Vulnerability assessment plays a major role in providing security to any organization’s resources and infrastructure from various internal and external threats. We scan networks for known security weaknesses but attackers perform vulnerability analysis to identify security loopholes to further exploit that target network.
To do properly secure your network and code, an administrator needs to perform patch management, check configurations, solve known issues in third-party applications, and also check the code to avoid security flaws. All these activities together constitute a vulnerability assessment. We will learn more about it later on.
You will need to know that usually, the vulnerability analysis refers to proper management configurations, patches and also keeping the systems up to date, but here I’ll be also following the Application security approach, showing some tips to secure your DevOps pipeline (SecDevOps) and perform the proper SAST and DAST analysis.
In this article, you will learn the key concepts, the life-cycle of vulnerability management, and how to implement it. All this information is based on the content for both CEH and Security+ Certification.
1- Key Vulnerability concepts
There are generally two main causes for vulnerable systems in a network, software or hardware misconfiguration and poor programming practices. Attackers exploit these vulnerabilities to perform various types of attacks on organizational resources. In this section, we will learn about the Vulnerability assessment, research, and scoring system.
1.1 Vulnerability Research
Vulnerability research is the process of analyzing everything in our organization, from protocols, services, and configurations to discovering vulnerabilities and design flaws that will expose an operating system and its applications to exploit attack or misuse.
The reason why the vulnerabilities experts require to perform vulnerability research goes from gathering information about security trends, newly discovered threats, attack surfaces, attack vectors, and techniques to keep the security measures up to date (Thread Intelligence)
It is important that the employee in charge of the security (usually a security software engineer with ethical hacker expertise) needs to keep up with the most recently discovered vulnerabilities and exploits to stay one step ahead of attackers through vulnerability research, which includes:
- Discovering the system design faults and weaknesses that might allow attackers to compromise a system
- Staying updated about new products and technologies and reading news related to current exploits
And not only about the software that is being used, but also for those that are building new software and having the role of an application security engineer and be able to prioritize and locate the vulnerabilities based on the Severity Level (Low, Medium, High) and exploit range (local or remote).
You might be wondering which resources can we use to perform the proper vulnerability research, here are some of them:
- Exploit Database: Here you can learn how to exploit different vulnerabilities and if there are automated scripts to perform the attack
- Dark Reading: This is a place to keep up to date about the latest threats and attacks!
- Security Magazine: A security world magazine, same as Dark Reading.
- MITRE: The latest about TTP (Tactics, techniques, and procedures) used by the threat actors!
1.2 Vulnerability Assessment
Vulnerability assessment is an in-depth examination of our current position including the current security procedures and controls, to withstand the exploitation. It helps us to understand our current position and define the desired state, by prioritizing and fixing those vulnerabilities. It recognizes, measures, and classifies security vulnerabilities in a computer system, network, and communication channels.
Typically, this vulnerability assessment is performed using automated tools, these tools are called vulnerability-scanning tools and they search network segments for IP-enabled devices and enumerate systems, operating systems, and applications to identify vulnerabilities.
This is useful since there are thousands of machines to measure in production systems and they help us to identify the weaknesses that could be exploited and also help us identify the following information:
- The OS version running on computers or devices
- IP and Transmission Control Protocol/User Datagram Protocol (TCP/UDP) ports that are listening
- Applications installed on computers
- Common WebServer vulnerabilities (Path Traversal, SlowLoris, etc)
- Accounts with weak passwords
- Missing patches
- Risky ports and weak network configurations
1.2.1 Scanning types
- Passive Scanning: This means to find the information available on the internet, in which we are not interacting with the target host, for example using OSINT (Open Source Intelligence), the ExploitDB, or finding public information about the target which can be an organization (If we are performing a pen-testing).
- Active Scanning: This scan refers to the one in which we interact with the target, for example, the servers and the applications running on those servers. Here is very likely to generate alerts to the monitoring systems such as IDS (Intrusion detection system), IPS (Intrusion Prevention System), and a WAF (Web Application Firewall).
