CompTIA Cybersecurity Analyst (CySA+) 2.0 Vulnerability Management
Agent Based Scanner
(or serverless) vulnerability scanners are typically better for scanning mobile devices. They have agents that run on each protected host and report their results back to the central scanner.
- Asset inventory
- Critical
- Non-critical
(MOU) Memorandum of Understanding
A document that defines and outlines the duties and expectations of all concerned parties in situations where a legal contract is not necessary or appropriate, such as where both parties work for the same overall organization.
Unauthenticated Scan
A form of vulnerability scan that tests the target systems without having passwords or other special information that would grant the scanner special privileges. This allows the scan to run from the perspective of an attacker but also limits the ability of the scanner to fully evaluate possible vulnerabilities.
PCI DSS (Payment Card Industry Data Security Standard)
A global standard for protecting stored, processed, or transmitted payment card information.
Gramm-Leach-Bliley Act (GLBA)
A law that requires banks and financial institutions to alert customers of their policies and practices in disclosing customer information. It does not specifically require that an organization conduct vulnerability scanning.
- Credentialed vs. non-credentialed
A non-credentialed vulnerability scan evaluates the system from the perspective of an outsider, such as an attacker just beginning to interact with a target. This is a sort of black-box test in which the scanning tool doesn't get any special information or access into the target. The advantage of this approach is that it tends to be quicker while still being fairly realistic. It may also be a bit more secure because there is no need for additional credentials on all tested devices. The disadvantage, of course, is that you will most likely not get full coverage of the target. Non-credentialed scans look at systems from the perspective of the attacker but are not as thorough as credentialed scans.
Nessus
A popular and powerful scanner that began its life as an open source and free utility in the late 1990s and has since become a top choice for conducting vulnerability scans. With over 80,000 plug-ins, it allows users to schedule and conduct scans across multiple networks based on custom policies. Its real power, however, lies with its multitude of features for vulnerability identification, misconfiguration detection, default password usage, and compliance determination.
(SLA) Service Level Agreement
An agreement between a company and a vendor that stipulates performance expectations, such as minimum uptime and maximum downtime levels.
- Data classification
An important item of metadata that should be attached to all data is a classification level. This classification tag is important in determining the protective controls we apply to the information.
• Private: Information whose improper disclosure could raise personal privacy issues
• Confidential: Data that could cause grave damage to the organization
• Proprietary (or sensitive): Data that could cause some damage, such as loss of competitiveness, to the organization
• Public: Data whose release would have no adverse effect on the organization
- Permissions and access
Apart from the considerations in a credentialed scan discussed already, the scanning tool must have the correct permissions on whichever hosts it is running, as well as the necessary access across the network infrastructure. It is generally best to have a dedicated account for the scanning tool or, alternatively, to execute it within the context of the user responsible for running the scan. In either case, minimally privileged accounts should be used to minimize risks (that is, do not run the scanner as root unless you have no choice).
Missing Patches
Applying security patches to systems should be one of the core practices of any information security program, but this routine task is often neglected due to a lack of resources for preventive maintenance. One of the most common alerts from a vulnerability scan is that one or more systems on the network are running an outdated version of an operating system or application and require security patch(es).
• Validate results and correlate other data points
Armed with the feedback from the vulnerability scan reports, it can be straightforward to verify their results.
- Compare to best practices or compliance
- Reconcile results
- Review related logs and/or other data sources
- Determine trends
• Identification of requirements
As an organization begins developing a vulnerability management program, it should first undertake the identification of any internal or external requirements for vulnerability scanning. These requirements may come from the regulatory environment(s) in which the organization operates and/or internal policy-driven requirements.
- Prioritizing
As cybersecurity analysts work their way through vulnerability scanning reports, they must make important decisions about prioritizing remediation to use their limited resources to resolve the issues that pose the greatest danger to the organization. There is no cut-and-dried formula for prioritizing vulnerabilities. Rather, analysts must take several important factors into account when choosing where to turn their attention first.
- Criticality
- Difficulty of implementation
- Review and interpret scan results
Automated vulnerability reporting is never perfectly accurate. The CySA must review and make sense of it before passing it on to others in the organization. The two most important outcomes of this process are to identify false positives and exceptions to policies. Once entries in these categories are removed from consideration, one must then prioritize response actions.
