Analyzing Vulnerability Scans

Calculating the Exploitability Score

Analysts may calculate the exploitability score for a vulnerability using this formula: Exploitability = 20 x AccessVector x AccessComplexity x Authentication

Calculating the Impact Score

Analysts may calculate the impact score for a vulnerability using this formula. Impact = 10.41 x (1 - (1 - Confidentiality) x (1 - Integrity) x (1 - Availability)

Internet of Things (IoT)

Analysts may encounter the use of supervisory control and data acquisition (SCADA) systems, industrial control systems (ICSs), and other examples of the Internet of Things (IoT). - These systems allow the connection of physical devices and processes to networks and provide tremendous sources of data for organizations seeking to make their business processes more efficient and effective. *However, they also introduce new security concerns that may arise on vulnerability scans. As with any other device on a network, IoT devices may have security vulnerabilities and are subject to network-based attacks. However, it is often more difficult to patch IoT devices than it is to patch their traditional server counterparts because it is difficult to obtain patches. - IoT device manufacturers may become aware of an update is through a vulnerability scan or by proactively subscribing to the security bulletins issued by IoT device manufacturers. IoT devices also often have unique character

Missing Patches

Applying security patches to systems should be one of the core practices of any information security program, but this routine task if often neglected due to a lack of resources for preventive maintenance. - One of the most common alerts from a vulnerability scan is that one or more systems on the network are running an outdated version of an operating system or application and require security patch(es). *Testers may take advantage of these missing patches and exploit operating system weaknesses.

Arbitrary Code Executiojn

Arbitrary Code Execution vulnerabilities allow an attacker to run software of their choice on the targeted system. - This can be a catastrophic event, particularly if the vulnerability allows the attacker to run the code with administrative privileges. Remote code execution vulnerabilities are an even more dangerous subset of code execution vulnerabilities because the attacker can exploit the vulnerability over a network connection without having physical or logical access to the target system.

Virtual Network Issues

As data centers become increasingly virtualized, a significant amount of network traffic never actually touches a network. - Communication between virtual machines that reside on the same physical hardware can occur in memory without ever touching a physical network. For this reason, virtual networks must be maintained with the same attention to security that administrators would apply to physical networks. *This includes the use of virtual firewalls to control the flow of information between systems and the isolation of systems of differing security levels on different virtual network segments.

Buffer Overflows

Buffer overflow attacks occur when an attacker manipulates a program into placing more data into an area of memory than is allocated for that program's use. - The goal is to overwrite other information in memory with instructions that may be executed by a different process running on the system. Buffer overflow attacks are quite commonplace and tend to persist for many years after they are initially discovered.

Server and Endpoint Vulnerabilities

Computer systems are quiet complex. - Operating systems run on both servers and endpoints comprising millions of lines of code, and the differing combinations of applications they run makes each system fairly unique. It's no surprise, therefore, that many of the vulnerabilities detected by scans exist on server and endpoint systems, and these vulnerabilities are often among the most complex to remediate. - This makes them attractive targets for penetration testers.

Virtual Guest Issues

Cybersecurity analysts should think of each guest machine running in a virtualized environment as a separate server that requires the same security attention as any other device on the network. - Guest operating systems and applications running on the guest OS must be promptly patched to correct security vulnerabilities and otherwise well maintained. *There's no difference from a security perspective between a physical server and a virtualized server.

Vulnerabilities that can be detected by a Scanning System

Each vulnerability scanning system contains plug-ins able to detect thousands of possible vulnerabilities, ranging from major SQL injection flaws in web applications to more mundane information disclosure issues with network devices.

Spectre and Meltdown

Hardware may also contain intrinsic vulnerabilities that can be quite difficult to remediate. These vulnerabilities, named Spectre and Meltdown, exploit a feature of the chips known as speculative execution to allow processes to gain access to information reserved for other processes. *Detecting hardware-related vulnerabilities often requires the use of credentialed scanning, configuration management tools, or other approaches that leverage inside access to the system. - When significant new vulnerabilities are discovered, scanning vendors often provide a customized dashboard to assist cybersecurity analysts in identifying, tracking, and remediating the issue.

