What is Vulnerability Assessment ; Analysis | Tools and Practise

Module Objectives

In today's world, organizations depend heavily on information technology. It is necessary for them to protect their vital information. This information addresses areas of finance, research and development, personnel, legality, and security. Vulnerability assessments scan networks for known security weaknesses.

Attackers perform vulnerability analysis to identify security loopholes in the target organization's network, communication infrastructure, and end systems. The identified vulnerabilities are used by the attackers to perform further exploitation on that target network.

On the other hand, vulnerability assessment plays a major role in providing security to any organization's resources and infrastructure from various internal and external threats. To secure a network, an administrator needs to perform patch management, install proper antivirus software, check configurations, solve known issues in third party applications, and troubleshoot hardware with default configurations. All these activities together constitute vulnerability assessment.

This module starts with an introduction to vulnerability assessment concepts. This module also discusses the vulnerability management life cycle and various approaches and tools used to perform the vulnerability assessment. This module will focus your awareness on tools and techniques used by the attackers to perform vulnerability analysis. The module ends with an overview of vulnerability assessment report, which helps an ethical hacker in taking necessary steps to fix the identified vulnerabilities.

At the end of this module, you will be able to:

■    Understand vulnerability research and vulnerability classification

■    Describe vulnerability assessment

■ Describe about vulnerability management life cycle (vulnerability assessment phases)

■    Understand different approaches of vulnerability assessment solutions

■    Describe different characteristics of good vulnerability assessment solutions

■    Explain different types of vulnerability assessment tools

■    Choose an appropriate vulnerability assessment tools

■    Understand vulnerability scoring systems

■    Use various vulnerability assessment tools

■    Generate vulnerability assessment reports

Vulnerability Assessment Concepts

In a network there are generally two main causes for systems being vulnerable, software or hardware misconfiguration and poor programming practices. Attackers exploit these vulnerabilities to perform various types of attacks on organizational resources. This section gives an overview on vulnerability assessment, classification, types of vulnerability assessments and vulnerability assessment phases.

Vulnerability Research

Vulnerability research is the process of discovering vulnerabilities and design flaws that will open an operating system and its applications to attack or misuse.

An administrator needs vulnerability research:

■   To gather information about security trends, threats, and attacks

■   To find weaknesses, and alert the network administrator before a network attack 

■   To get information that helps prevent the security problems

■   To know how to recover from a network attack

An ethical hacker needs to keep up with the most recently discovered vulnerabilities and exploits in order to stay one-step ahead of attackers through vulnerability research, which includes:

■    Discovering system design faults and weaknesses that might allow attackers to compromise a system

■    Being informed about new products and technologies in order to find news related to current exploits

■    Checking underground hacking web sites for new vulnerabilities and exploits 

■    Checking newly released alerts regarding relevant innovations and product

improvements for security systems

Security experts and vulnerability scanners classify vulnerabilities by: 

■    Severity level (low, medium, or high)

■    Exploit range (local or remote)

Vulnerability Classification

Vulnerabilities present in a system or network are classified into the following categories:

■ Misconfiguration

Misconfiguration is the most common vulnerability that is mainly caused by human error, which allows attackers to gain unauthorized access to the system. This may happen intentionally or unintentionally affecting web servers, application platform, database and network.

A system can be misconfigured in so many ways: o An application running with debug enabled o Outdated software running on the system

o Running unnecessary services on a machine

o  Using  misconfigured  SSL  certificates  and  default  certificates o Improperly authenticated external systems

o Disabling security settings and features

Attackers can easily detect these misconfigurations using scanning tools and then exploit the backend systems. It is important for the administrators to change default configuration of devices and optimize the security of the devices.

■ Default Installations

Default installations are usually kept user friendly especially when the device is being used for the first time, as the primary concern is usability of the device rather than the device's  security. In some cases, infected devices may not contain any valuable information but they are connected to networks or systems that have confidential information that would result in a data breach. Not changing the default settings while deploying the software or hardware allows the attacker to guess the settings in order to break into the systems.

■    Buffer Overflows

Buffer overflows are common software vulnerabilities that happen due to coding errors allowing attackers to get access to the target system. In a buffer overflow attack, attackers undermine the functioning of programs and try to take the control of the system by writing content beyond the allocated size of the buffer. Insufficient bounds checking in the program is the root cause because of which the buffer is not able to handle data beyond its limit, causing the flow of data to adjacent memory locations and overwriting their data values. Systems often crash or become unstable or show erratic program behavior, when buffer overflow occurs.

■    Un patched Servers

Servers are an essential component of the infrastructure of any organization. There are several cases where organizations run unpatched and misconfigured servers compromising the security and integrity of the data in the system. Hackers look out for these vulnerabilities in the servers and exploit them. As these unpatched servers are a hub for the attackers, they serve as an entry point into the network. This can lead to exposure of private data, financial loss, discontinuation of operations, etc. Updating software regularly and maintaining systems properly by patching and fixing bugs can help in mitigating vulnerabilities caused due to unpatched servers.

■    Design Flaws

Vulnerabilities that are caused due to design flaws are universal to all operating devices and systems. Design vulnerabilities such as incorrect encryption or poor validation of data, refer to logical flaws in the functionality of the system that is exploited by the attackers to bypass the detection mechanism and acquire access to a secure system.

■    Operating System Flaws

Due to vulnerabilities in the operating systems, applications such as Trojans, worms, and viruses pose threats. These attacks are performed by using malicious code, script or unwanted software, which result in loss of sensitive information and loss of control on computer operations. Timely patching of OS, installing minimum software applications and use of applications with firewall capabilities are essential steps that an administrator needs take to protect OS from any attack.

