Chapter 07: Analyzing Vulnerability Scans Flashcards
CVSS
Common Vulnerability Scoring System
Industry standard for assessing the severity of security vulnerabilities
It provdes a technique for scoring each vulnerability on a variety of measures, and analysts use CVSS to prioritize response actions
There are eight measures, with the first four evaluating the exploitability of the vulnerability:
* Attack Vector
* Attack Complexity
* Privileges Required
* User Interaction
The next three evaluate the impact of the vulnerability:
* Confidentiality
* Integrity
* Availability
The last discuses the scope of the vulnerability:
* Scope
AV Metric
Attack Vector Metric
Describes how an attacker would exploit the vulnerability based on the following:
* Physical (P): The attacker must physically touch the vulnerable device—0.20
* Local (L): The attacker must have phyiscal or logical access to the affected system—0.55
* Adjacent Network (A): The attacker must have access to the local network that the affected system is connected to—0.62
* Network (N): The attacker can exploit the vulnerability remotely over a network—0.85
AC Metric
Attack Complexity Metric
Describes the difficulty of exploiting the vulnerabilty based on the following:
* High (H): Exploiting the vulnerability requires specialized conditions that would be difficult to find—0.44
* Low (L): Exploiting the vulnerability doesn’t require any specialized conditions—0.77
PR Metric
Privileges Required Metric
Describes the type of account access that an attacker would need to exploit the vulnerability based on:
* High (H): Attackers require administrative privileges to conduct the attack—0.27 (0.50 if Scope is changed)
* Low (L): Attackers require basic user privileges to conduct the attack—0.62 (0.68 if Scope is changed)
* None (N): Attackers don’t need to authenticate to exploit the vulnerability—0.85
UI Metric
User Interaction Metric
Describes whether the attacker needs to involve another human in the attack based on:
* None (N): Successful exploitation doesn’t require action by any user other than the attacker—0.85
* Required (R): Successful exploitation requires action by a user other than the attacker—0.62
C Metric
Confidentiality Metric
Describes the type of information disclosure that might occur if an attacker successfully exploits the vulnerability based on:
* None (N): There is no confidentiality impact—0.00
* Low (L): Access to some information is possible, but the attacker doesn’t have control over what’s compromised—0.22
* High (H): All information on the system is compromised—0.56
I Metric
Integrity Metric
Describes the type of information alteration that might occur if an attacker successfully exploits the vulnerability based on:
* None (N): There is no integrity impact—0.00
* Low (L): Modification of some information is possible, but the attacker doesn’t have control over what information is modified—0.22
* High (H): The integrity of the system is totally compromised, and the attacker may change any information at will—0.56
A Metric
Availability Metric
Describes the type of disruption that might occur if an attacker successfully exploits the vulnerability based on:
* None (N): There is no availability impact—0.00
* Low (L): The performance of the system is degraded—0.22
* High (H): The system is completely shut down—0.56
S Metric
Scope Metric
Describes whether the vulnerability can affect system components beyond the scope of the vulnerability
NOTE: The scope metric table doesn’t contain score information. The value of the scope metric is reflected in the values for the PR metric
* Unchanged (U): The exploited vulnerability can only affect resources managed by the same security authority
* Changed (C): The exploited vulnerability can affect resources beyond the scope of the security authority managing the component containing the vulnerability
CVSS Vector
Common Vulnerability Scoring System Vector
A single line format that conveys the ratings of a vulnerability on all eight metrics
Example
CVSS:3.1 / AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
This vector contains nine components:
1. CVSS:3.1 = Informs the user that the vector was composed using CVSS version 3.1
2. Attack Vector: Network (0.85)
3. Attack Complexity: Low (0.77)
4. Privileges Required: None (0.85)
5. User Interaction: None (0.85
6. Scope: Unchanged
7. Confidentiality: High (0.56)
8. Integirty: None (0.00)
9. Availability: None (0.00)
Calculating CVSS Base Score
Not necessary to do the math manually, but page 254 + 255 has a detailed write up if you ever want to study it more
CVSS Qualitative Severity Rating Scale
- None: 0.0
- Low: 0.1 to 3.9
- Medium: 4.0 to 6.9
- High: 7.0 to 8.9
- Critical: 9.0 to 10.0
True and False Scan Reports
When a scanner reports a vulnerability that doesn’t exist, it’s known as a false positive
When a vulnerability scanner reports a vulnerability, it’s known as a positive report, which can be either:
* Accurate: true positive report
* Inaccurate: false positive report
When a scanner reports that a vulnerability isn’t present, it’s known as a negative report, which can be either:
* Accurate: true negative report
* Inaccurate: false negative report
Always confirm each vulnerability reported by the scanner, which can be as simple as verifying that a patch is missing or an OS is outdated
It could also be complex
* EX: If you have an SQL injection vulnerability, you might need to attack the web app to see if it’s really there
Draw on your own expertise as well as subject matter experts from around your org like database admins, system engineers, network techs, devs, etc
To Validate Results
Reconcile results
* Results should be reconciled as scanners can misinterpret the information they receive from their probes
Correlate results with other sources
* Correlate the scan results with other data sources by reviewing related system and network logs
Compare to best practices
* Compare results to best practices to determine if they’re a high priority or a low risk
Identify exceptions
* Identify exceptions for findings whose risk has been accepted or transferred
Documented Exceptions
Sometimes orgs might not remediate a vulnerability
Take action to record these exceptions because the vulnerability scanners will continue to report them each time a scan runs
If you document them, the scanner can ignore them in future reports and reduce the noise in scan reports, which increases their overall usefulness
