By: Ferdinand Mudjialim, Cerberus Sentinel
So, you (or your friendly neighborhood MSP) have just finished a vulnerability scan as part of a vulnerability management program and/or in preparation for penetration testing. But one ominous question looms: What next? Sorting through hundreds of thousands of vulnerability log entries can be daunting, and deciding which ones merit further investigation is harder still. You may not even know where to start in assessing risk, because the results are often filled with tech jargon and severity ratings that are not necessarily accurate measures of real-world risk in the first place. In this article, I cover some tips you can apply in all your future vulnerability assessment endeavors.
Context, Context, Context
Start with the context of the scan. If it was an external scan, for example, put extra emphasis on externally facing websites and web applications, since they can give attackers just enough of an opening to slip past the firewall and through the organization’s front door. Deprecated or insecure protocols such as SSL or TLSv1.0/1.1 can allow attackers to intercept traffic over the Internet, resulting in sensitive information leakage or web application compromise. Internal scans should instead focus on vulnerabilities that give an attacker the ability to pivot freely and gain privileges across systems within your network: look out for outdated systems with missing critical patches and for default or weak credentials.
You should also keep in mind that unauthenticated scans can be somewhat inaccurate, as the scanner has less information to work with. Because it cannot reliably log in to systems to verify vulnerabilities from an insider perspective, the results may contain a substantial number of false positives that you need to filter out.
The key here is to note that some vulnerability entries are essentially “out of scope” in terms of assessing risk for an organization. But remember—it all depends on context.
Using External Resources
Now that you have an intuition for determining which vulnerabilities to focus on, the next step is using external resources to get a better idea of the risk associated with them. Many vulnerabilities come with a convenient identifier such as a CVE (Common Vulnerabilities and Exposures) ID, and you can use it to search online for details and alternative severity scores. Numerous CVE databases exist, and most are accessible from a web browser. NVD (National Vulnerability Database), Exploit-DB, or even GitHub can provide a treasure trove of vulnerability information. Additionally, the popular Kali Linux distribution comes with tools like searchsploit that let you search by CVE ID for known exploit code.
There are a few reasons why external resources are useful in vulnerability assessments. First, if PoC (proof of concept) code or exploits are readily available online for a certain vulnerability, you should generally assign it a higher risk, because just about anyone can use them to exploit that vulnerability with little to no knowledge. Second, it is often useful to know the type of a vulnerability, because some are more alarming than others. For example, a buffer overflow is nice, to be sure, but an unauthenticated remote code execution is worth much more and takes less effort for hackers. And third, you can automate the searches using scripting languages and APIs if needed. Don’t limit yourself to the confines of a spreadsheet!
The Bigger Picture
With all this talk about PoC and exploit modules, let’s not forget that some of the most dangerous vulnerabilities can be hiding in plain sight. Vulnerability scans can easily miss misconfigurations, so always remember that scans are not the be-all and end-all of vulnerability discovery.
Severity ratings can be misleading in that they don’t always tell the whole story. There is a good reason that robots haven’t taken over the security analyst’s day job. There are often cases in which it’s possible to chain multiple low-severity vulnerabilities together into an attack path that poses a serious risk to an organization.
Always come back to the context and consider the implications of a vulnerability as well. For example, information disclosure may not sound like much, but on a hospital or payment card industry network, that kind of vulnerability can be catastrophic. The point is not to dismiss vulnerabilities too easily but to understand what opportunities they may open for malicious actors.
Vulnerability assessments can be a little tricky, but once you settle on a repeatable process that works for your organization, the work becomes almost algorithmic, and after a while you may even come to appreciate it.
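Pulling the advice above together, here is an added example (not code from the article or from Cerberus Sentinel) of the kind of scripted triage the “Using External Resources” section suggests: it extracts CVE IDs from a scanner export so they can be fed to an NVD or searchsploit lookup, then re-ranks findings by exposure, public PoC availability, vulnerability type and environment instead of by the scanner’s severity alone. The ';'-separated export, the CVE IDs (placeholders, not real CVEs), the set of IDs with public PoCs and the scoring weights are all constructed for illustration.

```python
import re
from dataclasses import dataclass

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")
SEVERITY_BASE = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Info": 0}

# Constructed scanner export (not real output); CVE IDs are placeholders. Columns: cve;host;exposure;scanner_severity;title
SAMPLE_EXPORT = """\
CVE-0000-0001;web01;external;Medium;TLSv1.0/1.1 enabled on HTTPS service
CVE-0000-0001;web01;external;Medium;TLSv1.0/1.1 enabled on HTTPS service
CVE-0000-0002;app07;internal;Medium;Unauthenticated remote code execution in app server
-;db03;internal;High;Default credentials accepted on database admin account
CVE-0000-0003;ws12;internal;High;Missing critical patch for file sharing service
CVE-0000-0004;web01;external;Low;Server version information disclosure
"""

@dataclass(frozen=True)
class Finding:
    cve: str
    host: str
    exposure: str
    severity: str
    title: str

def extract_cve_ids(text: str) -> list[str]:
    """Unique CVE IDs, ready to feed into an NVD or searchsploit lookup."""
    return sorted(set(CVE_RE.findall(text)))

def parse_export(text: str) -> list[Finding]:
    # A set of row tuples collapses the duplicate entries scanners often emit
    rows = {tuple(line.split(";")) for line in text.splitlines() if line.strip()}
    return [Finding(*r) for r in sorted(rows)]

def triage_score(f: Finding, poc_ids: set[str], regulated: bool = False) -> int:
    """Re-rank one finding using the context rules from the article, not the scanner score alone."""
    t = f.title.lower()
    score = SEVERITY_BASE.get(f.severity, 0)
    if f.exposure == "external":
        score += 2                       # reachable from the Internet: the front door
    if f.cve in poc_ids:
        score += 2                       # public PoC: little skill needed to exploit
    if "unauthenticated" in t and "remote code execution" in t:
        score += 3                       # worth far more than a generic memory bug
    if f.exposure == "internal" and ("default credentials" in t or "missing critical patch" in t):
        score += 1                       # pivot and privilege enablers inside the network
    if regulated and "information disclosure" in t:
        score += 2                       # leakage on a hospital or PCI network is not "low"
    return score

def prioritize(text: str, poc_ids: set[str], regulated: bool = False) -> list[tuple[str, str, int]]:
    ranked = [(f.cve, f.host, triage_score(f, poc_ids, regulated)) for f in parse_export(text)]
    return sorted(ranked, key=lambda r: (-r[2], r[0]))
```

With the constructed data, the "Medium" unauthenticated RCE with a public PoC lands at the top, and setting `regulated=True` lifts the "Low" information disclosure on the external web server above the internal patch and credential findings.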
However, it’s also understandable that some organizations may not have the resources and/or time to regularly conduct such assessments. If you’d rather have the pros handle all the processes and conduct supplemental services for a more complete cybersecurity solution, make sure to Request a Consultation with the leading cybersecurity experts at Cerberus Sentinel.