- Sandboxing/testing
Before deploying any remediation activity, CySAs and other technologists should thoroughly test their planned fixes in this environment. It allows technologists to identify any unforeseen side effects of the fix and reduces the likelihood that remediation activities will disrupt business operations or cause damage to the organization's information assets.
2.1 Given a scenario, implement an information security vulnerability management process.
CompTIA
Exposure of the Vulnerability
CySAs should also consider how exposed the vulnerability is to potential exploitation. For example, if an internal server has a serious SQL injection vulnerability but that server is accessible only from internal networks, remediating that issue may take a lower priority than remediating a less severe issue that is exposed to the Internet and, therefore, more vulnerable to external attack.
- Determine scanning criteria
Cybersecurity professionals depend on automation to help them perform their duties in an efficient, effective manner. Vulnerability scanning tools allow the automated scheduling of scans to take the burden off administrators.
Difficulty of Remediating the Vulnerability
If fixing a vulnerability will require an inordinate commitment of human or financial resources, that should be factored into the decision-making process. Cybersecurity analysts may find that they can fix five issues rated numbers 2 through 6 in priority order for the same investment that would be required to address the top issue. This doesn't mean that they should necessarily choose to make that decision based on cost and difficulty alone, but it is a consideration in the prioritization process.
• Establish scanning frequency
If you haphazardly do vulnerability scans at random intervals, you will have a much harder time answering the question of whether or not your vulnerability management is being effective. If, on the other hand, you do the math up front and determine the frequencies and scopes of the various scans given your list of assumptions and requirements, you will have much more control over your security posture.
(XCCDF) Extensible Configuration Checklist Description Format
Is a language for specifying checklists and reporting checklist results.
(OVAL) Open Vulnerability and Assessment Language
Is a language for specifying low-level testing procedures used by checklists.
• Network appliances
Modern interconnected networks use a complex combination of infrastructure components and network devices to provide widespread access to secure communications capabilities. These networks and their component parts are also susceptible to security vulnerabilities that may be detected during a vulnerability scan.
• Execute scanning
Modern scanners cannot find weaknesses they're not aware of or do not understand. Although they can only identify weaknesses they're aware of, the most popular vulnerability scanners have amassed enormous libraries of vulnerabilities. We'll discuss three popular vulnerability scanners on the market: Tenable Network Security's Nessus, Greenbone Networks' OpenVAS, and the Nikto Web Scanner.
- Automated vs. manual distribution
Modern vulnerability management tools provide very strong reporting capabilities. These reports may be manually generated on-demand to answer specific questions, or administrators may set up automated reports that generate on a scheduled basis and are pushed out to those who need to see them. Additionally, administrators may set up alerting mechanisms to immediately notify key personnel of critical new vulnerabilities as soon as they are detected.
• Configure tools to perform scans according to specification
Once security professionals have determined the basic requirements for their vulnerability management program, they must configure vulnerability management tools to perform scans according to the requirements-based scan specifications. These tasks include identifying the appropriate scope for each scan, configuring scans to meet the organization's requirements, and maintaining the currency of the vulnerability scanning tool.
• Virtual infrastructure
One of the biggest advantages of this computing is its efficiency. Many of our physical network devices spend a good part of their time sitting idle and thus underutilized. By utilizing this computing for devices and placing them on the same shared hardware, we can balance loads and improve performance at a reduced cost.
- Virtual hosts
- Virtual networks
- Management interface
System Specific Security Policy
Presents the management's decisions that are specific to the actual computers, networks and applications.
(CPE) Common Platform Enumeration
Provides a standard nomenclature for describing product names and versions.
(CVE) Common Vulnerabilities and Exposures
Provides a standard nomenclature for describing security-related software flaws.
(CCE) Common Configuration Enumeration
Provides a standard nomenclature for discussing system configuration issues.
(CVSS) Common Vulnerability Scoring System
Provides a standardized approach for measuring and describing the severity of security-related software flaws.