NOTE: Always be aware of what compliance requirements you’re beholden to, so you don’t run afoul of violations
Reconciling Scan Results With Other Data Sources
Vulnerability scans should never take place in a vacuum, which means you should always turn to other sources of security information as you perform analysis:
* Logs: Server, app, network devices etc, might contain information about possible attempts to exploit detected vulnerabilities
* SIEM: These correlate logs entries from multiple sources and provide actionable intelligence
* Configuration Management Systems: These provide information on the OS and apps installed on the system
Trend Analysis
The process of detecting patterns within a data set over time, and using those patterns to make predictions about future events or to better understand past events
Managers should watch for overall trends in vulnerabilities, including the:
* Number of new vulnerabilities arising over time
* Age of the existing vulnerabilities
* Time required to remediate vulnerabilities
Context Awareness
Always consider the context of a vulnerability
EX: A vulnerability on a system directly connected to the internet would be much more severe than one found on an internal system, or a system on an isolated network
Similarly, the asset value of the affected systems should also play a role in prioritizing remediation efforts—higher value assets present more risk to the org and should be higher on the remediation priority list
Zero Day Attacks
Sophisticated attackers will often conduct their own security vulnerability research in an attempt to discover vunlerabilities that are unknown to other attackers or cybersecurity teams
After they uncover it, they don’t disclose it but choose to store it in a vulnerability repository for later use
When they exploit, it’s known as a zero day attack
Zero day are dangerous because they’re unknown to product vendors and there aren’t patches to correct them
APT actors who exploit zero day vulnerabilities can often easily compromise their targets
Server and Endpoint Vulnerabilities
The OS running on both servers and endpoints have millions of lines of code, and the combinations of apps they run make each system fairly unique
Thus, many vulnerabilities detected by scans exist on server and endpoint systems, and they’re often the most complex to remediate
Page 261
Missing Patches
Applying security patches to systems should be one of the core practices of any infosec program
This is sometimes neglected due to lack of resources for preventative maintenance
One of the most common alerts from a vulnerability scan is that one or more systems on the network are running an outdated version of an OS or app, and they require security patches
Mobile Device Security
Mobile devices have a host of security issues of their own and must be carefully managed and patched to remain secure
This is often done through MDM solutions that manage configurations fo the devices, automatically install patches, require the use of encryption, and provide remove wiping
MDM can also restrict the apps that run on a mobile device with an approved list
Typically, mobile devices aren’t going to show up on a vulnerability scan because they’re not often sitting on the network when the scan runs
Admins should always pay careful attention to the security of mobile devices, even if they’re not showing up as devices that require attention after a scan
End of Life or Outdated Components
Eventually, software vendors will discontinue support for every product they make
Once they announce the final end of support, ors that continue running the outdated software put themselves at significant risk of attack
The vendor will not investigate or correct security flaws that arise in outdated products
Always stay up to date on product and service lifecycle information to help plan and mitigate upcoming product EOL circumstances
In cases where an org has to keep using an unsupported OS, you should:
* Isolate the system as much as possible, preferably not connected to the network
* Apply as many compensating controls as possible like increased monitoring and strict firewall rules
Buffer Overflows
Buffer overflow attacks occur when an attacker manipulates a program into placing more data into an area of memory than is allocated for that program’s use
The goal is to overwrite other information in memory with instructions that may be executed by a different process running on the system
These are very common and persist for many years after they’re initially discovered
Buffer overflows target two different types of memory:
* Stack overflows: Targets the stack, which stores variable values and is managed by the OS
* Heap overflows: Targets the heap, which stores objects created by code and must be managed by app devs
* Integer overflows: A variation of buffer overflow where the result of an arithmetic operation attempts to store an integer that is too large to fit into the specified buffer
Dion’s Notes
Heap Overflow
* A software vulnerability where input is allowed to overwrite memory locations within the area of a process’ memory allocation used to store dynamically-sized variables
* A heap overflow can overwrite those variables and possibly allow arbitrary code execution
Integer Overflow
* Attack in which a computed result is too large to fit in its assigned storage space, which may lead to crashing or data corruption, and may trigger a buffer overflow
Overflow Defense
* Choose the right programming language, C and C++ use strcpy and doesn’t perform boundary checking of the buffers—these two languages are very vulnerable to buffer overflows
* Java, Python, and PHP can detect overflow conditions and halt program execution
* Proper input validation and boundary checking on code
* Run programs with least privilege, user accounts vs kernel accounts
* ASLR (Address Space Layout Randomization): Technique that randomizes where components in a running application are placed in memory to protect against buffer overflows
Privilege Escalation
Privilege escalation attacks seek to increase the level of access an attacker has to a target system
They exploit vulnerabilities that allow the transformation of a normal user account into a more privileged one
Rootkits are hacking tools designed to automate privilege escalation attacks—an attacker who gains access to a normal user account can use a rootkit to exploit a vulnerability and perform a privilege escalation attack to get root