CEHv10 Vulnerability Analysis

Working of Vulnerability Scanning Solutions

Locating nodes: The first step in vulnerability scanning is to locate live hosts in the target network using various scanning techniques. Performing service discovery on them: After detecting live hosts in the target network, the next step is to enumerate open ports and services on the target systems. Testing those services for known vulnerabilities: Finally, after identifying open services, these services are tested for known vulnerabilities

Resources for Vuln Research

Microsoft Vulnerability Research (MSVR) (https://technet.microsoft.com) Security Magazine (https://www.securitymagazine.com) SecurityFocus (https://www.securityfocus.com) Help Net Security (https://www.net-security.org) HackerStorm (http://www.hackerstorm.co.uk) SC Magazine (https://www.scmagazine.com) Computerworld (https://www.computerworld.com) WindowsSecurity (http://www.windowsecurity.com) Exploit Database (https://www.exploit-db.com) CVE Details (https://www.cvedetails.com) Security Tracker (https://securitytracker.com) Vulnerability Lab (https://www.vulnerability-lab.com) D'Crypt (https://www.d-crypt.com) Trend Micro (https://www.trendmicro.com) Rapid7 (https://www.rapid7.com) Dark Reading (https://www.darkreading.com

Limitations of Vulnerability Assessment

- Vulnerability-scanning software is limited in its ability to detect vulnerabilities at a given point in time. - Vulnerability-scanning software must be updated when new vulnerabilities are discovered or improvements are made to the software being used. - Software is only as effective as the maintenance performed on it by the software vendor and by the administrator who uses it. - It does not measure the strength of security controls. - Vulnerability-scanning software itself is not immune to software engineering flaws that might lead to missing serious vulnerabilities.

Criteria for Vuln Assessment Tools

-Types of vulnerabilities being assessed: -Testing capability of scanning: -Ability to provide accurate reports: -Efficient and accurate scanning: -Capability to perform smart search: -Functionality for writing own tests -Test run scheduling

Vulnerability Assessment Types

1. Active- network scanner 2. Passive- sniffer 3. External- from internet 4. Internal- intranet 5. Host-based 6. Network 7. Application- testing web infrastructure 8. Wireless network

Vulnerability Classification

1. Misconfig 2. Default installations 3. Buffer overflows 4. Unpatched svr 5. Design flaws 6. OS flaws 7. App flaws 8. Open svc 9. Default pwd

OpenVAS

A framework of several services and tools offering a comprehensive and powerful vulnerability scanning and vulnerability management solution. The actual security scanner is accompanied with a regularly updated feed of Network Vulnerability Tests (NVTs), over 50,000 in total. multi-service & multi-tool vulnerability scanner/manager

Common Vulnerabilities & Exposures (CVE)

A publicly available and free to use list or dictionary of standardized identifiers for common software vulnerabilities and exposures. List of standardized identifiers for common SW vulnerabilities & exposures One identifier for one vulnerability or exposure One standardized description for each vulnerability or exposure A dictionary rather than a database How disparate databases and tools can "speak" the same language The way to interoperability and better security coverage A basis for evaluation among services, tools, and databases Free for public to download and use Industry-endorsed via the CVE Numbering Authorities, CVE Board, and numerous products and services that include CVE

Host-Based Assesment

A type of security check that involves carrying out a configuration-level check through the command line. Scanners assess systems to identify vulnerabilities such as incorrect registry and file permissions, as well as software configuration errors.

Nessus Pro

An assessment solution for identifying vulnerabilities, configuration issues, and malware that attackers use to penetrate networks. -supports various technologies such as operating systems, network devices, hypervisors, databases, tablets/phones, web servers and critical infrastructure Features: High-speed asset discovery Vulnerability assessment Malware/Botnet detection Configuration and compliance auditing Scanning and auditing of virtualized and cloud platforms

Vulnerability Assessment

An examination of the ability of a system or application, including current security procedures and controls, to withstand assault. scan networks for known security weaknesses.

Application Flaws

Applications should be secured using validation and authorization of the user. it is important for developers to understand the anatomy of common security vulnerabilities and develop highly secure applications by providing proper user validation and authorization

Unpatched Servers

As these are a hub for the attackers, they serve as an entry point into the network. Updating software regularly and maintaining systems properly by patching and fixing bugs can help in mitigating vulnerabilities caused due to unpatched servers.