Internal IP Disclosure

IP addresses come in two different variants: Public IP addresses, which can be routed over the internet, and Private IP addresses, which can only be used on local networks. Any server that is accessible over the Internet must have a public IP address to allow that access, but the public IP address is typically managed by a firewall that uses the Network Address Translation (NAT) protocol to map the public address to the server's true, private IP address. - Systems on the local network can use the server's private addresses to access it directly, but remote systems should never be aware of that address. Servers that are not properly configured may leak their private IP addresses to remote systems. - This can occur when the system includes its own IP address in the header information returned in the response to an HTTP request. - The server is not aware that NAT is in u se, so it uses the private address in its response. *Attackers and penetration testers can use this information

Cross-site scripting

In a cross-site scripting (XSS) attack, an attack embeds scripting commands on a website that will alter be executed by an unsuspecting visitor accessing the site. - The idea is to trick a user visiting a trusted site into executing malicious code placed there by an untrusted third party. (Analysts discovering potential XSS vulnerabilities during a scan should work with developers to assess the validity of the result and implementation appropriate controls to prevent this type of attack, such as implementing input validation.

Documented Exceptions

In some cases, an organization may decide not to remediate a vulnerability for one reason. Unless analysts take some action to record these exceptions, vulnerability scans will continue to report them each time a scan runs. - It's good practice to document exceptions in the vulnerability management system so that the scanner knows to ignore them in future reports. *This reduces the level of noise in scan reports and increases their usefulness to analysts.

Injection Attacks

Injection attacks occur when an attacker is able to send commands through a web server to a backend system, bypassing normal security controls and fooling the backend system into believing that the request came from the web server. - The most common form of this attack is the SQL injection attack, which exploits web applications to send unauthorized commands to a backend database server. (Web applications often receive input from users and use it to compose a database query that provides results that are sent back to a user). The two best ways to protect against SQL injection attacks are input validation and the enforcement of least privilege restrictions on database access: - Input validation ensures that users don't provide unexpected text to the web server. - Least privilege restricts the tables that may be accessed to a web server and can prevent the retrieval of credit card information by a process designed to handle catalog information requests. (Vulnerability scanners c

Trend Analysis

Managers should watch overall trends in vulnerabilities, including the number of new vulnerabilities arising over time, the age of existing vulnerabilities, and the time required to remediate vulnerabilities.

Debug Modes

Many application development platforms support debug modes that give developers crucial information needed to troubleshoot applications in the development process. - Debug modes typically provide detailed information on the inner working of an application and server as well as supporting databases. Although this information can be useful to developers, it can inadvertently assist an attacker seeking to gain information about the structure of a database, authentication mechanisms used by an application, or other details.

Firmware Vulnerabilities

Many hardware devices contain firmware: computer code stored in nonvolatile memory on the device, where it can survive a reboot of the device. - Firmware often contains the device's operating system and/or configuration information. (This code may contain vulnerabilities) (In many cases, this code resides out of sight of the IT team since it is initially provided by the manufacturer and often both lacks an automatic update mechanism and any integration with enterprise monitor the firmware in use in their organizations and develop an updating procedure that applies security updates as they are released. For penetration testers, firmware vulnerabilities present a unique opportunity because they often remain unpatched. - A tester may use a firmware vulnerability in a nonstandard computing device to gain a foothold on a network and then pivot to other systems.

Insecure Protocol Use

Many of the older protocols used on networks in the early days of the Internet were designed without security in mind. - They often failed to use encryption to protect usernames, passwords, and the content sent over an open network, exposing the users of the protocol to eavesdropping attacks. - Telnet is one example of an insecure protocol used to gain command line access to a remote server. - The File Transfer Protocol (FTP) provides the ability to transfer files between systems but does not incorporate security features. (The solution is to simply switch to a more secure protocol. - Encrypted alternatives exist for both Telnet and FTP. - System administrators can use the Secure Shell (SSH) as a secure replacement for Telnet when seeking to gain command-line access to a remote system. - The Secure File Transfer Protocol (SFTP) and FTP-Secure (FTPS) both provide a secure method to transfer files between systems.

