2.1 Given a scenario, implement vulnerability scanning methods and concepts.
📘CompTIA CySA+ (CS0-003)
When performing vulnerability scanning, it is not enough to simply run a scanner and generate a report. A cybersecurity analyst must carefully plan how and when scans are performed to avoid disrupting business operations and to ensure accurate results.
For the CySA+ exam, you must understand the following special considerations:
- Scheduling
- Operations
- Performance
- Sensitivity levels
- Segmentation
- Regulatory requirements
Let’s explain each in simple, easy-to-understand language.
1. Scheduling
What is Scheduling?
Scheduling means deciding when and how often vulnerability scans should run.
Running scans at the wrong time can:
- Slow down systems
- Interrupt users
- Crash sensitive servers
- Trigger alerts unnecessarily
Why Scheduling Is Important
Vulnerability scans:
- Send many network requests
- Check thousands of files and services
- May consume CPU, memory, and bandwidth
If you scan during peak business hours, you may:
- Slow down critical applications
- Affect customer-facing systems
- Cause performance complaints
Best Practices for Scheduling
For the exam, remember these key points:
1. Scan During Off-Peak Hours
- Nights
- Weekends
- Maintenance windows
Example (IT-related):
Scanning a production database server during business hours may slow down user queries. Instead, schedule scanning during a planned maintenance window.
2. Use Different Scan Frequencies
Not all systems need the same schedule.
- Critical servers → Scan more frequently (weekly or daily)
- Workstations → Scan less frequently
- Development/test systems → Based on change schedule
3. Event-Based Scanning
Scan when:
- A new system is deployed
- A patch is applied
- A major configuration change occurs
4. Continuous vs Periodic Scanning
- Continuous scanning: Always monitoring for vulnerabilities.
- Periodic scanning: Weekly, monthly, or quarterly.
For CySA+, understand that critical environments often require more frequent scans.
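The scheduling rules above (off-peak windows, frequency by criticality, event-based re-scans) combined into one small planner. This is an added example, not code from the notes; the tier intervals, trigger events, maintenance window and inventory are constructed values.

```python
"""Added example (not from the CySA+ notes): scan scheduler applying the
off-peak, per-criticality and event-based rules above; all values constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, time

# Constructed policy: re-scan interval per criticality tier (point 2).
SCAN_INTERVAL = {"critical": timedelta(days=1), "standard": timedelta(days=7),
                 "workstation": timedelta(days=30)}
# Constructed policy: changes that force a re-scan regardless of interval (point 3).
TRIGGER_EVENTS = {"deployed", "patched", "config_change"}
# Constructed maintenance window, 22:00 to 04:00 local time (point 1).
WINDOW_START, WINDOW_END = time(22, 0), time(4, 0)

@dataclass
class Asset:
    name: str
    criticality: str
    last_scan: datetime
    events: list = field(default_factory=list)  # (timestamp, event_name) pairs

def scan_due(asset: Asset, now: datetime):
    """Return why a scan is due ("event:<name>" or "interval"), else None."""
    for ts, event in asset.events:
        if event in TRIGGER_EVENTS and ts > asset.last_scan:
            return f"event:{event}"  # a triggering change postdates the last scan
    if now - asset.last_scan >= SCAN_INTERVAL[asset.criticality]:
        return "interval"
    return None

def in_window(t: datetime) -> bool:
    """True when t falls in the overnight window, which wraps past midnight."""
    return t.time() >= WINDOW_START or t.time() < WINDOW_END

def next_window_start(now: datetime) -> datetime:
    """Earliest moment at or after now when scanning is permitted."""
    if in_window(now):
        return now
    return now.replace(hour=WINDOW_START.hour, minute=0, second=0, microsecond=0)

def plan_scans(assets, now):
    """Map each due asset to (reason, earliest permitted start time)."""
    start = next_window_start(now)
    return {a.name: (reason, start) for a in assets if (reason := scan_due(a, now))}

if __name__ == "__main__":  # constructed inventory; ws-22 is not yet due
    inventory = [Asset("db01", "critical", datetime(2024, 3, 3, 2, 0)),
                 Asset("web01", "standard", datetime(2024, 3, 1, 2, 0),
                       [(datetime(2024, 3, 3, 14, 0), "patched")]),
                 Asset("ws-22", "workstation", datetime(2024, 2, 20, 23, 0))]
    print(plan_scans(inventory, datetime(2024, 3, 4, 10, 30)))
```

Running it mid-morning defers both due scans to that night's 22:00 window; a patch applied after the last scan triggers web01 even though its weekly interval has not elapsed.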
2. Operations
What Does “Operations” Mean?
Operations refers to how scanning affects normal business activities.
Security must support the business, not break it.
Key Operational Considerations
1. Change Management
Before running a scan:
- Get approval (if required)
- Inform system owners
- Follow change control procedures
Many organizations require scanning activities to be logged and approved.
2. Production vs Non-Production Systems
Production systems:
- Handle real users and business data
- Must be scanned carefully
Non-production systems:
- Used for testing
- Lower operational risk
3. Coordination with IT Teams
Security teams must coordinate with:
- Network teams
- Server teams
- Application teams
This prevents:
- False alarms
- Service disruptions
- Incident confusion
4. Credentialed vs Non-Credentialed Scans
- Credentialed scan: Uses login credentials to check inside the system.
- Non-credentialed scan: Tests from the outside, seeing only what an attacker without credentials would see.
Credentialed scans:
- Are more accurate
- Require coordination
- May affect operations if misconfigured
For the exam: Credentialed scans provide deeper visibility but require careful handling.
3. Performance
Why Performance Matters
Vulnerability scanners:
- Consume CPU
- Use memory
- Generate heavy network traffic
This can:
- Slow applications
- Overload servers
- Affect network performance
Performance Considerations
1. Scan Intensity
Scanners allow adjusting speed and depth:
- Aggressive scan → Faster but more resource usage
- Throttled scan → Slower but safer
Exam Tip:
In sensitive environments, reduce scan intensity.
2. Network Bandwidth
Large networks:
- May need distributed scanners
- Should avoid saturating WAN links
Example:
Scanning across a VPN connection can slow remote offices.
3. Large Environments
In big organizations:
- Break scans into smaller segments
- Scan subnet by subnet
- Avoid scanning the entire network at once
4. Risk of Denial of Service (DoS)
Some vulnerability tests can:
- Crash unstable systems
- Trigger application failures
For CySA+, understand:
Improper scanning may cause a denial-of-service condition.
4. Sensitivity Levels
What Are Sensitivity Levels?
Sensitivity refers to how aggressive or deep a scan should be.
Scanners allow configuration of:
- Safe checks
- Deep inspection
- Exploit testing
- Port scanning depth
Safe vs Aggressive Scans
Safe Scan
- Only checks configurations
- Does not attempt exploitation
- Lower risk of disruption
Aggressive Scan
- May simulate attacks
- May attempt exploit validation
- Higher system impact
For production systems:
Use safe scans unless specifically authorized.
False Positives vs False Negatives
Sensitivity also affects accuracy.
- High sensitivity → More findings (may include false positives)
- Low sensitivity → Fewer findings (may miss vulnerabilities)
Exam Tip:
You must balance:
- Accuracy
- System stability
- Operational impact
5. Segmentation
What Is Segmentation?
Segmentation means dividing the network into separate sections.
Common segments:
- Internal network
- DMZ
- Cloud environment
- Management network
- Restricted network
- Isolated systems
Why Segmentation Matters in Scanning
Different segments:
- Have different security requirements
- Have different risk levels
- Require different scan methods
Important Segmentation Considerations
1. DMZ Scanning
Systems exposed to the internet:
- Must be scanned externally
- Should also be scanned internally
External scans simulate the attacker's perspective.
2. Isolated Networks
Some networks:
- Do not allow internet access
- Are highly restricted
Scanning may require:
- Local scanning appliances
- Internal scanning tools
3. Firewall and ACL Restrictions
Scanning across segments:
- May be blocked by firewalls
- Requires proper authorization
For the exam:
Understand that segmentation affects scan coverage and method.
4. Cloud and Hybrid Environments
Cloud systems:
- May require API-based scanning
- May require agent-based scanning
Do not assume traditional network scanning works everywhere.
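An added example (not code from the notes) that turns the performance advice in section 3 (scan subnet by subnet, use distributed scanners, avoid saturating WAN links) and the segmentation points above into a job planner: each /24 is assigned to the scanner local to its segment, and jobs that would have to cross the WAN from the central scanner are counted against a cap. Scanner names, address ranges and the cap are constructed values.

```python
"""Added example (not from the CySA+ notes): split a large target list into
per-subnet jobs and assign each to the scanner local to its segment, so WAN
links are not saturated. Addresses, scanner names and the cap are constructed."""
import ipaddress
from collections import defaultdict

# Constructed topology: one scanning appliance per segment and the ranges it serves.
SCANNERS = {
    "scanner-hq": [ipaddress.ip_network("10.0.0.0/16")],
    "scanner-dmz": [ipaddress.ip_network("203.0.113.0/24")],  # DMZ, TEST-NET-3 range
    "scanner-branch": [ipaddress.ip_network("10.200.0.0/16")],
}
CENTRAL = "scanner-hq"  # fallback; anything it scans outside its ranges crosses the WAN
MAX_WAN_JOBS = 2        # constructed cap on jobs allowed to traverse the WAN

def split_targets(cidrs, new_prefix=24):
    """Break ranges larger than /new_prefix into /new_prefix jobs; keep smaller ones."""
    jobs = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr)
        if net.prefixlen < new_prefix:
            jobs.extend(net.subnets(new_prefix=new_prefix))
        else:
            jobs.append(net)
    return jobs

def pick_scanner(subnet):
    """Longest-prefix match of the subnet against each scanner's served ranges.
    Returns (scanner_name, is_local); is_local=False means a WAN hop from CENTRAL."""
    best, best_len = CENTRAL, -1
    for name, ranges in SCANNERS.items():
        for served in ranges:
            if subnet.subnet_of(served) and served.prefixlen > best_len:
                best, best_len = name, served.prefixlen
    return best, best_len >= 0

def build_plan(cidrs):
    """Group jobs per scanner; report WAN-traversing jobs and whether the cap holds."""
    plan, wan_jobs = defaultdict(list), 0
    for subnet in split_targets(cidrs):
        scanner, local = pick_scanner(subnet)
        plan[scanner].append(str(subnet))
        wan_jobs += 0 if local else 1
    return dict(plan), wan_jobs, wan_jobs <= MAX_WAN_JOBS

if __name__ == "__main__":  # constructed target list spanning several segments
    targets = ["10.0.2.0/23", "203.0.113.0/24", "192.168.50.0/24", "10.200.5.0/26"]
    plan, wan, ok = build_plan(targets)
    print(plan, f"WAN jobs: {wan}", "within cap" if ok else "EXCEEDS cap")
```

A range with no local scanner (192.168.50.0/24 in the sample) falls back to the central appliance and is flagged as WAN traffic, which is the case the cap exists to catch.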
6. Regulatory Requirements
Many organizations must follow laws and standards.
Regulations often require:
- Regular vulnerability scanning
- Documented scan reports
- Remediation tracking
Common Regulatory Requirements (Know Conceptually)
You should understand that standards and frameworks such as:
- Payment Card Industry Data Security Standard (PCI DSS), from the PCI Security Standards Council
- National Institute of Standards and Technology (NIST) guidance
- International Organization for Standardization (ISO 27001)
require:
- Scheduled scanning
- External and internal scans
- Documentation
- Evidence of remediation
Key Compliance Considerations
1. Scan Frequency
Some regulations require:
- Quarterly scans
- After significant changes
2. External Scanning Requirements
For example:
- Public-facing systems must be scanned externally.
- Sometimes an approved scanning vendor must be used.
3. Documentation
Organizations must maintain:
- Scan reports
- Remediation evidence
- Risk acceptance documentation
4. Audit Readiness
Security teams must:
- Prove scans were completed
- Show remediation timelines
- Demonstrate vulnerability management process
For CySA+, remember:
Scanning is not just technical — it is also compliance-driven.
Summary Table (Exam Quick Review)
| Consideration | Why It Matters |
|---|---|
| Scheduling | Prevents business disruption |
| Operations | Ensures coordination and change control |
| Performance | Avoids system overload and network congestion |
| Sensitivity Levels | Balances detection accuracy and system safety |
| Segmentation | Ensures full coverage across network zones |
| Regulatory Requirements | Meets legal and compliance obligations |
Key Exam Points to Remember
- Scanning can disrupt systems if not properly planned.
- Always consider business impact.
- Credentialed scans provide deeper results.
- Segmented networks require different scan approaches.
- High sensitivity increases false positives.
- Regulatory frameworks may require documented, scheduled scans.
- Scans must be repeated after major changes.
- Always balance security with operational stability.
