Reason for the existence of Vulnerabilities
- Hardware or software misconfiguration
- Insecure or poor design of network and application
- Inherent technology weakness
- End-user carelessness
- Intentional end-user acts
Examples of vulnerabilities
| TCP/IP protocol vulnerabilities | – HTTP, FTP,ICMP, SNMP inherently insecure |
| Operating Systems vulnerabilities | – inherently insecure – not patched with the latest updates |
| Network Device Vulnerabilities | router, firewall, switch – lack of password protection – authentication – insecure routing protocols |
| User account vulnerabilities | – originating from the insecure transmission of user account details over the network |
| System account vulnerabilities | – setting of weak passwords |
| Internet service misconfigurateion | – misconfiguration of services |
| Default password and settings | – leaving the devices/products with their default passwords and settings |
| network device misconfiguration | – misconfiguring the network device |
Vulnerability Research
Process of analyzing protocols, services, and configurations to discover vulnerabilities and design flaws.
Vulnerabilities are classified based on severity levels (low, medium, high, critical) and exploit range (local or remote)
| 1. To gather information concerning security treads, attack surface, attack vector and techniques |
| 2. To discover weaknesses in the OS and applications, and alert the network administrator before a network attack |
| 3. To gather information to aid in the prevention of security issues |
| 4. To know how to recover from a network attack |
Resources for vulnerability Research
– Microsoft security response center
– Packet storm
– Dark Reading
– Trend Micro
– Security Magazine
– PenTest Magazine
Vulnerability Assessment
An in-depth examination of the ability of a system or application, including current security procedures and controls, to withstand the exploitation
It recognizes, measures and classified security vulnerabilities in a computer system, network and communication channels
Used to
– identify weakness that can be exploited
– Predict the effectiveness of additional security measures in protecting information resources from attacks
Information obtained from the vulnerability scanner includes:
– Network vulnerabilities – Active (directly scanning the network) and passive scanning (indirectly interacting with the targeted network)
– open ports and running services
– Application and services vulnerabilities
– Application and services configuration errors
Vulnerability Scoring Systems and Databases
- Common Vulnerability Scoring System (CVSS)
- Common Vulnerabilities and Exposures (CVE)
- National Vulnerability Database (NVD)
- Common Weakness Enumeration (CWE)
| Severity | Base Score Range |
| None | 0.0 |
| Low | 0.1-3.9 |
| Medium | 4.0-6.9 |
| High | 7.0-8.9 |
| Critical | 9.0-10.0 |
Vulnerability-Management Life Cycle
Pre-Assessment Phase
Identify and understand business process
Identify application, data and services
Identify approved software and basic configurations
Create inventory and prioritize/rank assets
Understand network architecture and map network infrastructure
Identify controls
Policy and standard compliance
Scope
information protection procedures
– Asset Identification: Create a list of assets, including applications, systems, and services.
– Baseline Creation: Establish baseline configurations and policies for assessing deviations.
– Scope Definition: Clearly define the boundaries of the assessment, ensuring all critical areas are covered.
– Network Mapping: Document the architecture and infrastructure to identify weak points.
Assessment Phase
Physical security,
Check misconfiguration,
Run Vulnerability scan,
Select scan compliance requirements,
Prioritize vulnerabilities,
Identified false positives and false negatives,
Apply business and technology context to the scanner results,
Perform OSINT information gathering to validate vulnerabilities,
Create report
– Scanning: Use tools like Nessus or OpenVAS to identify vulnerabilities in networks, applications, and configurations.
– Vulnerability Classification: Distinguish between misconfigurations, legacy vulnerabilities, zero-days, and other weaknesses.
– Result Validation: Check for false positives or negatives by cross-referencing data with real-world conditions.
Post-Assessment Phase
– Risk Assessment: Categorize risks based on their potential impact (e.g., critical, high, medium, low).
– Remediation: Apply fixes such as patches, reconfigurations, or software updates.
– Verification: Rescan the system to confirm vulnerabilities have been addressed.
– Continuous Monitoring: Implement ongoing security checks using tools like SIEM or intrusion detection systems.
Types of Vulnerabilities
– Configuration Vulnerabilities: Weak settings, default configurations, or unused open ports.
– Application Vulnerabilities: Software flaws like buffer overflows, injection vulnerabilities, or race conditions.
– Patch Management Issues: Unpatched systems or outdated software leaving exploitable gaps.
– Third-Party Risks: Dependencies on third-party software or cloud services that could expose sensitive data.
– Zero-Day Vulnerabilities: Newly discovered exploits not yet patched by the vendor.
– Legacy Systems: Older, unsupported systems prone to attacks.