Virtual Private Network Issues

Many organizations use virtual private networks (VPNs) to provide employees with secure remote access to the organization's network. - As with any application protocol, administrators must ensure that the VPN services offered by the organization are fully patched to current levels. *VPNs require the use of cryptographic ciphers and suffer from similar issues as SSL and TLS when they support the use of insecure ciphers.

Categorizing CVSS Base Scores

Many vulnerability scanning systems further summarize CVSS results by using risk categories rather than numeric risk ratings. Ex: Nessus risk rating scale:

Mobile Device Security

Mobile devices have a host of security issues of their own and must be carefully managed and patched to remain secure. The admins of mobile devices can use a mobile device management (MDM) solution to manage the configuration of those devices, automatically installing patches, requiring the use of encryption, and providing remote wiping functionality. - MDM solutions may also restrict the applications that can be run on a mobile device to those that appear on an approved list. (Mobile devices do not typically show up on vulnerability scans because they are not often sitting on the network when those scans run. - Therefore, administrators should pay careful attention to the security of those devices, even when they do not show up as requiring attention after a vulnerability scan.

Network Vulnerabilities

Modern interconnected networks use a complex combination of infrastructure components and network appliances to provide widespread access to secure communications capabilities. - These networks and their component parts are also susceptible to security vulnerabilities that may be detected during a vulnerability scan.

Virtualization Vulnerabilities

Most modern data centers make extensive use of virtualization technology to allow multiple guest systems to share the same underlying hardware. - In virtualized data center, the virtual host hardware runs a special operating system known as a hypervisor that mediates access to the underlying hardware resources. Virtual machines then run on top of this virtual infrastructure provided by the hypervisor, running standard operating systems such as Windows and Linux variants. - The virtual machines may not be aware that they are running in a virtualized environment because the hypervisor tricks them into thinking that they have normal access to the underlying hardware when, in reality, that hardware is shared with other systems.

Privilege Escalation

Privilege escalation attacks seek to increase the level of access that an attacker has to a target system. - They exploit vulnerabilities that allow the transformation of a normal user account into a more privileged account, such as the root superuser account.

Insecure Cipher Use

SSL and TLS allow administrators to designate the cryptographic ciphers that can be used with those protocols on a server-by-server basis. - When a client and server wish to communicate using SSL/TLS, they exchange a list of ciphers that each system supports and agree on a mutually acceptable cipher. Some ciphers contain vulnerabilities that render them insecure because of their susceptibility to eavesdropping attacks. (Solving this problem requires altering the set of supported ciphers on the affected server and ensuring that only secure ciphers may be used.

Certificate Problems

SSL and TLS rely on the use of digital certificates to validate the identity of servers and exchange cryptographic keys. (These errors often contain extremely important information about the security of the site being accessed) *Vulnerability scans may also detect issues with certificates presented by servers that support SSL and/or TLS. Common errors include: - Mismatch between the Name of the Certificate and the Name of the server: A serious error since it may indicate the use of a certificate taken from another site. (The digital equivalent of someone using a fake ID "borrowed" from a friend). - Expiration of the Digital Certificate: Digital certificates have validity periods and expiration dates. When there is an expired certificate, it most likely means that the server administrator failed to renew the certificate in a timely manner. - Unknown Certificate Authority (CA): Anyone can create a digital certificate, but digital certificates are only useful if the recipient of a

Outdated SSL/TLS Versions

SSL is no longer considered secure and should not be used on production systems. - The same is true for early versions of TLS. Vulnerability scanners may report that web servers are using these protocols, and cybersecurity analysts should understand that any connections making use of these outdated versions of SSL and TLS may be subject to eavesdropping attacks. *The administrators of servers supporting outdated versions of SSL and TLS should disable for these older protocols on their servers and support only newer protocols, such as TLS version 1.2.

