King Abdul Aziz University
Course: CS 410
Subject: Information Systems
Date: Dec 21, 2024
Pages: 16
Big Picture: VAPT

Vulnerability Assessment and Penetration Testing (VAPT) is the systematic testing of systems to identify and address security vulnerabilities. Although the two are often defined together, VAPT is actually composed of two separate but related practices:
- Vulnerability Assessment - searches systems for known vulnerabilities
- Penetration Test - attempts to actively exploit weaknesses in an environment

VA vs PT

Vulnerability Assessment                        | Penetration Test
------------------------------------------------|-----------------------------------------------------------
Often automated                                 | Requires manual, hands-on expertise/knowledge
Network- or application-wide                    | Targeted attack against person(s), application, network
Business-wide                                   | Specific to a function, department, or asset
Checks against CVEs and vulnerability databases | Used to discover and exploit new vulnerabilities
Frequent, ongoing, on any number of assets      | Less frequent; takes days/weeks to perform, typically annually
Monitor and identify weaknesses                 | Simulate an attack

Both Vulnerability Assessments and Penetration Tests can serve similar outcomes:
- Included in a Vulnerability Management program
- Conducted in response to major network or application changes
- Performed for compliance purposes
- Part of remediation verification after an incident
Developing Your Intuition

Consider Your Objectives
- Are you looking for known vulnerabilities?
- Are you researching potential/unknown vulnerabilities?
- Are you reactive or proactive?
- Your role as a security analyst.

Examine Your Methods

Technology-Based Scanning - automated, technology-based scanning/monitoring:
- Provides a baseline
- Online resources available
- Comfortable
- Controllable
- Immediate

Data Analysis Techniques - other methods:
- Data Transformation - manipulation of data to detect useful information
- Behavior Analysis - the detection of suspicious network or user behavior
- Machine Learning - a set of algorithms that analyze data to find patterns
- Heuristics - decompiling an application to understand its processes, or running applications in an isolated environment

Don't Reinvent the Wheel
Vulnerability Management is a well-known, widely publicized information security concept:
- Research standards/frameworks
- See what others are doing
- Follow best practices
Vulnerability Assessment Stages

Preliminary Activities

Setup - At this stage, analysts meet with stakeholders to determine the scope of the assessment, which includes:
- Determining the Rules of Engagement
- Deliverables
- Scheduling (start/stop, peak periods, intervals, etc.)
- Tool selection
- Other logistical considerations such as points of contact and emergency escalation procedures

Vulnerability Identification - This stage involves compiling a comprehensive list of vulnerabilities.
- Vulnerability scan - the use of automated tools to detect vulnerabilities
- Analysts will also leverage vulnerability databases, vendor advisories/bulletins, and inventory management resources

Analysis - This stage involves determining the source and cause of vulnerabilities based on the results from the identification stage. At this stage, we may start to determine potential mitigation or remediation strategies and suggestions.

Risk Assessment - This stage involves the prioritization of vulnerabilities by assigning a rank or score to each. Other considerations influencing the risk may include:
- The likelihood of consequences
- Acceptable tolerances for potential loss
- The classification or importance of the affected systems
- The sensitivity of the potentially affected data
- Business risks
- Severity of a potential attack

Remediation - This stage is typically a collaboration with operations and administrative teams to determine the most effective remediation or mitigation strategy, which may include:
- Additional security controls, new procedures, or tools
- Updates and/or configuration changes
- The development or implementation of a patch

Remember: The Vulnerability Assessment is a formal procedure within a Vulnerability Management Program. Although assessment practices vary between organizations, most assessment efforts will follow these primary stages.

Before the Engagement

What happens before you start? Below are some considerations to discuss with stakeholders prior to executing the assessment:
- Scope - defines what will be assessed; often includes discussions about:
  - Inventory of environment/topology, including baseline configurations
  - Valuation of identified resources
  - Estimation of Time - includes a discrete start and end of the assessment period
  - Policies
  - Regulatory Compliance
  - Business Processes
  - Existing Controls
  - Tool Selection
Assessment Set-up

Now that we have defined the scope of our vulnerability assessment, we will look at execution.

Rules of Engagement - defines how the assessment is to be executed; everything between the start and the end:
- Communication Plan (e.g. messaging, status updates, alerts)
- Meeting/Follow-up Cadence
- Emergency contacts
- Report Deliverables
- Scheduling
- How to Handle Evidence
- Approvals/Permissions

Vulnerability Assessment Administration

Vulnerability Assessment Methods

Network-based Utilities
Network-based - a tool that typically lives within the infrastructure and assesses the network for vulnerabilities
- Locates systems and visualizes the network
- May help identify suspicious packets
- Often includes port/protocol scanners, which scan ports, protocols, and network services
Host-based Utilities
Host-based - looks for vulnerabilities at the system level
- Detects insecure file permissions, OS vulnerabilities, service configurations
- Typically requires administrative access
- Can be agent-less, agent-server, or standalone

