11 14 2024 - rtji0/Arthur-Tech-Journal GitHub Wiki

11-14-2024

Vulnerability Management

Vulnerability Scanning

  • Examination of an organization's security to uncover weaknesses

  • Understanding the basics of a vulnerability scan, the sources of data needed for scanning, the decisions that must be made in scans, running and analyzing scans, and addressing reported vulnerabilities

  • Red hat ("offensive security") - pen tester / ethical hacker type

Vulnerability Scan Basics

  • Ongoing automated process used to identify weaknesses and monitor info security progress

  • There are specialized types of vulnerability scans; one type scans applications. Many apps use open-source libraries, which are not centrally owned, so attackers frequently infect open-source libraries with malware

  • Package monitoring tools - used to continuously analyze apps for vulnerabilities

  • Scan issues - the volume of scan data, identifying vulnerabilities, technical limitations, and remediation

Sources of Threat Intelligence

  • Threat Intelligence - data collected, processed, and analyzed to understand a threat actor's motives, targets, and attack behaviors

  • Sometimes threat intel data is owned by an entity and not available to outsiders

  • Some large enterprises hire people to uncover security bugs in their products (a bug bounty program)

  • Three levels of the web: Clear Web, Deep Web, and Dark Web


Scanning Decisions

  • What should be scanned? Before performing a scan, it is important to know the value of specific data

  • Data is classified into groups that require similar protections, e.g. confidential, private, sensitive, critical, public, and restricted

  • Once data has been classified, its value can be determined, and the type and frequency of scans can be decided


  • Active Scanning - sends test traffic transmissions into the network and monitors the responses of the endpoints

  • Passive Scanning - does not send any transmissions but instead only listens to normal traffic to learn the needed info

  • Internal vulnerability scan - performed from the vantage point inside the internal network

  • External vulnerability scan - performed from a vantage point outside the network

  • When should it be scanned?

  • Spread out scans to run at specific times

  • Move scans to "off hours" to avoid interference

  • Specific regulations can dictate how frequently a vulnerability scan must be performed

  • Risk Appetite - an organization's tolerance for exposure to vulnerabilities; an organization with a low risk appetite may scan more frequently
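The scanning decisions above (classification drives frequency, risk appetite tightens or relaxes it, regulations set a floor, and scans are spread across off hours) combined into one small scheduler. This is an added example, not code from the original notes or any scanner product; the classification tiers, the interval numbers, the risk-appetite factors, the regulation names and the asset inventory are all assumptions constructed for illustration.

```python
"""Turn data classification, risk appetite and regulatory minimums into a scan
schedule that runs during off hours.  Added example, not from the original
notes; every tier, interval and asset below is an assumption made for
illustration."""
from datetime import datetime, timedelta

# Assumed baseline interval in days per data classification group
# (the groups come from the notes; the numbers are constructed).
BASE_INTERVAL_DAYS = {
    "restricted": 1, "critical": 3, "confidential": 7,
    "sensitive": 14, "private": 14, "public": 30,
}

# Assumed effect of risk appetite: a low appetite for exposure halves the
# interval, a high appetite doubles it.
RISK_APPETITE_FACTOR = {"low": 0.5, "medium": 1.0, "high": 2.0}

# Assumed regulatory ceilings ("scan at least every N days"); a regulation
# can only make scanning more frequent, never less.
REGULATORY_MAX_DAYS = {"none": None, "monthly": 30, "quarterly": 90}


def effective_interval_days(classification, risk_appetite, regulation="none"):
    """Most restrictive of the appetite-adjusted interval and the regulatory ceiling."""
    interval = BASE_INTERVAL_DAYS[classification] * RISK_APPETITE_FACTOR[risk_appetite]
    ceiling = REGULATORY_MAX_DAYS[regulation]
    if ceiling is not None:
        interval = min(interval, ceiling)
    return max(1, int(interval))  # never less than daily, whole days only


def build_scan_plan(assets, risk_appetite, now, window_start_hour=22, window_hours=7):
    """Give every asset its interval and a staggered start time inside the next
    off-hours window, so scans do not all fire at once and interfere with each
    other or with production traffic."""
    window_start = now.replace(hour=window_start_hour, minute=0, second=0, microsecond=0)
    if window_start <= now:
        window_start += timedelta(days=1)
    step = timedelta(hours=window_hours) / max(1, len(assets))
    plan = []
    for i, asset in enumerate(sorted(assets, key=lambda a: a["name"])):
        plan.append({
            "asset": asset["name"],
            "interval_days": effective_interval_days(
                asset["classification"], risk_appetite, asset.get("regulation", "none")),
            "next_run": window_start + i * step,
        })
    return plan


# Constructed inventory for illustration (hypothetical host names).
ASSETS = [
    {"name": "db-01", "classification": "restricted"},
    {"name": "web-01", "classification": "public", "regulation": "monthly"},
    {"name": "hr-01", "classification": "confidential"},
    {"name": "file-01", "classification": "private"},
]

if __name__ == "__main__":
    for entry in build_scan_plan(ASSETS, "low", datetime(2024, 11, 14, 10, 0)):
        print(entry)
```

Note that the regulatory ceiling is applied after the risk-appetite factor: a high appetite cannot stretch a "monthly" asset past 30 days, but a low appetite can still pull it well under that.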

Running a Vulnerability Scan


  • Credentialed scan - valid auth credentials are supplied to the vulnerability scanner to mimic the work of a threat actor with those credentials

  • Non-credentialed scan - scan with no authentication info
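To show the difference between the two scan types, and to give the package-monitoring bullet under Vulnerability Scan Basics a concrete form, here is an added example that compares what each view reports for the same hosts. It is not code from the original notes or any scanner product. Every host, package, version and advisory id is constructed; the `fixed_package` field models the common situation where a distribution backports a fix into an older-numbered package, which a banner-only scan cannot see.

```python
"""Compare what a non-credentialed scan (service banners only) and a
credentialed scan (installed package list) report for the same hosts.
Added example, not from the original notes: every host, package, version
and advisory below is constructed for illustration."""

# Constructed advisories.  'fixed_upstream' is the version the project
# released the fix in; 'fixed_package' is the (assumed) distribution
# package revision that backported that fix.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "package": "demo-httpd",
     "fixed_upstream": "2.4.2", "fixed_package": "2.4.1-3"},
    {"id": "ADV-EXAMPLE-0002", "package": "demo-imglib",
     "fixed_upstream": "1.1.0", "fixed_package": "1.0.3-1"},
]

# Constructed hosts: 'banners' is all an unauthenticated scan can observe
# over the network; 'packages' is what the scanner sees after logging in.
HOSTS = {
    "app-01": {"banners": ["demo-httpd/2.4.1"],
               "packages": {"demo-httpd": "2.4.1-3", "demo-imglib": "1.0.2-1"}},
    "app-02": {"banners": ["demo-httpd/2.3.9"],
               "packages": {"demo-httpd": "2.3.9-1"}},
}


def parse_version(text):
    """Turn 'upstream[-revision]' into comparable tuples: '2.4.1-3' -> ((2, 4, 1), 3)."""
    upstream, _, revision = text.partition("-")
    return tuple(int(part) for part in upstream.split(".")), int(revision or 0)


def non_credentialed_scan(hosts=HOSTS, advisories=ADVISORIES):
    """Flag a host when a banner's upstream version predates the upstream fix.
    Banners cannot show backported patches, so this view over-reports."""
    findings = set()
    for host, data in hosts.items():
        for banner in data["banners"]:
            name, _, version = banner.partition("/")
            for adv in advisories:
                if adv["package"] != name:
                    continue
                if parse_version(version)[0] < parse_version(adv["fixed_upstream"])[0]:
                    findings.add((host, adv["id"]))
    return findings


def credentialed_scan(hosts=HOSTS, advisories=ADVISORIES):
    """Flag a host when an installed package is older than the fixed package
    revision.  Also covers packages that expose no network banner at all
    (e.g. local libraries), which the unauthenticated view never sees."""
    findings = set()
    for host, data in hosts.items():
        for adv in advisories:
            installed = data["packages"].get(adv["package"])
            if installed and parse_version(installed) < parse_version(adv["fixed_package"]):
                findings.add((host, adv["id"]))
    return findings


def compare_scans(hosts=HOSTS, advisories=ADVISORIES):
    """Show where the two views disagree: banner-only false positives and
    vulnerabilities the unauthenticated scan had no chance to observe."""
    unauth = non_credentialed_scan(hosts, advisories)
    auth = credentialed_scan(hosts, advisories)
    return {
        "non_credentialed": unauth,
        "credentialed": auth,
        "false_positives": unauth - auth,
        "missed_by_non_credentialed": auth - unauth,
    }


if __name__ == "__main__":
    for label, findings in compare_scans().items():
        print(f"{label}: {sorted(findings)}")
```

With the constructed data, the banner-only scan flags app-01 for ADV-EXAMPLE-0001 even though the installed package already carries the backported fix (a false positive), and it never sees demo-imglib on app-01 at all (a miss). Both scans agree on app-02, which genuinely runs an old version. This is the practical reason a credentialed scan is preferred where credentials can be supplied safely: it reduces both the noise and the blind spots that drive the "volume of scan data" and "identifying vulnerabilities" issues noted above.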