■   Application Flaws

Application  flaws  are  vulnerabilities  in  applications  that  are  exploited  by  the  attackers.

Applications   should   be   secured   using   validation   and   authorization   of   the   user.

Applications pose security threats such as data tampering and unauthorized access to configuration stores. If the applications are not secured, sensitive information may be lost or corrupted. Hence, it is important for developers to understand the anatomy of  common  security  vulnerabilities  and  develop  highly  secure  applications  by  providing proper user validation and authorization.

■   Open Services

Open ports and services may lead to loss of data, DoS attacks and allow attackers to perform further attacks on other connected devices. Administrators need to continuously check for unnecessary or insecure ports and services to reduce the risk on the network.

■    Default Passwords

Manufacturers provide default passwords to the users to access the device during initial set-up and users need to change the passwords for future use. However, users forget to update the passwords and continue using the default passwords making devices and systems vulnerable to various attacks such as brute-force, dictionary attack, etc. Attackers exploit this vulnerability to obtain access to the system. Passwords should be kept secret; failing to protect the confidentiality of a password allows the system to be compromised with ease.

What is Vulnerability Assessment?

Vulnerability assessment is an examination of the ability of a system or application, including current security procedures and controls, to withstand assault. Vulnerability assessment scans networks for known security weaknesses. It recognizes, measures, and classifies security vulnerabilities in a computer system, network, and communication channels. It also assists security professionals in securing the network by determining security loopholes or vulnerabilities in the current security mechanism before the bad guys can exploit them.

A vulnerability assessment may be used to:

■    Identify weaknesses that could be exploited

■    Predict the effectiveness of additional security measures in protecting information resources from attack

Typically, vulnerability-scanning tools search network segments for IP-enabled devices and enumerate systems, operating systems, and applications. Vulnerability-scanning software scans the computer against the Common Vulnerability and Exposures (CVE) index and security bulletins provided by the software vendor.

Vulnerability scanners are capable of identifying the following information:

■   The OS version running on computers or devices

■    IP and Transmission Control Protocol/User Datagram Protocol (TCP/UDP) ports that are listening

■   Applications installed on computers 

■   Accounts with weak passwords

■    Files and folders with weak permissions

■    Default services and applications that might have to be uninstalled ■    Mistakes in the security configuration of common applications ■    Computers exposed to known or publicly reported vulnerabilities

There are two approaches to network vulnerability scanning:

■      Active   Scanning:   The   attacker   interacts   directly   with   the   target   network   to   find vulnerabilities.

Example: An attacker sends probes and specially crafted requests to the target host in the network in order to identify vulnerabilities.

■ Passive Scanning: The attacker tries to find vulnerabilities without directly interacting with the target network. The attacker identifies vulnerabilities via information exposed by systems in their normal communications.

Example: An attacker guesses operating system information, applications, and application and service versions, by observing the TCP connection setup and teardown.

Attackers scan for vulnerabilities using tools such as Nessus, GFI LanGuard, and OpenVAS. Vulnerability scanning enables an attacker to identify network vulnerabilities, open ports and running services, application and services configuration errors, and application and services vulnerabilities.

Limitations of Vulnerability Assessment

The following are some of the limitations of vulnerability assessments:

■    Vulnerability-scanning software is limited in its ability to detect vulnerabilities at a given point in time.

■      Vulnerability-scanning   software   must   be   updated   when   new   vulnerabilities   are discovered or improvements are made to the software being used.

■    Software is only as effective as the maintenance performed on it by the software vendor and by the administrator who uses it.

■    It does not measure the strength of security controls.

■     Vulnerability-scanning  software  itself  is  not  immune  to  software  engineering  flaws  that might lead to missing serious vulnerabilities.

The methodology used might have an impact on the result of the test. For example, vulnerability­ scanning software that runs under the security context of the domain administrator will yield different results than if it were run under the security context of an authenticated user or a non­ authenticated user. Similarly, diverse vulnerability-scanning software packages assess security differently and have unique features. This can influence the result of the assessment.

Types of Vulnerability Assessment

Given below are the different types of vulnerability assessments:

■   Active Assessment

Active assessments are a type of vulnerability assessment that uses network scanners to scan the network to identify the hosts, services, and vulnerabilities present in that network. Active network scanners have the capability to reduce the intrusiveness of the checks they perform.

■    Passive Assessment

Passive assessments sniff the traffic present on the network to identify the active systems, network services, applications, and vulnerabilities. Passive assessments also provide a list of the users who are currently using the network.

■    External Assessment

External assessment assesses the network from a hacker's point of view to find out what exploits and vulnerabilities are accessible to the outside world. These types of assessments use external devices such as firewalls, routers, and servers. An external assessment estimates the threat of network security attacks external to the organization. It determines how secure the external network and firewall are.

The following are some of the possible steps in performing an external assessment:

o  Determine  the  set  of  rules  for  firewall  and  router  configurations  for  the  external network.

o Check whether external server devices and network devices are mapped.

o Identify open ports and related services on the external network. o Examine patch levels on the server and external network devices.

o  Review  detection  systems  such  as  IDS,  firewalls,  and  application-layer  protection systems.

o Get information on DNS zones.

o  Scan  the  external  network  through  a  variety  of  proprietary  tools  available  on  the Internet.

o  Examine  Web  applications  such  as  e-commerce  and  shopping  cart  software  for vulnerabilities.

