The index of this series of articles can be found here.
Vulnerability analysis is part of the scanning phase been one of the major and more important parts of an attack. Trying to find existing vulnerabilities is going to allow attackers to exploit known problems, bug or defects to obtain their way in the target’s systems. Besides, this is going to be one of the most important tasks for a penetration tester discovering vulnerabilities in the environment.
Vulnerability assessment includes discovering weaknesses in an environment, design flaws and other security concerns that can allow attackers to vulnerate and access the system or do a use of the systems different to the one they were designed for.
There are multiple types of vulnerabilities, misconfigurations, default configurations, buffer overflows, flaws in the operative systems or software and others.
Multiple tools can be found in this space allowing legitimate users, pen-testers and attacker to find these vulnerabilities.
When found, vulnerabilities get classified usually by level of impact, they can be, i.e., very low, low, medium, high, very high. A classification can be done as locally or remotely exploitable.
A vulnerability assessment can be defined as the process of examination, discovery and identification of security measures and weaknesses of systems and applications. Also, helps to recognise the vulnerabilities that can be exploited, the need for additional security layers or measures and to identify possible information revealed using scanners.
Vulnerability Assessment Types
Admins planning their vulnerability scanning strategy have multiple approaches at their disposal. In fact, you may wish to try out a variety of scan types as part of your overall security management, as testing your system from different angles can help you cover all the bases. As outlined below, two key distinctions concern the location (internal vs. external) and scope (comprehensive vs. limited) of the scan.
- Internal vs. External: With an internal network scan, you will want to run threat detection on the local intranet, which will help you understand security holes from the inside. Similarly, admins should test their network as a logged-in user to determine which vulnerabilities would be accessible to trusted users or users who have gained access to the network. On the other hand, there are benefits to performing an external scan, approaching the evaluation from the wider internet, as many threats arise from intentional and/or automatic outside hacks. Likewise, it is important to scan the network as an intruder might, to understand what data could fall into the hands of those without trusted network access.
- Comprehensive vs. Limited: A comprehensive scan accounts for just about every type of device managed on the network, including servers, desktops, virtual machines, laptops, mobile phones, printers, containers, firewalls, and switches. This means scanning operating systems, installed software, open ports, and user account information. Additionally, the scan might identify unauthorized devices. Ideally, with a comprehensive scan, no risks go overlooked.
Vulnerability Assessment Life-Cycle
The vulnerability assessment has a life-cycle that attackers do not need to follow (there are some parts related to remediation*) but, security professionals should follow. There are multiple versions of this vulnerability assessment life-cycle but, all of them are very similar. This document is going to use a 6 phases system but, systems with less or more phases only differentiate from this in the fact that they have decided to group areas less or more than the exposed system.
All the phases will be executed in a loop and in a continuous way to keep systems and resources secure. This is not a just one-time attempt. In the same way that systems evolved and grow, new vulnerabilities can appear allowing attackers to find their way in.
1. Creating a Baseline
In this phase, security professionals create an inventory of all resources an assets that will help to manage and prioritise the assessment. Also, they will try to gather as much knowledge as possible about infrastructure, security controls, policies and standards implemented in the organisation. Gathering this information pursues the objective to create a plan, schedule the tasks and, manage and execute them considering priorities adequately.
In this phase, the system is exhaustively examined, security measures, policies and controls. Default configurations, misconfigurations, faults, vulnerabilities. A close exam of all the elements involved using tools and manual inspection of individual systems. The objective is to have, at the end of the assessment, a report that shows all the detected vulnerabilities and problems, their scopes and their priorities.
In this phase, all the detected vulnerabilities will be reviewed, scoping them and their impact on the corporate network or organisation.
Fix of all the detected vulnerabilities usually following the impact priority assigned to them.
Check that all the remediated vulnerabilities are not there anymore and, even more important, check that with the remediations, no additional vulnerabilities have been introduced.
In this phase, security professionals just keep an eye on the network traffic and system behaviours trying to detect any intrusions.
Vulnerability Assessment Approaches
There are multiple approaches that an organisation can take trying to keep themselves safe. Things like to buy a security product that will be installed on the internal network, or hire a third-party service-based solution. To have different protocols or tests depending on the type of system reviewed or to adapt when discovering new information about the environment making a more dynamic approach to the test experience.
Vulnerability Assessment Best Practices
Some recommendation for effective vulnerability assessments can be:
- Security professionals should have a full understanding of the tools they are going to use. On one hand, to be able to use all the power of the tools and to choose the appropriate tools. On the other hand, to understand the possible consequences or downsides of running the tools in the organisation’s network.
- Security professionals should be disciplined and organised to about jumping from one system to another skipping or forgetting systems.
- Security professionals, when time is limited, should focus on priorities and follow some kind of classification criteria to inspect the system from more critical to less critical.
- Security professionals should run vulnerability scans as often as possible.
Vulnerability Scoring Systems
Common Vulnerability Scoring System
The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. CVSS consists of three metric groups: Base, Temporal, and Environmental. The Base metrics produce a score ranging from 0 to 10, which can then be modified by scoring the Temporal and Environmental metrics. A CVSS score is also represented as a vector string, a compressed textual representation of the values used to derive the score. Thus, CVSS is well suited as a standard measurement system for industries, organizations, and governments that need accurate and consistent vulnerability severity scores. Two common uses of CVSS are calculating the severity of vulnerabilities discovered on one’s systems and as a factor in prioritization of vulnerability remediation activities.
The CVSS v3.0 Ratings are as follow:
|Severity||Base Score Range|
Common Vulnerabilities and Exposures
Common Vulnerabilities and Exposures (CVE) is a list of common identifiers for publicly known cybersecurity vulnerabilities. CVE is:
- One identifier for one vulnerability or exposure.
- One standardized description for each vulnerability or exposure.
- A dictionary rather than a database.
- How disparate databases and tools can “speak” the same language.
- The way to interoperability and better security coverage.
- A basis for evaluation among services, tools, and databases.
- Free for public download and use.
- Industry-endorsed via the CVE Numbering Authorities, CVE Board, and numerous products and services that include CVE.
There are a lot of vulnerability scanners, manual or automated, that can help security professional or attackers to find vulnerabilities. Some of them are:
- Nessus: Nessus tool is a branded and patented vulnerability scanner created by Tenable Network Security.
- OpenVAS: This is an open-source tool serving as a central service that provides vulnerability assessment tools for both vulnerability scanning and vulnerability management.
- Nikto: Nikto is a greatly admired and open-source web scanner employed for assessing the probable issues and vulnerabilities.
- Retina CS Community: Retina CS is an open-source and web-based console that has helped the vulnerability management to be both simplified and centralized.
- Wireshark: The Wireshark free vulnerability scanner relies on packet sniffing to understand network traffic, which helps admins design effective countermeasures.
* Attackers can decide, some times, to fix a system previous installation of their own backdoor just to avoid other attackers from compromise it, allowing them not to be disturbed.