Vulnerability assessment (VA) is the intersection between penetration testing and audit. It is used to evaluate whether an IT system is exposed to known vulnerabilities, assign severity levels to identified vulnerabilities, and recommend remmediations or mitigation steps where necessary. Vulnerability assessment is an extension of threat modeling.
Vulnerability scanning is the process of identifying services, configurations, and conditions that a threat actor could leverage to achieve their objectives. As cyber defenders key concern when an adversary targets our organization should be, what assets are they after?, and what vulnerability would most likely lead to a successful compromise?
Penetration testing is running a simulated/controlled against an organizational infrastructure to identify and exploit vulnerabilities.
VA ties to CIS V8 controls in various areas such as:
1
2
3
4
1. Inventory of authorized and unauthorized devices
2. Inventory of authorized and unauthorized softwares
4. Secure configuration for hardware and software
7. Continuous vulnerability assessment and remediation
Threat modeling is a representation of an idea, object or a system. It helps prioritize security efforts, avoid intelligence fatigue by focusing efforts, and identifies knowledge gaps to generate intel requirements. The models are not static.
While creating a model, we need to describe the business and functional requirements.
Risk Management
Every organization needs to understand risks and have a risk management program. Risk is the possibility of a loss while risk management is the process of managing risks associated with the use of information technology.
1
2
3
1. Audit helps in risk management by running tests against set standards
2. VA discovers flows before an attacker laverages it
3. Penetration testing actively exploits the vulnerability
Organizations need to have a risk registry with CVSS (more than just a score) ratings in order to plan the next actions and what to expect from adversaries targeting their infrastructure.
Several key security controls can be implemented to help reduce the impact of risks. These includes using secure email (pgp), data encryption and secure passwords on devices e.t.c.
Conducting Vulnerability Assessment and Penetration Testing (VAPT)
Conducting VAPT is guided by various standards as defined below:
1
2
3
1. NIST 800-115 which is a guide to the basic technical aspects of conducting information security assessments
2. OWASP (WSTG) which is a comprehensive guide to testing the security of web application and web services
3. Penetration testing execution standards (PTES) provides a technical guideline that helps define certain procedures to follow during a pentest.
VAPT Methodology
In order to perform a successful VAPT, we need to follow certain steps/methodologies. PTES provides a 7 step process in conducting VAPT as described below:
1
2
3
4
5
6
7
1. Engagement Planning - This is the first and important step as parties involved get to discuss the rules of engagement (ROE), risk acceptance, resourcing, permissions and legal implications, and defined scope.
2. Intelligence and threat modeling - Here, we determine what information is available to threat actors and perform threat modeling which helps us identify threats and prioritize defenses.
3. Discovery - In order to find the vulnerabilities, we need to identify the systems and the services first.
4. Scanning - to identify known or unknown vulnerabilities in the discovered technologies.
5. Validation - by assigning confidence value and validating potential vulnerabilities.
6. Remediation - by mitigating/patching of the issues identified as being priority.
7. Reporting - through performing analysis, writing findings, and reports.