
New scanning capability to identify UK vulnerabilities

As part of the NCSC’s mission to make the UK the safest place to live and do business online, they are building a data-driven view of “the vulnerability of the UK”. This directly supports the UK Government Cyber Security Strategy relating to Understanding UK Cyber risk (Objective 1). This will help them to:

  • better understand the vulnerability and security of the UK
  • help system owners understand their security posture on a day-to-day basis
  • respond to shocks (like a widely exploited zero-day vulnerability)

These activities cover any internet-accessible system that is hosted within the UK and vulnerabilities that are common or particularly important due to their high impact. The NCSC uses the data they have collected to create an overview of the UK’s exposure to vulnerabilities following their disclosure, and track their remediation over time.

To identify whether a vulnerability exists on a system, they first need to identify the existence of specific associated protocols or services. They do this by interacting with the system in much the same way a web browser or other network client typically would and then analysing the response that is received.

For example, they may be able to determine the existence of a vulnerability known to exist in version X of a type of commonly used web server software by making a web request to the URL “…/login.html” and detecting the value “version X” in the content of the page that is returned. If the vulnerability is then remediated in a subsequent version Y, they can identify this by similarly detecting the value “version Y” in the response.

By repeating these requests on a regular basis they maintain an up-to-date picture of vulnerabilities across the whole of the UK.

All activity is performed on a schedule using standard and freely available network tools running within a dedicated cloud-hosted environment. All connections are made using one of two IP addresses:

  • 18.171.7.246
  • 35.177.10.231

Note that these IP addresses are also both assigned to scanner.scanning.service.ncsc.gov.uk with both forward and reverse DNS records. Scan probes will also attempt to identify themselves as having originated from NCSC where possible, for example by including the following header within all HTTP requests:

X-NCSC-Scan: NCSC Scanning agent - https://www.ncsc.gov.uk/scanning-information
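
System owners reviewing their logs can use the published addresses, hostname and header together, because a header alone can be set by any client. The following is an added example, not NCSC or SystemTek code: it labels requests by source IP and header and offers a forward-confirmed reverse DNS check. The function names, labels and sample records are constructed for illustration.

```python
import ipaddress
import socket

# Values published on this page.
NCSC_IPS = {ipaddress.ip_address(a) for a in ("18.171.7.246", "35.177.10.231")}
NCSC_HOST = "scanner.scanning.service.ncsc.gov.uk"
NCSC_HEADER = "x-ncsc-scan"


def classify(src_ip, headers):
    """Label one request by source address and the self-identifying header."""
    from_ncsc = ipaddress.ip_address(src_ip) in NCSC_IPS
    names = {k.lower() for k in headers}  # header names are case-insensitive
    claims_ncsc = NCSC_HEADER in names
    if from_ncsc:
        # The page says the header is sent "where possible", so it may be absent.
        return "ncsc-scan" if claims_ncsc else "ncsc-ip-no-header"
    return "spoofed-header" if claims_ncsc else "other"


def dns_confirms(src_ip, ptr=socket.gethostbyaddr, fwd=socket.gethostbyname_ex):
    """Forward-confirmed reverse DNS: the PTR record must name NCSC_HOST and
    that name must resolve back to src_ip. Resolvers are injectable so the
    check can be exercised offline."""
    try:
        host = ptr(src_ip)[0].rstrip(".").lower()
        return host == NCSC_HOST and src_ip in fwd(host)[2]
    except OSError:  # lookup failures are OSError subclasses
        return False


# Constructed sample records: (source IP, request headers).
SAMPLE = [
    ("18.171.7.246", {"X-NCSC-Scan": "NCSC Scanning agent - "
                      "https://www.ncsc.gov.uk/scanning-information"}),
    ("35.177.10.231", {"User-Agent": "example"}),
    ("203.0.113.9", {"x-ncsc-scan": "NCSC Scanning agent"}),
    ("198.51.100.4", {"User-Agent": "example"}),
]


def summarize(records):
    return [classify(ip, hdrs) for ip, hdrs in records]


if __name__ == "__main__":
    for (ip, _), label in zip(SAMPLE, summarize(SAMPLE)):
        print(ip, label)
```

A "spoofed-header" result means the request carried the NCSC header from an address the page does not list, so it should be treated like any other unsolicited traffic.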

Luke Simmonds

Blogger at www.systemtek.co.uk
