Intrusion Detection: Network Security beyond the Firewall
(Publisher: John Wiley & Sons, Inc.)
Author(s): Terry Escamilla
ISBN: 0471290009
Publication Date: 11/01/98



Are You Done Yet?

Nope. In this chapter, you saw how scanners can look for vulnerabilities either locally on a node or remotely by testing for weaknesses. Recall that the two primary ways a hacker gains access are through the following:

  A configuration error by the vendor supplying a product or by the administrator running the system (or in some cases via user mistakes)
  A software bug

Scanners look for these types of weaknesses in your systems by examining configuration data or by attempting to exploit a vulnerability. Relative to other IDSs, the distinguishing feature of vulnerability scanners is that they run occasionally, rather than constantly.

Before you get too excited about scanners, you should remind yourself that they are software products, too. Security vendors are generally more attentive to good programming practices, so hopefully the likelihood of a buffer overflow attack against your scanner is small. However, a vulnerability assessment will detect only the things the scanner is configured to scan for. If the administrator does not set up and configure the scanner properly, hackers will continue to operate undetected.

Although scanners are a necessary tool in your environment, they are not sufficient for a complete security solution. The missing feature is real-time detection of attacks as they occur. In the next chapter, you’ll see how system-level IDSs supplement scanners at your sites.

