Vulnerability analysis

  • Vulnerability research helps identify vulnerabilities which could compromise the system
  • Scanning types
    • Active scanning: interacting directly with the target network to discover vulnerabilities
    • Passive scanning: discovering vulnerabilities without a direct interaction with the target network

Vulnerability categories

  • Misconfiguration
  • Default installations
  • Buffer overflows
  • Unpatched servers
  • Design flaws
  • Operating system flaws
  • Application flaws
  • Open services
  • Default passwords

Vulnerability assessment types

  • Active assessment: through network scanners
  • Passive assessment: by sniffing the traffic
  • External assessment: vulnerabilities & threats that are accessible outside of the organization
  • Internal assessment: vulnerabilities & threats that are present internally
  • Host-based assessment: vulnerabilities & threats on a specific server by examining the configuration
  • Network assessment: identifies potential attacks on the network
  • Application assessment: examines the configuration of the web infrastructure
  • Wireless network assessment: vulnerabilities & threats in the organization's wireless network

Vulnerability management

  • Evaluation and control of the risks and vulnerabilities in the system
  • Phases:
    • Pre-assessment phase
      • Creating baseline: Identifying critical assets and prioritizing them
    • Assessment phase
      • Vulnerability assessment: identifying known vulnerabilities
    • Post-assessment phase
      • Risk assessment: assessing the vulnerability and risk levels for the identified assets
      • Remediation: mitigating and reducing the severity of the identified vulnerabilities
      • Verification: ensuring that all phases have been successfully completed
      • Monitoring: identifying new threats and vulnerabilities

Vulnerability assessment solution types

  • Product-based solutions: installed in the internal network
  • Service-based solutions: offered by third parties
  • Tree-based assessment: different strategies are selected for each machine
  • Inference-based assessment
    1. Find the protocols to scan
    2. Scan the found protocols and enumerate their services
    3. Select the vulnerabilities to test for and execute the relevant tests

Vulnerability scoring systems

  • Identified vulnerabilities are stored in databases
  • Each vulnerability is assigned a score based on its severity and risk

CVSS - Common Vulnerability Scoring System

  • A free and open industry standard for assessing the severity of computer system security vulnerabilities
  • Helps to assess and prioritize vulnerability management processes.
  • Assigns severity scores to vulnerabilities
  • The score is calculated from metrics that include the ease and the impact of exploitation.

CVE - Common Vulnerabilities and Exposures

  • Mitre.org
  • List of common identifiers for publicly known cybersecurity vulnerabilities
  • E.g. CVE-2020-0023: disclosure of user contacts over Bluetooth due to a missing permission check on Android.

NVD - National Vulnerability Database

  • U.S. government repository of standards-based vulnerability management data
  • nvd.nist.gov
  • Includes databases of security checklist references, security-related software flaws, misconfigurations, product names, and impact metrics

Vulnerability assessment report

  • Written after an assessment is performed
  • Classified into a security vulnerability report and a security vulnerability summary.
  • Details of what has been done and what has been discovered during the assessment
  • Created to help organizations resolve security issues if they exist
  • Typically contains information about the scan, the target, and the results.

Vulnerability assessment tools

  • Also known as vulnerability scanners
  • Scanning solutions test for vulnerabilities in three steps
    1. locate the live hosts in the network
    2. enumerate open ports and services
    3. test the found services for known vulnerabilities by analyzing responses.
  • Tool types
    • Host-based vulnerability assessment tools
    • Depth assessment tools
    • Application-layer vulnerability assessment tools
    • Scope assessment tools
    • Active/Passive tools
    • Location/Data examined tools
  • OpenVAS
    • Open-source software framework of several services and tools offering vulnerability scanning and vulnerability management.
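
The three-step scanner pipeline above ends with "test the found services for known vulnerabilities by analyzing responses". The most common form of that test is version-based: the scanner parses the banner a service returned and checks whether the version falls inside a known affected range. The code below is an added example, not part of the original notes or of any scanner named here. Steps 1 and 2 are represented by a constructed inventory of (host, port, banner) records; the advisory table is constructed too, with illustrative version ranges and placeholder identifiers rather than real CVE numbers.

```python
"""Step 3 of a scanner pipeline: matching service banners against known
vulnerable version ranges (added example, not from the original notes).

Steps 1 and 2 (host discovery, port/service enumeration) are stood in for by
a constructed inventory of banners. The advisory table is constructed as
well: product names and ranges are illustrative and the IDs are placeholders,
not real CVEs.
"""
import re
from dataclasses import dataclass

# Constructed advisories: (product, first affected, first fixed, placeholder id).
# A None upper bound means "no fixed version has been released".
ADVISORIES = [
    ("OpenSSH", (7, 0), (7, 9), "CVE-PLACEHOLDER-0001"),
    ("Apache", (2, 4, 0), (2, 4, 50), "CVE-PLACEHOLDER-0002"),
    ("ProFTPD", (1, 3, 0), None, "CVE-PLACEHOLDER-0003"),
]

# Recognises "OpenSSH_7.4", "Apache/2.4.49", "ProFTPD 1.3.7" inside a banner.
BANNER_RE = re.compile(r"(?P<product>OpenSSH|Apache|ProFTPD)[_/ ]?(?P<version>\d+(?:\.\d+)+)")


@dataclass
class Finding:
    host: str
    port: int
    product: str
    version: str
    advisory: str


def parse_version(text: str) -> tuple:
    """'2.4.49' -> (2, 4, 49). Tuples compare element-wise, so 2.4.9 < 2.4.49,
    which a plain string comparison would get wrong."""
    return tuple(int(p) for p in text.split("."))


def parse_banner(banner: str):
    """Return (product, version string), or None if the banner is not recognised."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    return m.group("product"), m.group("version")


def match_advisories(product: str, version: str) -> list:
    """IDs of advisories whose affected range contains this version.
    The range is half-open: first_affected <= version < first_fixed."""
    v = parse_version(version)
    hits = []
    for adv_product, lo, hi, adv_id in ADVISORIES:
        if adv_product != product:
            continue
        if v >= lo and (hi is None or v < hi):
            hits.append(adv_id)
    return hits


def assess(inventory: list) -> list:
    """Run the banner-to-advisory check over (host, port, banner) records."""
    findings = []
    for host, port, banner in inventory:
        parsed = parse_banner(banner)
        if parsed is None:
            continue  # unknown service: no version-based judgement is possible
        product, version = parsed
        for adv_id in match_advisories(product, version):
            findings.append(Finding(host, port, product, version, adv_id))
    return findings


# Constructed scan output standing in for steps 1 and 2 (hosts and banners are made up).
SAMPLE_INVENTORY = [
    ("10.0.0.5", 22, "SSH-2.0-OpenSSH_7.4"),
    ("10.0.0.5", 80, "Server: Apache/2.4.49 (Unix)"),
    ("10.0.0.6", 22, "SSH-2.0-OpenSSH_8.9"),
    ("10.0.0.7", 21, "220 ProFTPD 1.3.7 Server ready"),
    ("10.0.0.8", 8080, "Server: Jetty(9.4.z)"),
]

if __name__ == "__main__":
    for f in assess(SAMPLE_INVENTORY):
        print("%s:%d %s %s -> %s" % (f.host, f.port, f.product, f.version, f.advisory))
```

Two caveats that every scanner report inherits from this approach: a banner can be edited or suppressed by the administrator, so an unrecognised banner is "unknown", not "safe"; and distributions often backport fixes without changing the advertised version, so a version-range hit is a candidate finding that still has to be verified against the vendor's patch level before it goes into the assessment report.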

Nmap

Nessus

  • Website
  • 📝 Proprietary port and vulnerability scanner
  • Scans include
    • misconfigurations
    • default passwords (has Hydra built-in)
    • DoS vulnerabilities
  • Can be used to perform compliance auditing, like internal and external PCI DSS audit scans.

Burp Suite

  • 📝 Proxy tool to scan web vulnerabilities
  • Allows manual testers to intercept all requests and responses between the browser and the target application
  • Allows to view, edit or drop individual messages to manipulate the server-side or client-side components of the application.

Nikto

  • Open-source web server vulnerability scanner.
  • Mainly looks for outdated software, dangerous files/CGIs, etc.
  • E.g. nikto -host cloudarchitecture.io
  • 🤗 Many modern scanners, including Nessus and OpenVAS, use Nikto to gather information for their analysis.

Microsoft Baseline Security Analyzer (MBSA)

  • Identifies missing security updates and common security misconfigurations
  • Assesses Windows and its software, e.g.
    • Internet Explorer
    • IIS web server
    • Microsoft SQL Server
    • Office macro settings
  • It's deprecated