A brief explanation on vulnerability and vulnerability management
What is a vulnerability?
A vulnerability is a security flaw or weakness that allows an attacker to reduce a system's information assurance. In simpler terms, a vulnerability is a misconfiguration or weakness in a piece of software, a service or a system that a threat actor can exploit to gain unauthorized access to the system or otherwise harm it.
A vulnerability requires three elements:
A flaw or weakness in the system
The intruder's access to that weakness
The intruder's ability to exploit the weakness using a tool or technique
Common examples of vulnerabilities include:
Unnecessary ports open to the internet
Insecure operating system configurations
Outdated or unsupported third-party software, which may carry multiple known vulnerabilities, etc.
Note: Various organizations and vendors define vulnerability slightly differently, but all of the definitions describe a weakness in a piece of software, a service or a system.
Security researchers discover multiple new vulnerabilities every day in various software products and operating systems. So one might ask who keeps track of these vulnerabilities and whether any standard is followed to track them. To answer that we have to discuss CVE - Common Vulnerabilities and Exposures.
CVE and CVSS
CVE (Common Vulnerabilities and Exposures) is an open registry of publicly known cybersecurity vulnerabilities. Each entry in the CVE list is identified by a CVE ID of the form CVE-YYYY-NNNN (the year, followed by a sequence number of four or more digits), so individual vulnerabilities are referred to by their CVE IDs. CVE IDs are assigned by CVE Numbering Authorities (CNAs). The NVD (National Vulnerability Database), run by NIST (the National Institute of Standards and Technology), ingests every CVE entry and enriches it with additional data such as CVSS scores. The CVE program is operated by The MITRE Corporation, which also acts as the top-level root of the CNA hierarchy and as the CNA of last resort; under it sit many other CNAs, typically software vendors, open-source projects and security companies. When a security researcher finds a vulnerability in an application or service, a CVE ID can be requested from the responsible CNA. The image below illustrates how the CVE reporting process works.
Image Credit: CVE.ORG
Apart from the National Vulnerability Database (NVD), many public sources of vulnerability information exist and are freely available, such as Microsoft's security update guide. Additionally, several vendors sell access to private vulnerability databases by subscription.
Through this process thousands of CVEs are published every year. However, not all vulnerabilities are equal; they differ on several criteria. Say we have two vulnerabilities on a system, one complex to exploit and the other easy. In that case one should focus on the easy one first, because there is a much bigger chance that a threat actor will try to exploit it. To prioritize the remediation of vulnerabilities a scoring system is used, called CVSS - the Common Vulnerability Scoring System. Some vendors use their own scoring systems, but CVSS is the most widely used one.
As per FIRST.org, The Common Vulnerability Scoring System (CVSS) provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity.
The numerical score can then be translated into a qualitative representation (such as low, medium, high, and critical) to help organizations properly assess and prioritize their vulnerability management processes.
CVSS is calculated from various metrics such as attack vector, attack complexity, privileges required and impact. There have been several versions of CVSS: v1, v2, v3.0 and v3.1 (FIRST published v4.0 in late 2023). Over the years the scoring system has been refined and new criteria have been added to make it more precise and reliable.
All the details of the CVSS scoring system can be found in the specification documents published by FIRST. It is often important and useful to understand the CVSS vector, the individual metrics and the resulting scores rather than just the headline number. FIRST also provides an online CVSS calculator for working out the score of a vulnerability.
CVSS metrics: There are various metrics used to calculate the CVSS score, and therefore to help prioritize remediation. CVSS v3.x is composed of three metric groups: Base, Temporal, and Environmental, each consisting of a set of metrics.
Image Credit: first.org
CVSS vector: A CVSS vector is a compact textual representation of the metric values from which the score is calculated. For example, the v3.1 vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N decodes to:
AV - Attack Vector: N - Network
AC - Attack Complexity: L - Low
PR - Privileges Required: H - High
UI - User Interaction: N - None
S - Scope: U - Unchanged
C - Confidentiality: L - Low
I - Integrity: L - Low
A - Availability: N - None
This vector gives a base score of 3.8 (Low).
CVSS Score: Because there are multiple metric groups, there are also multiple scores: the Base score (from the Base metrics alone; this is the score NVD publishes), the Temporal score (the Base score adjusted by the Temporal metrics, e.g. whether exploit code exists) and the Environmental score (further adjusted for the affected organization's own environment). Each is calculated with the formulas given in the CVSS specification.
A zero-day vulnerability is a vulnerability that is known to attackers, or publicly disclosed, before the vendor has a patch available, so defenders have had "zero days" to fix it. An exploit that targets a zero-day vulnerability is called a zero-day exploit.
Now we understand what vulnerabilities, CVE and CVSS are. They exist to help security engineers and organizations prioritize the remediation of vulnerabilities and stay safe, both on the internet and inside the organization. An asset can be a company-provided smartphone, an end-user computer, a highly sophisticated server, a database holding anything from public data to the organization's most sensitive information, or a network device such as a switch or router.
If an attacker finds a vulnerability on one asset and can exploit it, it is usually not far from there to network-wide access by chaining other vulnerabilities present on the network.
There can be thousands of assets in a network, and planning to fix or remediate their vulnerabilities quickly becomes difficult. That is where vulnerability management comes in.
What is vulnerability management?
Vulnerability management is the process of identifying, evaluating, treating, and reporting security vulnerabilities in systems and the software that runs on them.
Vulnerability management products are used to carry out this process. They rely on network vulnerability scanners or endpoint agents to find software vulnerabilities on the servers and devices present in the network. Some well-known vendors of vulnerability management solutions are Qualys, Tenable and Rapid7.
An organization can have a dedicated vulnerability management team within the cybersecurity function, or the Security Operations Centre can take on this responsibility. Organizations follow a vulnerability management lifecycle made up of the steps below.
Image Credit: s21sec
1. Discover assets
There can be lots of assets in a network. As discussed earlier, it can be anything connected to the network: mobiles, CCTV cameras, servers, IoT devices, end-user computers, networking devices like switches, routers and load balancers, etc. It is not always possible for an organization to keep track of every asset present in the network. A CMDB (configuration management database) is used to track assets to some extent, but there is a real chance of an asset being missing from the CMDB because of gaps in process or coordination between teams. So the vulnerability management team needs to discover all the assets present in the network, as a single vulnerable host can lead to a complete network takeover or a major cyber attack.
The team can collect data from the CMDB, refer to architecture documents, or get the list of subnets in use from the network team. Then, with the help of a vulnerability scanner, a discovery scan can be run. What is a discovery scan? A discovery scan probes a network range to identify which hosts are currently active and reachable on the network, without yet looking for vulnerabilities.
When using a vulnerability management tool such as Qualys, Nessus or Nexpose, running a discovery scan adds the active, reachable hosts to the asset database with some basic information (address, hostname, open ports, guessed operating system).
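The following is an added example for this article, not part of the original post or of any scanner product: a small Python script that takes the result of a discovery sweep and reconciles it with a CMDB extract, which is exactly the gap the text warns about. The sweep output is in nmap's grepable format (`-oG`), as produced by a command such as `nmap -sn -oG discovery.gnmap 10.10.0.0/24 10.10.1.0/24`; the sample below is constructed in that format, and the CMDB contents and approved subnet list are placeholders for whatever the organization actually has.

```python
"""Reconcile a discovery (ping) sweep with the CMDB.

Added example for this article. Input is nmap grepable output (-oG) from a
host-discovery sweep; the sample, CMDB extract and subnet list are constructed.
"""
import ipaddress
import re

# Constructed sample in nmap -oG format: one "Host:" line per responding address.
SAMPLE_GNMAP = """\
# Nmap scan initiated as: nmap -sn -oG discovery.gnmap 10.10.0.0/24 10.10.1.0/24
Host: 10.10.0.5 (web-01.corp.example)\tStatus: Up
Host: 10.10.0.6 (web-02.corp.example)\tStatus: Up
Host: 10.10.0.9 ()\tStatus: Up
Host: 10.10.1.20 (db-01.corp.example)\tStatus: Up
Host: 10.10.1.200 ()\tStatus: Up
# Nmap done -- 512 IP addresses (5 hosts up) scanned
"""

# Constructed CMDB extract: IP -> asset name (assumed shape; real CMDBs differ).
CMDB = {
    "10.10.0.5": "web-01",
    "10.10.0.6": "web-02",
    "10.10.1.20": "db-01",
    "10.10.1.21": "db-02",
}

# Subnets the network team says are in use (assumed values).
APPROVED_SUBNETS = [ipaddress.ip_network(s) for s in ("10.10.0.0/24", "10.10.1.0/25")]

HOST_LINE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Status:\s+(\w+)")


def parse_gnmap(text):
    """Return {ip: hostname-or-None} for every host nmap reported as Up."""
    up = {}
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if m and m.group(3) == "Up":
            up[m.group(1)] = m.group(2) or None
    return up


def in_approved_subnet(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in APPROVED_SUBNETS)


def reconcile(discovered, cmdb):
    """Split discovery results into hosts the CMDB lacks, CMDB hosts that did not
    answer, and live hosts sitting outside the subnets the network team knows about."""
    seen, known = set(discovered), set(cmdb)
    by_ip = ipaddress.ip_address  # sort numerically, not as strings
    unknown = sorted(seen - known, key=by_ip)    # live but not in CMDB
    not_seen = sorted(known - seen, key=by_ip)   # in CMDB but not responding
    out_of_scope = [ip for ip in unknown if not in_approved_subnet(ip)]
    return {
        "unknown_hosts": unknown,
        "cmdb_not_seen": not_seen,
        "outside_approved_subnets": out_of_scope,
    }


def discovery_report(gnmap_text=SAMPLE_GNMAP, cmdb=CMDB):
    return reconcile(parse_gnmap(gnmap_text), cmdb)


if __name__ == "__main__":
    for key, ips in discovery_report().items():
        print(f"{key}: {ips}")
```

Each of the three buckets needs a different follow-up: unknown hosts go to asset owners to be registered (or investigated, if nobody claims them), CMDB entries that did not answer may be decommissioned or merely offline during the sweep, and anything outside the approved subnets points at undocumented network ranges. Keep in mind that a ping sweep misses hosts that drop ICMP; on local segments combine it with ARP scans, and cross-check against DHCP leases and switch MAC tables.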
2. Prioritize assets
Once the assets are discovered, they need to be prioritized. Running a full vulnerability scan on every host and then working through all the remediation is time-consuming, and given how quickly vulnerabilities get exploited, it is easy to become a target in the meantime. Say an organization has 10 servers: 5 are used only by employees and, although connected to the internet, do not serve anything to it, while the other 5 host the company's public websites. It is easy to guess that the latter are the more likely targets of threat actors, so they should get higher priority.
There can be various mission-critical and business-critical assets in the network. The priority needs to be set according to the organization's requirements, so a set of rules for prioritizing assets should be defined up front.
From the above, assets can be prioritized on two characteristics: exposure (whether the asset is reachable from the internet or only from inside the network) and criticality (how important the asset is to the organization's mission or business).
3. Assess
The next step in vulnerability management is assessment, or vulnerability assessment. This includes two steps:
Scanning the assets to find the vulnerabilities
Prioritizing the vulnerabilities, i.e. setting their criticality according to the environment and their severity
Scanning the assets
The assets can be scanned using a vulnerability scanner. A vulnerability scanner tries to reach the target asset over various network ports (TCP/UDP), collects system information, and from that concludes which vulnerabilities exist on the asset.
For example, suppose a server runs Apache Tomcat 7.x at a version below 7.0.104. When the scanner connects to the web server it can learn the Tomcat version from what the server reveals, such as the version string in Tomcat's default error page (the Server header alone usually only says Apache-Coyote/1.1). Looking that version up in its vulnerability database, the scanner finds that the asset is vulnerable to CVE-2020-9484, which was fixed in 7.0.104.
The above is an example of an unauthenticated scan. There are two types of scans:
Authenticated: The vulnerability scanner is given credentials to log in to the asset. For example, the scanner logs in to a Windows host over SMB (port 445) and to a Unix or Linux host over SSH (port 22). It can then collect detailed system and configuration information, such as the full list of installed packages and patches, instead of guessing from the outside.
Unauthenticated: The scanner has only the access an outsider would have. As the name suggests, there is no authentication; the scanner probes the open ports and infers vulnerabilities from banners, version strings and service behaviour.
Unauthenticated scans carry a much higher chance of false positives (a version string does not show backported fixes) and of false negatives (vulnerabilities that cannot be seen from the network). Authenticated scans are far more accurate on both counts.
Agents: For more accurate and up-to-date vulnerability data, an agent, i.e. client software installed on the asset, collects the data locally and sends it to the vulnerability management server. Because the agent runs on the host itself, agent-based scans are authenticated by nature, and they also cover laptops and other assets that are not reachable by a network scanner at scan time.
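As an added example (not code from the original article or from any scanner vendor), the Python below does what an unauthenticated scanner does for the Tomcat case described above: pull a version string out of an HTTP response and compare it against a CVE's affected version ranges. The HTTP responses are constructed. The CVE-2020-9484 range for 7.x (everything below 7.0.104) comes from the text; the 8.5.x and 9.0.x ranges are taken from Apache's Tomcat security pages, and milestone builds such as 9.0.0.M1 are deliberately not modelled.

```python
"""Version-based (unauthenticated) vulnerability detection, added example.

Extracts the Tomcat version from a response and matches it against inclusive
affected ranges. Responses below are constructed.
"""
import re

# Inclusive affected version ranges per CVE (7.x from the article; 8.5/9.0
# from Apache's Tomcat security pages). Milestone builds are not modelled.
AFFECTED = {
    "CVE-2020-9484": [
        ((7, 0, 0), (7, 0, 103)),
        ((8, 5, 0), (8, 5, 54)),
        ((9, 0, 0), (9, 0, 34)),
    ],
}

# Tomcat's default error page carries "Apache Tomcat/x.y.z"; the Server
# header on Tomcat 7 is just "Apache-Coyote/1.1" and reveals nothing.
TOMCAT_BANNER = re.compile(r"Apache Tomcat/(\d+(?:\.\d+)+)")


def parse_version(text):
    """'7.0.100' -> (7, 0, 100); pads to three components so tuple comparison is sound."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (3 - len(parts))


def tomcat_version(http_response):
    m = TOMCAT_BANNER.search(http_response)
    return parse_version(m.group(1)) if m else None


def matching_cves(version):
    return [cve for cve, ranges in AFFECTED.items()
            if any(lo <= version <= hi for lo, hi in ranges)]


def assess(http_response):
    """What an unauthenticated check can (and cannot) conclude from one response."""
    version = tomcat_version(http_response)
    if version is None:
        return {"version": None, "cves": [],
                "note": "version not disclosed; needs an authenticated check"}
    return {"version": version, "cves": matching_cves(version),
            "note": ("version match only: cannot see backported fixes or whether "
                     "the vulnerable PersistenceManager/FileStore setup is in use")}


# Constructed responses: a stock Tomcat 7 404 page, and a server that hides its version.
RESPONSE_404 = (
    "HTTP/1.1 404 Not Found\r\nServer: Apache-Coyote/1.1\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<html><head><title>Apache Tomcat/7.0.100 - Error report</title></head>"
    "<body><h1>HTTP Status 404 - /nope</h1></body></html>"
)
RESPONSE_HARDENED = (
    "HTTP/1.1 404 Not Found\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n"
    "<html><body>Not found</body></html>"
)

if __name__ == "__main__":
    for r in (RESPONSE_404, RESPONSE_HARDENED):
        print(assess(r))
```

The `note` field is the point: a version match is a candidate finding, not a confirmed one. CVE-2020-9484 in particular only applies when the server uses the PersistenceManager with a FileStore and an attacker can control a file on the server, which no banner will tell you, and a distribution package may carry the fix under the old version number. That is why the same finding from an authenticated scan or an agent is trusted more.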
Prioritize the vulnerabilities
Once the scanner has scanned the hosts, the vulnerabilities need to be prioritized. To help decide which vulnerabilities to fix first there are four severity levels (plus None for a score of 0.0), and the severity is derived from the CVSS score. According to the CVSS v3.x qualitative rating scale:
Severity | CVSS v3.x score
Critical | 9.0 - 10.0
High | 7.0 - 8.9
Medium | 4.0 - 6.9
Low | 0.1 - 3.9
The various metric groups and CVSS scores discussed earlier are being used in this phase to prioritize the vulnerabilities.
4. Report
Once the vulnerability management team has all the vulnerability data, prioritized by criticality and impact, those vulnerabilities are reported to the relevant teams.
There can be various types of reporting depending on the audience. For example, a report for asset owners or support teams who will remediate the vulnerabilities should carry technical detail: how the vulnerability can be remediated, and which file, configuration or scanner output is responsible for the finding.
A report for the leadership or executives of the organization, on the other hand, should stay at a much higher level: how many vulnerabilities there are, the top 10 vulnerable assets or top 10 vulnerabilities affecting the environment, and how vulnerability remediation has progressed over time.
5. Remediate
In this step the vulnerabilities are remediated by the asset owners, by applying the required patches or making configuration changes on the asset.
Higher-severity vulnerabilities are always expected to be remediated first. One should also keep an eye on aged vulnerabilities that have been sitting in the environment for a long time.
Some remediations require a service outage or a server reboot, and it is not always possible to take a mission- or business-critical server down for long, especially during certain periods of the year. For that reason exceptions should be allowed in special cases, with a compensating control in place and a firm date by which the vulnerability will be remediated.
Keep in mind that an older vulnerability becomes easier for an attacker to exploit over time, as proof-of-concept code, new tools and exploitation techniques become available. Delaying the remediation of critical vulnerabilities can therefore lead to major problems.
6. Verify
Once remediation is done, the vulnerability management team needs to rescan and verify whether the vulnerability is actually fixed. If it is not, the responsible teams need to be informed and a proper fix applied.
Once verification is complete, an optional report can be sent to the organization's executives.
With the last step complete, the vulnerability management team starts again at step 1, Discovery, and the process continues as a cycle, because new CVEs are published every day and the assets on the network keep changing.