• Generate reports
Report generation is an important part of the incident response process and is particularly critical for vulnerability management. All vulnerability scanners perform reporting functions of some kind, but they don't all come with customization options. Nessus provides its reports in common formats such as PDF, HTML, and CSV. Additionally, you can also use Nessus's own formats. As an administrator, it's important that you consider what kinds of reporting your utility is capable of and how you might automate the reporting process. Getting the pertinent information to the right people in a timely fashion is the key to successfully capitalizing on vulnerability scans.
- Identify false positives
Reporting a problem when no such issue exists is a challenge when dealing with any type of scanner. With vulnerability scanners, they are particularly frustrating because the effort required to remediate a suspected issue might be resource intensive.
Credentialed Scan
Scan in which the scanning computer has an account on the computer being scanned that allows the scanner to do a more thorough check, looking for problems that cannot be seen from the network.
- Tool updates/plug-ins
Scanning systems do provide automatic updating capabilities that keep the scanner and its vulnerability feeds up to date. Organizations can and should take advantage of these features, but it is always a good idea to check in once in a while and manually verify that the scanner is updating properly.
- Vulnerability feed
Update services that cover the vast majority of known vulnerabilities, with turnaround ranging from hours to weeks.
- Compare to Best Practices or Compliance
Several benchmarks across industry, academia, and government are available for you to improve your network's security. On military networks, the most widely used set of standards is developed by the Defense Information Systems Agency (DISA). Its Security Technical Implementation Guides (STIGs), combined with the National Security Agency (NSA) guides, are the configuration standards used on DoD information systems.
Unsupported Operating Systems and Applications
Software vendors eventually discontinue support for every product they make. This is true for operating systems as well as applications. Once they announce the final end of support for a product, organizations that continue running the outdated software put themselves at a significant risk of attack. The vendor simply will not investigate or correct security flaws that arise in the product after that date. Organizations continuing to run the unsupported product are on their own from a security perspective, and unless you happen to maintain a team of operating system developers, that's not a good situation to find yourself in.
ISO/IEC 27001 (The International Organization for Standardization/International Electrotechnical Commission)
Specifies requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented information security management system. It is arguably the most popular voluntary security standard in the world and covers every important aspect of developing and maintaining good information security.
National Vulnerability Database (NVD)
The U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. It includes databases of security checklist references, security-related software flaws, misconfigurations, product names, and impact metrics.
- Prioritize response actions
The aim is to have the most accurate information about your network, because it means more confidence in the decisions made by your technical staff and company leadership. With vulnerabilities accurately identified and the most appropriate courses of action developed and refined through open lines of communication, you can rank responses that have minimal impact throughout the company.
Severity of the Vulnerability
The more severe an issue is, the more important it is to correct that issue. Analysts may turn to the Common Vulnerability Scoring System (CVSS), a component of SCAP, to provide relative severity rankings for different vulnerabilities.
Degrading Functionality
The most common barrier to vulnerability scanning raised by technology professionals. Vulnerability scans consume network bandwidth and tie up the resources on systems that are the targets of scans. This may degrade system functionality and poses a risk of interrupting business processes. CySAs may address these concerns by tuning scans to consume less bandwidth and coordinating scan times with operational schedules.
• Servers
The most common vulnerability seen on this device stems from losing track of its purpose on the network and allowing it to run unnecessary services and ports. Another common vulnerability is the misconfiguration of services.
- Reconcile Results
The steps you take to configure a device, validate its configuration, verify its operation, and of course test vulnerabilities. Taking notes on how you uncovered and dealt with a vulnerability will aid in continuity, and it might be required based on the industry in which you operate.
Organizational Governance
The system of processes and rules an organization uses to direct and control its operations. It aims to strike a sensible balance between the priorities of company stakeholders. In some cases, governance may interrupt the application of remedial steps because those actions might negatively affect other business areas.
Virtual Hosts
Their most common vulnerability is VM sprawl, since, unlike their physical counterparts, VMs can easily multiply. They should be completely isolated from the OS of the host on which they are running. This should be implemented because if a process in the VM were able to breach this isolation and interact directly with the host, that process would have access to any other VMs running on that host, likely with elevated privileges.