Types of Vulnerability Assessment
| Active assessment | network scanner |
| passive assessment | sniff the network traffic |
| external assessment | Accesses the network from the hackers’ perspective to discover exploit and vulnerbilities |
| internal assessment | scan internal infrastructure |
| host-base assessment | configuration level checks |
| network-base assessment | determines network security attacks |
| application assessment | analyze web infrastructure for misconfiguration, outdated content and known vulnerabilities |
| database assessment | MYSQL, MSSQL… data exposure or injection |
| wireless network assessment | vulnerabilities in the wireless networks |
| distributed assessment | assesses the distributed assets, client, server application, simultaneously through synchronization techniques |
| credential assessment | assesses the network by obtaining the credentials |
| none-credential assessment | assesses the network without acquiring any credentials |
| Manual assessment | ethical hacker manually assesses the vulnerability, ranking and score |
| Automated assessment | ethical hacker used vulnerability assessment tools – nessus, Qualys |
Vulnerability Assessment Tools
- Product-based solutions – installed in the internal network, behind, cannot detect outside attacks
- Service-based solutions – third parties, hosted into the internal network or outside. Attackers can the network from outside
- Tree-based solutions – auditors select different strategies for each machine or component. Relies on the administrator to provide a starting piece of intelligence
- Inference-based solutions – scanning start by building an inventory of the protocols found on the machine. After finding a protocol, the scanning process starts to detect which ports are attached to services. After finding services, it selects vulnerabilities on each machine and starts to execute only those relevant tests.
Types of Vulnerability Assessment Tools
Host-Based – Scan host, OS and application
Depth – discover and identify previously unknown vulnerabilities
Application layer – designed to serve the needs of all kinds of operating system types and applications.
Scope – provide an assessment of the security by testing vulnerabilities in the applications and operating system. These tools provide standard controls and a reporting interface that allows the user to select a suitable scan.
Active/Passive – perform vulnerability checks on the network functions that consume resources on the network./ Only observe system data and perform data processing on a separate analysis machine.
A passive scanner first receives system data that provide complete information on the processes that are running and then assesses that data against a set of rules.
Location/Data Examination tool – network-based scanner, Agent-Based scanner, Proxy scanner, cluster scanner.
Examples:
Qualys Vulnerability Management – cloud based, updated, identification of threats and monitoring of unexpected changes
Nessus Professional – assessment solution, identifying vulnerabilities, configuration issues and malware
GFI LanGuard – scans, detects and rectifies security vulnerabilties
OpenVAS- framework of services, scanning, vulnerability management solution
Nikto – webserver assessment tool.
More names: beSECURE, Network Security Scanner, Nexpose
Vulners scanner – mobile
SecurityMetrics Mobile mobile
Vulnerability Assessment Reports
| Executive Summary – assessment scope and objectives – testing narrative – findings summary – Remediation summary |
| Assessment Overview – Assessment methodology – scan information – target information |
| Findings – scanned hosts – type of vulnerabilities identified – detailed information on identified vulnerabilities – Noted describing additional details of scan results |
| Risk Assessment – Classification of vulnerabilities based on the risk level – Potential vulnerabilities that can compromise the system or application – Critical hosts with severe vulnerabilities |
| Recommendations – Prioritization of remediation based on risk rankings – Action plan to implement the recommendations for each identified vulnerability – Root cause analysis – Application of patches/fixes – Lessons learnt – Awareness training – Implementation of periodic vulnerability assessment – implementation of polices, procedures and controls |
Vulnerability Classification
| Misconfigured/ weak config | – allows attacker break into a network and gain unauthorized access to systems | network misconfigurations – insecure protocols, open ports, weak encryption host misconfigurations – open permissions and unsecured root accounts |
| Application flaws | data tempering and unauthorized access | Buffer overflow, memory leaks, resource exhaustion, integer overflow, null pointer, DLL injection, improper input/output handling, |
| Poor patch management | subjected to exploitation vulnerable to various attacks | unpatched servers, firmware, OS, applications |
| Design flaws | bypass the detection mechanism | incorrect encryption and poor validation of data |
| Third-party risks | external services have access to privileged systems and applications | vendor management, supply chain risks, outsourced code development, data storage, cloud based vs on prem |
| Default installation/ configurations | attacker can guess the settings | |
| OS flaws | Owing to OS vulnerabilities and application such as trojan, worms and viruses | |
| Default password | GG | |
| Zero-Day vulnerabilities | exposed but not yet found | |
| Legacy Platform vulnerabilities | obsolete code/ patching no supported | |
| System sprawl/ undocumented assets | increased number of system or server connection without proper documentation | |
| Improper cert and key management | allow attackers to perform password cracking and data exfiltration attacks – outdated keys |
CY - Technical Memory extension 