Wireless Scanning Utilities
Wireless - used to assess network hardware and software vulnerabilities by examining wireless signals; often used to address capacity concerns like DoS attacks, session hijacking, wireless encryption, and password/credential attacks

Application Scanning Utilities
Application - used to assess vulnerabilities in software with a multitude of methods:
- Static Application Security Testing (SAST) - scans source code and analyzes and verifies flaws in programming; often used prior to release
- Dynamic Application Security Testing (DAST) - analyzes a currently running application for runtime vulnerabilities
- Interactive Application Security Testing (IAST) - a modern, hybrid approach that monitors source code while the application is running, typically handled with an agent
- Fuzz Testing - a code injection testing mechanism that inserts arbitrary payloads into the application
- Dependency Scanner - a vulnerability assessment of software dependencies such as runtime libraries
Web Application Scanning Utilities
Web Application - (website scanner) a type of application vulnerability assessment that looks for known vulnerabilities in web applications
- Often simulates attacks by examining individual web pages
- May detect SSL certificate issues
- Some point out vulnerabilities in the web server platform

Other Scanning Utilities
- Mobile - assessments that target mobile devices and apps
- Database - assesses security controls on database servers; typically targets vulnerabilities such as excessive privileges, weak credentials, and service misconfigurations
- Social - assessments intended to gauge security flaws that originate from users; may include friendly fake or staged social engineering campaigns
- Environmental - assessments that examine the physical nature of the system; may include power/data links, fire suppression, physical security, and resilience to natural disasters

Basic vs Many; Complex vs Few
Choose the scan based on the target: a basic scan on many hosts vs an intense scan on few hosts.
External vs Internal Scanning
- External Assessment - targets publicly available assets
- Internal Assessment - targets assets internal to the organization, inaccessible from the Internet

Authenticated vs Unauthenticated Scanning
- Authenticated - allows the scanner to directly access resources using provided credentials
- Unauthenticated - scanning of resources without any credentials; typically from the perspective of an attacker

Vulnerability Assessment Tools
When referring to vulnerability assessment tools, we often refer to an automated scanning mechanism. Most scanners aid in the vulnerability identification stage of the assessment process. More sophisticated scanning tools/utilities will address the analysis and risk assessment stages by pulling in CVSS ratings.

Common Vulnerability Scoring System (CVSS) - an industry standard for measuring the severity of vulnerabilities
Licensing and usage restrictions typically fall into these categories:
- Free or Open Source Software (FOSS) - generally refers to software released under licenses that allow free redistribution by anyone
  - Free - proprietary software that does not require payment to use
  - Open Source - software that is distributed under a public development model with distributable source code
- Commercial - refers to proprietary software released under licenses that require payment to use
- Shareware/Freeware - commercial software that is released as a limited trial

There are countless vulnerability assessment utilities, tools, and scanners.

Richard's Toolkit
Here is a list of commonly used vulnerability assessment tools in my personal toolkit:

Title | Type | License | Notes
BurpSuite CE | Web Application Scanner | Free | An all-in-one suite of tools to check for web application vulnerabilities; cross-platform. Although the product is a commercial title, they offer a free Community Edition that has a good range of capabilities.
Kismet | Network Scanner | Free | Can be used as a network detector or packet sniffer for 802.11 a/b/g/n wireless LANs; runs on Linux, but a clone exists for Mac OS X (KisMac)
Nessus | Application Scanner | Commercial | Published by Tenable, Inc. They offer a limited free license for personal use.
nmap | Network Scanner | Open Source | Great for host and service discovery, including operating systems.
Open Vulnerability Assessment Scanner (OpenVAS) | Multi-Tool | Open Source | Includes a library of over 50,000 Network Vulnerability Tests (NVTs); provides a web console where scans can be scheduled or automated.
Qualys CE | Multi-Tool | Free | A cloud-based scanner with multiple capabilities; normally a commercial title, they offer a free Community Edition. Because it is hosted in the cloud, it's great for perimeter scanning from the perspective of an outsider.
Wireshark | Network Scanner | Free | Probably the most widely used network analyzer utility; cross-platform, used to capture and analyze almost any kind of network packets.
WPScan | Web Application Scanner | Commercial | A security scanner specifically for WordPress websites; comes with a WP plugin and connects to a well-maintained WordPress vulnerability database.
Zed Attack Proxy (ZAP) | Web Application Scanner | Open Source | The world's most widely used web application vulnerability scanner, supported by the Open Web Application Security Project (OWASP)

Other Tools:
- Kali Linux - a Debian-based Linux distribution solely for the purposes of penetration testing, ethical hacking, and network security assessments