Business Process Interruption
There's never a good time to apply a patch or take other remedial actions. Highly efficient business and industrial processes such as just-in-time manufacturing have allowed businesses to reduce process time and increase overall efficiency. Underpinning these systems are production IT systems that themselves are optimized to the business. A major drawback, however, is that some systems might be more susceptible to disruption due to their optimized states. This fear of unpredictability or instability in the overall process is often enough for company leadership to delay major changes to production systems, or to avoid them altogether.
- Identify exceptions
These always exist, even on well-managed networks. There is no way for the authors of a vulnerability test to know the details of your network, so they must create rules that are sometimes less granular, which may lead to false positives. In this case, it might be useful to customize your own test once that false positive is discovered. Another reason for a false positive could be that you've already determined the appropriate compensating control for an issue but have not correctly disposed of the alert.
Criticality (of the System and Information Affected by the Vulnerability)
These measures should take into account CIA requirements, depending on the nature of the vulnerability. For example, if the vulnerability allows a denial-of-service attack, CySAs should consider the impact to the organization if the system became unusable due to an attack. If the vulnerability allows the theft of stored information from a database, CySAs should consider the impact on the organization if that information were stolen.
EXAM TIP: The Common Vulnerability Scoring System (CVSS) is the de facto standard for assessing the severity of vulnerabilities. Therefore, you should be familiar with CVSS and its metric groups: base, temporal, and environmental.
- Sensitivity levels
These settings determine the types of checks that the scanner will perform and should be customized to ensure that the scan meets its objectives while minimizing the possibility of disrupting the target environment.
Endpoints
They are almost always end-user devices (mobile or otherwise). They are the most common entry point for attackers into our networks, and the most common vectors are e-mail attachments and web links. Their most common problem is the lack of up-to-date malware protection.
• Endpoints
They are almost always end-user devices. Also, they are the most common entry point for attackers into our networks, and the most common vectors are email attachments and web links. Another common vulnerability is system misconfiguration or default configurations. Though most modern OSes pay attention to security, they oftentimes err on the side of functionality.
Virtual Networks
They are commonly implemented in two ways: internally to a host using network virtualization software within a hypervisor, and externally through the use of protocols such as the Layer 2 Tunneling Protocol (L2TP). A vulnerability in the hypervisor would allow an attacker to escape a VM. Once outside of the machine, the attacker could have access to the virtual networks implemented by the hypervisor. This could lead to eavesdropping, modification of network traffic, or denial of service. Still, at the time of this writing there are very few known actual threats to virtual networks apart from those already mentioned when we discussed common vulnerabilities in VMs.
Vulnerability Management Programs
They seek to identify, prioritize and remediate vulnerabilities before an attacker exploits them to undermine the confidentiality, integrity, or availability of enterprise information assets.
• Analyze reports from a vulnerability scan
Understanding why vulnerabilities exist and how they can be exploited will assist you in analyzing the final scan report.
- Review and interpret scan results
- Identify false positives
- Identify exceptions
- Prioritize response actions
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
United States law enacted in 1996 to provide data privacy and security provisions for safeguarding medical information. It does not specifically require that an organization conduct vulnerability scanning. It establishes penalties (ranging from $100 to $1.5 million) for covered entities that fail to safeguard PHI.
- Determine Trends
Using either the built-in trending functionality or with help from other software, you can track how vulnerabilities in the network have changed over time. This improves context and allows your security response team to tailor its threat mitigation strategies to its efforts more efficiently. Additionally, you can also determine if any of your solutions are taking hold and are effective.
Noncredentialed Scan
Vulnerability scan run without any user credentials that provides a quick view of vulnerabilities by only looking at network services exposed by the host.
- Server-based vs. agent-based
Vulnerability scanners tend to fall into two classes of architectures: those that require a running process (agent) on every scanned device, and those that do not. A server-based (or agentless) scanner consolidates all data and processes on one or a small number of scanning hosts, which depend on a fair amount of network bandwidth in order to run their scans. It has fewer components, which could make maintenance tasks easier and help with reliability. Additionally, it can detect and scan devices that are connected to the network, but do not have agents running on them (for example, new or rogue hosts). Agent-based scanners have agents that run on each protected host and report their results back to the central scanner. Because only the results are transmitted, the bandwidth required by this architectural approach is considerably less than a server-based solution. Also, because the agents run continuously on each host, mobile devices can still be scanned even when they are not connected to the corporate network.