Vulnerability Assessment: Tree-Based

Basically each step is decided by an admin pg 147

Qualys Vulnerability Mgmt

Cloud-based svc built to ID threats and monitor changes Features -Agent-based detection -Constant monitoring and alerts -Comprehensive coverage and visibility -VM for the perimeter-less world -Discover forgotten devices and organize your host assets -Scan for vulnerabilities everywhere, accurately and efficiently -Identify and prioritize risks -Remediate vulnerabilities

Vulnerability Management Life Cycle

Create baseline Vuln assessment Risk Assessment Remediation Verification Monitor pg 144

Types of Vuln Assessment Tools

Host-Based- scanning tools are apt for servers that run various applications such as the web, critical files, databases, directories, and remote accesses. Depth -used to find and identify previously unknown vulnerabilities in a system. Application-Layer - designed to serve the needs of all kinds of operating system types and applications. Scope -provides assessment of the security by testing vulnerabilities in the applications and operating system. -Some assessment tools are designed to test a specific application or its type for vulnerability. Active/Passive -Active scanners perform vulnerability checks on the network that consume resources on the network. Location/Data -o Network-Based Scanner: Network-based scanners are those that interact only with the real machine where they reside and give the report to the same machine after scanning. -o Agent-Based Scanner: Agent-based scanners reside on a single machine but have the ability to scan a number of machines on the same network. -o Proxy Scanner: Proxy scanners are the network-based scanners that have the ability to scan networks from any machine in the network. -o Cluster scanner: Cluster scanners are similar to proxy scanners but have the ability to perform two or more scans on different machines simultaneously in the network.

SAINT

Identify Software vulnerability & patch deficiencies, web app vulnerability, risk exposures, state of AV installs, config assessments etc As a vulnerability assessment solution, security research and development efforts focus on investigation, triage, prioritization and coverage of vulnerabilities of the highest severity. It performs risk analysis, and remediation and continuous monitoring. vulnerability management capabilities identify operating system and software vulnerabilities and patch deficiencies, Microsoft Patch Tuesday assessments, web applications vulnerabilities and risk exposures, state of anti-virus installations, configuration assessments based on industry-standard best-practices, exposure of sensitive content

Default Installations

In some cases, infected devices may not contain any valuable information but they are connected to networks or systems that have confidential information that would result in a data breach. Not changing the default settings while deploying the software or hardware allows the attacker to guess the settings in order to break into the systems

Pre-Assessment Phase: Creating a Baseline

In this phase, critical assets are identified and prioritized to create a good baseline for the vulnerability management. 1. ID & understand business processes 2. ID supporting apps, data & services 3. Asset inventory & prioritization 4. Map network 5. ID controls already in place 6. Understand policy implementation & standards compliance 7. Define scope of assessment 8. Create info protection procedures pg 144

Vulnerability Assessment: Product-Based

Installed in private (non-routable) space. May not detect outside attacks if sitting behind FW. pg 146

Microsoft Baseline Security Analyzer (MBSA)

Lets admins scan local & remote systems for missing updates & common security configs A tool designed for IT professionals and helps small-and medium-sized businesses to determine their security state in accordance with Microsoft security recommendations.

Default Passwords

Manufacturers provide default passwords to the users to access the device during initial set-up and users need to change the passwords for future use. Passwords should be kept secret; failing to protect the confidentiality of a password allows the system to be compromised with ease.

Common Vuln Scoring System (CVSS)

Open framework for communicating the characteristics & impacts of IT vulnerabilities well suited as a standard measurement system for industries, organizations, and governments that need accurate and consistent vulnerability impact scores. uses are prioritization of vulnerability remediation activities and in calculating the severity of vulnerabilities discovered on one's systems. provides a way to capture the principal characteristics of a vulnerability, and produce a numerical score reflecting its severity. The numerical score can then be translated into a qualitative representation (such as low, medium, high, and critical) to help organizations properly assess and prioritize their vulnerability management processes.

Open Services

Open ports and services may lead to loss of data, DoS attacks and allow attackers to perform further attacks on other connected devices. Administrators need to continuously check for unnecessary or insecure ports and services to reduce the risk on the network.

Vuln Assessment Tools: Mobile

Retina CS for Mobile, SecurityMetrics Mobile, Nessus, IP Tools, Network Scanner

Post-Assessment Phase

Risk assessment - Risk Assessment In this phase, all the serious uncertainties that are associated with the system are assessed, fixed, and permanently eliminated for ensuring a flaw free system. -summarizes the vulnerability and risk level identified for each of the selected asset. -determines the risk level for a particular asset, whether it is high, moderate or low. Remediation - the process of reducing the severity of vulnerabilities. This phase is initiated after the successful implementation of the baseline and assessment steps. Verification - This phase provides a clear visibility into the firm and allows the security team to check whether all the previous phases are perfectly employed or not. -can be performed by using various means such as ticking systems, scanners, reports Monitoring -Regular monitoring needs to be performed for maintaining the system security using tools such as IDS/IPS, firewalls, etc. Continuous monitoring identifies potential threats and any new vulnerabilities that have evolved.

