Vulnerability Assessment
A vulnerability assessment is an evaluation of a system’s security and ability to meet compliance requirements based on the configuration state of the system.
- aka vulnerability testing/scanning
- determines if the current configuration matches the ideal configuration (baseline)
- might involve manual inspection of security controls
- performed internally and externally
- to see vulnerabilities from different viewpoints
- identified vulns are classified and prioritized for remediation
- often accomplished through automated vulnerability scanners
Vulnerability Assessment Steps
- Mapping Environments
- Start by creating a map of your environment that shows which devices are present on your network
- tools create these maps by interrogating every single IP address in the network range
- Performing discovery scans can be stressful to your network infrastructure
- possible to overload network devices
- Discovering New Hosts
- need to keep your lists of hosts up-to-date
- Can discover new hosts actively or passively
- Active discovery
- involves going IP by IP and interrogating each address to see whether anything responds
- Passive discovery
- involves placing a device at network choke points, such as routers or switches, to eavesdrop on the traffic flowing through your infrastructure
- can automatically
- discover devices as they talk on the network
- and add them to your lists of hosts to scan
- Scanning
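The passive-discovery step above (a sensor at a choke point watching who talks, then adding unknown talkers to the host list) is easy to show in code. The following is an added example, not part of the original notes and not from any scanner vendor: it consumes constructed flow records as a SPAN-port sensor might summarize them, keeps only addresses inside hypothetical in-scope ranges (`IN_SCOPE`), and reports which hosts are missing from the inventory (`KNOWN_HOSTS`) so they can be queued for the next scan. Nothing is sent on the network, which is the whole point of the passive approach.

```python
from ipaddress import ip_address, ip_network

# Constructed sample flow records, as a passive sensor on a switch SPAN port
# or router might summarize them: (source IP, destination IP, destination port).
SAMPLE_FLOWS = [
    ("10.0.1.10", "10.0.1.1", 53),
    ("10.0.1.10", "93.184.216.34", 443),   # outbound to the internet: out of scope
    ("10.0.1.25", "10.0.1.1", 53),
    ("10.0.2.7", "10.0.1.25", 22),
    ("10.0.2.7", "10.0.1.25", 22),
    ("10.0.2.200", "10.0.1.10", 445),
    ("192.168.99.5", "10.0.1.10", 80),     # source outside the in-scope ranges
]

# Hypothetical in-scope ranges and the host list from the last active sweep.
IN_SCOPE = [ip_network("10.0.1.0/24"), ip_network("10.0.2.0/24")]
KNOWN_HOSTS = {"10.0.1.1", "10.0.1.10", "10.0.1.25"}


def in_scope(ip, scope=IN_SCOPE):
    """True if the address falls inside one of the ranges we are allowed to scan."""
    addr = ip_address(ip)
    return any(addr in net for net in scope)


def passive_discover(flows, known_hosts, scope=IN_SCOPE):
    """Build a host inventory from observed traffic without sending a packet.

    Returns (seen, new_hosts): seen maps each in-scope IP to the set of
    destination ports it was contacted on (a hint of services worth scanning);
    new_hosts lists, in address order, the in-scope IPs missing from known_hosts.
    """
    seen = {}
    for src, dst, dport in flows:
        if in_scope(src, scope):
            seen.setdefault(src, set())            # a client counts as a host too
        if in_scope(dst, scope):
            seen.setdefault(dst, set()).add(dport)
    new_hosts = sorted((ip for ip in seen if ip not in known_hosts), key=ip_address)
    return seen, new_hosts


def update_inventory(known_hosts, flows, scope=IN_SCOPE):
    """Merge passively discovered hosts into the list used for the next scan."""
    seen, new_hosts = passive_discover(flows, known_hosts, scope)
    return known_hosts | set(new_hosts), new_hosts


if __name__ == "__main__":
    seen, new_hosts = passive_discover(SAMPLE_FLOWS, KNOWN_HOSTS)
    for ip in new_hosts:
        ports = sorted(seen[ip]) or "none (seen only as a client)"
        print(f"new host {ip}: observed ports {ports}")
```

Run it as-is and it lists the two addresses in 10.0.2.0/24 that the last sweep did not know about. Out-of-scope addresses are dropped before they can reach the host list, which matters when the scope is bounded by a cloud provider's rules or by someone else's address space.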
False Positives, False Negatives, and Log Review
- Vulnerability scan generates a summary report of all discoveries
- color-codes vulnerabilities based on their criticality
- red typically denoting a weakness that requires immediate attention
- Vulnerabilities can be reviewed by
- scope (most critical across all hosts)
- or by host
- include links to
- specific details about each vulnerability
- how issues can be remediated
- Possible results:
- False positive
- vulnerability scan incorrectly indicates that a vulnerability or misconfiguration is present when it is not
- active scanning reduces false positives
- True positive
- vulnerability scan correctly identifies a vulnerability
- False negative
- vulnerability scan incorrectly identifies that a vulnerability does not exist
- is a case that is not reported when it should be
- are the most concerning issue
- counteracted by
- running repeat scans periodically
- employing scanners from different vendors
- True negative
- vulnerability scan that correctly indicates that a system or device does not have a vulnerability
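The four result classes above, the "review by scope or by host" report layout, and the advice to counteract false negatives with a second vendor's scanner can all be worked through on constructed data. This is an added example, not from the original notes or any scanner product: `SCANNER_A` and `SCANNER_B` are made-up finding sets with placeholder ids (not real CVE numbers), `VERIFIED` is what manual inspection and log review confirmed, and the colour scheme beyond "red means immediate attention" is an assumption.

```python
# Constructed findings from two scanners: each reports (host, finding id) pairs.
# Finding ids are placeholders, not real CVE numbers.
SCANNER_A = {("10.0.1.10", "VULN-001"), ("10.0.1.10", "VULN-002"),
             ("10.0.1.25", "VULN-003"), ("10.0.2.7", "VULN-004")}
SCANNER_B = {("10.0.1.10", "VULN-001"), ("10.0.1.25", "VULN-003"),
             ("10.0.1.25", "VULN-005"), ("10.0.2.7", "VULN-004")}

# Constructed ground truth: what manual inspection and log review confirmed.
VERIFIED = {("10.0.1.10", "VULN-001"), ("10.0.1.25", "VULN-003"),
            ("10.0.1.25", "VULN-005"), ("10.0.2.7", "VULN-004"),
            ("10.0.2.7", "VULN-006")}

# Constructed severity ratings. Red for "critical" follows the notes;
# the remaining colours are an assumption.
SEVERITY = {"VULN-001": "critical", "VULN-002": "low", "VULN-003": "high",
            "VULN-004": "medium", "VULN-005": "critical", "VULN-006": "high"}
RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
COLOUR = {"critical": "red", "high": "orange", "medium": "yellow", "low": "green"}

HOSTS = {h for h, _ in VERIFIED | SCANNER_A | SCANNER_B}
# Every (host, check) pair a scanner could have reported; needed to count true negatives.
UNIVERSE = {(h, f) for h in HOSTS for f in SEVERITY}


def classify(reported, verified, universe=UNIVERSE):
    """Count a scanner's results as TP/FP/FN/TN against verified ground truth."""
    return {
        "tp": len(reported & verified),            # reported and really present
        "fp": len(reported - verified),            # reported but not present
        "fn": len(verified - reported),            # present but not reported
        "tn": len(universe - reported - verified), # absent and not reported
    }


def summarize(findings):
    """Order findings for review by scope (most critical first, across all hosts)
    and by host, tagging each row with its colour code."""
    rows = [(host, fid, SEVERITY[fid], COLOUR[SEVERITY[fid]]) for host, fid in findings]
    by_scope = sorted(rows, key=lambda r: (RANK[r[2]], r[0], r[1]))
    by_host = {}
    for host, fid, _, _ in by_scope:
        by_host.setdefault(host, []).append(fid)
    return {"by_scope": by_scope, "by_host": by_host}


if __name__ == "__main__":
    for name, result in (("scanner A", SCANNER_A), ("scanner B", SCANNER_B),
                         ("A and B combined", SCANNER_A | SCANNER_B)):
        print(name, classify(result, VERIFIED))
    for host, fid, sev, colour in summarize(SCANNER_A | SCANNER_B)["by_scope"]:
        print(f"{colour:>6}  {host:<10} {fid} ({sev})")
```

Running it shows the property the notes rely on: the combined report's false-negative count is never higher than either scanner's alone (a finding only has to be caught by one of them), while its false positives are the union of both, which is why the extra findings still need to be verified before remediation effort is spent on them.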
Technological Challenges for Vulnerability Assessments
The Cloud
Resources in the cloud add a twist to the tasks, processes, and technologies discussed here.
- cloud providers may have some specific rules in place for what you can and can’t do in their environments
- can change from one cloud provider to the next
- some vendors may not want you to scan devices in their environments at all
- In most infrastructure as a service (IaaS) models, you’ll likely be able to scan within certain boundaries and according to certain rules
- In platform as a service (PaaS) environments, vendors may restrict you to scanning with agents, as the infrastructure itself probably won’t be visible to you
- In software as a service (SaaS) environments, the provider probably won’t want you to scan at all
- devices and IPs may change frequently behind the scenes, so an address you scan may no longer belong to you
- to the provider, or to whoever now owns that address, your scan will look like attack traffic
Containers
A container is an entirely self-contained and ready-to-run virtualized instance, specifically designed to allow easy scaling up and down of portions of the environment seeing variable levels of load.
- E.g., a web server farm may see little load in the middle of the night and scale down to a few containers, then scale back up during the day
- require specialized vulnerability scanning tools