Credentialed vs. Non-Credentialed Vulnerability Assessment

Most vulnerability management solutions offer two kinds of vulnerability assessments: credentialed and non-credentialed (also known as authenticated and unauthenticated scans). Non-credentialed scans are useful tools that provide a quick view of vulnerabilities by looking only at the network services exposed by the host. Unfortunately, these scans can’t provide deeper insight into application and operating system vulnerabilities that are not exposed to the network, or into vulnerabilities hidden by a firewall that sits between the scanner and the host. This can give false hope that a system is safe; in reality, those unseen vulnerabilities are frequently targeted by attackers who have already gained credentialed access, so non-credentialed results alone are not an accurate indicator of security risk.
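The visibility gap described above, modelled as an added example that is not part of the original article: a constructed host with listening services, a firewall between scanner and host, and a placeholder vulnerability catalogue; the two scan functions compare what a network-only scan reaches against what an authenticated inventory reveals.

```python
"""Constructed model of why an unauthenticated scan under-reports risk."""
from dataclasses import dataclass

# Constructed catalogue keyed on (product, version). The identifiers are
# placeholders, not real CVE numbers or real product weaknesses.
VULN_DB = {
    ("openssh", "8.2"): "VULN-SSH-PLACEHOLDER",
    ("nginx", "1.18"): "VULN-WEB-PLACEHOLDER",
    ("postgresql", "12.1"): "VULN-DB-PLACEHOLDER",
    ("libxml2", "2.9.4"): "VULN-LIB-PLACEHOLDER",
}


@dataclass
class Host:
    listening: dict   # port -> (product, version) for network listeners
    installed: set    # every (product, version) on disk, listener or not


def unauthenticated_findings(host, firewall_allowed_ports):
    """What a network-only scan sees: banners on ports it can reach."""
    found = set()
    for port, key in host.listening.items():
        if port not in firewall_allowed_ports:
            continue  # the firewall hides this listener from the scanner
        if key in VULN_DB:
            found.add(VULN_DB[key])
    return found


def authenticated_findings(host):
    """What a credentialed scan sees: the full installed-software inventory."""
    return {VULN_DB[key] for key in host.installed if key in VULN_DB}


def coverage_gap(host, firewall_allowed_ports):
    """Weaknesses present on the host that the network scan never reports."""
    return authenticated_findings(host) - unauthenticated_findings(host, firewall_allowed_ports)


# Constructed host: the database listener is blocked by the firewall and the
# XML library has no listener at all, so only the web server is visible outside.
HOST = Host(
    listening={22: ("openssh", "8.2"), 80: ("nginx", "1.18"), 5432: ("postgresql", "12.1")},
    installed={("openssh", "8.2"), ("nginx", "1.18"), ("postgresql", "12.1"), ("libxml2", "2.9.4")},
)
FIREWALL = {80, 443}  # only web ports reach the host from the scanner's network

if __name__ == "__main__":
    print("network view:", sorted(unauthenticated_findings(HOST, FIREWALL)))
    print("missed by network scan:", sorted(coverage_gap(HOST, FIREWALL)))
```

Even with the firewall removed the network scan still misses the library with no listener, which is the case only a credentialed inventory can catch.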
Credential Challenges for a Vulnerability Assessment

One of the biggest reasons that security teams have a hard time completing credentialed scans is that maintaining an accurate list of credentials can be the equivalent of pulling teeth. In large organizations, it’s not always clear who owns specific assets, and even when the owner is clear, asking the asset owner for their credentials can be tricky business, since many asset owners aren’t comfortable sharing this information. It may even be prohibited by company policy. For the sake of discussion, let’s fast forward to after the security team has invested the large chunk of time and resources required to put together a comprehensive list of credentials for targeted scans. Once they have that list, they still have to deal with expired or changed passwords, typos, access limitations and administrative privilege issues.