Notable Vulnerability Assessment Tools

Title | Type | License | Notes
Acunetix | Web Application Scanner | Commercial | Scans against thousands of known vulnerabilities; claims a low false-positive rate
Aircrack-NG | Network Scanner | Free | A wireless detector, packet sniffer, and WEP/WPA analysis tool.
Arachni | Web Application Scanner | Free | A cross-platform scanner with a wide array of scriptable utilities.
BeEF | Application Scanner | Open Source | A scanning program that targets web-browser vulnerabilities and exploits
GoLismero | Multi-Tool | Open Source | A robust, cross-platform scanning utility that can target web applications as well as database and network vulnerabilities
Intruder | Multi-Tool | Commercial | Cloud-based scanner
Metasploit Framework | Multi-Tool | Open Source | Developed by Rapid7; a comprehensive framework composed of multiple scanning tools primarily used for penetration testing.
Microsoft Baseline Security Analyzer (MBSA) | Host Scanner | Free | A utility for scanning Windows computers for vulnerabilities, including missing updates or patches. Note: this is intended for use on legacy Windows products, e.g. Windows XP, Windows 7, Windows Server 2000, 2003, 2008, etc.
Microsoft Security Compliance Toolkit | Host Scanner | Free | A utility for analyzing and testing Windows security baseline configurations.
NetSparker | Web Application Scanner | Commercial | Robust scanning platform
Nexpose | Multi-Tool | Commercial | A robust vulnerability management tool developed by Rapid7
Nikto | Web Application Scanner | Open Source | A well-known web application scanner that checks against thousands of potentially dangerous files and programs.
OpenSCAP | Multi-Tool | Open Source | A complete vulnerability scanning and assessment utility that supports web applications, servers, OS, or network, with built-in risk assessment utilities utilizing the NIST SCAP model.
Tsunami Security Scanner | Network Scanner | Open Source | Published by Google; a relatively recent vulnerability scanner geared for large-scale enterprise networks.
vuls | Application Scanner | Open Source | Agentless vulnerability scanner for Linux/BSD that uses NVD databases.
w3af | Web Application Scanner | Open Source | An application attack framework covering a broad range of vulnerabilities

Open Web Application Security Project (OWASP) - an online community for all topics related to web application security
OWASP Resources:
- List of Free for Non-Commercial Use Vulnerability Scanners
- Static Application Security Testing (SAST) Tools, aka Source Code Analysis Tools
- Dynamic Application Security Testing (DAST) Tools

Software-as-a-Service & Security-as-a-Service

Vulnerability Management Services
As a security analyst, you may be asked to manage or utilize any number of Software as a Service/Security as a Service (SaaS) solutions to perform vulnerability management functions for your organization. Each of the following is an example of a vulnerability management service that may include a wide array of tools and utilities with varying features to fit your project scope.
- Outpost24
- Qualys
- Rapid7
- Tripwire

Building Your Own Toolkit
There is no single correct way to choose the tools to include in your toolkit. Tools are chosen with the scope of the project in mind and given the resource constraints of your organization.
Considerations:
- Time
- Money
- Comprehensiveness
- Topology/Design
Exercise and Solution: Vulnerability Assessment Execution
(Student note: very important)

Assessment Results
(Student note: a lot of material here and very important; you must come back to it.)

How CVSS Scoring Works
NIST CVSS Scoring Calculator

CVSS is a measure of a vulnerability's severity. It does NOT measure risk. CVSS scoring is typically performed by vulnerability analysts who represent incident response teams and software vendors.

The CVSS is written as a vector string with the attributes of the vulnerability listed with a score: CVSS:3.0/S:U/AV:N/AC:L/PR:H/UI:N/C:L/I:L/A:N/E:F/RL:X

The CVSS is based on a well-known rubric published by the National Institute of Standards and Technology, and grades the vulnerability with three (3) metric groups: base, temporal, and environmental, each consisting of individual criteria.
CVSS Scores - Base, Temporal, Environmental

Base - the fundamental characteristics of a vulnerability; the primary measure of severity documented in the National Vulnerability Database (NVD).
- Attack Vector - lists how the vulnerability is exploited; values include:
  - physical - the attacker requires physical access to the system, e.g. USB
  - local - the attacker requires local administrative access to the system, e.g. sudo, Windows login session
  - adjacent network - the attacker requires access to the local network of the software, e.g. IP subnet, Bluetooth, Ethernet
  - network - the attacker does not require any specific connectivity; the vulnerability is considered "remotely exploitable"
- Attack Complexity - measures the complexity of the attack required to exploit the vulnerability, taking into consideration the other steps necessary and any special conditions; evaluated as low or high complexity
- Privileges Required - indicates the level of privileges an attacker requires to exploit a vulnerability; values include: high, low, none
- User Interaction - indicates the requirement for the user (not the attacker) to participate in a compromise:
  - none - the system can be exploited without any user interaction
  - required - exploitation requires a user to take some action
- Scope - measures the ability of an exploit to impact resources beyond its initial privileges:
  - unchanged - an attacker can only affect resources at the same level; the vulnerable component is equal to the impacted component
  - changed - an attacker may affect resources beyond the initial authorization
- Confidentiality, Integrity, and/or Availability Impact - three separate impacts indicated with the values high, low, or none, indicating a complete, partial, or no impact.