- Inhibitors to remediation
Vulnerability scanning is often a high priority for CySAs, but other technologists in the organization may not see it as an important activity. You should be aware of the barriers raised by others to vulnerability scanning and ways to address those concerns.
- MOUs
- SLAs
- Organizational governance
- Business process interruption
- Degrading functionality
- Review Related Logs and/or Other Data Sources
When analyzing the report you should always do this. You can compare running services, listening ports, and open connections against a list of authorized services to identify any abnormal behavior. Correlating the vulnerability scan output with historical network and service data serves several functions.
• Ongoing Scanning and Continuous Monitoring
Where feasible, you should schedule automated vulnerability scanning to occur daily. Depending on the types of networks you operate and your security policies, you might opt to perform these more often, always using the most updated version of the scanning tool. You should pay extra attention to critical vulnerabilities and aim to remediate them within 48 hours. Recognizing that maintaining software, libraries, and reports might be tedious for administrators, some companies have begun to offer web-based scanning solutions. Qualys and Tenable, for example, both provide cloud-enabled web application security scanners that can be run from any number of cloud service providers. Promising increased scalability and speed across networks of various sizes, these companies provide several related services based on subscription tier.
- Communication/change control
You can see that a tremendous amount of effort goes into managing the actions after getting the results of a vulnerability scan. Although implementing every recommendation may seem like a good idea on the surface, we cannot go about it all at once. Without a systematic approach to managing all the necessary security changes, we risk putting ourselves in a worse place than when we began. The purpose of establishing formal communication and change management procedures is to ensure that the right changes are made the first time, that services remain available, and that resources are used efficiently throughout the changes.
(CAB) Change Advisory Board
a Board utilized by organizations to approve major changes to a company's policies and to assist CM in the monitoring and assessment of changes.
(ROE) Rules of Engagement
a document that deals with the manner in which the penetration test is to be conducted.
Federal Information Processing Standards (FIPS)
a set of standards that describe document processing, encryption algorithms and other information technology standards for use within non-military government agencies and by government contractors and vendors who work with the agencies.
Vulnerability Scanner Plug-in
a simple program that looks for the presence of one specific flaw. Administrators should configure their scanners to retrieve plug-in updates on a regular basis, preferably daily.
Nessus Attack Scripting Language (NASL)
a very flexible language able to perform virtually any check imaginable.
Nikto Web Scanner
a web server vulnerability scanner. Its main strength is finding vulnerabilities such as SQL and command injection susceptibility, cross-site scripting (XSS), and improper server configuration. Although, as a command-line utility, it lacks a graphical interface, it's able to perform thousands of tests very quickly and provide details on the nature of the weaknesses.
- Workflow
allows for the prioritization of vulnerabilities and the tracking of remediation through the cycle of detection, remediation and testing.
Issue Specific Security Policy
also called a functional policy, addresses specific security issues that management feels need more detailed explanation and attention to make sure a comprehensive structure is built and all employees understand how they are to comply with these security issues.
- Regulatory environments
an environment in which an organization exists or operates that is controlled to a significant degree by laws, rules, or regulations put in place by government (federal, state, or local), industry groups, or other organizations. In a nutshell, it is what happens when you have to play by someone else's rules, or else risk serious consequences. A common feature of these environments is that they have enforcement groups and procedures to deal with noncompliance. Examples include HIPAA, ISO/IEC 27001, PCI DSS and GLBA.
Security policy
can be organizational, issue specific, or system specific.
- Scope (Scope of a Vulnerability Scan)
describes the extent of the scan and answers these questions: What systems and networks will be included in the vulnerability scan? What technical measures will be used to test whether systems are present on the network? What tests will be performed against systems discovered by a vulnerability scan?
Federal Information Security Management Act of 2002 (FISMA)
is United States legislation that defines a comprehensive framework to protect government information, operations and assets against natural or man-made threats. It requires that government agencies and other organizations that operate systems on behalf of government agencies comply with a series of security standards.