Unsupported Operating Systems and Applications

Software vendors eventually discontinue support for every product they make. - This is true for operating systems as well as applications. Once the vendor announces the final end of support for a product, organizations that continue running the outdated software put themselves at a significant risk of attack. The vendor simply will not investigate or correct security flaws that arise in the product after that date. - Organizations continuing to run the unsupported product are on their own from a security perspective, and unless a team of operating system developers are used for maintenance, it is not a good situation. *Reports of unsupported software are a treasure trove of information. - They're difficult for IT teams to remediate and offer a potential avenue of exploitation. (In cases where the organization must continue using an unsupported operating system, best practice dictates isolating the system as much as possible, preferably not connecting it to any network, and a

Calculating the Base Score

The CVSS base score can be calculated using this formula:

Summarizing CVSS Scores

The CVSS vector provides a good detailed information on the nature of the risk posed by a vulnerability, but the complexity of the vector makes it difficult to use in prioritization exercises. - For this reason, analysts can calculate the CVSS base score, which is a single number representing the overall risk posed by the vulnerability. *Arriving at the base score requires first calculating the exploitability score, impact score, and impact function.

CVSS Vector Output

The CVSS vector uses a single-line format to convey the ratings of a vulnerability on all six metrics. Example of a CVSS Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N (In this example, the vulnerability received the following ratings: - Access Vector: Network (score: 1.000) - Access Complexity: Medium (score: 0.610) - Authentication: None (Score: 0.704) - Confidentiality: Partial (Score: 0.275) - Integrity: None (Score: 0.000) - Availability: None (Score: 0.000)

Understanding CVSS

The Common Vulnerability Scoring System (CVSS) is an industry standard for accessing the severity of security vulnerabilities . *Cybersecurity analysts often use CVSS ratings to prioritize response actions. Analysts scoring a new vulnerability begin by rating the vulnerability on six different measures: - Access vector - Access complexity - Authentication - Confidentiality - Integrity - Availability Each measure is given both a descriptive rating and a numeric score. - The first three measures evaluate the exploitability of the vulnerability, whereas the last three evaluate the impact of the vulnerability.

Domain Name System

The Domain Namae System (DNS) provides a translation service between domain names and IP addresses. - DNS allows end users to remember user-friendly domain names, such as apple.com, and not worry about the mind-numbing IP addresses actually used by those servers. DNS has a track record of many serious security vulnerabilities and requires careful configuration and patching. - Because DNS vulnerabilities are so prevalent, DNS servers are a common first target for attackers and penetration testers alike.

SSL and TLS Issues

The Secure Sockets Layer (SSL) protocol and its successor, Transport Layer Security (TLS), offer a secure means to exchange information over the Internet and private networks. - Although these protocols can be used to encrypt almost any type of network communications, they are most commonly used to secure connections to web servers and are familiar to end users designated by the S in HTTPS.

Access Complexity Metric

The access complexity metric describes the difficulty of exploiting the vulnerability.

Access Vector Metric

The access vector metric describes how an attacker would exploit the vulnerability.

Authentication Metric

The authentication metric describes the authentication hurdles that an attacker would need to clear to exploit a vulnerability.

Availability Metric

The availability metric describes the type of disruption that might occur if an attacker successfully exploits the vulnerability.

Confidentiality Metric

The confidentiality metric describes the type of information disclosure that might occur if an attacker successfully exploits the vulnerability.

Determining the Impact Function Value

The impact function is a simple check. If the impact score is 0, the impact function value is also 0. - Otherwise, the impact function is 1.176.

Integrity Metric

The integrity metric describes the type of information alteration that might occur if an attacker successfully exploits the vulnerability.

