Process
- Passively tests security controls: it does not exploit a vulnerability.
- Identifies vulnerabilities: system flaws, unpatched code.
- Identifies a lack of security controls.
- Identifies common misconfigurations by reviewing policies, rule sets and system settings.
Types
Intrusive vs. non-intrusive: compare passive vs. active reconnaissance.
Intrusive: directly engaging with the target system to identify weaknesses that could be used to launch an attack; may crash or disrupt fragile services.
Non-intrusive: gaining vulnerability information about targeted computers and networks without actively engaging with the systems (example: Qualys SSL Labs, which inspects a public TLS endpoint's configuration from outside without attempting to exploit anything).
Credentialed vs. non-credentialed: whether authentication credentials (user IDs and passwords) are used in scanning. A credentialed scan logs in to the host, so it can read installed packages, patch levels and local settings directly; it carries less risk of disrupting the target, produces fewer false positives and more findings, but it does not reflect what an unauthenticated attacker would see.
Note: a false positive occurs when the tool reports a vulnerability where none exists; a false negative is a real vulnerability the tool misses. Confirm findings manually before acting on them.
Definitions
Vulnerability: a flaw in a system that can leave it open to attack. A vulnerability may also refer to any type of weakness in a computer system itself, in a set of procedures, or in anything that leaves information security exposed to a threat.
Vulnerability Scanning: An inspection of the potential points of exploit on a computer or network to identify security holes. A vulnerability scan detects and classifies system weaknesses in computers, networks, applications and communications equipment and predicts the effectiveness of countermeasures.
Goal of VA (vulnerability assessment): identify
- System, network, or application weaknesses
- Unpatched or not-updated systems or applications
- Common misconfigurations
- A lack of security controls
Vulnerability Types
- Race conditions
- Vulnerabilities due to:
  - End-of-life systems
  - Embedded systems
  - Lack of vendor support
- Improper input handling
- Improper error handling
- Misconfiguration/weak configuration
- Default configuration
- Resource exhaustion
- Vulnerable business processes
- Weak cipher suites and implementations
- Memory/buffer vulnerability
  - Memory leak
  - Integer overflow
  - Buffer overflow
  - Pointer dereference
  - DLL injection
- System sprawl/undocumented assets
- Architecture/design weaknesses
- New threats/zero day
- Improper certificate and key management
- Untrained users
- Improperly configured accounts
Race condition (race hazard): the behaviour of an electronic, software or other system whose output depends on the sequence or timing of events outside its control, i.e. events do not happen in the order the programmer intended. The security-relevant form is time-of-check to time-of-use (TOCTOU): a resource is checked and then used in two separate steps, and an attacker changes it in between.
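The TOCTOU form of a race condition, as an added example that is not part of the original notes: the program checks a path and then opens it by name, and an attacker who controls the directory swaps a symlink into the window. The hardened version opens first with O_NOFOLLOW and validates the descriptor it actually holds. The "between" hook stands in for scheduler timing so the race is deterministic; the file names and the POSIX-only assumption are mine.

```python
"""TOCTOU race: check-then-open by name versus open-then-check the descriptor.
Added example (not from the original notes); POSIX only (O_NOFOLLOW)."""
import os
import shutil
import stat
import tempfile


def write_report_vulnerable(path, data, between=lambda: None):
    """Check first, then open by name. The two steps are not atomic."""
    if os.path.islink(path) or not os.path.isfile(path):   # time of check
        raise PermissionError("refusing: not a regular file")
    between()            # the race window; in real code this is just scheduler timing
    with open(path, "w") as f:                              # time of use (follows symlinks)
        f.write(data)


def write_report_hardened(path, data, between=lambda: None):
    """Open without following symlinks, then validate the descriptor we hold.
    Whatever happens to the name afterwards cannot change what fd refers to."""
    between()
    fd = os.open(path, os.O_WRONLY | os.O_TRUNC | os.O_NOFOLLOW)  # ELOOP if path is a symlink
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):   # check the open file, not the name
            raise PermissionError("refusing: not a regular file")
        os.write(fd, data.encode())
    finally:
        os.close(fd)


def run_demo():
    """Constructed scenario: 'report.txt' is the file the program intends to write;
    'secret.txt' is a file the attacker wants overwritten. Returns what happened."""
    workdir = tempfile.mkdtemp()
    report = os.path.join(workdir, "report.txt")
    secret = os.path.join(workdir, "secret.txt")

    def attacker_swaps_file():
        # Runs inside the race window: replace the regular file with a symlink.
        os.unlink(report)
        os.symlink(secret, report)

    def reset():
        for p in (report, secret):
            if os.path.lexists(p):
                os.unlink(p)
        with open(secret, "w") as f:
            f.write("original secret")
        with open(report, "w") as f:
            f.write("")

    results = {}
    reset()
    write_report_vulnerable(report, "attacker data", between=attacker_swaps_file)
    with open(secret) as f:
        results["vulnerable_secret"] = f.read()   # the secret file was overwritten

    reset()
    try:
        write_report_hardened(report, "attacker data", between=attacker_swaps_file)
        results["hardened_raised"] = False
    except OSError:          # ELOOP: open refused to follow the planted symlink
        results["hardened_raised"] = True
    with open(secret) as f:
        results["hardened_secret"] = f.read()     # untouched

    shutil.rmtree(workdir)
    return results


if __name__ == "__main__":
    print(run_demo())
```

The point is not the symlink check itself but where it happens: any check made on a name can be invalidated before the name is used, so the check has to be made on the object you already hold (fd, handle, locked row).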
Improper input handling: when a system does not validate input properly, an attacker can craft input in a form the rest of the application does not expect. Parts of the system then receive unintended input, which may result in altered control flow, arbitrary control of a resource, or arbitrary code execution. Mitigation: validate input against an allow-list at the trust boundary, not just the obvious bad cases.
Improper error handling: when a system generates an error message that includes sensitive information about its environment, users or associated data (stack traces, file system paths, SQL text, version strings). The detail belongs in the server-side log, not in the response.
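Both definitions above (improper input handling and improper error handling) in one file-download handler, as an added example that is not part of the original notes: the vulnerable version trusts the user-supplied path, so "../" climbs out of the served directory, and it echoes the OS error text back to the client; the hardened version resolves the real path, requires it to stay inside the base directory, and returns a generic message while logging the detail. Directory layout, function names and the 404/500 responses are my own construction.

```python
"""Path traversal plus information leak in error messages, beside the fix.
Added example, not from the original notes."""
import logging
import os
import shutil
import tempfile

log = logging.getLogger("download")


def download_vulnerable(base_dir, user_path):
    """Trusts user_path: '../' climbs out of base_dir, and an absolute path
    replaces base_dir entirely (os.path.join discards earlier components).
    The error reply echoes the OS message, revealing the server's layout."""
    full = os.path.join(base_dir, user_path)
    try:
        with open(full) as f:
            return 200, f.read()
    except OSError as exc:
        return 500, "Error: %s" % exc


def download_hardened(base_dir, user_path):
    """Resolve the real path (symlinks included) and require it to stay
    inside base_dir; reply generically and keep the detail in the log."""
    base = os.path.realpath(base_dir)
    full = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, full]) != base:
        log.warning("path traversal attempt rejected: %r", user_path)
        return 404, "Not found"
    try:
        with open(full) as f:
            return 200, f.read()
    except OSError:
        log.exception("failed to read %s", full)   # detail stays server-side
        return 404, "Not found"


def run_demo():
    """Constructed layout: <tmp>/www/public.txt is served; <tmp>/secret.txt is not.
    Returns {case: (vulnerable reply, hardened reply)}."""
    root = tempfile.mkdtemp()
    www = os.path.join(root, "www")
    os.mkdir(www)
    with open(os.path.join(www, "public.txt"), "w") as f:
        f.write("hello")
    with open(os.path.join(root, "secret.txt"), "w") as f:
        f.write("TOP SECRET")
    cases = {
        "normal": "public.txt",
        "traversal": "../secret.txt",
        "absolute": os.path.join(root, "secret.txt"),
        "missing": "nope.txt",
    }
    results = {}
    for name, p in cases.items():
        results[name] = (download_vulnerable(www, p), download_hardened(www, p))
    shutil.rmtree(root)
    return results


if __name__ == "__main__":
    for name, (vuln, hard) in run_demo().items():
        print(name, vuln, hard)
```

The prefix check is done on the canonical path after realpath, so a symlink planted inside the served directory that points outside is caught as well; a plain string comparison on the unresolved path would not catch it.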
Misconfiguration/weak configuration: using insecure configuration or control settings. Examples: browsers, system policies (Windows GPOs), Wi-Fi.
Default configuration: systems, devices or software are often distributed with insecure default settings (default passwords, open management interfaces, sample content left enabled).
Weak cipher suites: use of older or less robust cryptographic algorithms or protocol versions for encrypting data. Examples: DES, RC4, MD5-based MACs, WEP, SSL 3.0/TLS 1.0.
Improper certificate and key management: allowing unauthorized access to private keys or certificates, which lets sensitive data be decrypted or a service impersonated; also allowing certificates to expire, or failing to revoke and replace compromised ones.
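An audit of cipher suite names of the kind a scanner such as SSL Labs reports, plus a hardened client ssl.SSLContext, as an added example that is not part of the original notes. The weak-suite patterns, the rejection of suites without forward secrecy, and the SCANNED list are my own constructions; the cipher string and TLS 1.2 floor are choices I make here, not a recommendation from the page.

```python
"""Flag weak TLS cipher suites by name and build a hardened client context.
Added example, not from the original notes."""
import re
import ssl

# Constructed patterns (my selection, not exhaustive): legacy ciphers,
# no encryption/authentication, export-grade key sizes, MD5 MACs.
WEAK_SUITE_PATTERNS = [
    (r"DES", "DES/3DES (56/112-bit, Sweet32)"),
    (r"RC4", "RC4 stream cipher"),
    (r"NULL", "no encryption or no authentication"),
    (r"EXP", "export-grade key size"),
    (r"MD5", "MD5-based MAC"),
]


def weakness(name):
    """Return why a suite is weak, or None if it passes."""
    for pattern, why in WEAK_SUITE_PATTERNS:
        if re.search(pattern, name):
            return why
    # TLS 1.3 names start with 'TLS_' and always use (EC)DHE; for older
    # names, anything without DHE/ECDHE is static RSA key exchange.
    if not name.startswith("TLS_") and "DHE" not in name:
        return "no forward secrecy (static RSA key exchange)"
    return None


def audit(names):
    """Map each weak suite name to its reason; strong suites are omitted."""
    return {n: weakness(n) for n in names if weakness(n) is not None}


def hardened_client_context():
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2      # refuse SSLv3/TLS 1.0/1.1
    # Forward-secret key exchange with AEAD ciphers only; drop anonymous,
    # MD5 and DSS suites explicitly. (TLS 1.3 suites are governed separately.)
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!DSS")
    return ctx


def audit_context(ctx):
    """Summarise what a context will actually offer, run through the same audit."""
    names = [c["name"] for c in ctx.get_ciphers()]
    return {"minimum_version": ctx.minimum_version.name, "weak": audit(names)}


# Constructed list resembling a scanner's report for a legacy server.
SCANNED = [
    "TLS_AES_256_GCM_SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES256-SHA",
    "DES-CBC3-SHA",
    "RC4-MD5",
    "NULL-SHA",
    "EXP-RC4-MD5",
]

if __name__ == "__main__":
    for suite, why in audit(SCANNED).items():
        print("%-30s %s" % (suite, why))
    print(audit_context(hardened_client_context()))
```

Name matching is a first pass only: a suite with a strong name can still be weak through the implementation (padding-oracle CBC handling, a broken RNG, small DH parameters), which is what "and implementations" in the list above refers to.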
Improperly configured accounts: accounts with greater privileges than needed to perform a function. Addressed by least privilege.
Resource exhaustion: a simple denial-of-service condition that occurs when the resources required to execute an action (CPU, memory, disk, file handles, connections) are entirely expended, preventing that action from occurring.
Vulnerable business processes (aka business process compromise): silently altering parts of specific business processes, or the machines facilitating them, in order to gain access to systems or generate monetary
System sprawl/undocumented assets: allowing unchecked systems or devices on an internal network; lack of an internal inventory system.
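Memory exhaustion through an unbounded request-header reader, beside a bounded one, as an added example that is not part of the original notes. The vulnerable reader buffers whatever the client sends until a blank line, so a client that trickles a never-ending header line pins memory for the lifetime of the connection; the bounded reader caps line length and header count so the worst case is known in advance. The limits, the exception name and the constructed request bytes are my own choices.

```python
"""Unbounded versus bounded header parsing. Added example, not from the original notes."""
import io

MAX_LINE = 8 * 1024      # bytes per header line (assumed limit)
MAX_HEADERS = 100        # header lines per request (assumed limit)


class RequestTooLarge(Exception):
    pass


def read_headers_vulnerable(stream):
    """Read until a blank line with no limit on line length or header count.
    Memory grows with whatever the peer chooses to send."""
    headers = []
    while True:
        line = stream.readline()               # no size cap
        if line in (b"", b"\r\n", b"\n"):
            return headers
        headers.append(line.rstrip(b"\r\n"))


def read_headers_hardened(stream):
    """Same protocol, but never buffers more than MAX_LINE+1 bytes per line
    and refuses requests with more than MAX_HEADERS lines."""
    headers = []
    while True:
        line = stream.readline(MAX_LINE + 1)   # readline(size) stops at size bytes
        if len(line) > MAX_LINE:
            raise RequestTooLarge("header line exceeds %d bytes" % MAX_LINE)
        if line in (b"", b"\r\n", b"\n"):
            return headers
        headers.append(line.rstrip(b"\r\n"))
        if len(headers) > MAX_HEADERS:
            raise RequestTooLarge("more than %d header lines" % MAX_HEADERS)


def run_demo():
    """Constructed requests: a normal one, one with a 1 MiB header line, and
    one with 1000 header lines. Returns what each reader did with them."""
    normal = b"Host: example.test\r\nX-Id: 1\r\n\r\n"
    huge_line = b"X-Pad: " + b"A" * (1024 * 1024) + b"\r\n\r\n"
    many_headers = b"".join(b"H%d: v\r\n" % i for i in range(1000)) + b"\r\n"

    def run(reader, raw):
        try:
            headers = reader(io.BytesIO(raw))
            return ("ok", len(headers), sum(len(h) for h in headers))
        except RequestTooLarge as exc:
            return ("rejected", str(exc))

    results = {}
    for name, raw in (("normal", normal), ("huge_line", huge_line),
                      ("many_headers", many_headers)):
        results[name] = (run(read_headers_vulnerable, raw),
                         run(read_headers_hardened, raw))
    return results


if __name__ == "__main__":
    for name, (vuln, hard) in run_demo().items():
        print(name, "vulnerable:", vuln, "hardened:", hard)
```

Bounding the parser handles only the memory dimension; the same request should also be subject to a read timeout and a cap on concurrent connections, otherwise a slow client exhausts sockets or worker threads instead.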
Architecture/design weaknesses: An insecurely designed network or system architecture. Example: not segmenting systems on an internal network.