■ Internal Assessment

An internal assessment involves scrutinizing the internal network to find exploits and vulnerabilities. The following are some of the possible steps in performing an internal assessment:

o Specify the open ports and related services on network devices, servers, and systems. o Check for router configurations and firewall rule sets.

o List the internal vulnerabilities of the operating system and server. o Scan for Trojans that may be present in the internal environment.

o  Check  the  patch  levels  on  the  organization's  internal  network  devices,  servers,  and systems.

o Check for the existence of malware, spyware, and virus activity and document them, o Evaluate the physical security.

o Identify and review the remote management process and events.

o Assess the file-sharing mechanisms (for example, NFS and SMB/CIFS shares), o Examine the antivirus implementation and events.

■    Host-based Assessment

Host-based assessments are a type of security check that involves carrying out a configuration-level check through the command line. These assessments check the security of a particular network or server. Host-based scanners assess systems to identify vulnerabilities such as incorrect registry and file permissions, as well as software configuration errors. Host-based assessment can use many commercial and open-source scanning tools.

■    Network Assessments

Network assessments determine the possible network security attacks that may occur on an organization's system. These assessments evaluate the organization's system for vulnerabilities such as missing patches, unnecessary services, weak authentication, and  weak encryption. Network assessment professionals use firewall and network scanners such as Nessus. These scanners find open ports, recognize the services running on those ports, and find vulnerabilities associated with these services. These assessments help organizations determine how vulnerable systems are to Internet and intranet attacks, and how an attacker can gain access to important information. A typical network assessment conducts the following tests on a network:

o Checks the network topologies for inappropriate firewall configuration o Examines the router filtering rules

o Identifies inappropriately configured database servers

o Tests individual services and protocols such as HTTP, SNMP, and FTP o Reviews HTML source code for unnecessary information

o Performs bounds checking on variables 

■   Application Assessments

An application assessment focuses on transactional Web applications, traditional client­ server applications, and hybrid systems. It analyzes all elements of an application infrastructure, including deployment and communication within the client and server. This type of assessment tests the web server infrastructure for any misconfiguration, outdated content, and known vulnerabilities. Security professionals use both commercial and open-source tools to perform such assessments.

■   Wireless Network Assessments

Wireless network assessment determines the vulnerabilities in an organization's wireless networks. In the past, wireless networks used weak and defective data encryption mechanisms. Now, wireless network standards have evolved, but many networks still use the weak and outdated security mechanisms, and are open for attack. Wireless network assessments try to attack wireless authentication mechanisms and get unauthorized access. This type of assessment tests wireless networks and identifies rogue wireless networks that may exist within an organization's perimeter. These assessments audit client-specified sites with a wireless network. They sniff wireless network traffic and try to crack encryption keys. Auditors test other network access once they get access to the wireless network.

Vulnerability Management Life Cycle

Vulnerability management life cycle is an important process that helps in finding and remediating security weaknesses before they are exploited. This includes defining the risk posture and policies for an organization, creating a complete asset list of systems, scanning and assessing the environment for vulnerabilities and exposures, and taking action to mitigate the vulnerabilities that are found. The implementation of a vulnerability management lifecycle makes the insecure computing environments more resilient to attacks.

Vulnerability management should be implemented in every organization as it evaluates and controls the risks and vulnerabilities in the system. The management process continuously examines the IT environments for vulnerabilities and risks associated with the system.

Organizations should maintain a proper vulnerability management program for ensuring the overall information security. The vulnerability management provides best results if it is implemented in a sequence of well-organized phases.

The phases involved in vulnerability management are:

■   Creating Baseline

In this phase, critical assets are identified and prioritized to create a good baseline for the vulnerability management.

■   Vulnerability Assessment

This is a very crucial phase in vulnerability management. In this step, the security analyst identifies the known vulnerabilities in the organization infrastructure.

■    Risk Assessment

In  this  phase,  all  the  serious  uncertainties  that  are  associated  with  the  system  are

assessed,  fixed,  and  permanently  eliminated  for  ensuring  a  flaw  free  system.  Risk

assessment summarizes the vulnerability and risk level identified for each of the selected

asset. It determines the risk level for a particular asset, whether it is high, moderate or low.

■    Remediation

Remediation  is  the  process  of  reducing  the  severity  of  vulnerabilities.  This  phase  is initiated after the successful implementation of the baseline and assessment steps.

■   Verification

This phase provides a clear visibility into the firm and allows the security team to check whether all the previous phases are perfectly employed or not. Verification can be performed by using various means such as ticking systems, scanners, reports, etc.

■    Monitor

Regular monitoring needs to be performed for maintaining the system security using tools such as IDS/IPS, firewalls, etc. Continuous monitoring identifies potential threats and any new vulnerabilities that have evolved.

Pre-Assessment Phase: Creating a Baseline

Pre-assessment phase refers to the preparatory phase, which includes defining policies and standards, defining the scope of assessment, designing appropriate information protection procedure, and identifying and prioritizing the critical assets to create a good baseline for the vulnerability management.

Steps involved in creating a baseline:

1.   Identify and understand business processes

2.   Identify the applications, data, and services that support the business processes

3.   Create an inventory of all assets, and prioritize/rank the critical assets

4.   Map the network infrastructure

5.   Identify the controls already in place

6.   Understand policy implementation and standards compliance to the business processes

7.   Define the scope of the assessment

8.   Create information protection procedures to support effective planning, scheduling, coordination, and logistics

Classify the identified assets, according to the business needs. Classification helps in identifying the high business risks in an organization. Prioritize the rated assets based on the impact of their failure and on the reliability of those assets in the business. Prioritization helps:

■    Evaluating and deciding a solution for the consequence of the assets failing 

■    Examining the risk tolerance level

■    Organizing the methods for prioritizing the assets

Vulnerability Assessment Phase

Vulnerability assessment phase refers to identifying vulnerabilities in the organization infrastructure including the operating system, web applications, web server, etc. It helps identify the category and criticality of the vulnerability in an organization and minimizes the levels of risk. The ultimate goal of vulnerability scanning includes scanning, examining, evaluating and reporting the vulnerabilities in the organization information system.

