00:00:02
If you're working in IT security, you are undoubtedly going to be performing some vulnerability scans. These scans are designed to look at systems to see if potential vulnerabilities might exist in an operating system, a network device, or an application. These are a little bit different than a penetration test, which is really trying to gain access into the inner workings of your devices. Instead, the vulnerability scan is trying to determine from the outside if there is the potential to gain access to those systems.

00:00:31
One common type of a vulnerability scan is a port scan. That's when we will look at a device and determine what ports happen to be responding on that particular IP address. From here you may be able to gather information about things that might be less than secure. For example, on this device port 23 running over TCP, which would be the Telnet service, is an open port on this device, and without knowing anything else about this system, we know that Telnet inherently sends information that is not secure; it is not encrypted. So this would be something to bring up as a potential vulnerability on this computer.
00:01:07
It's common to run vulnerability scans on all of the devices connected to the network. This would be servers, workstations, laptops, and other devices that are connected to the network as well. You want to be able to perform these vulnerability scans from the perspective of the attacker, so you want to perform these from the outside, on the internet side, coming inbound to your devices. But you might also want to run these scans internally, as if you were an insider who had full access to these systems. We'll want to gather as much information as possible, and these vulnerability scans collect a lot of information. There's plenty of details that we'll need to examine in the log to determine what we want to do with this information once the scans are complete.

00:01:49
The vulnerability scanners you use are very powerful pieces of software that are designed to look at many different aspects of how your systems are running, in the hopes that it will find some vulnerabilities on that device. We call these non-intrusive scans, but of course there's a little bit of intrusiveness as it's scanning the different port numbers and perhaps trying to find out if a potential vulnerability might exist. But these aren't penetration tests. These vulnerability scanners will not try to attempt to take advantage of the vulnerability; instead, they'll simply decide if a vulnerability might exist or not. After the scan is complete you can run your own test to see if that vulnerability really does exist. You can run a penetration test on its own, or you can find a specific exploit that might attack that vulnerability and see if that vulnerability does exist.

00:02:39
There are different approaches to performing these scans. One approach is to scan as if you are someone who does not have access to the network. This would be a non-credentialed scan. This user doesn't have the credentials to be able to log on to a device and gain additional rights and permissions. You might want to think of this as someone who is out on the internet who doesn't have any access to your network, and this would be a scan that's run from their perspective. But of course there is the perspective of someone who is on the inside of your network and trying to exploit a system, so you might want to run these types of vulnerability scans as a user who has rights and permissions to log in. This is a credentialed scan, and it's a way to tell how much of a vulnerability might exist if you were someone who had a little bit of access to these systems.
00:03:28
Let's look at the results of a vulnerability scan that I ran on my network. I ran this with the Nessus Essentials product, that was able to look at an individual IP address at 10.1.10.13. It's important to remind you at this point that you should never run a scan on your network where you do not have specific permission to do so. You should also make sure that if you're running a scan on the network, that you understand exactly what that scan is going to do. There are some conversations that take place between the scanner and that remote device, and there have been cases where a vulnerability scanner has found a bug in a piece of software that caused that particular system or application to suddenly become unavailable. So you could potentially crash a system or make the system unavailable simply by performing one of these vulnerability scans. Make sure that everybody knows what's happening and that you're ready if anything should happen to those systems.

00:04:25
On this device, 10.1.10.13, I ran a vulnerability scan. It only took two minutes to scan this particular device. Let's click on this host and see what the results of this report might be. Let's start with these two critical vulnerabilities at the top. The first is a Debian OpenSSH/OpenSSL Package Random Number Generator Weakness. This means that someone could gain a shell remotely into that system. I can see why they would have qualified this as a critical vulnerability. When we click on that, we can see more information about this specific vulnerability: the remote SSH host key has been generated on a Debian or Ubuntu system which contains a bug in the random number generator of its OpenSSL library. This says that the attacker can easily obtain the private part of the remote key. That means that they'll be able to decipher the remote sessions or set up man-in-the-middle attacks. Because this vulnerability exists on this system, it also gives you places to go to read more about it and things that you can do to resolve this particular problem.
00:05:29
Let's go back in these vulnerabilities and look at the other critical vulnerability, which is a Unix Operating System Unsupported Version Detection. I ran the scan against a very old version of Linux, and in fact the vulnerability tells us that this is a very old Unix system that is no longer supported. There will be no security patches for the product, so this will have additional vulnerabilities as time goes on. The output from the vulnerability scan is listed here, and we can see that it is Ubuntu 8.04, that support ended many years ago, and that was one where we now can make decisions about upgrading that system or putting a system in place that would have security patches ongoing. Let's go back to the listing of vulnerabilities, and you can see there are other vulnerabilities in here, such as mixed vulnerabilities, medium, low, and a lot of informational vulnerabilities are listed here.

00:06:24
You now have to make a decision over which of these vulnerabilities are important, which of them you should cover first, which should be second on the list, and there may be vulnerabilities in this list that don't affect you or do not have a concern in your environment. You're going to have to go through each one of these and make those decisions. And that vulnerability scanner went out to that device and looked for every possible vulnerability that it might have, or at least every possible vulnerability that the vulnerability scanner knows about. There's a database within the vulnerability scanner that has to constantly be updated so that it knows what to look for and where to look for these types of vulnerabilities.

