Domain 2 Automated Vulnerability Scanners

Overview of Automated Vulnerability Scanning Tools

  • Common tools: Nessus, Qualys, and others.

  • Purpose: Scan an environment for systems and identify vulnerabilities by checking them against a database of known vulnerabilities.

  • Functionality: Compare the exact versions of installed software against vulnerability databases.

Types of Scans

Credentialed Scan

  • Definition: Scanning tool logs into the system using provided credentials.

  • Advantages:

    • Reduces false positives.

    • Provides a deeper inspection of configuration settings (registry, patches, firewall rules).

    • Can compare current configurations to a predetermined baseline for security.

  • Risks:

    • Granting admin rights can be dangerous if the tool is compromised (attackers gain access).

    • Recommendation: Use limited-access accounts with read-only rights for the scanner.

Uncredentialed Scan

  • Definition: Scanning tool does not log into the system; it simulates external attacker visibility.

  • Advantages:

    • Better simulation of what an actual attacker might see.

  • Disadvantages:

    • Higher incidence of false positives.

Understanding Vulnerability Reports

  • Automated scans result in extensive reports (thousands of vulnerabilities).

  • Need to interpret results effectively.

Common Vulnerability and Exposure (CVE)

  • Definition: An open-source dictionary that standardizes how vulnerabilities are referenced across security vendors.

  • History: Prior to CVE, different vendors assigned unique names for the same vulnerabilities (e.g., "Heartbleed", "SQL Slammer").

  • Function:

    • Organizations can check the CVE database for existing vulnerabilities before assigning a new CVE number.

    • When a new vulnerability is found, researchers can link it to existing CVE records if applicable.

  • Benefit: Regardless of the security tool vendor, vulnerabilities will be reported using the same CVE number, aiding in identification and management.

Common Vulnerability Scoring System (CVSS)

  • Definition: A scoring system used to prioritize vulnerabilities (scale 0-10).

  • Purpose: Assists organizations in determining which vulnerabilities to remediate first among many.

    • Score Ranges:

      • 0: Informational, no urgency.

      • 10: Critical urgency ("the end is nigh").

  • Use in Reports:

    • Sort vulnerabilities by CVSS score; higher scores indicate higher urgency for remediation.

  • Caveats:

    • CVSS has faced criticism regarding scoring criteria.

    • Does not factor in the specific value of a system in a particular organization’s context.

  • Prioritization Strategy:

    • Consider multiplying the CVSS score by an importance value assigned to the affected system, so that context the score ignores is reflected in the ranking.
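The two ideas above (CVE as a common key across vendors, and CVSS weighted by asset importance) as an added worked example; this is not code from the notes or from any scanner vendor. The finding records, host names, importance values and the `CVE-0000-xxxx` identifiers are constructed placeholders, and the severity bands are the standard CVSS v3 qualitative ranges, which the notes do not list.

```python
# Standard CVSS v3 qualitative bands (assumed here; the notes only name 0 and 10).
def cvss_severity(score: float) -> str:
    if score == 0.0:
        return "Informational"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"

def dedupe_by_cve(findings):
    """Merge findings from different scanners that report the same CVE on the same host."""
    merged = {}
    for f in findings:
        key = (f["host"], f["cve"])          # CVE id is the vendor-neutral key
        if key in merged:
            merged[key]["tools"].add(f["tool"])
        else:
            merged[key] = {"host": f["host"], "cve": f["cve"],
                           "cvss": f["cvss"], "tools": {f["tool"]}}
    return list(merged.values())

def prioritize(findings, importance):
    """Rank by CVSS x asset importance; hosts missing from the importance map get 1."""
    ranked = []
    for f in dedupe_by_cve(findings):
        weight = importance.get(f["host"], 1)
        ranked.append({**f, "severity": cvss_severity(f["cvss"]),
                       "priority": round(f["cvss"] * weight, 1)})
    # Ties broken by raw CVSS, then host name, so the order is deterministic.
    ranked.sort(key=lambda r: (-r["priority"], -r["cvss"], r["host"]))
    return ranked

# Constructed sample data: placeholder CVE ids, not real advisories.
SAMPLE_FINDINGS = [
    {"tool": "Nessus", "host": "db01",    "cve": "CVE-0000-0001", "cvss": 6.5},
    {"tool": "Qualys", "host": "db01",    "cve": "CVE-0000-0001", "cvss": 6.5},
    {"tool": "Nessus", "host": "kiosk07", "cve": "CVE-0000-0002", "cvss": 9.8},
    {"tool": "Qualys", "host": "web01",   "cve": "CVE-0000-0003", "cvss": 0.0},
]
# Importance 1 (low value) to 5 (crown jewels), assigned by the organization.
SAMPLE_IMPORTANCE = {"db01": 5, "kiosk07": 1, "web01": 3}

if __name__ == "__main__":
    for r in prioritize(SAMPLE_FINDINGS, SAMPLE_IMPORTANCE):
        print(f"{r['priority']:5.1f} {r['severity']:13} {r['host']:8} {r['cve']} {sorted(r['tools'])}")
```

Note how the Medium finding on the high-value database host outranks the Critical one on the low-value kiosk once importance is applied.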

Definitions of Key Terms

False Positive

  • Definition: When the tool indicates a vulnerability is present, but after examination, no vulnerability exists.

  • Impact: Can lead to wasted resources investigating non-issues.

False Negative

  • Definition: The tool indicates no issues found, but actual vulnerabilities exist.

  • Impact: Significantly more dangerous than false positives, because real vulnerabilities remain undetected in the environment.

Importance of Updates

  • Regular updates of vulnerability scanning tools are crucial so they can identify the latest vulnerabilities effectively.

  • Continuous updating reduces the risk of false negatives, helping systems remain secure.