The assessment phase involves examining the architecture of the network, evaluating the threats to the environment, performing penetration testing, examining and evaluating physical security, analyzing physical assets, assessing operational security, observing policies and procedures, and assessing the infrastructure's interdependencies.

Steps involved in assessment phase:

1.   Examine and evaluate physical security

2.   Check for misconfigurations and human errors

3.   Run vulnerability scans using tools

4.   Identify and prioritize vulnerabilities

5.   Apply business and technology context to scanner results

6.   Perform OSINT information gathering to validate the vulnerabilities

7.   Create a vulnerability scan report

Post Assessment Phase

Post assessment phase is also known as the recommendation phase, which is performed after the risk assessment. Post-assessment is based on the risk assessment. Risk characterization is categorized by the key criteria, which helps to prioritize the list of recommendations.

The tasks performed in post assessment phase include:

■    Making a priority list for assessment recommendations

■ Developing an action plan to implement the proposed recommendation 

■ Capturing lessons learned to improve the complete process in the future 

■ Conducting training for the employees

Post assessment includes risk assessment, remediation, verification, and monitoring.

■    Risk Assessment

In the risk assessment phase, risks are identified, characterized, and classified along with the techniques used to control or reduce the impact of the risks. It is an important step to identify the security weaknesses in the IT architecture of an organization.

The tasks performed in the risk assessment phase include: o Perform risk characterization

o Assess the level of impact

o Determine the threat and risk level

■ Remediation

Remediation refers to the steps that are taken to mitigate the found vulnerabilities such as evaluating vulnerabilities, locating risks, and designing responses for the vulnerabilities, etc. It is important for remediation process to be specific, measurable, attainable, relevant and time-bound.

The tasks performed in the remediation phase include: o Prioritize recommendations

o Develop an action plan to implement the recommendation o Perform root-cause analysis

o Apply patches/fixes

o Capture lessons learned o Conduct awareness training

■   Verification

The verification phase helps the security analysts to verify whether all the previous phases are perfectly employed or not. This phase includes the verification of remedies that were taken for the mitigation of risks.

The tasks performed in the verification phase include: o Perform dynamic analysis

o Attack surface review 

■    Monitoring

In this phase, incident monitoring is performed using tools such as IDS/IPS, SIEM, firewalls, etc. This phase implements continuous security monitoring to thwart ever evolving threats.

The tasks performed in the monitoring phase include:

o Monitoring intrusion detection and intrusion prevention logs o Implementation of policies, procedures, and controls

Vulnerability Assessment Solutions

Vulnerability assessment solution is an important tool for information security management as it identifies all the security weaknesses before an attacker can exploit them. There are different approaches and solutions available to perform vulnerability assessment. Selecting an appropriate assessment approach plays a major role to mitigate the threats an organization is facing.

This section outlines various approaches and solutions used to perform vulnerability assessment.

Comparing Approaches to Vulnerability Assessment

There  are  four  types  of  vulnerability  assessment  solutions:  product-based  solutions,  service­ based solutions, tree-based assessment, and inference-based assessment.

■ Product-Based Solutions

Product-based solutions are installed in the organization's internal network. They are installed in a private or non-routable space, or the Internet-addressable portion of an  organization's  network.  If  they  are  installed  in  the  private  network  or,  in  other  words, behind the firewall, they cannot always detect outside attacks.

■ Service-Based Solutions

Service-based solutions are offered by third parties, such as auditing or security consulting firms. Some solutions are hosted inside the network; others are hosted outside the network. A drawback of this solution is that attackers can audit the network from outside.

■   Tree-Based Assessment

In a tree-based assessment, the auditor selects different strategies for each machine or component of the information system. For example, the administrator selects a scanner for servers running Windows, databases, and web services but uses another scanner for Linux servers. This approach relies on the administrator to provide a starting shot of intelligence, and then to start scanning continuously without incorporating any information found at the time of scanning.

■    Inference-Based Assessment

In an inference-based assessment, scanning starts by building an inventory of protocols found on the machine. After finding a protocol, the scanning process starts to detect which ports are attached to services such as an email server, web server, or database server. After finding services, it selects vulnerabilities on each machine and starts to execute only those relevant tests.

Working of Vulnerability Scanning Solutions

Any organization needs to handle and process large volumes of data in order to carry out business. These large volumes of data contain the information of that particular organization for which access is denied to the unauthorized users. Attackers try to find certain vulnerabilities that they can exploit and use those to gain access to the critical data for illegal purposes. Vulnerability analysis performs a study on the risk-prone areas of the organizational network. This analysis is done using various tools. The vulnerability analysis reports on the vulnerabilities present in the network. Vulnerability scanning solutions perform vulnerability penetration tests on the organizational network in three steps:

■    Locating nodes: The first step in vulnerability scanning is to locate live hosts in the target network using various scanning techniques.

■    Performing service discovery on them: After detecting live hosts in the target network, the next step is to enumerate open ports and services on the target systems.

■   Testing those services for known vulnerabilities: Finally, after identifying open services, these services are tested for known vulnerabilities.

