CompTIA Security+ Training Kit: Vulnerability Assessment and Management
The CompTIA Security+ exam covers common techniques used to identify risks and vulnerabilities. Organizations frequently assess their risks and vulnerabilities by using both formal and informal techniques, as well as technical tools.
In this chapter, we will explore how you can find exposed services and vulnerabilities on systems and devices by using port and vulnerability scanning tools. We will discuss vulnerability assessment methods, as well as ways to identify vulnerabilities by using both technical and nontechnical means. Finally, we will explore the art of penetration testing, including common techniques, types of penetration tests, and best practices for performing them.
Exam objectives in this chapter:
Objective 3.7: Implement assessment tools and techniques to discover security threats and vulnerabilities
- Vulnerability scanning and interpret results
- Threat vs. likelihood
- Determine attack surface
Objective 3.8: Within the realm of vulnerability assessments, explain the proper use of penetration testing versus vulnerability scanning
- Verify a threat exists
- Bypass security controls
- Actively test security controls
- Passively test security controls
- Identify lack of security controls
- Identify common misconfigurations
Vulnerabilities and vulnerability assessment
Vulnerabilities are weaknesses in systems, networks, applications, and other elements of an organization’s security environment. Vulnerabilities can include a range of issues such as:
- Operating system issues that allow privilege escalation.
- Services that allow denial of service attacks.
- Poor coding that allows a web application to be susceptible to a SQL injection attack.
- Process issues that allow an intruder to enter a building without proper identification.
A typical server has the potential to have vulnerabilities in its operating system; in the third-party application software that it runs, including backup, remote administration, and other software; in its hardware components or the firmware that makes them work; or in the management and administration practices used by the support staff who work with it. Further vulnerabilities might exist in the network switches and routers the server uses to communicate to the outside world, as well as the power and cooling systems it relies on to function. With this broad range of potential vulnerabilities, it can be almost impossible to be sure that all known vulnerabilities are being appropriately handled via updates, workarounds, or other fixes at any point in time.
Attackers know that a software vulnerability is often the best way into a system, and they specifically target vulnerable applications and operating systems by using malware and other attack tools. Because of this, entire exploit testing packages such as the Metasploit Project have been created to provide an easy way for testers to use a variety of attacks against known vulnerabilities, providing both security staff members and attackers with a powerful tool. As a result, organizations make vulnerability assessment a central part of their security program, which is why it is an important part of the CompTIA Security+ body of knowledge.
Organizations conduct vulnerability assessments by using many different methods and tools in an attempt to track and avoid the risks that they face. In this chapter, we will examine vulnerability assessment concepts and methodologies, including those used for system vulnerability and threat assessments. Using the risk assessment concepts explored earlier in this book, we will look at technical means to identify vulnerable systems and services. Finally, we will delve into penetration testing, the art of breaking into systems and networks to test their security.
Risk-based vulnerability assessments
The first element of a vulnerability assessment program is a risk assessment. Of course, first you need to understand what a risk is. In this context, you can take the definition of risk from Chapter 1, “Risk management and incident response,” as “the intersection of a threat and a vulnerability,” and look at a risk as the potential that a threat will exploit vulnerabilities of a system, network, or other asset, resulting in harm. Here, threats are dangers that could result in an incident or breach.
A wide variety of threats have to be taken into account when you are performing risk assessments. In a full assessment, physical threats such as fires, floods, and tornados would be assessed at the same time as information security threats such as information exposure, system compromise, and outages. For the CompTIA Security+ exam, we will focus on threats that affect the confidentiality, availability, or integrity of systems, networks, and other assets.
Threats are defined in several ways by various organizations, but in general, a threat can be defined as a possible danger that might exploit a vulnerability, resulting in harm to the organization. Threats are aimed at weaknesses, which are protected by controls, as shown in Figure 7-1.
Figure 7-1 Threat agents attack vulnerabilities via attack vectors such as an exposed service, resulting in business or technical impact to the organization.
Threats require an actor, a vulnerability or weakness, and a motivation. This can be as simple as a tornado taking down power lines, or as complex as a group of criminals targeting vulnerable web applications in the banking industry to steal money from ATMs.
The threats an organization faces aren’t always the result of attack. Most organizations assess physical threats such as fires, storms, floods, and power outages alongside technical threats and human factors. A threat assessment builds a list of the threats to an organization, allowing the organization to think coherently about which threats it actually faces.
Note that a threat may be included in a risk assessment, and in fact a threat assessment is often used as part of a risk assessment.
Vulnerability assessments specifically look at flaws and weaknesses in security systems, processes, controls, and designs. Thus, vulnerability assessments are targeted at the actual implementation of security, rather than considering who or what might attack, or what the impact of the threat being realized would be. Vulnerability assessments tend to follow risk and threat assessments, because those assessments show which consequences the organization’s threats could lead to, and therefore where to look. Performing a vulnerability assessment without performing some form of risk assessment is likely to lead to wasted effort, because low-risk areas can absorb significant amounts of time during their vulnerability assessment.
There are a variety of ways to assess vulnerabilities, ranging from code reviews that consider the source code of applications to architecture and design reviews that validate the structure of systems and applications. The CompTIA Security+ exam covers a number of common vulnerability assessment techniques. Among them are:
- Code reviews, which use manual or automated review of source code for programs and applications to find vulnerabilities. Code review can expose flaws that cannot be found by a vulnerability scanner, including issues with internal logic. Many organizations perform code review before releasing application code into production, but code reviews are also performed as part of vulnerability assessments, penetration tests, and after attacks as part of a remediation process.
- Determining the attack surface of organizations and systems. The attack surface is the collection of services, applications, and other elements of a system or organization that are exposed to potential threats. Many organizations carefully design their network to minimize their attack surface, and vulnerability assessments will verify that the actual exposed elements match the design.
- Architecture and design reviews, which focus on the architecture of applications and services. These terms are often used interchangeably because the architecture of the application or service is typically part of its design. Design reviews consider how the service was designed to work internally, including how traffic flows, where data resides, and what servers, workstations, and other network and system elements work together to provide the service or to access it.
- Baseline reporting, a technique that relies on the baseline security standards discussed in Chapter 6, “Monitoring, detection, and defense.” Baseline reports check current settings against the baseline, then provide information about what differences, if any, exist. Baseline reporting is very useful for day-to-day monitoring of system configuration because it can easily point out issues with how security standards are applied. In some cases, changes from the baseline may mean that a system was compromised!
Risk calculations: threat vs. likelihood
With these assessment methodologies in hand, you still need a way to decide which threats, risks, and vulnerabilities to pay attention to. Thus, in addition to the risk calculations explored in Chapter 1, you need one additional calculation, which is key to the CompTIA Security+ exam: the calculation of risk as the product of likelihood and impact. The equation is simple:
R = L × I
Here, the likelihood is based on whether the threat appears and if it can exploit the vulnerability it is aimed at. The impact takes into account what harm the organization would experience if the threat succeeded, and should take into account the value of the assets involved.
In many risk calculations, these values are simply rated as high, medium, and low, although there are many variations in ratings and scales. Some organizations rate risks in more complex ways, with scales from 1 through 10 covering multiple impact factors to finances, business operations, and reputation, while others rate everything based on the detailed calculated value of each asset.
We can use the imaginary company, Humongous Insurance, to examine this process in more depth. For Humongous Insurance, a successful denial of service attack against their website is a significant threat because it could result in lost revenue for the company. If we assume that Humongous knows that they face a real threat from a group of attackers who want to disable their site, and assuming that they have some controls in place but think they might not work, Humongous might rate the likelihood of the threat appearing and succeeding as medium.
If we assume that Humongous Insurance makes $100,000 every 15 minutes through their website sales of insurance products, and that loss of that amount of money for hours or even a day is a significant loss to the company, we can easily calculate the impact of the risk they face. Here we will call the impact to the organization high, because they might lose customers and revenue, and suffer reputational damage.
The calculation would then be:
Risk = Medium Likelihood × High Impact
Most organizations that use this calculation use a chart similar to the one shown in Figure 7-2, where each level of likelihood and each level of impact has been given a number from 1 through 3 (low as 1, medium as 2, and high as 3), and the two values are multiplied to give a final score. Note that a risk with a high impact and a medium likelihood would score 6, be considered a high risk, and receive prompt attention.
Figure 7-2 A risk chart shows the intersection of likelihood with impact.
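As an added example (not part of the training kit), the following Python builds the 3 × 3 chart of Figure 7-2, scores a constructed risk register with R = L × I, and ranks it so the items needing prompt attention come first. The register entries and the banding of scores into low/medium/high are assumptions; the text only states that a score of 6 is high.

```python
# Added example: the likelihood x impact chart from the text, applied to a
# constructed risk register. Scale and banding are assumptions, see below.
from dataclasses import dataclass

LEVEL = {"low": 1, "medium": 2, "high": 3}  # the 1..3 scale used in Figure 7-2


def risk_score(likelihood: str, impact: str) -> int:
    """R = L x I on the 1..3 scale; possible products are 1, 2, 3, 4, 6, 9."""
    return LEVEL[likelihood.lower()] * LEVEL[impact.lower()]


def band(score: int) -> str:
    """Assumed banding: the text only says that 6 (medium x high) is high."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def risk_chart() -> dict:
    """Full chart as {(likelihood, impact): score}, nine cells in total."""
    return {(l, i): risk_score(l, i) for l in LEVEL for i in LEVEL}


@dataclass
class Risk:
    name: str
    likelihood: str
    impact: str

    @property
    def score(self) -> int:
        return risk_score(self.likelihood, self.impact)


def rank(register):
    """Highest score first; ties keep their original order (stable sort)."""
    return sorted(register, key=lambda r: r.score, reverse=True)


# Constructed register; the first entry is the Humongous Insurance DoS scenario.
REGISTER = [
    Risk("DoS against public website", "medium", "high"),
    Risk("Unpatched backup agent on file server", "high", "medium"),
    Risk("Tornado damages datacenter", "low", "high"),
    Risk("Default SNMP community on lab switch", "medium", "low"),
]

if __name__ == "__main__":
    for r in rank(REGISTER):
        print(f"{r.score} ({band(r.score)}): {r.name}")
```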
Example: Humongous Insurance
We can also look at Humongous Insurance for a discussion of their assessment process. For this example, Humongous wants to assess the risks, threats, and vulnerabilities to their new web application environment, which allows customers to manage their insurance products online.
First, Humongous performs a risk assessment scoped to the new environment. They will consider what risks the organization would face if the new environment were compromised, taken offline, or suffered another failure. Their assessment of the risks involved will likely require a threat assessment, which they will base on knowledge of what threats they have seen and what their competitors have dealt with. With that knowledge in hand, Humongous can more effectively choose where to spend their time assessing vulnerabilities.