Vulnerability Assessment
… aims to identify and categorize the risk posed by security weaknesses in the assets within an environment. It is important to note that there is little to no manual exploitation during a vuln assessment; the findings come mainly from automated scanning and review rather than from breaking in. A vuln assessment also provides remediation steps to fix the issues found.
The purpose of a vuln assessment is to understand, identify, and categorize the risk of the more apparent issues present in an environment without actually exploiting them to gain further access. Depending on the scope of the assessment, some customers may ask you to validate as many vulns as possible by performing minimally invasive exploitation (for example, confirming a vulnerable version or running a harmless proof of concept) so that scanner findings are confirmed and false positives are weeded out. As with any assessment, it is essential to clarify the scope and intent of the vuln assessment in writing before starting. Vuln management is vital in helping organizations identify the weak points in their assets, understand the risk level, and calculate and prioritize remediation efforts.
It is also important to note that organizations should always test substantial patches in a staging or test environment before pushing them out to production to prevent disruptions.
Methodology
- Conduct Risk Identification and Analysis
- Develop Vulnerability Scanning Policies
- Identify the Type of Scans
- Configure the Scans
- Perform the Scan
- Evaluate and consider possible Risks
- Interpret the Scan Results
- Create a Remediation & Mitigation Plan
Key Terms
Vulnerability
… is a weakness or bug in an organization’s environment, including apps, networks, and infrastructure, that opens up the possibility of threats from external actors. Publicly disclosed vulns are assigned a CVE ID through MITRE’s CVE program and typically receive a CVSS score (published, for example, by NVD or the vendor) to rate their severity. This scoring system is frequently used as a standard by companies and governments looking to calculate accurate and consistent severity scores for their systems’ vulns. Scoring vulns in this way helps prioritize resources and determine how to respond to a given threat. The base score is calculated from metrics such as the attack vector, the attack complexity, the privileges required, whether or not the attack requires user interaction, whether a successful exploit affects components beyond the vulnerable one (scope), and the impact of successful exploitation on the confidentiality, integrity, and availability of an organization’s data. Scores range from 0.0 to 10.0 and map to the qualitative ratings None (0.0), Low (0.1 to 3.9), Medium (4.0 to 6.9), High (7.0 to 8.9), and Critical (9.0 to 10.0). Note that a CVSS base score measures technical severity, not the risk to a specific organization; that depends on where the vulnerable asset sits and what it protects.
Threat
… is anything that amplifies the potential of an adverse event, such as a threat actor exploiting a vuln. Some vulns raise more threat concerns than others because of the probability of the vuln being exploited, for instance when a working exploit is publicly available.
Exploit
… is any code or resource that can be used to take advantage of an asset’s weakness. Many exploits are publicly available through open platforms such as Exploit-DB.
Risk
… is the possibility of assets or data being harmed or destroyed by threat actors. It is commonly thought of as the likelihood that a threat exploits a vuln, combined with the impact if it does.
Asset Management
When an organization of any kind, in any industry, and of any size plans its cybersecurity strategy, it should start by creating an inventory of its data assets. If you want to protect something, you must first know what you are protecting. Once assets have been inventoried, the process of asset management can begin. This is a key concept in defensive security.
Asset Inventory
Asset inventory is a critical component of vuln management. An organization needs to understand what assets are in its network to provide the proper protection and set up appropriate defenses; an asset that is not in the inventory will not be scanned, patched, or monitored. The asset inventory should include information technology, operational technology, physical, software, mobile, and development assets. Organizations can utilize asset management tools to keep track of assets. The assets should carry data classifications to ensure adequate security and access controls.
Application and System Inventory
An organization should create a thorough and complete inventory of data assets for proper asset management and defensive security. Data assets include:
- all data stored on-premises
- all data held with the organization’s cloud provider(s)
- all data stored within various SaaS apps
- all of the apps a company needs to use to conduct their usual operation and business
- all of a company’s on-premises computer networking devices
Organizations frequently add or remove computers, data storage, cloud server capacity, or other data assets. Whenever data assets are added or removed, the change must be recorded promptly in the data asset inventory so that it stays accurate.