Types of Vulnerability Assessment Tools

There are six types of vulnerability assessment tools: host-based vulnerability assessment tools, application-layer vulnerability assessment tools, depth assessment tools, scope assessment tools, active/passive tools, and location/data-examined tools

.

■    Host-Based Vulnerability Assessment Tools

The host-based scanning tools are apt for servers that run various applications such as the web, critical files, databases, directories, and remote accesses. These host-based scanners are able to detect high levels of vulnerabilities and provide the required information of the fixes (patches). A host-based vulnerability assessment tool finds and identifies the OS running on a particular host computer and tests it for known deficiencies. It also searches for common applications and services.

■    Depth Assessment Tools

Depth assessment tools are used to find and identify previously unknown vulnerabilities in a system. Generally, these tools are used to identify vulnerabilities to an unstable degree of depth. Such types of tools include fuzzers that give arbitrary input to a system's interface. Many of these tools use a set of vulnerability signatures for testing that the product is resistant to a known vulnerability or not.

■   Application-Layer Vulnerability Assessment Tools

Application-layer vulnerability assessment tools are designed to serve the needs of all kinds of operating system types and applications. Various resources pose a variety of security threats and are identified by the tools designed for that purpose. Observing system vulnerabilities through the Internet using an external router, firewall, and web server, is called external vulnerability assessment. These vulnerabilities could be external    DoS/DDoS threats, network data interception, etc. The assessment for vulnerabilities is performed and the resources that are vulnerable are noted. The network vulnerability information is updated regularly into the tools. Application-layer vulnerability assessment tools are directed towards web servers or databases.

■   Scope Assessment Tools

Scope assessment tools provides assessment of the security by testing vulnerabilities in the applications and operating system. These tools provide a standard control and a reporting interface that allows the user to select a suitable scan. These tools generate a standard report of the information found. Some assessment tools are designed to test a specific application or its type for vulnerability.

■   Active/Passive Tools

Active scanners perform vulnerability checks on the network that consume resources on the network. The main advantage of the active scanner is that the system administrator or IT manager has good control of the timing and the degree of vulnerability scans. This scanner cannot be used for critical operating systems because it uses system resources that affect the processing of other tasks.

Passive scanners are those that do not affect system resources considerably, as they only observe system data and perform data processing on a separate analysis machine. A passive scanner first receives system data that provides complete information on processes that are running and then assesses that data against the set of rules.

■    Location/Data Examined Tools

Listed below are some of the location/data examined tools:

o Network-Based Scanner: Network-based scanners are those that interact only with the real machine where they reside and give the report to the same machine after scanning.

o Agent-Based Scanner: Agent-based scanners reside on a single machine but have the ability to scan a number of machines on the same network.

o Proxy Scanner: Proxy scanners are the network-based scanners that have the ability to scan networks from any machine in the network.

o Cluster scanner: Cluster scanners are similar to proxy scanners but have the ability to perform two or more scans on different machines simultaneously in the network.

Characteristics of a Good Vulnerability Assessment Solution

Organizations need to select a proper and suitable vulnerability assessment solution to detect, assess, and protect their critical IT assets from various internal and external threats.

The characteristics of a good vulnerability assessment solution are as follows:

■    Ensures correct outcomes by testing the network, network resources, ports, protocols, and operating systems

■    Uses well-organized inference-based approach for testing 

■   Automatic scan against constantly updated databases

■    Creates brief, actionable, customizable reports, including reports of vulnerabilities by severity level and trend analysis

■   Supports various networks

■   Suggests proper remedies and workarounds to correct vulnerabilities

 ■    Imitates the outside view of attackers for an objective

Choosing a Vulnerability Assessment Tool

Vendor-designed vulnerability assessment tools can be used to test a host or application for vulnerabilities. There are several vulnerability assessment tools available that include port scanners, vulnerability scanners, and OS vulnerability assessment scanners. Organizations have to choose the right tools based on their test requirements.

Choose the tools that best satisfy the following requirements:

■    Tools must be capable of testing dozens to 30,000 different vulnerabilities, depending on the product

■    The selected tool should have a sound database of vulnerabilities and attack signatures that are updated frequently

■    Pick a tool that matches your environment and expertise

■ Verify that the vulnerability assessment tool you chose has accurate network mapping, application mapping, and penetration tests. Not all the tools can find the protocols running and analyze the network's performance.

■     Ensure  that  the  tool  has  a  number  of  regularly  updated  vulnerability  scripts  for  the platforms you are scanning

■    Make sure the patches are applied, failing which might lead to false positives

■    Find out how many reports you get, what information they contain, and whether you can export the reports

■ Check whether the tool has different levels of penetration to stop lockups 

■ Maintenance cost of the tools can be utilized by effectively using the tools

Criteria for Choosing a Vulnerability Assessment Tool

The criteria to be followed at the time of choosing or purchasing any vulnerability assessment tool are as follows:

■    Types of vulnerabilities being assessed: The most important information at the time of evaluating any tool is to find out how many types of vulnerabilities it will discover.

■    Testing capability of scanning: The vulnerability assessment tool must have the capacity to execute the entire selected test and must scan all the systems selected for scanning.

■ Ability to provide accurate reports: Ability to prepare an accurate report is essential. Vulnerability reports should be short, clear, and should provide an easy method to mitigate the discovered vulnerability.

■ Efficient and accurate scanning: There are two aspects of performance. The first one is how much time it takes for a single host and what resources they require. The second one is the loss of services at the time of scanning. It is important to ensure how accurate they are and what accurate results they give.

