Vulnerability classification:
- Network misconfiguration: insecure protocols, open ports and services, errors, weak encryption, host misconfigurations, open permissions, unsecured root accounts
- Application flaws: buffer overflows, memory leaks, resource exhaustion, integer overflows, null pointer/object dereference, DLL injection
- Race conditions (time-of-check/time-of-use, TOCTOU), improper input handling, improper error handling, code signing weaknesses
- Poor patch management: unpatched servers, unpatched firmware, unpatched applications
- Design flaws
- Third-party risks: vendor management, system integration, lack of vendor support
- Supply-chain risks
- Outsourced code development: data storage, cloud-based vs on-prem risks
- Default installations/default configurations
- Operating system flaws
- Default passwords
- Zero-day vulnerabilities
- Legacy platform vulnerabilities
- System sprawl/undocumented assets
- Improper certificate and key management
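The TOCTOU race listed above, as an added example that is not part of these notes: a check-then-open reader beside a hardened open-then-verify reader. The files, the "attacker" swap and the `_after_check` hook are constructed here so the race is deterministic; the hook stands in for the window a real concurrent attacker would exploit. POSIX only (O_NOFOLLOW).

```python
"""Time-of-check/time-of-use (TOCTOU) on a file path: vulnerable
check-then-open beside a hardened open-then-verify. Added example; the
files, the "attacker" swap and the _after_check hook are constructed
to make the race deterministic."""
import errno
import os
import stat
import tempfile


def read_if_allowed_racy(path: str, _after_check=lambda: None) -> bytes:
    """Vulnerable: the check and the use are separate syscalls on a *name*.
    _after_check stands in for the window in which a concurrent attacker
    who controls the directory can replace `path` with a symlink."""
    if os.path.islink(path) or not os.access(path, os.R_OK):
        raise PermissionError(f"refused: {path}")
    _after_check()
    with open(path, "rb") as f:   # re-resolves the name, follows the new symlink
        return f.read()


def read_if_allowed_safe(path: str) -> bytes:
    """Hardened: let the open itself refuse symlinks (O_NOFOLLOW) and verify
    the object actually opened through the descriptor (fstat), so the
    check applies to the same inode that is used."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    except OSError as e:
        if e.errno == errno.ELOOP:          # final component is a symlink
            raise PermissionError(f"refused symlink: {path}") from None
        raise
    with os.fdopen(fd, "rb") as f:          # takes ownership of fd
        if not stat.S_ISREG(os.fstat(f.fileno()).st_mode):
            raise PermissionError(f"not a regular file: {path}")
        return f.read()


def demo() -> tuple:
    """Run both readers against a constructed directory where the attacker
    swaps upload.txt for a symlink to secret inside the race window.
    Returns (safe read before swap, bytes the racy reader leaked, safe reader outcome)."""
    with tempfile.TemporaryDirectory() as d:
        secret = os.path.join(d, "secret")       # in a real attack: readable by the victim only
        upload = os.path.join(d, "upload.txt")   # attacker-controlled name
        with open(secret, "wb") as f:
            f.write(b"TOP SECRET")
        with open(upload, "wb") as f:
            f.write(b"harmless")

        before = read_if_allowed_safe(upload)    # regular file: opens normally

        def attacker_swap():
            os.remove(upload)
            os.symlink(secret, upload)

        leaked = read_if_allowed_racy(upload, _after_check=attacker_swap)
        try:
            read_if_allowed_safe(upload)
            safe = "opened"
        except PermissionError:
            safe = "refused"
        return before, leaked, safe


if __name__ == "__main__":
    print(demo())   # (b'harmless', b'TOP SECRET', 'refused')
```

O_NOFOLLOW only protects the final path component; an attacker who can swap a parent directory needs the directory opened once and `openat()` used relative to that descriptor, which is not shown here.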
Vulnerability scoring systems and databases
Common vulnerability scoring system (CVSS)
| Severity | Base score range (CVSS v3.x qualitative rating) |
|---|---|
| None | 0.0 |
| Low | 0.1-3.9 |
| Medium | 4.0-6.9 |
| High | 7.0-8.9 |
| Critical | 9.0-10.0 |
Common vulnerabilities and exposures (CVE): one identifier per vulnerability (CVE-YYYY-NNNNN) with a standardized description; a dictionary of known vulnerabilities rather than a database
National vulnerability database (NVD): run by the U.S. government (NIST); performs analysis on CVE entries, enriching them with CVSS scores, CWE mappings and affected-product (CPE) data
Common weakness enumeration (CWE): category system for software and hardware weakness types, i.e. the root-cause class that a given CVE is an instance of
Vulnerability management lifecycle
- Pre-assessment phase: identify assets and create a baseline
- Vulnerability assessment phase: vulnerability scan, vulnerability analysis
- Post-assessment phase: risk assessment, remediation, verification, monitoring
Vulnerability research resources: Microsoft Security Response Center (MSRC), Packet Storm
Vulnerability scanning and analysis
- Active scanning: the scanner (or attacker) interacts directly with the target, sending probes to its ports and services; visible in target logs and can disturb fragile hosts
- Passive scanning: identifies vulnerabilities from information the system already exposes (banners, version strings, captured traffic) without sending probes
- Tools: Nessus, OpenVAS, Qualys, GFI LanGuard
Types of vulnerability scanning
- External scanning: from outside the perimeter; firewalls, routers and Internet-facing servers
- Internal scanning: from inside the network; open ports, router and firewall configs
- Host-based scanning: a particular server or host; assesses the system itself to identify vulnerabilities
- Network-based scanning: discovers resources, maps ports and determines exposure to network attacks
- Application scanning: transactional web applications, client-server applications
- Database scanning: MySQL, MSSQL, Oracle
- Wireless network scanning: vulnerabilities in the organization's wireless networks
- Distributed scanning: scanners at multiple locations, synchronized with each other
- Credentialed/authenticated scanning: the scanner logs in to the target system, so it can read installed package versions and configuration directly (more findings, fewer false positives)
- Non-credentialed/unauthenticated scanning: without credentials; only what is visible over the network
- Manual scanning: inspecting source code, manual configuration checks, pen-tests
- Automated scanning: Nessus, Qualys, GFI LanGuard
- Cloud-based scanning: security of cloud infrastructure
- Mobile application scanning: mobile apps and their APIs
- Physical security vulnerability scanning: physical assets
- IoT device vulnerability scanning: IoT devices and their management interfaces
Vulnerability assessment tools
- Product-based solutions: installed on the organization's own network
- Service-based solutions: offered by third parties such as auditing or security consulting firms
Working of vulnerability scanning solutions:
1. Locating nodes (host and port discovery)
2. Service and OS discovery (banner grabbing, fingerprinting)
3. Testing for known vulnerabilities (version and signature matching, safe checks)
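The three steps above, as an added example that is not from the original notes: a minimal active, non-credentialed scanner that connects to a port, fingerprints the service from its banner and matches the parsed version against a signature table. Product names (`ExampleFTPd`, `ExampleHTTPd`), the banners, the signature entries and the loopback stand-in target are all constructed for illustration.

```python
"""Three-step scanner workflow: locate live ports, fingerprint the service
from its banner, match the version against a signature table. Added
example; product names, banners and signature entries are constructed."""
from __future__ import annotations

import re
import socket
import threading
from dataclasses import dataclass

# Constructed signature table: (product, first affected, first fixed, note).
# Versions are tuples so that (1, 10) > (1, 9); string comparison gets that wrong.
SIGNATURES = [
    ("ExampleFTPd", (1, 0), (2, 4), "constructed finding: path traversal in RETR"),
    ("ExampleHTTPd", (3, 0), (3, 2, 1), "constructed finding: auth bypass on /admin"),
]

# Banner shapes like "220 ExampleFTPd 2.3 ready" or "Server: ExampleHTTPd/3.1".
BANNER_RE = re.compile(r"(?P<product>[A-Za-z]+)[ /](?P<version>\d+(?:\.\d+)*)")


def parse_version(text: str) -> tuple[int, ...]:
    return tuple(int(part) for part in text.split("."))


@dataclass
class Service:
    host: str
    port: int
    banner: str
    product: str | None = None
    version: tuple[int, ...] | None = None


def fingerprint(host: str, port: int, banner: str) -> Service:
    """Step 2: service discovery from the banner (real OS fingerprinting also
    uses TCP/IP stack quirks; banner parsing is enough to show the idea)."""
    svc = Service(host, port, banner)
    m = BANNER_RE.search(banner)
    if m:
        svc.product = m["product"]
        svc.version = parse_version(m["version"])
    return svc


def match_signatures(svc: Service) -> list[str]:
    """Step 3: version-range check against the signature table. A banner-only
    check cannot see backported fixes, which is one reason credentialed
    scans produce fewer false positives."""
    findings: list[str] = []
    if svc.product is None or svc.version is None:
        return findings
    for product, first_bad, first_fixed, note in SIGNATURES:
        if svc.product == product and first_bad <= svc.version < first_fixed:
            ver = ".".join(map(str, svc.version))
            findings.append(f"{svc.host}:{svc.port} {product} {ver}: {note}")
    return findings


def grab_banner(host: str, port: int, timeout: float = 2.0) -> str | None:
    """Step 1 (active, non-credentialed): connect and read whatever the service
    sends first. None means closed/filtered; "" means open but silent."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            return s.recv(256).decode("ascii", "replace").strip()
    except OSError:
        return None


def scan(host: str, ports: list[int]) -> list[str]:
    findings: list[str] = []
    for port in ports:
        banner = grab_banner(host, port)
        if banner is None:
            continue  # no live service on this port
        findings.extend(match_signatures(fingerprint(host, port, banner)))
    return findings


def _fake_service(banner: bytes) -> int:
    """Constructed stand-in target: a one-shot loopback listener that sends a banner."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    port = _fake_service(b"220 ExampleFTPd 2.3 ready\r\n")
    print(scan("127.0.0.1", [port]))
```

Run as a script it starts the loopback stand-in and scans it; the pure functions (`fingerprint`, `match_signatures`) can be exercised on captured banners without any network.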
Types of vulnerability assessment tools
- Host-based vulnerability assessment tools: for servers running various applications
- Depth assessment tools: use a set of vulnerability signatures to test resistance to known vulnerabilities
- Application-layer vulnerability assessment tools: test through the Internet or an external router, firewall or web server
- Scope assessment tools: assess security by testing for vulnerabilities in applications and the operating system
- Active and passive tools: active tools run vulnerability checks against network functions and consume network resources; passive scanners barely affect system resources and performance
- Location and data examination tools:
  - Network-based scanner: remotely scans machines on the network
  - Agent-based scanner: agents are installed on the target machines
  - Proxy scanner: can scan the network from any machine on the network
  - Cluster scanner: performs two or more scans simultaneously on different machines in the network
Choosing a vulnerability assessment tool: capable of scanning a wide range of different vulnerabilities, vulnerability database frequently updated, etc.
Criteria for choosing a vulnerability assessment tool: types of vulnerabilities being assessed, tested scanning capability, efficient and accurate, test-run scheduling, etc.
Tools: GFI LanGuard, OpenVAS, Nikto (web servers and web-based apps), Nessus, Qualys Vulnerability Management and a lot more
AI-powered tools: Equixly, SmartScanner, CodeDefender, Corgea, Fluxguard, DryRun Security, Pentest Copilot, Beagle Security, Hackules, Coderbuds
Vulnerability assessment report: Executive summary Assessment overview Findings Risk Assessment Recommendations