It is important to know that active scanning can generate alerts, why? Let’s assume that we are performing an analysis of our recently created binaries for our application, this process is automated and runs right after a new build is created, so we perform automated vulnerability analysis and an alert is generated due to an SQLi weakness in a form field. This alert goes to the SOC (Security Operation Center) and an analysis start. Do you see where the issue is? We do not want to create false positives of an application that is being built, so we must be able to identify from which time frame and which servers we are performing such analysis to avoid those vulnerabilities that are expected in the early stages of development to affect the SOC.
1.2.2 Types of vulnerability alerts
When performing vulnerability scans and network monitoring (IDS) we must understand some key differences between the different types of alerts, since this will help to identify and properly discard/confirm a vulnerability.
- True Positive (Attack — Alert): The system raises an alarm when a legitimate attack occurs
- False Positive (No Attack — Alert): The system raises an alarm when no attack has taken place (Most common)
- False Negative (Attack — No Alert): The system does not raise an alarm when a legitimate attack has taken place (Worst!) We were attacked and no alarm was raised.
- True Negative (No Attack — No Alert): The system does not raise an alarm when an attack has not taken place
1.2.3 Limitations of Vulnerability Assessment
Until now everything was too cool, but there are several limitations of the vulnerability assessment, some of those are:
- Human judgment is needed to analyze the data after scanning and identifying the false positives and false negatives
- Vulnerability-scanning software itself is not immune to software engineering flaws that might lead to it missing serious vulnerabilities, extra actions are needed to avoid this.
- Vulnerability-scanning software is limited in its ability to detect vulnerabilities at a given point in time security controls
1.2.4 Vulnerability Assessment Techniques
When deciding which tool to be used, we need to identify if we are going to use a network-based scan, host-based scan with an agent or agent-oriented solution, and also if we want a passive or active scan in our network… Our choice will depend on our needs, and if we are going to perform Application Security in our DevOps systems we should identify which type of analysis we want to perform as well.
Here are some types of vulnerability scanners:
- Active: Uses a network scanner to find hosts, services, and vulnerabilities (interacts with our target servers)
- Passive: Here we sniff the network traffic to discover present active systems, applications, and payloads, usually we create custom scripts to track specific encoded values.
- External: Assess the network from a Hackers perspective (Red Team) to discover vulnerabilities from the outside.
- Internal: Scans the internal infrastructure to discover exploits and vulnerabilities
- Host-based: Conducts a configuration-level check to identify system configurations, file systems, etc in the host.
- Network-based: Determines possible network security attacks.
- Application: Test and analyzes all elements of the web infrastructure for any misconfiguration, outdated content, or known vulnerabilities.
- Credentialed / Non-Credentialed: Assess the network accessing (login) the systems or not, like from the attacker’s perspective.
- Manual: Checking the CVE, the CVSS.
- Automated: Running tools such as Nessus, Qualys, or GFI languard, Nikto
1.3 Common Vulnerability Scoring Systems (CVSS) & Common Vulnerabilities and Exposures (CVE)
The CVE is a free-to-use list of standardized identifiers for common software vulnerabilities, and the CVSS is the quantitative model that ranks the vulnerabilities from 0 to 10, the higher the score, the more critical it is.
We can have a vulnerability such as CVE-2021-44228 (Log4Shell) that shares the details of the vulnerability and the CVSS of 10 out of 10 which is the most critical rank for a vulnerability.
2- Vulnerability Management Life Cycle
The vulnerability management life cycle is an important process that helps identify and remediate security weaknesses before they can be exploited. The implementation of this lifecycle helps gain a strategic perspective regarding possible cybersecurity threats and be more resilient to attacks.
2.1 Pre-Assessment Phase
Before starting ANY vulnerability management we need to understand some key steps to be 100% of the success of the management life cycle. The pre-assessment phase is a preparatory phase that involves defining policies and standards, scopes, and designing proper security measures.
Some of the key steps to success are:
- Identintify and understanding the current business process
- Understand the applications, data, and services that support the business process and perform code reviews
- Identify controls already in place
- Understand the network architecture
- Define the scope of the assessment
2.2 Vulnerability Assessment Phase
Refers to identifying vulnerabilities in the organization’s infrastructure, including the operating system, web applications, and web server. It helps identify the category and criticality of the vulnerability in an organization and minimizes the level of risk
- Identify Assets and create a baseline: This phase identifies critical assets and prioritizes them to define the risk based on the criticality and value of each system in order to develop and maintain a system baseline.
