Vulnerability Management - Paiet/Tech-Journal-for-Everything GitHub Wiki

Vulnerability Management: Scan Configuration

  • Establish scanning frequency

  • How often you scan will depend on a few things

    • Risk appetite
      • Risk-averse company? Higher scan frequency
    • Regulatory requirements
      • Dictated scan frequency
    • Technical constraints
      • Limited hardware/network performance can force a lower scan frequency
    • Workflow
      • Lower scan frequency during peak work hours
  • Configure tools to perform scans according to specification
  • DEMO: Work your way through an OpenVAS task setup

  • Determine scanning criteria

    • Sensitivity levels
    • Vulnerability feed
    • Scope
      • What systems will be included in the scan?
      • How will you verify that the systems are online to be scanned?
      • What tests will be performed?
    • Credentialed vs. non-credentialed
      • Credentialed scan looks at the system from "over the wall"
        • More of an "insider threat" view
      • Non-credentialed scan looks more like an outside attacker's view
    • Types of data
    • Server-based vs. agent-based
  • Tool updates/plug-ins

    • Security Content Automation Protocol (SCAP)
      • https://csrc.nist.gov/Projects/Security-Content-Automation-Protocol/SCAP-Releases/SCAP-1-2
      • Common Configuration Enumeration (CCE)
      • Common Platform Enumeration (CPE)
        • A structured naming scheme for information technology systems, software, and packages
      • Common Vulnerabilities and Exposures (CVE)
        • Provides a reference method for publicly known information-security vulnerabilities and exposures
        • Format: CVE-Year-ArbitraryNumbers
        • https://cve.mitre.org
      • Common Vulnerability Scoring System (CVSS)
        • A system for defining specific aspects of a vulnerability and assigning a value/score to them
          • The score defines the severity of the vuln's aspects and overall severity
        • https://www.first.org/cvss/calculator/3.0
      • Extensible Configuration Checklist Description Format (XCCDF)
        • Language for creating checklists and reporting checklist results
      • Open Vulnerability and Assessment Language (OVAL)
        • A language for specifying low-level testing procedures used by checklists
    • Permissions and access

Vulnerability Management: CVSS

  • Common Vulnerability Scoring System (CVSS)