■    Capability to perform smart search: How clever they are at the time of scanning is also a key factor in judging any vulnerability assessment tool.

■ Functionality for writing own tests: When a signature is not present for a recently found vulnerability, it is helpful if the vulnerability scanning tool allows user-developed tests to be used.

■    Test run scheduling: It is important to be able to do test run scheduling as it allows users to perform scanning when traffic on the network is light.

Best Practices for Selecting Vulnerability Assessment Tools

Some of the best practices that can be adopted for selecting vulnerability assessment tools are as follows:

■    Vulnerability assessment tools are used to secure and protect the organization's system or network. Ensure that they do not damage your network or system while running.

■     Before  using  any  vulnerability  assessment  tools,  it  is  important  to  understand  their function and to decide what information you want to collect before starting

■ Security mechanisms are somewhat different for accessing from within the network and from outside the network; so first decide the source of location for the scan based on what information you want to collect.

■    At the time of scanning, enable the loggings every time you scan on every computer and ensure that all outcomes and methodologies are annotated

■    Users should scan their systems frequently for vulnerabilities and regularly monitor them for vulnerabilities and exploits

Vulnerability Scoring System

Vulnerability scoring systems and vulnerability databases are used by security analysts to rank information system vulnerabilities, and to provide a composite score of the overall severity and risk associated with identified vulnerabilities. Vulnerability databases collect and maintain information about various vulnerabilities present in the information systems.

This section discusses Common Vulnerability Scoring System (CVSS), and vulnerability databases like Common Vulnerabilities and Exposures (CVE), and National Vulnerability Database (NVD).

Common Vulnerability Scoring System 

(CVSS) Source: https://www.first.org, https://nvd.nist.gov

CVSS is a published standard that provides an open framework for communicating the characteristics and impacts of IT vulnerabilities. Its quantitative model ensures repeatable accurate measurement while enabling users to see the underlying vulnerability characteristics that were used to generate the scores. Thus, CVSS is well suited as a standard measurement system for industries, organizations, and governments that need accurate and consistent vulnerability impact scores. Two common uses of CVSS are prioritization of vulnerability remediation activities and in calculating the severity of vulnerabilities discovered on one's systems. The National Vulnerability Database (NVD) provides CVSS scores for almost all known vulnerabilities.

CVSS provides a way to capture the principal characteristics of a vulnerability, and produce a numerical score reflecting its severity. The numerical score can then be translated into a qualitative representation (such as low, medium, high, and critical) to help organizations properly assess and prioritize their vulnerability management processes.

CVSS assessment consists of three metrics for measuring vulnerabilities: ■    Base Metrics: It represents the inherent qualities of a vulnerability

■   Temporal Metrics: It represents the features that keep on changing during the lifetime of a vulnerability.

■    Environmental Metrics: It represents the vulnerabilities that are based on a particular environment or implementation.

Each metrics sets a score from 1-10, 10 being the most severe. CVSS score is calculated and generated by a vector string, which represents the numerical score for each group in the form of   a block of a text. CVSS calculator is developed to rank the security vulnerabilities and provide the user with overall severity and risk related to the vulnerability.

Common Vulnerabilities and Exposures (CVE)

Source: https://cve.mitre.org

CVE® is a publicly available and free to use list or dictionary of standardized identifiers for common software vulnerabilities and exposures. Use of CVE Identifiers, or "CVE IDs," which are assigned by CVE Numbering Authorities (CNAs) from around the world, ensures confidence among parties when used to discuss or share information about a unique software or firmware vulnerability, provides a baseline for tool evaluation, and enables data exchange for cyber security automation. CVE IDs also provide a baseline for evaluating the coverage of tools and services so that users can determine which tools are most effective and appropriate for their organization's needs. In short, products and services compatible with CVE provide better coverage, easier interoperability, and enhanced security.

What CVE is:

■    One identifier for one vulnerability or exposure

■    One standardized description for each vulnerability or exposure

■   A dictionary rather than a database

■    How disparate databases and tools can "speak" the same language

■   The way to interoperability and better security coverage

■   A basis for evaluation among services, tools, and databases

■    Free for public to download and use

■    Industry-endorsed via the CVE Numbering Authorities, CVE Board, and numerous products and services that include CVE

National Vulnerability Database (NVD) 

Source: https://nvd.nist.gov

The NVD is the U.S. government repository of standards based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security related software flaws, misconfigurations, product names, and impact metrics.

The NVD performs analysis on CVEs that have been published to the CVE Dictionary. NVD staff are tasked with analysis of CVEs by aggregating data points from the description, references supplied and any supplemental data that can be found publicly at the time. This analysis results in association impact metrics (Common Vulnerability Scoring System - CVSS), vulnerability types (Common Weakness Enumeration - CWE), and applicability statements (Common Platform Enumeration - CPE), as well as other pertinent metadata. The NVD does not actively perform vulnerability testing, relying on vendors, third party security researchers and vulnerability coordinators to provide information that is then used to assign these attributes.

Resources for Vulnerability Research

Due to a growing severity of cyber-attacks, vulnerability research has become the need of the hour as it helps to mitigate the chances of attacks. Vulnerability research provides awareness on advanced techniques to identify flaws or loopholes in the software that can be exploited by attackers.