Vuln Assessment Reports

Scan info Target info Results Facilitates risk identification/assessment/prioritization/remediation pg 158

Qualys Free Scan

Scans network, servers, dekstops & web apps Features: Scans computers and apps on the Internet or in the network Detects security vulnerabilities and the patches needed to fix them Enables viewing of interactive scan reports by threat or by patch Tests websites and apps for OWASP Top Risks and malware Tests computers against SCAP security benchmarks

Vulnerability Assessment: Inference-Based

Scans ports & services to determine relevant tests pg 147

GFI LanGuard

Scans, detects, assesses and rectifies vulns It scans your operating systems, virtual environments and installed applications through vulnerability check databases. It enables you to analyze the state of your network security, identify risks and address how to take action before it is compromised. Features: Patch management for operating systems and third-party applications Vulnerability assessment Web reporting console Track latest vulnerabilities and missing updates Integration with security applications Network device vulnerability checks

Automated Vulnerability Detection System (AVDS)

Tests every node according to its characteristics and records system responses to reveal security issues A network vulnerability assessment appliance for networks of 50 to 200,000 nodes. It performs an in-depth inspection for security weaknesses that can replace exhaustive penetration testing. With each scan, it will automatically find new equipment and services and add them to the inspection schedule It conducts automated vulnerability assessment scans daily, weekly or monthly, or on ad-hoc basis. It records results and generates vulnerability trends for your entire WAN, a LAN or a single IP address. W

Vulnerability Research

The race against attackers to find your weaknesses. Classified based on Severity Level (L,M,H) and Exploit Range (local vs remote) To gather information about security trends, threats, and attacks To find weaknesses, and alert the network administrator before a network attack To get information that helps prevent the security problems To know how to recover from a network attack

Operating System Flaws

These attacks are performed by using malicious code, script or unwanted software, which result in loss of sensitive information and loss of control on computer operations. Timely patching of OS, installing minimum software applications and use of applications with firewall capabilities are essential steps that an administrator needs take to protect OS from any attack.

Vulnerability Assessment: Service-Based

Third Party solutions; some are hosted in-network, some out of network. Attacker use could audit a network from outside. pg 146

Vulnerability Assessment Phase

This is a very crucial phase in vulnerability management. In this step, the security analyst identifies the known vulnerabilities in the organization infrastructure. 1. Evaluate physical security 2. Check for misconfigs & human error 3. Vuln scans 4. ID & prioritize vulns 5. Apply business & tech context to scan results 6. Validate vulns through OSINT 7. Generate vuln scan report pg 145

National Vuln Dbase (NVD)

U.S. govt repository of standards-based vuln mgmt. data using Security Content Automation Protocol (SCAP). Enables automation of vuln mgmt, security measurement & compliance. Includes DBs of security checklist references, SW flaws, misconfigs, product names & impact metrics.

Nikto

Web server assessment Features: SSL Support (Unix with OpenSSL or maybe Windows with ActiveState's Perl/NetSSL) Full HTTP proxy support Checks for outdated server components Saves reports in plain text, XML, HTML, NBE or CSV Template engine to easily customize reports Scans multiple ports on a server, or multiple servers via input file LibWhisker's IDS encoding techniques Identifies installed software via headers, favicons and files Host authentication with Basic and NTLM Subdomain guessing Apache and cgiwrap username enumeration Scan tuning to include or exclude entire classes of vulnerability checks Guesses credentials for authorization realms (including many default id/pw combos)

Buffer Overflow

common software vulnerabilities that happen due to coding errors allowing attackers to get access to the target system. In an attack, attackers undermine the functioning of programs and try to take the control of the system by writing content beyond the allocated size of the buffer. Insufficient bounds checking in the program is the root cause because of which the buffer is not able to handle data beyond its limit, causing the flow of data to adjacent memory locations and overwriting their data values. Systems often crash or become unstable or show erratic program behavior, when buffer overflow occurs

Retina CS

content-aware vuln assessment & risk analysis A vulnerability management software solution designed to provide organizations with context-aware vulnerability assessment and risk analysis. -result-oriented architecture works with users to proactively identify security exposures, analyze business impact, and plan and conduct remediation across disparate and heterogeneous infrastructure Enterprise Vulnerability Management software enables you to: Discover network, web, mobile, cloud, virtual and IoT infrastructure Profile asset configuration and risk potential Pinpoint vulnerabilities, malware and attacks Analyze threat potential and return on remediation Remediate vulnerabilities via integrated patch management (optional) Report on vulnerabilities, compliance, benchmarks, etc. Protect endpoints against client-side attacks

Design Flaws

incorrect encryption or poor validation of data, refer to logical flaws in the functionality of the system that is exploited by the attackers to bypass the detection mechanism and acquire access to a secure system.

Misconfiguaration

most common vulnerability that is mainly caused by human error, which allows attackers to gain unauthorized access to the system ways: o An application running with debug enabled o Outdated software running on the system o Running unnecessary services on a machine o Using misconfigured SSL certificates and default certificates o Improperly authenticated external systems o Disabling security settings and features