Vulnerability assessments are an invaluable way of identifying vulnerabilities in your networks or applications.
Penetration testers use them to review target systems and identify potential attack vectors, weaknesses and entry points, while administrators use them to identify previously unknown or unidentified vulnerabilities that may affect their security infrastructure.
Each vulnerability assessment should result in a list of potential vulnerabilities that indicates the relative risk level for each. That way, the tested organisation can set its priorities for addressing the risks it faces.
Networks can be attacked at any level – from a physical to a hardware level, from communications ports to the whole operating system. In addition, applications can be attacked directly through networks. Application vulnerabilities can overcome all other network defences.
It is estimated that 48-70% of all successful attacks only succeeded because of an internal factor, such as misconfiguration, social engineering or employee malfeasance. A good penetration tester will test for such vulnerabilities and ensure that the organisation is protected from both internal and external threats.
Three levels of evaluation
Testing the effectiveness of security controls often consists of three levels of evaluation:
- Ensure that the control was implemented as designed. There can often be a mismatch between design and implementation, which in turn may lead to an undocumented gap in the security fabric.
- Make sure that the control is working correctly – in other words, that it is performing the function it was designed to perform. For instance, a firewall needs to be tested to ensure that it is, in fact, blocking unwanted traffic while allowing authorised traffic.
- Determine how effective the control is at minimising risk. No organisation should implement controls that are not needed, nor should it ignore serious risks or address them with insufficient controls. However, a control that was implemented correctly (according to the design) and is operating correctly may still be ineffective if it is not mitigating the risk as intended by the designer.
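The three levels can be checked mechanically once the design, the deployed rules and the observed behaviour are written down side by side. The sketch below is an added example, not taken from the book; the port numbers, rule sets, probe results and risk register are all constructed for illustration.

```python
# Constructed sample data for one perimeter firewall (all values are illustrative).
DESIGN = {22: "deny", 443: "allow", 3389: "deny"}    # port -> action in the design document
DEPLOYED = {22: "deny", 443: "allow"}                # rules actually configured on the device
OBSERVED = {22: "open", 443: "open", 3389: "open", 8080: "open"}  # authorised probe results
RISK_REGISTER = {3389: "remote desktop exposure", 8080: "admin console exposure"}


def evaluate_control(design, deployed, observed, risk_register):
    """Return (level, port, reason) tuples, one per failed check."""
    findings = []
    # Level 1: was the control implemented as designed?
    for port, action in design.items():
        actual = deployed.get(port, "missing")
        if actual != action:
            findings.append((1, port, f"design says {action}, deployed rule is {actual}"))
    # Level 2: does each deployed rule do what it is configured to do?
    for port, action in deployed.items():
        expected = "open" if action == "allow" else "closed"
        seen = observed.get(port)
        if seen is not None and seen != expected:
            findings.append((2, port, f"rule is {action} but port was observed {seen}"))
    # Level 3: does the design itself cover the risks it is meant to minimise?
    for port, risk in risk_register.items():
        if design.get(port) != "deny" and observed.get(port) == "open":
            findings.append((3, port, f"{risk}: not denied by design and reachable"))
    return sorted(findings)


if __name__ == "__main__":
    for level, port, reason in evaluate_control(DESIGN, DEPLOYED, OBSERVED, RISK_REGISTER):
        print(f"level {level} port {port}: {reason}")
```

Each finding names the level at which the control failed, so a missing rule (level 1), a rule that does not block (level 2) and a risk the design never covered (level 3) are reported separately.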
Conducting a vulnerability assessment is not just a matter of filling in a checklist or running a tool – it is a voyage of discovery and investigation, and the skill of the penetration tester is paramount.
In many cases, the organisation does not know its vulnerabilities and security requirements. It is the knowledge and expertise of the penetration tester that will reveal them.
References and sources of vulnerabilities
Many sources list known vulnerabilities in equipment, protocols, systems, software and configurations. The penetration tester should be familiar with these sources and examine target systems to ensure that known vulnerabilities are not present. In most cases, known problems will exist on the network, so resolving them is the first step in enhancing the overall security of the system. After all, if the presence of a vulnerability is well known to the security community, then it must be assumed that attackers know to look for those weaknesses too.
Some of the sources available are:
- National Vulnerability Database: http://nvd.nist.gov
- Common Vulnerabilities and Exposures: http://cve.mitre.org
Using vulnerability assessment tools
There are many excellent vulnerability assessment tools, including Nessus®, SAINT®, Retina® and Qualys®, each of which is an important part of the penetration tester’s arsenal. Most tools can conduct a wide range of tests in a relatively short time, and provide a very good series of tests against common vulnerability lists and industry-leading resources.
However, tools are only as good as their users – they can never replace the expertise and creativity of a good penetration tester.
Tools can indicate possible vulnerabilities, but these may be false positives (problems that are indicated, but are not really problems). They might also fail to identify important vulnerabilities (false negatives).
The penetration tester must review and examine the results generated by the tool to determine which issues identified by the tool are serious, which are of medium-level concern, and which may be put aside for future review or ignored altogether.
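The review step can be made repeatable by recording the tester's verdict next to each tool finding and ranking only after duplicates are merged. This is an added example, not from the book: the finding records, identifiers and hosts are constructed, and the 7.0 and 4.0 score thresholds are an assumed mapping onto the "serious", "medium" and "put aside" groups described above.

```python
# Constructed findings as two scanners might report them; identifiers are placeholders.
# "verified": True = confirmed by the tester, False = false positive, None = not yet reviewed.
FINDINGS = [
    {"tool": "scanner_a", "host": "10.0.0.5", "id": "VULN-PLACEHOLDER-1", "cvss": 9.8, "verified": True},
    {"tool": "scanner_b", "host": "10.0.0.5", "id": "VULN-PLACEHOLDER-1", "cvss": 9.8, "verified": None},
    {"tool": "scanner_a", "host": "10.0.0.7", "id": "VULN-PLACEHOLDER-2", "cvss": 5.3, "verified": None},
    {"tool": "scanner_a", "host": "10.0.0.7", "id": "VULN-PLACEHOLDER-3", "cvss": 7.5, "verified": False},
    {"tool": "scanner_b", "host": "10.0.0.9", "id": "VULN-PLACEHOLDER-4", "cvss": 2.1, "verified": True},
]


def triage(findings, serious=7.0, medium=4.0):
    """Merge duplicate tool findings, set aside false positives, rank the rest."""
    merged = {}
    for f in findings:
        key = (f["host"], f["id"])
        m = merged.setdefault(key, {"host": f["host"], "id": f["id"], "cvss": 0.0,
                                    "verified": None, "tools": set()})
        m["cvss"] = max(m["cvss"], f["cvss"])
        m["tools"].add(f["tool"])
        if f["verified"] is not None:      # a tester verdict overrides "not yet reviewed"
            m["verified"] = f["verified"]
    report = {"serious": [], "medium": [], "deferred": [], "false_positive": []}
    for m in sorted(merged.values(), key=lambda m: -m["cvss"]):
        if m["verified"] is False:
            bucket = "false_positive"
        elif m["cvss"] >= serious:
            bucket = "serious"
        elif m["cvss"] >= medium:
            bucket = "medium"
        else:
            bucket = "deferred"
        report[bucket].append(m)
    return report


def needs_review(report):
    """Ranked findings the tester has not yet confirmed or dismissed."""
    return [m["id"] for b in ("serious", "medium", "deferred")
            for m in report[b] if m["verified"] is None]
```

False negatives never appear in tool output, so a host with no findings in the report still needs the tester's own examination.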
Testing any network or system should include a review to see if the organisation has been infected with malware, which can be used to open back doors for an attack, capture passwords or other sensitive information, and damage or destroy system services.
Many forms of malware are spread through email attachments, infected websites or by being hidden in other programs. Once in a system, malware may alter registry settings so that it starts automatically whenever the system is started.
Malware is increasingly designed not to damage systems, but to help attackers gather information about targets, or gain access to targets at any time in the future.
Malware was originally distributed via floppy disk, an idea that is yet to disappear: a lot of malware is now spread via USB sticks or other portable storage media.
In recent years, malware has also been spread via malicious email attachments. An unsuspecting user who opens an email attachment containing a virus is immediately infected.
Another popular method of distributing malware is by infecting a user who visits a malicious website. Several forms of malware will use more than one method of distribution to improve success rates.
Reporting on a vulnerability assessment
The results of a vulnerability assessment and the ranking of the various vulnerabilities can be presented to the organisation as a valuable review of their current security posture, or can be used in the next step of the penetration test: the actual attempt to exploit the identified vulnerabilities. The report should also include a note of any unpatched systems or other administrative weaknesses.
Learn more about penetration testing
This blog abridges the fifth chapter of our June book of the month, Penetration Testing – Protecting networks and systems by Kevin M. Henry.
This guide to penetration testing provides essential information on “the thoughts, motivations and actions of an attacker against an organisation or individual, so that each of us can better defend our systems, our intellectual property and our values”.