The following are some of the online websites used to perform vulnerability research:

■    Microsoft Vulnerability Research (MSVR) (https://technet.microsoft.com)

■   Security Magazine (https://www.securitymagazine.com)

■   SecurityFocus (https://www.securityfocus.com)

■    Help Net Security (https://www.net-security.org)

■    HackerStorm (http://www.hackerstorm.co.uk)

■   SC Magazine (https://www.scmagazine.com)

■    Computerworld (https://www.computerworld.com)

■   WindowsSecurity (http://www.windowsecurity.com)

■    Exploit Database (https://www.exploit-db.com)

■    CVE Details (https://www.cvedetails.com)

■   Security Tracker (https://securitytracker.com)

■   Vulnerability Lab (https://www.vulnerability-lab.com)

■    D'Crypt (https://www.d-crypt.com)

■   Trend Micro (https://www.trendmicro.com)

■    Rapid7 (https://www.rapid7.com)

• Dark Reading (https://www.darkreading.com)

Qualys Vulnerability Management Source: 

https://www.qualys.com

Qualys VM is a cloud-based service that gives you immediate, global visibility into where your IT systems might be vulnerable to the latest Internet threats and how to protect them. It helps you to continuously identify threats and monitor unexpected changes in your network before they turn into breaches.

Features:

■   Agent-based detection

It also works with the Qualys Cloud Agents, extending its network coverage to assets that cannot be scanned.

■    Constant monitoring and alerts

When  VM  is  paired  with  Continuous  Monitoring  (CM),  InfoSec  teams  are  proactively alerted about potential threats so problems can be tackled before turning into breaches.

■    Comprehensive coverage and visibility

It continuously scans and identifies vulnerabilities, protecting your IT assets on premises, in the cloud and mobile endpoints. Its executive dashboard displays an overview of your security posture and access to remediation details. VM generates custom, role-based reports for multiple stakeholders, including automatic security documentation for compliance auditors.

■   VM for the perimeter-less world

As enterprises adopt cloud computing, mobility, and other disruptive technologies for digital transformation, Qualys VM offers next-generation vulnerability management for these hybrid IT environments whose traditional boundaries have been blurred.

■    Discover forgotten devices and organize your host assets

With Qualys, you can quickly determine what is actually running in the different parts of your network—from your perimeter and corporate network to virtualized machines and cloud services. Uncover unexpected access points, web servers and other devices that can leave your network open to attack.

■   Scan for vulnerabilities everywhere, accurately and efficiently

Scan systems anywhere from the same console: your perimeter, your internal network, and cloud environments.

■    Identify and prioritize risks

Using Qualys, you can identify the highest business risks using trend analysis, Zero-Day and Patch impact predictions.

■    Remediate vulnerabilities

Qualys'  ability  to  track  vulnerability  data  across  hosts  and  time  lets  you  use  reports interactively to better understand the security of your network.

Nessus Professional

Source: https://www.tenable.com

Nessus Professional is an assessment solution for identifying vulnerabilities, configuration issues, and malware that attackers use to penetrate networks. It performs vulnerability, configuration, and compliance assessment. It supports various technologies such as operating systems, network devices, hypervisors, databases, tablets/phones, web servers and critical infrastructure.

Nessus is the vulnerability scanning platform for auditors and security analysts. Users can schedule scans across multiple scanners, use wizards to easily and quickly create policies, schedule scans and send results via email.

Features:

■    High-speed asset discovery

■   Vulnerability assessment

■    MaIware/Botnet detection

■    Configuration and compliance auditing

■   Scanning and auditing of virtualized and cloud platforms

GFI LanGuard

Source: https://www.gfi.com

GFI LanGuard scans, detects, assesses and rectifies security vulnerabilities in your network and connected devices. It scans the network and ports to detect, assess, and correct security vulnerabilities, with minimal administrative effort. It scans your operating systems, virtual environments and installed applications through vulnerability check databases. It enables you to  analyze the state of your network security, identify risks and address how to take action before it is compromised.

Features:

■    Patch management for operating systems and third-party applications

■   Vulnerability assessment

■    Web reporting console

■   Track latest vulnerabilities and missing updates

■    Integration with security applications

■    Network device vulnerability checks

■    Network and software auditing

■   Support for virtual environments

Qualys FreeScan

Sou rce: https://freescan. qualys.com

Qualys FreeScan service enables you to safely and accurately scan your network, servers, desktops and web apps for security threats and vulnerabilities. It is a free vulnerability scanner and network security tool for business networks. FreeScan is limited to ten (10) unique security scans of Internet accessible assets. It provides a detailed report that can be used to correct and fix security threats proactively.

Features:

■   Scans computers and apps on the Internet or in the network

■    Detects security vulnerabilities and the patches needed to fix them

 ■    Enables viewing of interactive scan reports by threat or by patch

 ■   Tests websites and apps for OWASP Top Risks and malware 

■   Tests computers against SCAP security benchmarks

Nikto

Source: https://cirt.net

Nikto is an Open Source (GPL) web server scanner that performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software.

Features:

■   SSL Support (Unix with OpenSSL or maybe Windows with ActiveState's Perl/NetSSL)

■    Full HTTP proxy support

■    Checks for outdated server components

■   Saves reports in plain text, XML, HTML, NBE or CSV

■   Template engine to easily customize reports

■    Scans multiple ports on a server, or multiple servers via input file

■    LibWhisker's IDS encoding techniques

■    Identifies installed software via headers, favicons and files

■    Host authentication with Basic and NTLM

■    Subdomain guessing

■   Apache and cgiwrap username enumeration

■    Scan tuning to include or exclude entire classes of vulnerability checks

■    Guesses credentials for authorization realms (including many default id/pw combos)

OpenVAS

Source: http://www.openvas.org

OpenVAS is a framework of several services and tools offering a comprehensive and powerful vulnerability scanning and vulnerability management solution. The framework is part of Greenbone Networks' commercial vulnerability management solution from which developments are contributed to the Open Source community since 2009.