POS (Point-Of-System) Vulnerabilities

The point-of-sale (POS) systems found in retail stores, restaurants, and hotels are lucrative targets for attackers and penetration testers alike. - These systems often store, process, and/or transmit credit card information, making them highly valuable in the eyes of an attacker seeking financial gain. POS systems commonly run either standard or specialized versions of common operating systems, with many running variants of Microsoft Windows. *POS systems involved in credit and debit card transactions must comply with the Payment Card Industry Data Security Standard (PCI DSS), which outlines strict, specific rules for the handling of credit card information and the security of devices involved in those transactions.

False positives

The scanner might not have sufficient access to the target system to confirm a vulnerability, or it might simply have an error in a plug-in that generates an erroneous vulnerability report. - When a scanner reports a vulnerability that does not exist, this is known as a false positive error. Analysts should confirm each vulnerability reported by a scanner. - Sometimes, it may be as simple as verifying that a patch is missing or an operating system is outdated. (Other times, verifying a vulnerability requires a complex manual process that simulates an exploit). *When verifying a vulnerability, analysts should draw on their own expertise as well the subject matter expertise of others throughout the organization.

VM Escape

Virtual machine escape vulnerabilities are the most serious issue that may exist in a virtualized environment, particularly when a virtual host runs systems with differing security levels. In an escape attack, the attacker has access to a single virtual host and then manages to leverage that access to intrude on the resources assigned to a different virtual machine. - The hypervisor is supposed to prevent this type of intrusion by restricting a virtual machine's access to only those resources assigned to that machine. *Escape attacks allow a process running on the virtual machine to "escape" those hypervisor restrictions.

Management Interface Access

Virtualization engineers use the management interface for a virtual infrastructure to configure the virtualization environment, set up new guest machines, and regulate access to resources. This management interface is extremely sensitive from a security perspective, and access should be tightly controlled to prevent unauthorized individuals from gaining access. Professionals should ensure that the interface is never directly accessible from a public network. - Vulnerability scans that detect the presence of an accessible management interface will report this as a security concern.

Virtual Host Patching

Virtualization platforms receive security updates that may affect the security of virtual guests or the entire platform. - Patches may correct vulnerabilities that allow virtual machine escape attacks or other security flaws.

Interpreting Scan Results

Vulnerability scanners provide detailed information about each vulnerability that they identify. At the top of the report (labeled A), there are two critical details: the name of the vulnerability, expressed as a general category, such as low, medium, high, or critical. (This example shows the scanner reporting a server's secure shell (SSH) service supports weak encryption algorithms, assigned to the medium severity category) Section B, the report provides a detailed description of the vulnerability. (Descriptions can be several paragraphs long depending on the complexity of the vulnerability. - This case shows the description informing that the server's SSH service only supports the insecure Arcfour stream cipher and explains that this service has an issue with weak encryption keys. Section C of the report provides a solution to the vulnerability. (When possible, the scanner offers detailed information about how system administrators, security professionals, network engineer

Missing Firmware Updates

Vulnerability scans may also detect security problems in the network devices that require firmware updates from the manufacturer to correct.

Web Application Vulnerabilities

Web application are complex environments that often rely not only on web servers but also on backend databases, authentication servers, and other components to provide services to end users. - These web applications may also contain security holes that allow attackers to gain a foothold on a network, and modern vulnerability scanners are able to probe web applications for these vulnerabilities.

Reconciling Scan Results with Other Data Sources

When available to a penetration tester, the following information sources may contain valuable information: - Logs from servers, applications, network devices, and other sources that might contain information about possible attempts to exploit detected vulnerabilities. - Security Information and Event Management (SIEM) systems that correlate log entries from multiple sources and provide actionable intelligence. - Configuration management systems that provide information on the operating system and applications installed on a system. Each of these information sources can prove invaluable when a penetration tester attempts to reconcile a scan report with the reality of the organization's computing environment.

Hardware Flaws

While most vulnerabilities affect operating systems and applications, occasionally vulnerabilities that