  • Version 2

    • https://www.first.org/cvss/v2/guide
    • Specs finalized in 2007
    • Base Metrics
      • Access Vector (AV)
        • Describes how an attacker would exploit a vulnerability
          • Local (L)
            • Physical access is required
              • OR Local account access
                • Pivot from remote access through Priv Esc to local account
            • Score: 0.395
          • Adjacent Network (A)
            • Access to local network that affected system is connected to
              • Broadcast domain
              • Collision domain
                • ARP Spoofing
                • Bluetooth attack
            • Score: 0.646
          • Network (N)
            • Remote access via OSI Layer 3 or above
              • Remote buffer overflow of network service
            • Score: 1.000
      • Access Complexity (AC)
        • Describes ease/difficulty of exploiting a vulnerability
          • High (H)
            • "Specialized conditions" (see below) exist that allow for the vulnerability
              • Attacker requires elevated privileges to exploit
              • Suspicious social engineering tactics required to exploit
              • Vuln conditions rarely seen in wild
            • Score: 0.350
          • Medium (M)
            • "Somewhat specialized conditions" required to exploit
              • Attacker limited to systems/users requiring some authorization
              • Additional info required to launch successful attack
              • Vulnerable config is non-default and/or not commonly configured
              • Some social engineering required for successful attack
                • Some users may not detect social engineering deceit
            • Score: 0.610
          • Low (L)
            • NO specialized conditions required to exploit
              • Allows untrusted and/or anonymous access
              • Default configurations
              • Can be manually performed
              • Requires little to no advanced skill sets
            • Score: 0.710
      • Authentication (Au)
        • Amount of authentication "roadblocks" that must be bypassed to launch successful attack
          • Multiple (M)
            • Attacker must authenticate 2 or more times before successful attack
            • Score: 0.450
          • Single (S)
            • Attacker must authenticate once before successful attack
            • Score: 0.560
          • None (N)
            • No authentication needed for successful attack
            • Score: 0.704
      • Confidentiality Impact (C)
        • Describes loss of confidentiality of data (data disclosure)
          • None (N)
            • No breach of confidentiality occurs
            • Score: 0.000
          • Partial (P)
            • Access to data is possible, but attacker cannot control what data can be accessed
              • Attacker can access some database tables but not all
              • Attacker takes what they can get scenario
            • Score: 0.275
          • Complete (C)
            • Total data disclosure
              • Attacker has access to all system files
            • Score: 0.660
      • Integrity Impact (I)
        • Measures the attacker's ability to modify data on the compromised system
          • None (N)
            • No impact to system/data integrity occurs
            • Score: 0.000
          • Partial (P)
            • Modification of data is possible, but attacker cannot control what data can be modified
              • Attacker can modify files in a limited scope or context
              • Attacker modifies what they can get scenario
            • Score: 0.275
          • Complete (C)
            • Total data modification
              • Attacker can modify any file on the system
            • Score: 0.660
      • Availability Impact (A)
        • Measures impact to access of IS resources like network bandwidth, disk space, CPU, network services, etc.
          • None (N)
            • No disruption of availability
            • Score: 0.000
          • Partial (P)
            • System performance is reduced or resource access is interrupted
              • DDoS that limits legitimate response from network service
            • Score: 0.275
          • Complete (C)
            • Total blackout of IS resource
            • Score: 0.660
    • Calculating the CVSS Base Score
      • Base Score = ((0.6 x Impact) + (0.4 x Exploitability) - 1.5) x Impact Function
        • Impact Score = 10.41 x (1 - (1 - C) x (1 - I) x (1 - A))
        • Exploitability Score = 20 x AV x AC x Au
        • Impact Function Score
          • Equals 0 if Impact Score is 0
          • Equals 1.176 if Impact Score is anything other than 0
  • Categorization of CVSS Base Scores

    • Less than 4.0 = Low
    • Greater than or equal to 4.0 BUT Less than 6.0 = Medium
    • Greater than or equal to 6.0 BUT less than 10.0 = High
    • 10.0 = Critical

Vulnerability Management: Remediation

  • Execute scanning

  • Generate reports

  • Automated vs. manual distribution

  • Remediation

  • Prioritizing

    • Criticality
      • CVSS score can help in deducing this
    • Difficulty of implementation
      • Top vulns may take considerable effort to fix
      • Vulns with more moderate fix complexity could be done relatively quickly
      • Which one should you address first?
  • Communication/change control

    • Perform proper change management when implementing remediation
      • Documents the changes
      • Protects the worker in many ways
      • Proves buy-in from management
  • Sandboxing/testing

    • It is a wise idea to test remediation changes BEFORE pushing to prod
  • Inhibitors to remediation

    • Memorandums of Understanding (MOUs)
      • Agreement by two or more parties
        • Lays out responsibilities of each party involved
      • Used when parties don't want to create a legally binding agreement
        • Or when no legally enforceable agreement can be made
      • Gentleman's agreement
    • SLAs
    • Organizational governance
    • Business process interruption
    • Degrading functionality
      • Network may slow down
      • User/consumer experience may be less than optimal
        • Causing loss of customers/revenue
  • Ongoing scanning and continuous monitoring
  • Not a "one-and-done" operation

  • Your environment is constantly evolving and changing

  • Revolving scans

    • Doesn't scan everything at set intervals
      • Rotates assets in
        • Scans run whenever scanning resources are available
  • Can be resource and bandwidth intensive

  • Better early detection

  • Continuous monitoring

    • Agent-based
    • Reports back to centralized management