How to effectively scope out your vulnerability assessment & scanning?

A vulnerability assessment evaluates a system's security posture and its ability to meet compliance requirements, based on the system's configuration state as determined from information collected from it. Assessments help manage a set of target attributes, correlate differences between the current state and the baseline configuration, and report the results.

A general vulnerability scanning & assessment workflow: 

  1. Install software and patches to establish a baseline system.

  2. Perform an initial scan of the target system.

  3. Analyze the assessment reports based on the baseline.

  4. Perform corrective actions based on reported findings.

  5. Perform another vulnerability scan and assessment.

  6. Document any findings and create reports for relevant stakeholders.

  7. Conduct ongoing scanning to ensure continual remediation.

  8. Repeat the cycle: Scan > Patch > Scan.
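Step 3 and step 8 of the workflow amount to correlating a follow-up scan against the baseline. The following is an added example (not code from the original article) that does that correlation on constructed sample findings; hosts, plug-in ids and titles are hypothetical placeholders.

```python
"""Scan > Patch > Scan: diff a follow-up scan against the baseline scan.
Added example, not from the original article; all findings below are constructed
samples with placeholder hosts, plug-in ids and titles."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    host: str
    plugin_id: str   # scanner plug-in / NVT id that produced the finding
    severity: str    # critical, high, medium or low
    title: str

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

def _worst_first(findings):
    return sorted(findings, key=lambda f: (-SEVERITY_RANK[f.severity], f.host, f.plugin_id))

def diff_scans(baseline, current):
    """Correlate two scans on (host, plug-in id); return (remediated, new, persistent)."""
    base = {(f.host, f.plugin_id): f for f in baseline}
    cur = {(f.host, f.plugin_id): f for f in current}
    remediated = [base[k] for k in base.keys() - cur.keys()]   # gone after patching
    new = [cur[k] for k in cur.keys() - base.keys()]           # regressions / new plug-ins
    persistent = [cur[k] for k in base.keys() & cur.keys()]    # remediation still pending
    return _worst_first(remediated), _worst_first(new), _worst_first(persistent)

def remediation_report(baseline, current):
    """Stakeholder summary: what was fixed, what appeared, and what is still open."""
    remediated, new, persistent = diff_scans(baseline, current)
    still_open = _worst_first(persistent + new)
    return {"remediated": len(remediated), "new": len(new), "persistent": len(persistent),
            "open_by_severity": {s: sum(1 for f in still_open if f.severity == s) for s in SEVERITY_RANK},
            "open_findings": [(f.host, f.plugin_id, f.severity) for f in still_open]}

# Constructed sample scans: P-1001 and P-1003 were patched between runs, P-1002
# was left in place, and a new low-severity item P-1004 appeared on 10.0.1.11.
BASELINE = [
    Finding("10.0.1.10", "P-1001", "critical", "Outdated TLS library (sample)"),
    Finding("10.0.1.10", "P-1002", "medium", "Weak SSH ciphers offered (sample)"),
    Finding("10.0.1.11", "P-1003", "high", "Missing OS security update (sample)"),
]
CURRENT = [
    Finding("10.0.1.10", "P-1002", "medium", "Weak SSH ciphers offered (sample)"),
    Finding("10.0.1.11", "P-1004", "low", "Service banner disclosure (sample)"),
]
if __name__ == "__main__":
    print(remediation_report(BASELINE, CURRENT))
```

Findings that appear only in the follow-up scan are reported separately from persistent ones, because a regression after patching needs a different conversation with stakeholders than a ticket that was never actioned.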

How to define the scope of vulnerability assessments:

Automated tools help perform assessments.

Vulnerability Scanner: A hardware or software device configured with a list of known weaknesses and exploits, which it checks for in a host OS or in a particular application. A web application vulnerability scanner such as Nikto, for example, analyzes applications for SQL injection and XSS, and may also analyze source code and database security to detect insecure programming practices. Infrastructure scanners can perform mapping and enumeration in the form of host discovery scans.

Make scans more efficient by adjusting the scope.

  1. Schedule scans of different portions of the scope for different times of the day.

  2. Configure the scope based on a particular compliance objective.

  3. Rescan scopes containing critical assets.

Internal vs. External Scanning

An internal scan is conducted from inside the local network. An external scan is conducted against your network from outside it. Internal scans can be performed with permission to obtain additional detail on existing vulnerabilities, while external scans provide the attacker's perspective.

Scanner Types

Passive Scan: An enumeration or vulnerability scan that analyzes only intercepted network traffic rather than sending probes to a target. Passive scans have the least impact on the target.

Active Scan: An enumeration or vulnerability scan that analyzes the responses to probes sent to a target. Active scans can be configured as credentialed, non-credentialed, server-based, or agent-based scans. Active scans consume network bandwidth and processor resources on the target.

Credentialed Scan: A scan that uses a user account to log on to the target systems. Credentialed scanning is the most likely to find vulnerabilities and misconfigurations, and usually discovers more of them than a non-credentialed scan.

Non-Credentialed Scan: A scan that sends test packets against the target network without logging on to the systems. Non-credentialed scans probe a target for default passwords and for vulnerabilities in exposed applications. They are used more often for external assessments.

Server-Based Scanning: A scan launched from one or more scanning servers against the targets.

Agent-based Scanning: A scan conducted by a software agent installed locally on each target. Agents are managed by an administration server, and scans run according to a set schedule.

Agent-based Scanning Advantages: It reduces network load and the chance of service outages. It is better for mobile or remote devices that may be offline when a server-based scan runs.

Agent-based Scanning Disadvantages: An agent is limited to a particular OS, and it could be compromised by malware.

Hybrid solutions use both agent-based and server-based scanning.

Scanning Parameters

Vulnerability scanners must be configured with parameters to scan the network effectively.

  • Segmentation: Division of a network into separate zones using VLANs and subnetting.

  • Segmentation forces traffic between zones to pass through control points, so it is vital to configure firewalls and IDS/IPS properly.

  • Configure firewalls to allow agent-based scanners to report to centralized management servers.

  • IDS/IPS must be configured with an exception to allow agent-based scanning traffic.

Alternatively, use a scanning window during which the firewall rules that block the scanner are disabled. Many organizations install a scanner in each segment and have it report to a centralized server. Others install a single scanner and configure the firewall rules to allow it access to all network segments.

Important Scheduling parameters and constraints

Scans should be performed weekly. Additional scans are triggered by the following events and requirements:

  • Deployment of new or updated systems.

  • Identification of new vulnerabilities.

  • Following a security breach.

  • Regulatory or oversight requirements.

  • The regular schedule itself.

How to keep your vulnerability scanner up to date with the latest CVEs

Vulnerability feeds are synchronized lists of data and scripts used to check for vulnerabilities, also known as plug-ins or network vulnerability tests (NVTs). Many vulnerability scanners require an ongoing paid subscription to access feeds.

SCAP (Security Content Automation Protocol): A NIST framework that outlines accepted practices for automating vulnerability scanning: standard processes, results reporting and scoring, and vulnerability prioritization. SCAP supports both internal and external compliance requirements.

OVAL (Open Vulnerability & Assessment Language): XML Schema for describing system security state and querying vulnerability reports and information.

XCCDF (Extensible Configuration Checklist Description Format): XML Schema for developing and auditing best-practice configuration checklists and rules.
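Scanner output in SCAP form is an XCCDF TestResult: one rule-result per checklist rule, each with an outcome such as pass, fail, notapplicable or error. The following is an added example (not code from the original article) that flattens such a result and computes a pass rate; the XML is a constructed minimal document and the benchmark, rule and target names are placeholders.

```python
"""Summarize an XCCDF 1.2 TestResult (the SCAP result format) per rule.
Added example, not from the original article. SAMPLE_XML is a constructed,
minimal result document; benchmark, rule and target names are placeholders."""
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"x": XCCDF_NS}
SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1, "info": 0, "unknown": 0}

SAMPLE_XML = f"""<Benchmark xmlns="{XCCDF_NS}" id="xccdf_org.example_benchmark_sample">
  <TestResult id="xccdf_org.example_testresult_sample"
              start-time="2024-01-01T02:00:00" end-time="2024-01-01T02:10:00">
    <target>host1.example</target>
    <rule-result idref="xccdf_org.example_rule_ssh_protocol" severity="high"><result>pass</result></rule-result>
    <rule-result idref="xccdf_org.example_rule_password_max_days" severity="medium"><result>fail</result></rule-result>
    <rule-result idref="xccdf_org.example_rule_gui_disabled" severity="low"><result>notapplicable</result></rule-result>
    <rule-result idref="xccdf_org.example_rule_audit_enabled" severity="high"><result>error</result></rule-result>
    <score system="urn:xccdf:scoring:default" maximum="100.0">50.0</score>
  </TestResult>
</Benchmark>"""

def parse_rule_results(xml_text):
    """Flatten every rule-result in the document into dicts (target, rule, severity, result)."""
    root = ET.fromstring(xml_text)
    # Results may be embedded in a Benchmark or be a standalone TestResult root.
    test_results = [root] if root.tag == f"{{{XCCDF_NS}}}TestResult" else root.iterfind("x:TestResult", NS)
    rows = []
    for tr in test_results:
        target = tr.findtext("x:target", default="", namespaces=NS)
        for rr in tr.iterfind("x:rule-result", NS):
            rows.append({"target": target, "rule": rr.get("idref"),
                         "severity": rr.get("severity", "unknown"),
                         "result": rr.findtext("x:result", default="unknown", namespaces=NS)})
    return rows

def compliance_summary(rows):
    """Pass rate over rules that were actually evaluated; error/unknown/notchecked
    results are not failures but must be investigated before the report goes out."""
    counts = Counter(r["result"] for r in rows)
    evaluated = counts["pass"] + counts["fixed"] + counts["fail"]
    failed = sorted((r for r in rows if r["result"] == "fail"),
                    key=lambda r: SEVERITY_RANK.get(r["severity"], 0), reverse=True)
    return {"counts": dict(counts),
            "pass_rate": (counts["pass"] + counts["fixed"]) / evaluated if evaluated else 0.0,
            "failed": [(r["rule"], r["severity"]) for r in failed],
            "needs_review": [r["rule"] for r in rows if r["result"] in ("error", "unknown", "notchecked")]}

if __name__ == "__main__":
    print(compliance_summary(parse_rule_results(SAMPLE_XML)))
```

Rules that ended in error are listed under needs_review rather than silently counted as passes or failures; a scanner that could not evaluate a rule (for example because a credentialed check lacked permissions) tells you nothing about compliance.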

Measure scanning risks and sensitivity

  • Printers, VoIP phones, and embedded system components can react unpredictably to any scanning.

  • Always use dedicated service accounts to conduct credentialed scans, not local admin privileges.

  • Opening ports for scanning increases the network attack surface.

  • Configure static IP addresses for scanning servers, so that firewall exceptions can be limited to those addresses and the network attack surface stays minimal.

  • The number and intensity of vulnerability checks to run against a target.

  • A scan template defines the settings used for each vulnerability area.

  • An assessment engine may disable the Windows plug-ins when scanning Linux hosts.
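The scoping guidance above (different segments in different windows, compliance-scoped runs, rescans of critical assets) and the sensitivity notes in this section (fragile devices such as printers, VoIP phones and embedded systems) can be encoded as one planning step. The following is an added example, not code from the original article; the inventory, tags and scan windows are constructed placeholders.

```python
"""Turn an asset inventory into a scan scope and schedule.
Added example, not from the original article. The inventory and the scan windows
are constructed; the policy encodes the article's scoping guidance: different
segments in different windows, compliance-scoped runs, more frequent rescans of
critical assets, and fragile devices (printers, VoIP, embedded) kept out of
active scans."""
from collections import defaultdict
from itertools import cycle

# Off-hours windows (constructed); segments are spread across them round-robin.
WINDOWS = ("02:00", "03:00", "04:00")

# Constructed inventory: (ip, segment, tags). Tag names are placeholders.
ASSETS = [
    ("10.0.1.10", "dmz", {"critical", "pci"}),
    ("10.0.1.11", "dmz", {"pci"}),
    ("10.0.2.20", "office", set()),
    ("10.0.2.21", "office", {"fragile"}),     # VoIP phone
    ("10.0.3.30", "servers", {"critical"}),
    ("10.0.3.31", "servers", {"fragile"}),    # embedded controller
]

def plan_scans(assets, compliance_tag=None, windows=WINDOWS):
    """Return the active-scan schedule, the passive-only devices and per-host cadence.

    compliance_tag narrows the scope to assets carrying that tag (e.g. "pci").
    """
    # Fragile devices get passive monitoring only; never probe them actively.
    passive_only = sorted(ip for ip, _, tags in assets if "fragile" in tags)
    in_scope = [(ip, seg, tags) for ip, seg, tags in assets
                if "fragile" not in tags and (compliance_tag is None or compliance_tag in tags)]
    by_segment = defaultdict(list)
    for ip, seg, _ in in_scope:
        by_segment[seg].append(ip)
    # One segment per window, wrapping around when there are more segments than windows.
    schedule = {}
    for win, seg in zip(cycle(windows), sorted(by_segment)):
        schedule.setdefault(win, {})[seg] = sorted(by_segment[seg])
    cadence = {ip: ("daily" if "critical" in tags else "weekly") for ip, _, tags in in_scope}
    return {"schedule": schedule, "passive_only": passive_only, "cadence": cadence}

if __name__ == "__main__":
    import json
    print(json.dumps(plan_scans(ASSETS), indent=2))
    print(json.dumps(plan_scans(ASSETS, compliance_tag="pci"), indent=2))
```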
