Security in Obscurity

A thought by Jeff Stein

Best Practices For Conducting A Vulnerability Assessment

February 2019

In a previous thought I covered the differences between a vulnerability assessment and a penetration test.

Both are very common vulnerability management techniques used to better secure an environment. Diving further, I want to cover some of the best practices for conducting a vulnerability assessment and the considerations you should take into account when deciding whether to perform your assessments in house or outsource them.

Steps that should take place in a Vulnerability Assessment

There are three main steps that should always take place during a vulnerability assessment. These steps cover the discovery, enumeration and detection phases of the vulnerability assessment. Following all three of these steps will ensure you are providing a solid foundation for your vulnerability management program.

Information Gathering/Discovery

The purpose of information gathering and discovery is to determine the total number of systems and applications in your environment that will be assessed. The results of this step are key system traits such as available port information, host names, IP addresses and ownership of the targeted systems. The process of information gathering contains nonintrusive and semi-intrusive phases.

The nonintrusive phase should not have any effect or performance impact on the systems being scanned. Consider this a "passive" scan. Results of this information gathering typically consist of looked-up domain names and IP addresses. The semi-intrusive phase does communicate directly with the target to gain further information about the system. Typically the communication consists of port scans as well as ping sweeps. These methods are used to determine what applications are in use on a targeted system [1].

Enumeration

Enumeration is the step in which the target operating system is identified. This process leverages OS fingerprinting to accomplish this [1]. OS fingerprinting typically uses tools such as Nmap to send packets to a system and analyze the returned packets to determine the OS type [2]. In addition to identifying the operating system, the enumeration process also determines what applications reside on the target system.
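The discovery and enumeration steps above produce raw scanner output; the assessment needs it as an inventory of live hosts, open ports, names and OS guesses, with an owner recorded for each. The following is an added example and not code from the original post. It assumes the scan was saved with Nmap's XML output option (-oX); the XML embedded below is a constructed sample in that shape, not a real scan, and the owner map is likewise made up.

```python
"""Turn Nmap XML output into the asset inventory an assessment works from."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample output: one host up with two open services, one host down.
SAMPLE_NMAP_XML = """\
<nmaprun scanner="nmap" args="nmap -sV -O -oX scan.xml 10.0.0.0/30">
  <host>
    <status state="up"/>
    <address addr="10.0.0.1" addrtype="ipv4"/>
    <hostnames><hostname name="web01.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.4"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" product="Apache httpd" version="2.4.6"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="closed"/>
      </port>
    </ports>
    <os><osmatch name="Linux 3.X|4.X" accuracy="95"/></os>
  </host>
  <host>
    <status state="down"/>
    <address addr="10.0.0.2" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


@dataclass
class Service:
    port: int
    protocol: str
    name: str
    product: str
    version: str


@dataclass
class Asset:
    ip: str
    hostname: str
    os_guess: str          # enumeration result: best OS fingerprint match
    os_accuracy: int       # Nmap's confidence in that match, 0-100
    services: List[Service] = field(default_factory=list)


def parse_nmap_xml(xml_text: str) -> List[Asset]:
    """Return one Asset per host reported up, keeping only open ports."""
    root = ET.fromstring(xml_text)
    assets: List[Asset] = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # discovery: hosts that did not answer are not assessed
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        hn = host.find("hostnames/hostname")
        osm = host.find("os/osmatch")
        asset = Asset(
            ip=addr.get("addr", ""),
            hostname=hn.get("name", "") if hn is not None else "",
            os_guess=osm.get("name", "unknown") if osm is not None else "unknown",
            os_accuracy=int(osm.get("accuracy", "0")) if osm is not None else 0,
        )
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            get = (svc.get if svc is not None else (lambda k, d="": d))
            asset.services.append(Service(
                port=int(port.get("portid", "0")),
                protocol=port.get("protocol", "tcp"),
                name=get("name", ""), product=get("product", ""), version=get("version", ""),
            ))
        assets.append(asset)
    return assets


def unowned(assets: List[Asset], owners: Dict[str, str]) -> List[str]:
    """IPs of live hosts with no owner recorded under their IP or hostname."""
    return [a.ip for a in assets if a.ip not in owners and a.hostname not in owners]


if __name__ == "__main__":
    inventory = parse_nmap_xml(SAMPLE_NMAP_XML)
    for a in inventory:
        print(a.ip, a.hostname, a.os_guess, [(s.port, s.product, s.version) for s in a.services])
    print("no owner on file:", unowned(inventory, {"10.0.0.2": "database team"}))  # constructed owner map
```

Hosts reported down are dropped before enumeration, closed ports are not carried into the inventory, and the owner check flags anything discovered that nobody has claimed, which is usually the first finding of a scan worth chasing.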

Detection

The final step of the vulnerability assessment is detection. Detection is performed to determine whether an application or an overall system is potentially exploitable through a vulnerability. Unlike a penetration test, however, detection does not actually validate whether the system can be compromised. Instead a vulnerability assessment will simply report on what vulnerabilities are present in the application or system [1]. This report should then be used during the remediation phase of your vulnerability management program, ideally to patch systems.

If patching is not possible, the report can be used to put additional controls, either technical or administrative, in place to reduce the risk of the vulnerability identified in the report. In some scenarios no direct action will be taken on the report; rather, the risk of not responding to the vulnerability will be accepted by the business or organization. Additionally, the vulnerability assessment report may be used during a penetration testing exercise to validate the concerns about a specific vulnerability or system.
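The two paragraphs above describe four outcomes for a reported finding: patch, add a compensating control, accept the risk, or hand it to a penetration test for validation. The following is an added example, not code from the original post, that turns a detection report into that decision per finding and orders the work. The findings, their ids and scores are constructed, the severity tiers and fix-by windows are assumptions chosen for the example rather than any standard, and the report date is fixed so the output is reproducible.

```python
"""Triage a vulnerability assessment report into remediation decisions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List

REPORT_DATE = date(2019, 2, 1)   # assumed date of the assessment report


@dataclass(frozen=True)
class Finding:
    finding_id: str          # constructed ids, not real advisory numbers
    host: str
    title: str
    score: float             # CVSS-style base score, 0.0 - 10.0
    internet_facing: bool
    patch_available: bool
    compensating_control: str = ""   # known control if no patch, "" if none


@dataclass(frozen=True)
class Decision:
    finding_id: str
    action: str              # "patch", "mitigate", "accept" or "validate"
    priority: int            # 1 = most urgent
    due: date
    rationale: str


# Constructed sample report.
SAMPLE_FINDINGS = [
    Finding("F-001", "web01", "Outdated Apache httpd", 7.5, True, True),
    Finding("F-002", "db01", "Weak TLS cipher suites offered", 5.3, False, False,
            "restrict cipher suites at the load balancer"),
    Finding("F-003", "files01", "SMB signing not required", 3.1, False, False),
    Finding("F-004", "vpn01", "Appliance firmware past end of support", 8.8, True, False),
]

# Assumed fix-by windows in days per priority tier; set these from your own policy.
DUE_DAYS = {1: 7, 2: 30, 3: 90, 4: 180}


def priority(f: Finding) -> int:
    """Severity tier from score; an internet-facing host moves up one tier."""
    if f.score >= 9.0:
        tier = 1
    elif f.score >= 7.0:
        tier = 2
    elif f.score >= 4.0:
        tier = 3
    else:
        tier = 4
    if f.internet_facing and tier > 1:
        tier -= 1
    return tier


def decide(f: Finding, today: date = REPORT_DATE, accept_max_score: float = 4.0) -> Decision:
    """Map one finding to patch / mitigate / accept / validate with a due date."""
    p = priority(f)
    due = today + timedelta(days=DUE_DAYS[p])
    if f.patch_available:
        return Decision(f.finding_id, "patch", p, due, "vendor fix available")
    if f.compensating_control:
        return Decision(f.finding_id, "mitigate", p, due,
                        "no patch; apply control: " + f.compensating_control)
    if f.score < accept_max_score and not f.internet_facing:
        return Decision(f.finding_id, "accept", p, due,
                        "low score, internal only, no fix; needs documented business sign-off")
    # No patch, no known control, and too severe to accept unverified:
    # validate exploitability in the penetration test before deciding.
    return Decision(f.finding_id, "validate", p, due,
                    "no patch or control; confirm via penetration test")


def triage(findings: List[Finding], today: date = REPORT_DATE) -> List[Decision]:
    """Decisions ordered most urgent first: by priority tier, then by score."""
    ordered = sorted(findings, key=lambda f: (priority(f), -f.score))
    return [decide(f, today) for f in ordered]


if __name__ == "__main__":
    for d in triage(SAMPLE_FINDINGS):
        print(f"P{d.priority} {d.finding_id:6} {d.action:9} due {d.due}  {d.rationale}")
```

The accept branch is deliberately narrow (internal host, low score, nothing else available) and still records that sign-off is required; anything above the threshold with no fix goes to validation rather than silent acceptance, matching the report's role in a later penetration test.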

Considerations for conducting an internal vulnerability assessment

To effectively perform an internal vulnerability assessment you will more than likely need in-house resources such as hardware and software. There are a number of proprietary tools that are commonly used, such as Nexpose by Rapid7 and Nessus by Tenable. Additionally, there are open source options you can consider, such as OpenVAS. Whichever of these tools you leverage, you will need to ensure network and firewall configurations allow the scanning tools to work, and in my experience a fair amount of initial tweaking will be involved in making the vulnerability assessment scanning and reporting effective and actionable. False positives and unactionable data can create a huge time sink.

You should also expect that a number of components of a vulnerability assessment will require upkeep. Scanning will more than likely not be a set-it-and-forget-it type of exercise. Upkeep will range from updating any software required for the scans to run to monitoring for updates on new vulnerabilities so they are automatically included in future scans [3].

Considerations for outsourcing a vulnerability assessment

The benefits of outsourcing a vulnerability assessment to a third party are primarily the reduction in infrastructure costs and labor associated with in-house assessments. Additionally, when outsourcing vulnerability assessment activities to a third party, you will be able to take advantage of their depth of experience and skill set in performing assessment activities. With in-house assessment activities there is always a risk that staff may not perform an effective scan, or may misconfigure the scanning parameters on the vulnerability assessment tools, due to inexperience. By leveraging a professional third party you gain access to their skill set and reduce the likelihood of ineffective scans or misconfigurations. If you gravitate to the outsourced route, here are a few areas to consider to ensure you get the most out of your engagement.

Legal considerations

Upon selecting a third-party vendor to perform a vulnerability assessment, the first step in initiating the process is to address legal considerations and a contract with the company for the services provided. Ensure that you provide written approval to the third party to perform a vulnerability assessment on your network. Written approval will ensure that the vendor is not committing a criminal offense by scanning your network [4]. If you are running workloads in the cloud this can further complicate the engagement, and you should also work with your cloud vendor to ensure proper approvals are received in addition to your internal written approval. Additionally, consider looking for an outsourced company that has indemnity insurance. The purpose of the insurance is to cover the third party in case anything unexpected happens during the assessment. This will ensure that the third party can be held financially responsible for any damage inflicted upon your systems or data as a result of the assessment [4].

A nondisclosure agreement should also be signed by the vulnerability assessment vendor to ensure that disclosure of the assessment findings to unapproved entities is prohibited. In particular this should cover any sensitive, restricted or proprietary information you may have [5]. Additionally, your legal department should address any privacy violations that could result from the assessment accessing your employees' systems.

Scheduling an engagement

Like most outsourced or vendor engagements, the vulnerability assessment vendor will need to know the rules of engagement. In the case of an assessment, this should include the specific times in which the vulnerability assessment can be run, both times of day and days of the week. More than likely the engagement schedule will need to be coordinated to ensure that systems are powered up and discoverable on the network. Peak times, as well as planned maintenance windows related to code releases, should be avoided for the scans to minimize end user impact.

The third party will need a number of pieces of information in order to effectively implement the vulnerability scans. The subnets housing the systems to be included in the assessment should be provided. Additional information will more than likely be needed, such as credentials for the vendor to use to run more intrusive scans so that items such as patch levels can be better identified [1].

Most importantly, ensure that the vendor provides adequate reporting on the vulnerabilities identified during the assessment. In effect, this report is what you are paying for in your engagement. The reporting will be very important in performing in-house remediation of the vulnerabilities identified by the vendor. You should make sure that you fully understand the findings provided by the vendor. If anything is unclear it should be clarified by the vendor when all parties involved review the report [4].

---

In summary, properly performed vulnerability assessments will help establish a solid core for a vulnerability management program. To be completed properly, the exercise should include distinct steps for discovery, enumeration and detection. The tasks related to vulnerability assessments can be done in-house or contracted out to a third party, and the choice will more than likely depend upon the internal resources and expertise you have at your disposal.


Note: Parts of this thought were previously used in content I submitted while in Grad School during my Vulnerability Assessment course.


Resources Consulted

[1] Snedaker, Susan, et al. (2007). The Best Damn IT Security Management Book Period.

[2] What You Must Know About OS Fingerprinting. (2014, June 19).

[3] Korzeniowski, Paul. (2004, May 10). Pros and cons of outsourcing vulnerability assessments.

[4] Schifreen, Robert. (2006). Defeating the Hacker: A Non-Technical Guide to Computer Security. West Sussex, England: Wiley.

[5] Scarfone, Karen, Souppaya, Murugiah, Cody, Amanda and Orebaugh, Angela. (2008, September). Technical Guide to Information Security Testing and Assessment. NIST Special Publication 800-115.