- Vulnerability Scan: This phase is very crucial in vulnerability management. In this step, the security analyst performs the vulnerability scan on the network to identify the known vulnerabilities in the organization’s infrastructure.
- Risk Assessment: Here are the serious uncertainties that are associated with the system that are assessed and prioritized. Summarizes the risk level identified for each of the selected assets. It determines whether the risk level for a particular asset is high, moderate, or low.
- Remedation: Planned based on the determined risk level. Here is where we apply the fixes on vulnerable systems in order to reduce the impact.
- Verification: The security team performs a re-scan of systems to assess if the required remediation is complete and whether the individual fixes have been applied to the impacted assets.
- Monitor: Regular monitoring to maintain system security
3- Types of Vulnerabilities
Any vulnerability that is present in a system can cause severe damage to the organization. It is important for security engineers to have knowledge about various types of vulnerabilities that they can employ, along with various vulnerability assessment techniques.
Some of the most common vulnerabilities that can be found in a system and network are:
- Misconfiguration: Mostly caused by human error, and allow hackers to gain unauthorized access. Some examples are debugging mode enabled by default, unnecessary services on the machine, incorrect permissions, default accounts, etc.
- Default Installations: When the system is used for the first time when the primary concern is usability rather than security. The risk is not in the content but the machine might be connected to the corporate network.
- Buffer Overflows: Due to coding errors, the attackers try to take control of the system by writing content beyond the allocated size of the buffer.
- Unpatched Servers: Servers not running the latest security patches.
- Design Flaws: Poor encryption and poor validation.
- Application Flaws: Vulnerabilities in applications that are exploited by the attackers (OWASP top 10) are an example of those.
- Open Services: Open ports, vulnerable services exposed in those ports.
- Default Passwords: Default credentials to critical systems, easy to get in using a dictionary attack.
4- Vulnerability assessment tools and criteria for choosing them
Selecting an appropriate assessment plays a major role in mitigating the threats that an organization faces. As you were able to see through this article, there are different types but, which tool do we need to choose based on our needs? Here we will take a look at the different types and how to choose them.
Some of the good characteristics that you need to find are that:
- Supports multiple networks
- Automatically scans against continuously updated databases
- Ensures correct outcomes by testing the network (low false-positive rate)
- Suggests appropriate remedies and workarounds correct vulnerabilities
- Matches your environment and expertise
- Generate reports
- Contains several hundred different attack signatures
- Types of vulnerabilities being assesed
- Test run scheduling
4.1 Comparing solutions
Product vs Service-based solutions: The product refers to a regular application that is installed in the internal network, and the service is like a SaaS approach that is hosted inside the network.
Tree vs Inference based Assessment: Tree-based means that the auditor choose how to perform the assessment, and the inference does all this automatically
4.2 How do the vulnerability tools works?
Vulnerability scanning solutions perform vulnerability penetration tests on the organizational network in three steps:
- Locating nodes: The first step in vulnerability scanning is to locate live hosts in the target network using various scanning techniques. It is like checking all the different places in which it can scan.
- Performing service and OS discovery on them: Enumerate the open ports and services along with the operating system on the target systems. Like performing a manual map…
- Check for known vulnerabilities: Finally, after identifying the open services and the operating system running on the target nodes, they are tested for known vulnerabilities.
5- Vulnerability Reports
Last but not least, the reports, here is the really important part after all the hard work, since it will help us to show management our security posture and what we need to keep growing. Here the security team will try to disclose any identified vulnerabilities, document any variations and findings, and include all these in the final report along with remediation steps to mitigate the identified risks. In this link you can find an awesome example of how the report should be built.
There are different key sections that cannot be skipped, such as the scan information, target information, results, services, etc… Everything that was found and how it was classified and mitigated.
That’s it for now, I hope you like this content, the vulnerability assessment should be done in every place and not just in the software/network, remember that humans are the weakest link in the chain, and we should be able to identify vulnerabilities there too. When implementing SecDevOps all the tools seen are good to test our systems and also required when we are following to implement a proper Application Security phase, in which we run scanners to check our code and find vulnerabilities, without forgetting the limitations.