Vulnerability Identification and Validation

  • What to scan?

    • Asset criticality

      • How important is an asset?

      • Not everything is critical.

      • People

      • Tangible assets

      • Intangible assets

    • Asset and Inventory Tracking

      • Use a dedicated tool.

      • Type, model, SN, ID, location, user, value, service

      • Group by: usage, networks, sensitivity, outside connections, financial value, legal requirements, contractual obligations

    • Infrastructure Vulnerability Scanner

      • Not nmap

      • Scans hosts and network devices

      • Looks for vulns in:

        • OS version and patches

        • Services

        • Configuration

        • Network shares

        • User accounts

        • Weak security policies

      • Mapping and Enumeration

        • Inventory of devices, services, versions, plugins, etc.

      • Passive Scanning

        • Look for public info.

        • Capture network traffic

        • Don’t get involved!

        • Don’t interact with the target

        • Zero impact on network and services

        • Cannot be detected (mostly)

      • Active Scanning

        • Directly interact with the target

        • Actively send requests and analyze answers

        • Visible and noisy

        • Can create performance issues and downtime

        • Easily detected

      • Credentialed Scan

        • Relies on a user account

        • Scanner logs into the targets

        • Performs checks using that account

        • Insider point of view

        • Highest level of detail provided

      • Non-Credentialed Scan

        • No user account

        • Outsider point of view

        • Best for perimeter scanning

        • Trial and error

        • Not so accurate

        • Higher risk of downtime

      • Server-based scanning

        • Connect to the server and scan

        • Credentialed and non-credentialed

      • Agent-based scanning

        • Application, plugin, script installed on the server

        • Acts as the backdoor for the scanning software

        • Advantages

          • Credentialed by default

          • Efficient resource usage

          • Works with offline devices

        • Disadvantages

          • Need to install and manage agents

          • Vulnerable backdoor

      • Segmentation: subnets, VLANs, VPNs. Reachability? Consider using a dedicated management network.

      • Frequency of scanning

        • Keep in mind

          • Service degradation

          • Time constraints

          • Licensing limitations

        • So scan at least when

          • Something changes

          • Regulations say so

          • After a security breach
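The inventory, criticality, scan-mode and scan-frequency points above, pulled together as an added example (not part of these notes): a small asset inventory that scores criticality, picks credentialed vs. non-credentialed scanning by placement, and decides when a rescan is due. The 1..5 value scale, the score weights, the 7/30/90-day cadences and the sample records are constructed assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Asset:  # one inventory record: type, model, SN, ID, location, user, value, services
    asset_id: str
    kind: str
    model: str
    serial: str
    location: str
    owner: str
    value: int             # business value on an assumed 1..5 scale
    services: list[str]
    network: str           # e.g. "dmz", "internal", "mgmt"
    sensitivity: str       # "public", "internal" or "confidential"
    internet_facing: bool  # outside connection: the outsider view matters
    regulated: bool        # legal or contractual scanning obligation

def criticality(a: Asset) -> int:
    """Score 1..10: not everything is critical, so weight value, sensitivity and exposure."""
    score = a.value + {"public": 0, "internal": 1, "confidential": 3}[a.sensitivity]
    return min(score + (2 if a.internet_facing else 0), 10)

def scan_plan(a: Asset) -> dict[str, object]:
    """Pick scan mode and baseline cadence from criticality and placement."""
    c = criticality(a)
    # Perimeter hosts: outsider (non-credentialed) view; internal hosts: credentialed from the mgmt network.
    mode = "non-credentialed" if a.internet_facing else "credentialed"
    interval = 7 if c >= 8 else 30 if c >= 5 else 90
    return {"asset": a.asset_id, "criticality": c, "mode": mode, "interval_days": interval}

def rescan_needed(a: Asset, changed: bool, breach: bool, days_since_scan: int) -> bool:
    """Scan at least when something changes, regulations say so, or after a breach."""
    regulatory_due = a.regulated and days_since_scan >= 30  # assumed monthly obligation
    return changed or breach or regulatory_due or days_since_scan >= scan_plan(a)["interval_days"]

def group_by(assets: list[Asset], attr: str) -> dict[str, list[str]]:
    """Group asset IDs by any inventory attribute (network, sensitivity, location, ...)."""
    groups: dict[str, list[str]] = defaultdict(list)
    for a in assets:
        groups[str(getattr(a, attr))].append(a.asset_id)
    return dict(groups)

INVENTORY = [  # constructed sample records, not real assets
    Asset("web-01", "server", "R740", "SN-C1", "DC1", "web-team", 4, ["https"], "dmz", "internal", True, False),
    Asset("db-01", "server", "R740", "SN-C2", "DC1", "dba", 5, ["postgres"], "internal", "confidential", False, True),
    Asset("lt-0042", "laptop", "X1", "SN-C3", "HQ", "alice", 2, [], "internal", "internal", False, False),
]
```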

  • Choosing a scanner

    • Free vs paid?

    • General purpose or specialized?

    • Nessus – Paid. Free for a limited number of hosts

    • OpenVAS – Fork of Nessus

    • Qualys – Cloud-based service with sensors installed on networks
