Credentialed
- “Simulate attacker view” → Non-credentialed
- “Check external exposure” → Non-credentialed
- “Perform compliance audit” → Credentialed
- “Reduce false positives” → Credentialed
- “Avoid storing credentials” → Non-credentialed
13. Best Practice: Use Both
In real IT environments, organizations use:
- Non-credentialed scans to see external exposure
- Credentialed scans to check internal security posture
Using both gives full coverage.
14. Important Exam Keywords to Remember
Credentialed:
- Authenticated
- Internal visibility
- Patch validation
- Compliance
- Reduced false positives
- Requires credentials
Non-Credentialed:
- Unauthenticated
- External view
- Attack simulation
- Perimeter scanning
- Higher false positives
Final Summary (Must Remember for Exam)
- Non-credentialed scan = Outside view, no login, simulates attacker.
- Credentialed scan = Inside view, logs in, accurate patch and configuration detection.
- Credentialed scans provide deeper analysis but introduce credential risk.
- Non-credentialed scans show exposure but have limited visibility.
- Best practice is to use both methods together.
