Vulnerability Scanning and Analysis
Summary
This component has the auditor discover possible flaws the organization's devices, services, application designs, and networks by testing and comparing them against a variety of online and offline resources (vulnerability databases, vendor advisories, and auditor investigation) to identify known vulnerabilities. Basic vulnerability analysis should be occurring along-side the other activities so that evidence can be gathered from the network, however, deeper research into specific discovered exploits can happen after the on-site audit to fully take advantage of the short time the auditor has on site.
Purpose
It is not uncommon for a cash-strapped human rights NGO to outsource most of its IT infrastructure to a cloud provider, such as Google Apps, or to ad-hoc services (Dropbox, Yahoo! mail, Wordpress, etc.). A better-resourced organization may be more likely to host its critical services at a remote data center, but not have someone designated to update and patch systems as vulnerabilities are released, or to view the services from a security -- as opposed to availability -- standpoint.
The Flow Of Information
Guiding Questions
- What level of proof do you need to identify to convey the importance (or importance) of a vulnerability to the organization?
- What would the organization and IT think is an appropriate amount of the IT staffs time that you can request to get the information you need?
Approaches
- Vulnerability Scanning: Run vulnerability scans against websites, externally facing servers, and key intranet servers.
- Explore Vulnerability Databases: Search vulnerability databases for potential risks to systems and software used on servers, user devices, and online services.
- Examine Service Configuration Files: Examine configuration files for vulnerabilities using "hardening", or "common mistake" guides found online.
Outputs
- Lists of OVAL/CVE identifiers for each possibly vulnerable service/system.
- Examples of live exploits for vulnerabilities where possible.
- A short write up of each vulnerability including how it was identified.
The cleaned up output from any tests used to identify the vulnerability.
- Document Vulnerabilities (per vulnerability)
- Write Up
- Summary - A short (two to three sentence) basic overview of the vulnerability.
- Description - An in-depth (one to three paragraph) overview of the vulnerability.
- Approach - Step-by-step explanation of the methodology used that is tool agnostic.
- Proof - The cleaned up output from tests run to identify the vulnerability.
Operational Security
- Treat the data and analyses of this step with the utmost security.
- Use VPNs or Tor to search if scanning remotely.
- Seek explicit permission for vulnerability scanning - NOTE: The organization might not be in a position to give you meaningful “permission” to carry out an active remote assessment of "cloud services" used within the organization.
- In situations where the auditor is doing this work remotely it is important to only run "safe" tests that have no possibility of causing damage to the network.
Preparation
Baseline Skills
Vulnerability Scanning: : General TCP/IP and networking knowledge; knowledge of ports, protocols, services, and vulnerabilities for a variety of operating systems; ability to use automated vulnerability scanning tools and interpret/analyze the results
Penetration Testing: Extensive TCP/IP, networking, and OS knowledge; advanced knowledge of network and system vulnerabilities and exploits; knowledge of techniques to evade security detection
Resources
Standard: "Vulnerability Analysis - Research Phase" (Penetration Testing Execution Standard)
Framework: "Vulnerability Assessment" (http://www.vulnerabilityassessment.co.uk)
*Resource:* Vulnerability Databases (SAFETAG)
Vulnerability Databases
Standard Vulnerability Analysis - Research Phase (Penetration Testing Execution Standard)
Framework Vulnerability Assessment (http://www.vulnerabilityassessment.co.uk)
Database "CVE Details"
Database "Threat Explorer"
Database "The Exploit Database"
Poster Ultimate Pen Test 2013 (SANS Institute)
Website Vulnerability Scanning
Site: "OWASP ZAP Project Site" (OWASP)
Guide: "The OWASP Testing Project Guide" (OWASP)
User Guide: "OWASP Zap User Guide" (Google Code)
Video Tutorials: "OWASP ZAP Tutorial Videos" (Google Code)
Guide: "7 Ways Vulnerability Scanners May Harm Website(s) and What To Do About It" (White Hat Sec Blog)
Article: "14 Best Open Source Web Application Vulnerability Scanners" (InfoSec Institute)
System Vulnerability Scanning
Project Site: "OpenVAS Project Site" (OpenVAS)
Manual: "OpenVAS Compendium" (OpenVAS)
Guide: "How To Use OpenVAS to Audit the Security of Remote Systems on Ubuntu 12.04" (Digital Ocean)
Guide: "Getting Started with OpenVAS" (Backtrack Linux)
Guide: "Setup and Start OpenVAS" (OpenVAS)
Video Guide: "Setting up OpenVAS on Kali Linux" (YouTube)
ListServ: "OpenVAS Discussion ListServ" (OpenVAS)
Comparison: "Nessus, OpenVAS and Nexpose VS Metasploitable" (HackerTarget)
Activities
undefined