The   actual   security   scanner   is   accompanied   with   a   regularly   updated   feed   of   Network Vulnerability Tests (NVTs), over 50,000 in total.

Retina CS

Sou rce: https://www. beyondtrust. com

Retina CSis a vulnerability management software solution designed to provide organizations with context-aware vulnerability assessment and risk analysis. Retina's result-oriented architecture works with users to proactively identify security exposures, analyze business impact, and plan and conduct remediation across disparate and heterogeneous infrastructure. Retina CS Enterprise Vulnerability Management software enables you to:

■    Discover network, web, mobile, cloud, virtual and loT infrastructure

 ■    Profile asset configuration and risk potential

■    Pinpoint vulnerabilities, malware and attacks

■   Analyze threat potential and return on remediation

■    Remediate vulnerabilities via integrated patch management (optional)

 ■    Report on vulnerabilities, compliance, benchmarks, etc.

■    Protect endpoints against client-side attacks

Vulnerability Assessment Tools

Listed below are some of the vulnerability assessment tools:

■    Core Impact Pro (https://www.coresecurity.com)

■    N-Stalker Web Application Security Scanner X Enterprise Edition (https ://www. nstalker. com)

■   Acunetix Web Vulnerability Scanner (https://www.acunetix.com)

■    Nipper Studio (https://www.titania.com)

■    Nexpose (https://www.rapid7.com)

■   Secunia Personal Software Inspector (PSI) (https://secuniaresearch.flexerasoftware.com)

■    Burp Suite (https://www.portswigger.net)

■    Nsauditor Network Security Auditor (http://www.nsauditor.com)

■   ScanLine (https://www.mcafee.com)

■    Nmap (https://nmap.org)

Vulnerability Assessment Tools for Mobile

■ Retina CS for Mobile

Source: https://www.beyondtrust.com

Retina CSfor Mobile is the industry's innovative approach to security, policy, and health management for mobile devices. It provides comprehensive vulnerability management for mobile devices, smart phones, and tablets. It integrates mobile device assessment and vulnerability management for proactively discovering, prioritizing, and fixing smartphone security weaknesses.

Features:

o Reduce risk across BlackBerry, Android, and ActiveSync-managed mobile devices o Access reports locally via the mobile app and alongside enterprise vulnerability data

in the Beyondlnsight console

o Ease compliance via in-depth mobile vulnerability management audit trails o Reveal vulnerability profiles of mobile devices accessing the network

o Streamline remediation through severity-based mobile threat prioritization o Audit mobile device hardware, applications, and configurations

o Rely on automatic vulnerability audit updates from BeyondSaaS

■   SecurityMetrics Mobile

Source: https ://www.s ecu ritymetrics.com

SecurityMetrics Mobile is a mobile defense tool that helps to identify mobile device vulnerabilities to protect the customer's sensitive data. It helps to avoid threats that originate from mobile malware, device theft, Wi-Fi network connectivity, data entry, personal and business use, unwarranted app privileges, data and device storage, account data access, Bluetooth, Infrared (IR), Near-field communication (NFC), and SIM and SD cards.

SecurityMetrics MobileScan complies with PCI SSC (Payment Card Industry Security Standards Council) guidelines to prevent mobile data theft. On completion of a scan, the report generated comprises of a total risk score, summarization of discovered vulnerabilities, and recommendations on how to resolve threats.

Listed below are some of the vulnerability scanning tools for mobile devices:

■    Nessus (https://www.tenable.com)

■    Net Scan (https://www.play.google.com)

■    IP Tools: Network utilities (http://www.apkmonk.com) 

■    Network Scanner (https://www.play.google.com)

Analyzing Vulnerability Scanning Report

A vulnerability assessment report will provide detailed information on the vulnerabilities that are found in the computing environment. The report will help organizations to identify the security posture found in the computing systems (such as web servers, firewalls, routers, email, and file services) and provide solutions to reduce failures in the computing system.

The assessment report helps organizations to take mitigation steps to proactively avoid the risks by identifying, tracking and eliminating the security vulnerabilities.

Vulnerability reports cover the following elements:

■   Scan information: This part of the report provides information such as the name of the scanning tool, its version, and the network ports that have to be scanned.

■   Target information: This part of the report contains information about the target system's name and address.

■    Results: This section provides a complete scanning report. It contains subtopics such as target, services, vulnerability, classification, and assessment.

■   Target: This subtopic includes each host's detailed information. It contains the following information:

o <Node>: Contains the name and address of the host o <OS>: Shows the operating system type

o <Date>: Gives the data of the test

■ Services: The subtopic defines the network services by their names and ports.

■   Classification: This subtopic allows the system administrator to obtain additional information about the scanning such as origin of the scan.

■   Assessment: This class provides information regarding the scanner's assessment of the vulnerability.

Vulnerability assessment reports are classified into two types:

■   Security Vulnerability Report 

■   Security Vulnerability Summary

Security Vulnerability Report

This is a combined report for all the scanned devices and servers in the organization's network. The security vulnerability report includes the following details:

■    Newly found vulnerability

■    Open port and detected services

 ■   Suggestion for remediation

■    Links to patches 

Security Vulnerability Summary

This report is produced for every device or server after scanning. It gives the summary of the scan result that includes the following elements:

■    Current security flaws

■    Categories of vulnerabilities

■    New security vulnerabilities detected 

■   Severity of vulnerabilities

■    Resolved vulnerabilities