Vulnrability Assesment

Resources

• Core
  • PCI security standars : https://www.pcisecuritystandards.org/
  • HIPAA : https://www.hhs.gov/programs/hipaa/index.html
  • Federal Information Security : http://cisa.gov/topics/cyber-threats-and-advisories/federal-information-security-modernization-act
  • International Organization for Standardization (ISO) : https://www.iso.org/standard/27001
  • Penetration Testing Execution Standard (PTES) : http://www.pentest-standard.org/
  • Open Source Security Testing Methodology Manual (OSSTMM) : https://www.isecom.org/OSSTMM.3.pdf
  • National Institute of Standards and Technology (NIST) : https://www.nist.gov/cyberframework/quick-start-guides
  • Open Web Application Security Project (OWASP) : https://owasp.org/
  • CVSS calc : https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
  • OVAL : https://github.com/OVAL-Community/OVAL || https://medium.com/@Loginsoft/open-vulnerability-assessment-language-oval-in-a-nutshell-861bbeccfb33
  • Common Vulnerabilities and Exposures (CVE) : https://www.cve.org/ || https://cveform.mitre.org/

Notes

Security Audit

Vulnerability assessments are performed because an organization chooses to conduct them, and they can control how and when they’re assessed. Security audits are different. Security audits are typically requirements from outside the organization, and they’re typically mandated by government agencies or industry associations to assure that an organization is compliant with specific security regulations.

Steps to Performing a Network Vulnerability Assessment

1. Risk Identification and Analysis:
   • Compile a complete inventory of all network assets (endpoints, servers, firewalls, etc.).
   • Assign an owner and determine the business value of each asset.
   • Identify potential threats and risks for each asset.
2. Develop Scanning Policies and Procedures:
   • Define the scope of the assessment (internal, external, etc.).
   • Establish clear rules of engagement, including scan timing and aggressiveness.
   • Get formal approval from management to begin the process.
3. Identify Vulnerability Scan Types:
   • Determine the best scanner for each area.
   • Network-based: Scans the network for open ports, services, and vulnerabilities.
   • Host-based: Scans individual systems (servers, workstations) for misconfigurations, patch levels, and local vulnerabilities.
   • Application-based: Scans web applications for flaws like XSS or SQLi.
   • Wireless-based: Scans Wi-Fi networks for weak encryption and unauthorized access points.
4. Configure the Scan:
   • Set up the vulnerability scanning tools.
   • Define the target IP ranges and hosts.
   • Schedule the scan time, duration, and aggressiveness level to minimize business disruption.
5. Perform the Scan:
   • Execute the configured scans against the target environment.
   • Monitor the scan in progress to ensure it is running correctly and not causing network instability.
6. Evaluate and Consider Risks:
   • Analyze the raw scan results and remove any false positives.
   • Prioritize vulnerabilities based on severity (e.g., Critical, High, Medium, Low) and exploitability.
   • Evaluate the potential business impact if a critical vulnerability were to be exploited.
7. Interpret Scan Results:
   • Study the prioritized list of vulnerabilities.
   • Understand the root cause of each critical issue.
   • Correlate findings to identify systemic weaknesses in the network.
8. Create a Remediation and Mitigation Plan:
   • Create a detailed action plan to address the identified vulnerabilities.
   • Assign tasks to the IT staff and budget the necessary time and resources.
   • Implement the plan (e.g., apply patches, close ports, update configurations) and schedule a follow-up scan to verify the fixes.

Risk vs Threat vs Vulnerabilities

• Risk: something bad that could happen
• Threat: something bad that is happening
• Vulnerabilities: weaknesses that could lead to a threat