00:07:03
You will certainly find vulnerabilities associated with particular applications, like desktop apps or mobile apps. In fact, here's a desktop app vulnerability, CVE-2020-1889, which has a security feature bypass issue in WhatsApp Desktop, and you'll need to update the application to be able to resolve that security vulnerability. There are also vulnerabilities that you may find associated with web-based applications. This is software that's running on a web server. Here's an example of one in a PHP file for an organization, UCMS, that has a product 1.4.8, and this results in an information leak via an error message and provides information that it should not be providing. And of course there could be scans against network devices on your network where you get information about misconfigured firewalls, devices that have ports that are open that perhaps should not be open, and other vulnerabilities as well. This is a vulnerability, CVE-2020-25079: an issue was discovered on D-Link DCS-2530-L before version 1.06.0 Hotfix, etc. This allows authenticated command injection, so this would be a vulnerability that is on the router itself that would need to be resolved with a firmware upgrade.
00:08:24
If you're performing these vulnerability scans, you'll be doing a lot of research prior to the scan and a lot of research after the scan is complete. There are many resources online that can give you the information you need to be able to make decisions when these vulnerabilities are found. One very common place to go is the consolidated CVE database at the National Vulnerability Database. You can find that at nvd.nist.gov. This is a summary of all of the CVEs that you can also find at the Common Vulnerabilities and Exposures database. Those are the CVEs, and you'll find that at cve.mitre.org. You might also want to go directly to the manufacturers themselves, and one great place to get information about Microsoft Windows is directly from Microsoft. You'll find those Microsoft security bulletins at www.microsoft.com/technet/security/current.aspx. There will be some vulnerabilities identified by the scanner that cannot be tied back to a specific known CVE, so you might also need to do some additional research to really determine the scope of this particular vulnerability.

00:09:34
I mentioned earlier one of the best places you can go to get a summary of these CVEs is the National Vulnerability Database at nvd.nist.gov. This is a list that is synchronized with the CVE list from MITRE and has some nice search capabilities on it as well. But another feature that is inside the National Vulnerability Database is the Common Vulnerability Scoring System. This provides a number associated with the vulnerability that can give you a perspective of just how severe this vulnerability might be. Each vulnerability gets a score between 0 and 10, and this allows you to at least have some measure that you can use to determine which vulnerabilities may be more severe than others. There are currently two different scoring methods that are used: a scoring version 2.0 and another one that is currently version 3.1. These use different criteria to create the score, so you need to make sure that you pick the version that you would like to follow and then compare that against all of the vulnerabilities that you found. The National Vulnerability Database is a critical summary of these vulnerabilities, and if you're putting together a record-keeping program or trying to automate the processes that you have around vulnerabilities, you will absolutely want to involve this National Vulnerability Database.
00:10:49
As you saw in the vulnerability scan that I had created, there were a number of different vulnerabilities that were identified, and from different categories as well. One of these categories is a lack of security control. These devices should be running anti-virus, anti-malware, and its own personal firewall to allow or restrict access to that system, so a vulnerability scan might be able to determine that certain security procedures are not in place on that device. There might also be misconfigurations. On the vulnerability scan I ran, it found that there was an NFS misconfiguration that allowed anybody to see the NFS shares that were on that device. Vulnerability scans might also inform you that the guest login access is enabled on that system, so that you can then go to that device and disable that type of access. And of course there are operating system and application vulnerabilities that are found every day, so this vulnerability scan will give us the heads up to let us know if a particular piece of software needs to be updated.

00:11:50
One of these challenges with vulnerability scans is you will occasionally find a vulnerability that is reported. You'll go and investigate that vulnerability, and what you'll find is that the vulnerability scan didn't get it right, that in fact that vulnerability doesn't exist on that particular device. We call these false positives, because our vulnerability scan has positively identified this vulnerability, but after doing research we find that positive indication was actually false, and the false positive now can be dismissed and we can continue with our research. False positives, of course, are different than a low severity vulnerability. Sometimes people will dismiss the low severity vulnerabilities as being something they don't have to worry about on this particular system. That's different than a false positive. At least a low severity vulnerability is a real vulnerability that exists, albeit at a very low priority level. A false positive is one that doesn't exist at all, so we need to be sure to categorize those properly. We're trying to evaluate how to take the next steps with this system to make it more secure.

00:12:57
Perhaps worse than a false positive would be a false negative. This is when a vulnerability exists on a system but our scanner was not able to identify it and did not tell us anything about that vulnerability existing on that particular device. To be able to resolve problems around false positives and false negatives, you want to be sure that you have the latest version of the signatures running for that vulnerability scanner. This will allow it to filter out anything that it knows is not valid and find all of the vulnerabilities on the system that might have been missed if you were using an older database. If you do run a scan and you get a false positive or a false negative, you want to work with the vulnerability scanner manufacturer and see if they can create an updated database that resolves these issues.
00:13:48
Of course there are a number of vulnerabilities you can look for without using some type of formal vulnerability scanner. For instance, you could do a configuration review of an operating system to see if there may be any obvious security issues. For example, you may want to validate what the security settings are in a device. It's easy to log into the device and see what the firewall settings might be set to, or see if anti-virus has been updated recently. You can look at workstations and see what the account configurations are and make sure that nobody's turned on any particular security shares that might put the entire device at risk. On servers themselves we are concerned with the access control to those servers and the permissions of users who are connecting to that server. And we want to look at our security devices themselves and make sure that we haven't misconfigured a firewall rule to allow access when really we wanted to deny access.