Vulnerability assessment is the systematic evaluation of an organization's exposure to threats. It involves identifying assets, evaluating threats against those assets, determining vulnerabilities, assessing risks, and selecting appropriate controls. Various techniques can be used including asset identification, threat modeling, vulnerability scanning, penetration testing, and risk assessment. The goal is to establish a security baseline and mitigate risks through hardening systems and ongoing monitoring.
2. What Is Vulnerability Assessment?
The first step in any security protection plan is an assessment of vulnerabilities
Vulnerability assessment - Systematic and methodical evaluation of the exposure of assets to attackers, forces of nature, and any other entity that could cause potential harm
A variety of techniques and tools can be used to evaluate the levels of vulnerability
3. Elements of Vulnerability Assessment
Asset Identification - Process of inventorying items with economic value
Identify what needs to be protected
Once the assets have been inventoried, it is important to determine each item's relative value
Threat Evaluation - List potential threats from threat agent
What pressures are against those assets
Threat agents are not limited to attackers
Threat Modeling - Goal of understanding attackers and their methods
Vulnerability Appraisal - Determine current weaknesses as snapshot of current organization security
How susceptible current protection is
Every asset should be viewed in light of each threat
Risk Assessment - Determine the damage that would result from an attack and assess the likelihood that the vulnerability is a risk to the organization
What damages could result from the threats
Not all vulnerabilities pose the same risk
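The following is an added worked example, not part of the original slides: a small risk register that carries the elements above through in code, so that the same weakness on two assets of different value ends up with two different risk scores. The asset values, threat likelihoods and severities are constructed sample data, and the scoring formula (value x severity x likelihood) is an illustrative choice, not a standard.

```python
"""Added example (not from the original slides): a risk register that runs the
assessment elements end to end on constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: int              # relative value, 1 (low) .. 5 (critical)


@dataclass(frozen=True)
class Threat:
    agent: str              # threat agents are not limited to attackers
    likelihood: float       # 0..1: chance the agent acts within the review period


@dataclass(frozen=True)
class Vulnerability:
    asset: str
    weakness: str
    exposed_to: frozenset   # threat agents that could exploit this weakness
    severity: float         # 0..1: share of the asset's value lost if exploited


# 1. Asset identification: inventory plus relative value (constructed data)
ASSETS = [Asset("customer-db", 5), Asset("web-frontend", 3), Asset("kiosk-pc", 1)]

# 2. Threat evaluation: agents and the pressure each puts on the assets
THREATS = [Threat("external attacker", 0.6), Threat("insider", 0.2), Threat("flood", 0.05)]

# 3. Vulnerability appraisal: a snapshot of current weaknesses
VULNS = [
    Vulnerability("customer-db", "unpatched OS", frozenset({"external attacker", "insider"}), 0.8),
    Vulnerability("kiosk-pc", "unpatched OS", frozenset({"external attacker"}), 0.8),
    Vulnerability("web-frontend", "default admin credentials", frozenset({"external attacker"}), 0.9),
    Vulnerability("customer-db", "server room below flood line", frozenset({"flood"}), 1.0),
]


def risk_score(asset, threat, vuln):
    """Illustrative expected loss: asset value x severity x likelihood, rounded."""
    return round(asset.value * vuln.severity * threat.likelihood, 2)


def build_register(assets, threats, vulns):
    """4. Risk assessment: view every asset in light of each threat that can reach
    one of its weaknesses, score each pairing, and rank highest risk first."""
    by_name = {a.name: a for a in assets}
    register = []
    for vuln in vulns:
        asset = by_name[vuln.asset]
        for threat in threats:
            if threat.agent not in vuln.exposed_to:
                continue
            register.append({
                "asset": asset.name,
                "threat": threat.agent,
                "weakness": vuln.weakness,
                "risk": risk_score(asset, threat, vuln),
            })
    register.sort(key=lambda r: r["risk"], reverse=True)
    return register


def recommend(register, mitigate_at=1.0):
    """5. Control selection: spend effort by risk, not per weakness."""
    return [dict(r, action="mitigate now" if r["risk"] >= mitigate_at else "monitor / accept")
            for r in register]


if __name__ == "__main__":
    for row in recommend(build_register(ASSETS, THREATS, VULNS)):
        print(f"{row['risk']:5.2f}  {row['asset']:13} {row['weakness']:30} {row['threat']:18} {row['action']}")
```

Running it ranks the unpatched customer database (2.40) far above the identically unpatched kiosk (0.48): the weakness is the same, the risk is not.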
6. Assessment Techniques
Baseline Reporting - Comparison of the present state of a system to its baseline
Baseline - Imaginary line by which an element is measured or compared; can be seen as a standard
IT baseline is checklist against which systems can be evaluated and audited for security posture
Outlines major security considerations for system and becomes the starting point for solid security
Deviations include not only technical issues but also management and operational issues
Programming Vulnerabilities - Weaknesses introduced into software as it is written
Important that software vulnerabilities be minimized while the software is being developed rather than after it is released
Improving software to minimize vulnerabilities is difficult because of:
Size and complexity
Lack of formal specifications
Ever-changing attacks
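The following is an added example of baseline reporting as described above, not code from the original slides: a baseline checklist is compared against the present state of a system and every deviation is reported, including the management and operational items the slide mentions alongside the technical ones. The baseline values, the sshd_config snapshot and the process observations are constructed sample data.

```python
"""Added example (not from the original slides): compare a system's present
state with a baseline checklist and report deviations."""
import re

# Baseline checklist, split into the three kinds of item the slide lists.
BASELINE = {
    # technical: sshd_config keyword -> required value (compared case-insensitively)
    "technical": {
        "permitrootlogin": "no",
        "passwordauthentication": "no",
        "x11forwarding": "no",
        "maxauthtries": "3",
    },
    # operational / management: metric -> maximum acceptable value in days
    "operational": {"days_since_last_restore_test": 30},
    "management": {"days_since_policy_review": 365},
}

# Constructed snapshot of /etc/ssh/sshd_config from the system under review.
SSHD_CONFIG_SNAPSHOT = """\
# Managed by hand; last edited by admin
Port 22
PermitRootLogin yes
PasswordAuthentication no
X11Forwarding no
# a later "fix" that sshd ignores, because the first value wins:
PermitRootLogin no
"""

# Constructed non-technical observations gathered during the review.
PROCESS_SNAPSHOT = {
    "days_since_last_restore_test": 45,
    "days_since_policy_review": 200,
}


def parse_sshd_config(text):
    """Parse sshd_config into {keyword: value} with lower-cased keywords.
    Only whole-line '#' comments exist in this format, keyword and value may be
    separated by whitespace or a single '=', and sshd keeps the FIRST value it
    sees for a keyword, so later duplicates are ignored. Match blocks are not
    modelled here."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def report_deviations(baseline, sshd_settings, process_values):
    """Return one record per deviation from the baseline."""
    devs = []
    for key, expected in baseline["technical"].items():
        actual = sshd_settings.get(key)
        if actual is None:
            devs.append({"category": "technical", "item": key, "expected": expected,
                         "actual": "not set (sshd default applies)"})
        elif actual.lower() != expected.lower():
            devs.append({"category": "technical", "item": key, "expected": expected,
                         "actual": actual})
    for category in ("operational", "management"):
        for metric, limit in baseline[category].items():
            actual = process_values.get(metric)
            if actual is None or actual > limit:
                devs.append({"category": category, "item": metric,
                             "expected": f"<= {limit} days",
                             "actual": "unknown" if actual is None else f"{actual} days"})
    return devs


def assess(baseline=BASELINE, config_text=SSHD_CONFIG_SNAPSHOT, process_values=PROCESS_SNAPSHOT):
    return report_deviations(baseline, parse_sshd_config(config_text), process_values)


if __name__ == "__main__":
    for d in assess():
        print(f"[{d['category']}] {d['item']}: expected {d['expected']}, found {d['actual']}")
```

Against the constructed snapshot the report lists three deviations: root login is still permitted (the second PermitRootLogin line never takes effect), MaxAuthTries is unset so the daemon default applies, and the last restore test is older than the operational baseline allows.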
7. Assessment Tools
Port scanners - Software used to find which ports on a system are open and what services are listening on them
Banner grabbing tools - Software used to intentionally gather the message (banner) that a service transmits when another program connects to it
Protocol analyzers - Hardware or software that captures packets in order to decode and analyze their contents
Vulnerability scanners - Automated software that searches a system for known security weaknesses
Honeypots and honeynets - Goal is to trick attackers into revealing their techniques
These tools can likewise be used by attackers to uncover vulnerabilities to exploit
10. Vulnerability Scanning vs. Penetration Testing
Vulnerability Scanning
Intrusive vulnerability scan - Attempts to actually penetrate the system in order to perform a simulated attack
Non-intrusive vulnerability scan - Uses only available information to hypothesize the status of the vulnerability
Credentialed vulnerability scan - Scanner is given the username and password of an active account to store and use
Non-credentialed vulnerability scan - Scanner that does not use credentials
Penetration Testing
Penetration testing - Designed to exploit system weaknesses
Relies on the tester's skill, knowledge, and cunning
Usually conducted by an independent contractor
Tests are usually conducted outside the security perimeter and may even disrupt network operations
End result is a penetration test report
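The following is an added example, not code from the original slides, tying together the banner grabbing tool from the assessment tools slide and the non-intrusive scan defined above: a minimal TCP connect port scanner that records whatever greeting an open service volunteers, then forms a hypothesis about the software from that banner alone, without attempting any exploit. To run offline it starts its own listener on 127.0.0.1 that sends a constructed SSH-style banner; that listener and the banner are sample data, not a real service.

```python
"""Added example (not from the original slides): TCP connect scan plus banner
grab against a constructed in-process listener on 127.0.0.1."""
import re
import socket
import threading

# Constructed banner, shaped like the greeting an SSH daemon sends on connect.
FAKE_BANNER = b"SSH-2.0-OpenSSH_7.4\r\n"


def start_banner_listener(banner=FAKE_BANNER):
    """Start a loopback TCP service that sends `banner` to every client.
    Returns (port, stop_callable)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))        # port 0: the OS picks a free port
    srv.listen(5)
    srv.settimeout(0.2)               # lets the accept loop notice a stop request
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _addr = srv.accept()
            except socket.timeout:
                continue
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], stop.set


def find_closed_port():
    """Bind an ephemeral port and release it: almost certainly closed right
    afterwards, so the scanner has a known-closed target to compare with."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def scan_port(host, port, timeout=0.5):
    """Connect scan of one port. If it is open, read whatever the service sends
    unprompted (banner grab). Nothing is sent to the service."""
    result = {"port": port, "state": "closed", "banner": ""}
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            result["state"] = "open"
            try:
                data = s.recv(256)
                result["banner"] = data.decode("ascii", "replace").strip()
            except (socket.timeout, OSError):
                pass                  # open, but the service waits for the client to speak
    except (ConnectionRefusedError, socket.timeout, OSError):
        pass                          # closed or filtered
    return result


# SSH identification string: "SSH-<protoversion>-<softwareversion> [comment]"
BANNER_RE = re.compile(r"^SSH-(?P<proto>[\d.]+)-(?P<software>\S+)")


def hypothesize_from_banner(banner):
    """Non-intrusive step: infer protocol and software from the banner alone.
    This is a hypothesis, not proof; banners can be edited or spoofed, and a
    credentialed or intrusive check would be needed to confirm it."""
    m = BANNER_RE.match(banner)
    if not m:
        return None
    return {"protocol": "SSH-" + m.group("proto"), "software": m.group("software")}


def scan(host, ports):
    return [scan_port(host, p) for p in ports]


if __name__ == "__main__":
    port, stop = start_banner_listener()
    try:
        for r in scan("127.0.0.1", [port, find_closed_port()]):
            print(r["port"], r["state"], repr(r["banner"]), hypothesize_from_banner(r["banner"]))
    finally:
        stop()
```

The scanner never sends data to the target, so everything it learns is what the service chose to announce; treating that banner as a version claim to be verified, rather than as a confirmed finding, is exactly the difference between hypothesizing a vulnerability and demonstrating it.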
12. Third-Party Integration
An increasing number of organizations use third-party vendors to create partnerships
Third-party integration - The risk of combining systems and data with outside entities continues to grow
Question: How will entities combine their services without compromising their existing security defenses?
Question: What happens if the privacy policy of one of the partners is less restrictive than that of the other partner?
Data considerations - Who owns the data generated through the partnership, and how is that data protected?
Interoperability agreements
Service Level Agreement (SLA) - Service contract between a vendor and a client
Blanket Purchase Agreement (BPA) - Prearranged purchase or sale agreement between a government agency and a business
Memorandum of Understanding (MOU) - Describes an agreement between two or more parties
Interconnection Security Agreement (ISA) - Agreement intended to minimize security risks for data transmitted across a network
13. Mitigating and Deterring Attacks
Create a security posture, which includes:
Initial baseline configuration
Continuous security monitoring
Remediation
Select appropriate controls
Configuring Controls
Key to mitigating and deterring attacks is proper configuration and testing of the controls
Hardening - Eliminate as many security risks as possible
Reporting - Providing information regarding events that occur
14. Checkpoint
Vulnerability assessment
Methodical evaluation of the exposure of assets to risk
Five steps in an assessment
Risk describes the likelihood that a threat agent will exploit a vulnerability
Several techniques can be used in a vulnerability assessment
Port scanners, protocol analyzers, and honeypots are used as assessment tools
A vulnerability scan searches a system for known security weaknesses and reports the findings
Penetration testing is designed to exploit any discovered system weaknesses
Tester may have various levels of system knowledge
Standard techniques are used to mitigate and deter attacks:
Healthy security posture
Proper configuration of controls
Hardening and reporting