OpenVAS
is a free framework that consists of several analysis tools for both vulnerability identification and management. It is a fork of the original Nessus project that began shortly after Tenable closed development of the Nessus framework. It is similar to Nessus in that it supports browser-based access to its Manager, which uses the Scanner to conduct assessments based on a collection of over 47,000 Network Vulnerability Tests (NVTs).
- SCAP (The Security Content Automation Protocol)
is an effort by the security community, led by the National Institute of Standards and Technology (NIST), to create a standardized approach for communicating security-related information. This standardization is important to the automation of interactions between security components.
- Corporate policy
is an overall general statement produced by senior management (or a selected policy board or committee) that dictates what role security plays within the organization.
Critical (Critical Asset)
is anything that is absolutely essential to performing the primary functions of your organization. This set would include your web platforms, data servers, and financial systems. They also require a higher degree of attention when it comes to vulnerability scanning, both in the thoroughness and in the frequency of each scan.
Authenticated Scan
is vulnerability testing performed as a logged-in, credentialed user. The method is also known as logged-in scanning. It determines how secure a network is from an inside vantage point.
- Technical constraints
limitations on the design of a solution that derive from the technology used in its implementation. See also business constraint. They may limit the frequency of scanning. For example, the scanning system may only be capable of performing a certain number of scans per day, and organizations may need to adjust scan frequency.
- Business constraints
limitations placed on the solution design by the organization that needs the solution. They may limit the organization from conducting resource-intensive vulnerability scans during periods of high business activity to avoid disruption of critical processes.
Organizational Security Policy
management establishes how a security program will be set up, lays out the program's goals, assigns responsibilities, shows the strategic and tactical value of security, and outlines how enforcement should be carried out.
Licensing Limitations
may curtail the bandwidth consumed by the scanner or the number of scans that may be conducted simultaneously.
Server-based Scanner
or agentless systems are based on push technology and a centralized design. It consolidates all data and processes on one or a small number of scanning hosts, which depend on a fair amount of network bandwidth in order to run their scans.
- Regulatory requirements
such as PCI DSS or FISMA, may dictate the frequency of vulnerability scans. These requirements may also come from corporate policies.
• Network infrastructure
the actual hardware, software, and networking components that support the processing and transfer of information. The most commonly vulnerable components are wireless access points (WAPs). Particularly in environments where employees can bring (and connect) their own devices, it is challenging to strike the right balance between security and functionality. The Wired Equivalent Privacy (WEP) protocol has been known to be insecure since at least 2004 and has no place in our networks. For best results, use the Wi-Fi Protected Access 2 (WPA2) protocol.
- Risk appetite
the amount of risk that its senior executives are willing to assume and tolerate within the environment.
- Types of data
the information that should or must be included in the report, particularly when dealing with regulatory compliance scans. This information will drive the data that your scan must collect, which in turn affects the tool configuration.
Noncritical (Noncritical asset)
though valuable, is not required for the accomplishment of your main mission as an organization. They should still be included in your vulnerability management plan but given limited resources and placed at a lower priority.
Capacity
used to denote computational resources expressed in cycles of CPU time, bytes of primary and secondary memory, and bits per second (bps) of network connectivity.
(OSVDB) Open Source Vulnerability Database
was an independent and open-sourced database. The goal of the project was to provide accurate, detailed, current, and unbiased technical information on security vulnerabilities. The project promoted greater and more open collaboration between companies and individuals.
Common Vulnerabilities
• Missing patches/updates: A system could be missing patches or updates for numerous reasons. If the reason is legitimate (for example, an industrial control system that cannot be taken offline), then this vulnerability should be noted, tracked, and mitigated using an alternate control.
• Misconfigured firewall rules: Whether or not a device has its own firewall, the ability to reach it across the network, which should be restricted by firewalls or other means of segmentation, is oftentimes lacking.
• Weak passwords: Our personal favorite was an edge firewall that was deployed for an exercise by a highly skilled team of security operators. The team, however, failed to follow its own checklist and was so focused on hardening other devices that it forgot to change the default password on the edge firewall. Even when default passwords are changed, it is not uncommon for users to choose weak ones if they are allowed to.