Internal vs external vulnerability scanning

Vulnerability scans can be external or internal, depending on which part of your digital assets they’re focused on. External scans target externally-facing IP addresses and their open ports to find vulnerabilities in your perimeter and cloud systems.

Internal scans check inside your firewall to find weaknesses in your internal devices such as outdated or unpatched software. For example, MS Office is a big entry point for attackers and can be vulnerable to phishing attacks, which an external scan wouldn’t find.  

Think of it in terms of your home. External vulnerabilities are the open windows, unlocked doors and CCTV blind spots that burglars can exploit to get into your property. Internal vulnerabilities allow the burglar to move from room to room to find and steal your prized possessions.  

In practice, this means you might want to scan an IP for external vulnerabilities to see what could be exploited by an attacker, but you also need to see what the attacker could access on the machine locally. Let’s look at both in more detail.  

What is an external vulnerability scan?  

External vulnerability scans look for gaps and weaknesses in your internet-facing systems that attackers can exploit to break in and attack your network. Like a penetration test, external vulnerability scanners discover open ports or any assets that are exposed to the internet so you can close any gaps that could be exploited.

Why is external vulnerability scanning important?

• Verifies the security posture of your externally-facing systems
• Discovers known weaknesses in internet-facing systems that could lead to a breach
• Prioritizes the most significant threats and risks
• Identifies new devices or services and any changes that could be exploited
• Discovers and monitors new cloud services, and scans when anything changes

What are examples of external vulnerabilities?  

• Security misconfigurations
• Unsecured APIs
• Cross site scripting
• Open ports
• Injection flaws
• Broken authentication

What is authenticated vs unauthenticated scanning?

External vulnerability scans can be authenticated or unauthenticated – sometimes known as credentialed or uncredentialed. But what’s the difference?

Unauthenticated scanning

• Monitors web applications externally without using user credentials
• Relies on the public-facing interface and information that it can grab from the web server, network, and application
• Searches for vulnerabilities like injection flaws, cross site scripting, broken authentication and misconfigurations

Authenticated scanning

• Uses user credentials to test the security of a web application and its infrastructure
• Scans in front and behind login pages for vulnerabilities that may not be visible from the outside
• Recommended for apps that have high user interaction and customization, sensitive or regulated data, or have strict security standards and compliance requirements

Which is better? The simple answer is both. While automated attacks are likely to hit your external systems at some point, a targeted attack using login credentials can’t be ignored.

If your software or application allows users on the internet to sign up, you could be exposed.

The best way is to combine both so you cover more ground and gain more insight into your strengths and weaknesses.

‍

What is an internal vulnerability scan?

While your external network is the often easiest to access for hackers, your internal systems can also be reached with little extra effort today with the rise in remote and hybrid working.

Internal vulnerability scanning helps you protect these internal systems and dispersed workforce so you can keep your attack surface secure, wherever your devices are. These checks are run from the perspective of an attacker with access to systems behind your external security perimeter.

Why is internal vulnerability scanning important?

• Provides a second layer of defense against attackers
• Keeps devices secure, wherever they are
• Identifies and prioritizes vulnerabilities
• Keeps software and patching up to date
• Helps meet compliance and security standards

What are examples of internal vulnerabilities?

• Missing third-party and operating system patches
• Weak, default or duplicated passwords
• Vulnerabilities in intranet applications
• Local software with known vulnerabilities

How are internal and external vulnerability scans different?

How often should scans be performed?

Internal and external scans can be ‘one-and-done' but are often performed at least quarterly, especially for compliance to show your security posture to customers or auditors.

While running one-time scans give you a point-in-time snapshot of your vulnerability status, they’re not so good for ongoing visibility or robust attack surface management. With a new CVE created every 20 minutes, you run the risk of having an outdated view of your security at any given time.

Continuous vulnerability scanning provides 24/7 monitoring of your IT environment, and automation to reduce the burden on your IT team. This means issues can be found and fixed faster, closing the door on hackers and potential breaches. You can read more about how often you should scan in our comprehensive guide.  

How to scan with Intruder

Intruder is an automated vulnerability management tool designed to check your internal and external infrastructure for over 140,000 known weaknesses. It saves you time by proactively running scans, monitoring network changes and synchronizing cloud systems.  

With new threats discovered every day, Intruder’s proactive threat response features have you covered. Emerging threat scans notify you as soon as new vulnerabilities are discovered. Rapid response automatically checks your systems for the latest issues being exploited in the wild before automated scanners can.

Intruder generates a report outlining the issues and offering actionable remediation advice – so you can find and fix your vulnerabilities before hackers reach them. Start your 14 day free trial today.