Sunday, October 30, 2022

Vulnerability Management - Searching with CVE ID

Be careful with Qualys when searching for a particular CVE ID in your environment. Why am I saying so? .. Let's assume a few points to set the context.

Assume the following points: (Feeling like I am studying Mathematics .. "Assume length of rectangle to be x" .. Ha ha :) .. Anyways .. Let's continue)

  1. Microsoft published a patch which remediated 'x', 'y' and 'z' vulnerabilities.
  2. Your environment is affected with only 'x' vulnerability.
  3. The servers are running Microsoft Windows XXXX.
  4. Qualys published a QID to check for the patch.
  5. Qualys published a QID to check for 'x'


Now, with the above assumptions in mind, when you check the exposure status of your environment for 'x', what do you think will happen?


Well .. You will get many false positives in your search result. Why? ... Because the detection logic is now also flagging servers which are not vulnerable to 'x'. Again, a big WHY? ... Because searching by CVE ID returns the QID that looks for the patch as well as the QID that looks for the vulnerability itself, and the patch QID fires on every host that is missing the patch, whether or not 'x' is actually present on it. You can observe multiple QIDs for that CVE ID. So .. Once you have multiple QIDs, choose the one which detects 'x' only and search again.


Sometimes Qualys may take some time to publish the QID which detects only 'x'. So .. In case the QID to detect 'x' is not published yet, when you search for the CVE ID you will get only one QID, the one which detects whether the patch is installed or not, and that does not tell you whether your environment is vulnerable to 'x'.


Normally, the Vulnerability Management (VM) team receives inputs from the Threat Intelligence (TI) team, and you tend to search using the CVE ID and not the QID, as you are not aware of the related QIDs.


So just remember: detecting a vulnerability is different from detecting the patch for the vulnerability, as the patch might contain fixes for several other vulnerabilities.
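Here is an added example (not from the original post, and not Qualys code) of the triage logic above: given the QIDs mapped to a CVE, treat a QID mapped to several CVEs as a patch-level check and a QID mapped to this CVE alone as the vulnerability-specific check, and use the difference between the two host lists as the likely false positives. The QIDs, CVE IDs and host names are constructed for illustration; they are not real Qualys identifiers, and the "one CVE mapped = vulnerability-specific" rule is my assumption (in practice, read the QID title and detection logic).

```python
"""Added example (not from the original post): telling a patch-level QID apart
from a vulnerability-specific QID when you start from a CVE ID. The QIDs,
CVE IDs and host detections below are constructed for illustration and are
not real Qualys identifiers."""

# Constructed knowledge base: QID -> CVE IDs the detection is mapped to.
# The patch QID is mapped to every CVE the patch fixes ('x', 'y', 'z');
# the vulnerability QID is mapped to 'x' alone.
KB = {
    "QID-900001": {"CVE-2022-0001", "CVE-2022-0002", "CVE-2022-0003"},  # "patch missing"
    "QID-900002": {"CVE-2022-0001"},                                    # detects 'x' itself
}

# Constructed detections: QID -> hosts on which it fired. Every host is
# missing the patch, but only two actually have 'x'.
DETECTIONS = {
    "QID-900001": {"srv01", "srv02", "srv03", "srv04"},
    "QID-900002": {"srv01", "srv02"},
}

def qids_for_cve(kb, cve):
    """Split the QIDs mapped to `cve` into vulnerability-specific ones
    (mapped to this CVE only) and patch-level ones (mapped to several CVEs).
    Assumption: a QID mapped to a single CVE checks that vulnerability itself."""
    specific, patch_level = [], []
    for qid, cves in kb.items():
        if cve in cves:
            (specific if len(cves) == 1 else patch_level).append(qid)
    return sorted(specific), sorted(patch_level)

def hosts_for(detections, qids):
    """Union of the hosts on which any of `qids` fired."""
    hosts = set()
    for qid in qids:
        hosts |= detections.get(qid, set())
    return hosts

def exposure(kb, detections, cve):
    """Return (exposed_hosts, qids_used, likely_false_positives).

    If a vulnerability-specific QID exists it is authoritative, and the hosts
    flagged only by the patch QID are the likely false positives. If only a
    patch QID exists, its hosts are returned and likely_false_positives is
    None: the data cannot say which of them are really vulnerable."""
    specific, patch_level = qids_for_cve(kb, cve)
    patch_hosts = hosts_for(detections, patch_level)
    if not specific:
        return patch_hosts, patch_level, None
    specific_hosts = hosts_for(detections, specific)
    return specific_hosts, specific, patch_hosts - specific_hosts

if __name__ == "__main__":
    for cve in ("CVE-2022-0001", "CVE-2022-0002"):
        print(cve, exposure(KB, DETECTIONS, cve))
```

For CVE-2022-0001 (our 'x') the vulnerability QID wins and srv03/srv04 come back as likely false positives; for CVE-2022-0002 only the patch QID exists, so all four hosts are reported and the function says explicitly that it cannot tell which ones are really exposed.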


Happy Learning !!

Friday, October 28, 2022

Vulnerability Management - Remediation vs Mitigation

Do not use these terms interchangeably !! So .. Let's understand them and see the differences.

Remediating a vulnerability means fixing or eliminating it, dealing with the root cause of the vulnerability. Mitigating a vulnerability, on the other hand, means finding a temporary solution or workaround to decrease the possibility of a vulnerability being exploited.

However, sometimes remediation isn't possible, for several reasons such as the following:


1. A fix, patch or an updated version of the software is not available immediately, since it takes time for the vendors to prepare and distribute them.

2. Not all vulnerabilities need to be fixed immediately. This is usually the case when a vulnerability does not pose a threat because it is not directly accessible or exploitable by a threat actor. For instance, the vulnerable software could be disabled on Internet-connected devices and left running only on devices that are not connected.

3. Due to managerial issues, you could be hindered from applying a remediation action. This usually happens when a company has strict availability (QoS) requirements on customer-facing systems and cannot tolerate the downtime required to patch a vulnerability or update software.

4. Due to some restrictions, such as compatibility issues with other software being used in a system, a fix or patch cannot be applied at all.

Actions to mitigate a vulnerability could be one or more of the following:


1. Blocking a port on a firewall (on a network or host) that could expose a vulnerability to malicious actors.

2. Limiting the use of the vulnerable software to a separated network or a selected list of users.

3. Disabling the vulnerable software temporarily.


Please refer to the URL below for more information:

https://cybersophia.net/articles/what-is/vulnerability-mitigation-vs-remediation/#:~:text=To%20sum%20up%2C%20remediation%20is,it%20cannot%20be%20eliminated%20immediately.


Happy Learning !!

Wednesday, October 26, 2022

Vulnerability Management - Parameters to consider while selecting Vulnerability Management Solution

Following are the parameters one can consider while selecting a scanning vendor:


1. Platform Support 
2. Deployment Options
3. Scanning Method
4. Integration
5. Vulnerability Updates
6. Ticketing/Workflow Integration
7. Detailed Remediation Guidelines
8. Pricing
9. Threat Intelligence Feeds
10. Risk Prioritization
11. Scalability
12. Scheduling Options
13. Technical Support
14. Delivery Model
15. Reporting Options
16. Ease of use
17. False Positive Ratio

Please watch the session below for more details:
https://www.youtube.com/watch?v=UcVflfpZdxI&t=2855s

Happy Learning !!

Sunday, October 23, 2022

Vulnerability Management - Compensating controls for unpatched servers

Often, due to application dependencies, EOL systems and budget constraints, it is not possible to patch servers. So .. What actions can we take in such situations? Look out for answers to the following questions:


1. Is the vulnerability providing information disclosure ? 

Your DLP or WAF solution may already be capable of detecting and mitigating such an exploit.


2. Does the vulnerability call an application to perform an unwanted action ? 

It is possible that your Host-based Intrusion Prevention System (HIPS) can block those binaries from executing (a detection-only HIDS will alert on them but not stop them).


3. Does the vulnerability require access to a resource or service ? 

An ACL that blocks or restricts access might be the perfect solution.


In case of EOL systems, the following compensating controls can be put in place:


1. Network isolation/segmentation

One option to protect EOL devices is to place critical servers on an isolated network to ensure the devices cannot interact with any machines outside of the isolated network or connect to the Internet. With network isolation, EOL devices are protected from threats, but access to other critical assets, including internet and cloud functions, is drastically limited. While this security model can be used as a compensating control to mitigate threats, it may cause business disruption and impact end-user productivity, since most servers host critical applications that need to be reachable from corporate systems for employee access.


2. Virtualization

Hosting assets within a virtualized environment can provide a number of security benefits: increased control over critical assets, ease of re-imaging in the event of a compromise, and the ability to limit a critical server's exposure to the rest of the environment. If an asset becomes a target, it can be quickly isolated and re-initialized. But for critical servers running applications that require round-the-clock access, virtualization may mean increased administration and resources. It can also create compliance problems where in-scope data must be controlled in ways a virtual environment cannot guarantee, or is not permitted to run in one at all.


3. Application control and whitelisting

It is a security model focused on allowing known "good" applications to run rather than blocking known "bad" ones. By only allowing trusted software to run, application whitelisting blocks unauthorised executables (including many exploit payloads) and reduces the administration associated with system and application patching and updates. In "default-deny" mode, application whitelisting is a highly effective compensating control to meet regulatory compliance standards and harden out-of-date systems.


Happy Learning !!


Saturday, October 22, 2022

Vulnerability Management - What is a Superseded Patch ?

Ever encountered a situation where your platform team applied the latest patch, yet your scanner still flagged older patches as missing on that system!! Hang on!! Don't panic. Most probably it is due to the setting "Show missing patches that have been superseded".

A superseded patch is a patch that does not need to be installed because a later patch is available that will correct the same vulnerability.

A typical example is a service pack, which bundles many other patches that have been released before the service pack. If the service pack is installed on a host, earlier patches usually do not need to be installed.

You can enable or disable it in the scan policy or report template. When enabled, reports show the earlier patches along with the patch which supersedes them. This helps you analyse patch history and ask your platform teams questions like: why is the server not receiving regular patches? Is the server properly onboarded in the patching tool? Is there a connectivity issue between the server and the patching tool? When disabled, the report shows only the latest patch, which supersedes the previous months' patch(es).

So .. How to determine whether a patch supersedes another one (or several)? For Windows OSes, please refer to the Microsoft Update Catalog: https://www.catalog.update.microsoft.com/Home.aspx

Also, please refer to the link below for more information:

https://tenable.force.com/s/article/Show-missing-patches-that-have-been-superseded-Enabled-vs-Disabled
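Here is an added example (not from the original post, and not Tenable or Qualys code) of what the toggle does to one host's missing-patch list once you have a supersedence graph: with the toggle disabled only the newest patch in each chain is shown, with it enabled the superseded ones come back as the patch history. The patch names and supersedence edges are constructed for illustration; for real Windows updates the relationships come from the Update Catalog.

```python
"""Added example (not from the original post): what the 'Show missing patches
that have been superseded' toggle does to a host's missing-patch list, given a
supersedence graph. Patch names and edges are constructed; for real Windows
updates the relationships come from the Microsoft Update Catalog."""

# Constructed: newer patch -> patches it directly supersedes. Monthly
# cumulative updates typically supersede the previous month's update.
SUPERSEDES = {
    "PATCH-2022-08": {"PATCH-2022-07"},
    "PATCH-2022-09": {"PATCH-2022-08"},
    "PATCH-2022-10": {"PATCH-2022-09"},
    "PATCH-NET-2022-10": {"PATCH-NET-2022-06"},   # a separate product line
}

def superseded_by(patch, supersedes):
    """Every patch transitively superseded by `patch` (depth-first walk)."""
    seen, stack = set(), [patch]
    while stack:
        for older in supersedes.get(stack.pop(), ()):
            if older not in seen:
                seen.add(older)
                stack.append(older)
    return seen

def collapse_missing(missing, supersedes):
    """Return (latest_only, superseded) for a host's missing patches.
    With the toggle disabled the report shows latest_only; with it enabled it
    shows both lists, which is how you get to see the patch history."""
    missing = set(missing)
    superseded = set()
    for patch in missing:
        superseded |= superseded_by(patch, supersedes) & missing
    return sorted(missing - superseded), sorted(superseded)

def skipped_cycles(missing, supersedes):
    """Longest chain of superseded patches still missing: a rough 'how many
    patch cycles has this host skipped' number to raise with the platform team."""
    missing = set(missing)
    return max((len(superseded_by(p, supersedes) & missing) for p in missing), default=0)

if __name__ == "__main__":
    host_missing = ["PATCH-2022-07", "PATCH-2022-08", "PATCH-2022-09",
                    "PATCH-2022-10", "PATCH-NET-2022-06"]
    print(collapse_missing(host_missing, SUPERSEDES))
    print("skipped cycles:", skipped_cycles(host_missing, SUPERSEDES))
```

A host missing four consecutive monthly updates collapses to a single missing patch when the toggle is off, which is exactly why the same host looks "one patch behind" in one report and "four months behind" in another.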


Happy Learning !!

Thursday, October 20, 2022

Vulnerability Management - Is CVE a Vulnerability Database ?

Common Vulnerabilities and Exposures, often known simply as CVE, is a list of publicly disclosed computer system security flaws. CVE is a public resource that is free for download and use. This list helps IT teams prioritize their security efforts, share information, and proactively address areas of exposure or vulnerability.

So .. Is it a Vulnerability Database ?

No. CVE is not a vulnerability database; rather, it is designed to connect different vulnerability databases and security tools. And because it is not a vulnerability database, it does not contain information on the risks, the fixes or technical details of the entry.

So .. Which DBs should we consider as a Vulnerability Database ?

1. National Vulnerability Database (NVD)

https://nvd.nist.gov/

2. Vulners (Vulnerability Assessment Platform)

https://vulners.com/

3. Vulnerability Database (VulDB)

https://vuldb.com/

4. CVE Details

http://cvedetails.com/


There are other DBs as well, but for the time being .. I think these are enough (Ha Ha .. just kidding). Please refer to the link below to find more information.

https://securitytrails.com/blog/what-is-cve#top-4-cve-databases


Happy Learning

#vulnerabilitymanagement

Wednesday, October 19, 2022

CyberSecurity - A few differences which kept bothering me !!

1. Difference between Risk, Threat and Vulnerability

Risk is the potential for loss, damage or destruction of assets or data caused by a cyber threat. Threat is a process that magnifies the likelihood of a negative event, such as the exploit of a vulnerability. And a vulnerability is a weakness in your infrastructure, networks or applications that potentially exposes you to threats.  

https://www.kennasecurity.com/blog/risk-vs-threat-vs-vulnerability/

2. Difference between Vulnerability and Exposure (as the acronym "CVE" contains both)

According to the CVE website, a vulnerability is a mistake in software code that provides an attacker with direct access to a system or network. For example, the vulnerability may allow an attacker to pose as a superuser or system administrator who has full access privileges. An exposure, on the other hand, is defined as a mistake in software code or configuration that provides an attacker with indirect access to a system or network. For example, an exposure may allow an attacker to secretly gather customer information that could be sold.

https://www.techtarget.com/searchsecurity/definition/Common-Vulnerabilities-and-Exposures-CVE

3. Difference between Event, Alert and Incident

A security event refers to the security-impacting activity that occurred. Alerts are the notifications — often found in logs or derived from analysis and a correlation of logs —  a system sends to inform IT and IS teams of the event. Incidents are high-impact security events that have a significant negative impact on a business as a whole and require significant effort to identify, mitigate and remediate. An event may be irregular and/or minor but does not seriously impact a business, or an event could be highly disruptive and possibly cause a loss of revenue, making it an incident.

https://www.deepwatch.com/education-center/what-is-the-difference-between-a-security-incident-an-event-and-an-alert/

4. Difference between Exploit and Payload

Payload refers to the part of malware which performs a malicious action. An exploit (meaning "using something to one’s own advantage") is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug or vulnerability in order to cause unexpected behavior to occur on computer software, hardware, or something electronic. Such behavior includes things like gaining control of a computer system or a denial-of-service attack.

https://www.ques10.com/p/67205/difference-between-payload-and-exploits-in-syste-1/?#:~:text=Exploits%20give%20you%20the%20ability,like%20denial%20of%20service%20exploits.

Please refer the links above for more information.

Happy Learning !!

Thursday, October 13, 2022

Vulnerability Management - How scans work in the background

Phases of a vulnerability scan:

1. Host Discovery

Identify network-accessible systems by pinging them or sending them TCP/UDP packets (scanners probe well-known ports and look for responses).


2. Port Discovery

Identify open ports on the live systems found in step 1 (NOT all 65535 ports are probed!! A Qualys Standard Scan, for example, includes about 1900 TCP and 180 UDP ports by default. Typically, the majority of services and listening applications run on these ports.)


3. Service Discovery

Identify services running on identified open ports in step 2


4. VM/PC Assessment

Gather detailed system information and correlate with known vulnerabilities
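The four phases, as an added example that is not part of the original post and not any vendor's scanner code. It uses only the Python standard library and runs against a throwaway TCP listener started on 127.0.0.1, so it works offline; the listener's banner and the one-entry "knowledge base" used in phase 4 are constructed for illustration.

```python
"""Added example (not from the original post): the four scan phases against a
local listener, using only the standard library. The target is a throwaway
server started on 127.0.0.1; its banner and the tiny vuln knowledge base are
constructed for illustration and are not real scanner data."""
import re
import socket
import threading

def start_fake_service(banner: bytes):
    """Start a TCP listener on an ephemeral 127.0.0.1 port that sends `banner`
    to each client and closes. Returns (port, stop_function)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)
    stopped = threading.Event()

    def serve():
        while not stopped.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], stopped.set

def tcp_connect(ip, port, timeout=0.3):
    """One probe: True if a TCP handshake completes on ip:port."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

# Phase 1: host discovery. A host counts as live if any probe port answers.
def host_is_live(ip, probe_ports):
    return any(tcp_connect(ip, p) for p in probe_ports)

# Phase 2: port discovery over a limited port list (not all 65535).
def discover_ports(ip, ports):
    return [p for p in ports if tcp_connect(ip, p)]

# Phase 3: service discovery by reading whatever the open port sends first.
def grab_banner(ip, port, timeout=0.5):
    try:
        with socket.create_connection((ip, port), timeout=timeout) as s:
            return s.recv(256).decode(errors="replace").strip()
    except OSError:
        return ""

# Phase 4: assessment, correlating the banner with known-vulnerable versions.
# Constructed knowledge base: (regex on banner, finding title).
KB = [
    (re.compile(r"^SSH-2\.0-OpenSSH_7\.[0-3]\b"),
     "Outdated OpenSSH 7.0-7.3 (constructed example finding)"),
]

def assess(banner):
    return [title for pattern, title in KB if pattern.search(banner)]

def run_scan(ip, ports):
    """Tie the phases together and return a small report dict."""
    if not host_is_live(ip, ports):
        return {"live": False, "ports": {}}
    report = {"live": True, "ports": {}}
    for port in discover_ports(ip, ports):
        banner = grab_banner(ip, port)
        report["ports"][port] = {"banner": banner, "findings": assess(banner)}
    return report

if __name__ == "__main__":
    port, stop = start_fake_service(b"SSH-2.0-OpenSSH_7.2\r\n")
    print(run_scan("127.0.0.1", [port]))
    stop()
```

Two things worth noticing: the host is declared live only because one of the probed ports answered, so a host that filters every port on the list is simply invisible to phase 1, and phase 4 is only as good as the banner, which is why authenticated scans (which read package versions directly) find more than this.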


Please refer to the links below for more information:

https://community.tenable.com/s/article/Phases-of-a-vulnerability-scan

https://qualys.secure.force.com/articles/How_To/000002028

https://www.rapid7.com/fundamentals/vulnerability-management-and-scanning/


Happy Learning !!

Wednesday, October 12, 2022

CyberSecurity - Why do we need NMAP scripts when we have NMAP switches ?

Let's talk about a tool which is familiar to every CyberSecurity enthusiast ... Yesssss NMAP

One of the ways that NMAP has expanded its functionality is the inclusion of scripts to conduct specialized scans. You simply have to invoke the script and provide any necessary arguments in order to make use of the scripts. The NMAP Scripting Engine (NSE) extends NMAP’s capabilities to enable it to perform a variety of tasks and report the results along with NMAP’s normal output. Some examples of NSE scripts include:

1. Enhanced Network Discovery: Perform 'whois' lookups, perform additional protocol queries, and act as a client for the listening service to collect information such as available network shares.

2. Enhanced Version Detection: Perform complex version probes and attempt service brute-force cracking.

3. Vulnerability Detection: Execute probes to check for specific vulnerabilities.

4. Malware Detection: Execute probes to discover Trojan and worm backdoors.

5. Vulnerability Exploitation: Execute scripts to exploit a detected vulnerability.

Note:

By default, version scanning (-sV) also executes all NSE scripts in the version category. The -A option enables OS detection, version detection, script scanning and traceroute; the script scanning part is the same as -sC, i.e. the default script category, which includes some scripts considered intrusive.

Happy Learning !!

Vulnerability Management - Kenna and RiskIQ

As the number of assets in organizations grows, vulnerability management solutions have started gathering overwhelming amounts of data (vulnerabilities). As a result, security analysts are coming under pressure to prioritize remediation efforts. Hence tools like Kenna and RiskIQ have started to gain importance.

Kenna uses the following scores to calculate the final asset score: 

Component 1: Vulnerability Scoring

Within Kenna, vulnerabilities from various scanning vendors are brought in during connector runs and normalized based on the CVE ID, CWE ID or the WASC identifier. 

For network vulnerabilities, Kenna looks at the CVSS base score for the CVE. It then looks at 20+ threat and exploit feeds to understand the volume and velocity of attacks against that CVE, whether malware is available, whether it is easy to exploit, whether it is actively being exploited in the wild, etc. All of these details help derive the Kenna Vulnerability Score.

Vulnerabilities get a score from 0-100 and are broken out into thirds: Green 0-33, Amber 34-66, Red 67-100

Component 2: Asset Scoring

An asset is as at risk as its highest-scored vulnerability. Hence, the asset score is derived from the highest-scored vulnerability present on the asset.

Assets get a score from 0-1000, broken out into thirds rounded to the nearest 10: Green 0-330, Amber 340-660, Red 670-1000

Component 3: Risk Meter Score

This score is calculated by taking the average of all the active, non-zero scored assets within the group.

Risk Meters can get a score between 0-1000 and are broken out into thirds rounded to the nearest 10: Green 0-330, Amber 340-660, Red 670-1000

Final Asset Score = Highest Vuln Score * Asset Priority (If External IP then raise the score by 200 points)

Please find the below link for more information on scoring methodology:

https://help.kennasecurity.com/hc/en-us/articles/4402070116116-Understanding-Vulnerability-Asset-and-Risk-Meter-Scoring

Please find the below link for more information on asset prioritization methodology:

https://help.kennasecurity.com/hc/en-us/articles/360000862303-Asset-Prioritization-In-Kenna

Happy Learning !!

Vulnerability Management - Network-based vs Agent-based Internal Vulnerability Scanning

Network-based scanning - The more traditional approach: internal network scans run from a box known as a scanning 'appliance' that sits on your infrastructure (or, more recently, from a virtual machine in your internal cloud).

Agent-based scanning - Considered the more modern approach: 'agents' run on your devices and report back to a central server.

Following are the parameters on the basis of which one can decide whether to go for Network based or Agent based architecture:

1. Coverage

2. Attribution

3. Discovery

4. Deployment

5. Maintenance

6. Concurrency and scalability

I won't draw any conclusions here as to which model is better. It all depends on your analysis after applying the above parameters to your environment, manpower and budget.

Happy Learning !!

Vulnerability Management - No. of times detected

If you carefully observe vulnerability reports, you will find one column as detections or no. of times detected. Do not ignore this column.

Now, suppose you run scans on a weekly basis, so in a year you run 52 scans. Suppose a low-priority vulnerability became public in April 2022. Then, from May to September (excluding April and October), the vulnerability should have been detected at least 20 times (5 months × 4 weekly scans).

What if the detections are 4 or 5 times, or somewhere near that? The following conclusions can be drawn from the observation:

1. The server on which the vulnerability was detected was offline during the scan

2. There may be intermittent networking issues (Firewall rules or routing issues)

3. One should also check for authentication issues if any

Impact: Due to the above issues, you can suddenly observe the age of the vulnerability as 4 or 5 months (because the vulnerability was first detected 4 or 5 months ago, the first detected date will be that old). Now the corresponding platform team will start complaining that the vulnerability didn't appear in subsequent reports and that they need time to remediate it, as they were not aware of its presence.

Hence, always analyze vulnerability reports carefully so that you can detect such issues in time and take appropriate action on them.  

Happy Learning !!

Vulnerability Management - Stale 'Last Detected' dates

You might have observed stale 'Last Detected' dates in vulnerability reports.

Following are the reasons:

1. Authentication not happening properly (Credentials expired or have insufficient privileges)

2. Closed ports

3. Changes made to scan settings (option profile in Qualys)

4. Changes in firewall rules

Because of the above reasons, for a vulnerability which was discovered earlier there is now no way to figure out whether it still exists or not. VM scanning vendors normally prefer a false positive over a false negative in such a case, and keep the 'Last Detected' date as the date it was actually last detected.

In Qualys, to work around a finding like this, you can adjust the scan option profile being used (or create a new one) with the "Authoritative Option" selected. This makes the resulting scan override previous findings and mark them as closed. I would highly caution against using this option until the original finding is clearly understood.
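An added example (not from the original post, and not any scanner's code) that covers both this post and the previous one on "No. of times detected": given the first/last detected dates and the detection count from a host-based report, it flags findings that were seen in far fewer scans than the schedule implies (the host-offline / network / authentication cases) and findings whose 'Last Detected' date has gone stale relative to the report date. The rows, the column names and the weekly-scan assumption are constructed for illustration, not a particular vendor's export format.

```python
"""Added example (not from the original post): sanity-checking the
'Times Detected' and 'Last Detected' columns of a host-based report to catch
the sparse-detection and stale-finding cases. The rows, column names and the
weekly-scan assumption are constructed for illustration, not a specific
vendor's export format."""
from datetime import date

SCAN_INTERVAL_DAYS = 7                    # assumption: weekly scans
REPORT_DATE = date(2022, 10, 10)          # assumption: the day the report was pulled

# Constructed report rows: first/last detected dates and the detection count.
ROWS = [
    {"host": "srv01", "qid": "QID-900001", "first": date(2022, 4, 10), "last": date(2022, 10, 9), "times": 26},
    {"host": "srv02", "qid": "QID-900001", "first": date(2022, 4, 10), "last": date(2022, 10, 9), "times": 5},
    {"host": "srv03", "qid": "QID-900001", "first": date(2022, 4, 10), "last": date(2022, 7, 3),  "times": 13},
]

def expected_detections(first, last, interval_days=SCAN_INTERVAL_DAYS):
    """How many scheduled scans fall between the first and last detection."""
    return (last - first).days // interval_days + 1

def check_row(row, report_date, interval_days=SCAN_INTERVAL_DAYS, stale_after=2):
    """Issues for one finding. 'sparse' means it was seen in fewer than half
    the scans it should have been; 'stale' means 'Last Detected' is at least
    `stale_after` scan intervals before the report date."""
    issues = []
    expected = expected_detections(row["first"], row["last"], interval_days)
    if row["times"] < expected / 2:
        issues.append(f"sparse: detected {row['times']} of ~{expected} scans; "
                      "check host uptime, firewall/routing, authentication")
    missed = (report_date - row["last"]).days // interval_days
    if missed >= stale_after:
        issues.append(f"stale: last detected {missed} intervals ago; "
                      "check credentials, closed ports, option profile, firewall rules")
    return issues

def audit(rows, report_date, **kwargs):
    """Map (host, qid) -> list of issues; an empty list means the row looks healthy."""
    return {(r["host"], r["qid"]): check_row(r, report_date, **kwargs) for r in rows}

def run_example():
    return audit(ROWS, REPORT_DATE)

if __name__ == "__main__":
    for key, issues in run_example().items():
        print(key, issues or "ok")
```

srv02 is the "detected 5 times in 6 months" case from the previous post, srv03 is the stale 'Last Detected' case from this one, and srv01 is what a healthy weekly-scanned finding looks like. Run it over the whole report before a remediation meeting and the "it never showed up in our reports" conversation becomes a connectivity or credentials ticket instead.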

Happy Learning !!

CyberSecurity - CipherSuites

Need to check if a cipher suite is weak, strong or deprecated? Refer to https://ciphersuite.info/. The website fetches its data from IANA (https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml).

The IANA (Internet Assigned Numbers Authority) is responsible for maintaining the official registry of TLS cipher suites. If a cipher suite is approved by experts at the IETF (Internet Engineering Task Force), IANA adds it to the registry, where it is assigned a unique two-byte hexadecimal value and a human-readable name (recorded in the Description field).

Two other naming conventions are those of OpenSSL and GnuTLS.

This is how the cipher suite represented by hex value 0x00,0x3D is named according to these three conventions:

IANA: TLS_RSA_WITH_AES_256_CBC_SHA256

OpenSSL: AES256-SHA256

GnuTLS: TLS_RSA_AES_256_CBC_SHA256

The classification of cipher suites as strong or weak may vary a bit between vulnerability management vendors, similar to the way results from different AV engines on VirusTotal vary for a particular hash or URL.
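To make that last point concrete, here is an added example (not from the original post, and not the grading used by ciphersuite.info or any scanner vendor) that grades cipher suites from their IANA names with one explicit rule set. The rules are my assumptions; the `strict_cbc` knob is there to show how a single policy choice makes two graders disagree on the same suite.

```python
"""Added example (not from the original post): grading cipher suites from their
IANA names with one explicit rule set. The rules below are my assumptions; they
are not the grading used by ciphersuite.info or by any scanner vendor, which is
exactly the point: one knob (strict_cbc) changes the verdict."""

TLS13_SUITES = {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
                "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_CCM_SHA256"}

def parse_iana(name):
    """Split 'TLS_<kx>_WITH_<cipher>_<mac>' into its parts (TLS 1.2 and older)."""
    if not name.startswith("TLS_") or "_WITH_" not in name:
        raise ValueError(f"not a TLS 1.2-style IANA name: {name}")
    kx, rest = name[4:].split("_WITH_", 1)
    cipher, mac = rest.rsplit("_", 1)
    return kx, cipher, mac

def grade(name, strict_cbc=True):
    """Return (verdict, reasons); verdict is 'secure', 'weak' or 'insecure'.
    strict_cbc=True downgrades every CBC suite; False tolerates CBC with a
    SHA-2 MAC, which is roughly where vendor opinions diverge."""
    if name in TLS13_SUITES:
        return "secure", []           # TLS 1.3 suites: AEAD only, always forward secret
    try:
        kx, cipher, mac = parse_iana(name)
    except ValueError as exc:
        return "insecure", [str(exc)]

    reasons = []
    # Broken primitives: 'insecure' regardless of anything else.
    if "NULL" in cipher or mac == "NULL":
        reasons.append("no encryption or no integrity")
    if "anon" in kx:
        reasons.append("anonymous key exchange (no server authentication)")
    if "EXPORT" in kx or "EXPORT" in cipher:
        reasons.append("export-grade key sizes")
    if "RC4" in cipher:
        reasons.append("RC4")
    if "3DES" in cipher or cipher.startswith("DES_"):
        reasons.append("DES/3DES (64-bit block)")
    if mac == "MD5":
        reasons.append("MD5 MAC")
    if reasons:
        return "insecure", reasons

    # Weaknesses: still usable, but the suite is not what you want to offer.
    if not (kx.startswith("ECDHE") or kx.startswith("DHE")):
        reasons.append(f"no forward secrecy ({kx} key exchange)")
    if mac == "SHA":
        reasons.append("HMAC-SHA1")
    if "CBC" in cipher and (strict_cbc or mac == "SHA"):
        reasons.append("CBC mode (MAC-then-encrypt, padding-oracle history)")
    return ("weak" if reasons else "secure"), reasons

if __name__ == "__main__":
    for suite in ("TLS_RSA_WITH_AES_256_CBC_SHA256",
                  "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
                  "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                  "TLS_RSA_WITH_RC4_128_MD5"):
        print(suite, grade(suite), grade(suite, strict_cbc=False))
```

The suite from the post, TLS_RSA_WITH_AES_256_CBC_SHA256, comes out "weak" under both settings because RSA key exchange has no forward secrecy, but TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 flips from "weak" to "secure" on the CBC knob alone. When two scanners disagree on a suite, that knob (or one like it) is usually the reason, and the remediation conversation should be about your own policy, not about which scanner is "right".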

Happy Learning !!

CyberSecurity - RegEx

We all know what RegEx is, but do you know it is of immense importance in the Cybersecurity domain as well? It is used in multiple subdomains of Cybersecurity, such as the following:

1. To fine tune controls in policy compliance

2. SOC analysts need RegEx for log analysis and malware detection (e.g. YARA rules)

3. IDS/IPS, firewall and proxy systems use RegEx to specify rules 
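The log-analysis use, as an added example (not from the original post): one pattern pulls failed SSH logins out of syslog-style sshd lines, and a few lines of aggregation turn the matches into a per-source brute-force signal. The log lines are constructed (RFC 5737 documentation addresses) and the threshold is an arbitrary assumption.

```python
"""Added example (not from the original post): the log-analysis use of RegEx,
pulling failed SSH logins out of syslog-style sshd lines and counting them per
source IP. The log lines are constructed (RFC 5737 documentation addresses)."""
import re
from collections import Counter, defaultdict

# Constructed sample: three failures from one source, one from another, one success.
SAMPLE_LOG = """\
Oct 12 10:01:02 host1 sshd[1234]: Failed password for root from 203.0.113.5 port 51234 ssh2
Oct 12 10:01:04 host1 sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Oct 12 10:01:09 host1 sshd[1240]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2
Oct 12 10:02:00 host1 sshd[1251]: Failed password for alice from 198.51.100.7 port 40100 ssh2
Oct 12 10:02:30 host1 sshd[1260]: Failed password for root from 203.0.113.5 port 51300 ssh2
"""

# Named groups keep the extraction readable; the optional non-capturing group
# swallows "invalid user " so the user name lands in the same group either way.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>(?:\d{1,3}\.){3}\d{1,3}) port (?P<port>\d+)"
)

def parse_failures(text):
    """One dict per failed-login line: {'user', 'ip', 'port'}."""
    return [m.groupdict() for m in (FAILED_RE.search(line) for line in text.splitlines()) if m]

def brute_force_candidates(text, threshold=3):
    """Sources with at least `threshold` failures, with the user names they tried."""
    per_ip, users = Counter(), defaultdict(set)
    for f in parse_failures(text):
        per_ip[f["ip"]] += 1
        users[f["ip"]].add(f["user"])
    return {ip: {"failures": n, "users": sorted(users[ip])}
            for ip, n in per_ip.items() if n >= threshold}

if __name__ == "__main__":
    print(brute_force_candidates(SAMPLE_LOG))
```

The same habit, anchoring on a fixed token such as `sshd[` before the variable part and using named groups, carries over to YARA strings and IDS content matches, where an unanchored pattern is both slower and noisier.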

Do you know where else RegEx is used in CyberSecurity ? btw, which is your favourite website from where you learned RegEx :)

Happy Learning !!

Vulnerability Management - Qualys QIDs with no CVE IDs

Not all QIDs in Qualys have CVEs (e.g. https://cve.report/qid/38863). There are many that do not, and the responsible action is to cover all reasonable vulnerabilities by creating QIDs for them.

Few examples include:

1. SSL/TLS Server supports TLSv1.0

2. HTTP security headers not detected

It becomes difficult to remediate these vulnerabilities, as product vendors ask for CVE IDs and otherwise cannot provide support to fix them. In such cases, one should refer to information available online that supports the general requirement to remediate, as well as the section in the Qualys knowledgebase explaining why these issues need attention.

Happy Learning !!

Vulnerability Management - Network Authentication Failure Causes

1. Invalid credentials

2. Expired credentials

3. Service accounts using unsupported protocols

  • For e.g.: while creating an authentication record, NTLMv1 was disabled in the record, but the Windows system against which authentication was performed supports only NTLMv1

4. Authenticating against custom OSes

  • Mostly, only standard OSes are supported by scanning vendors

5. Scanner not able to identify the OS

6. In case of Qualys, one has to add the IPs to authentication records, otherwise the scanner will not attempt authentication against them (not always the case though)

7. Windows authentication uses (NULL) despite a correct authentication record

  • If the authentication process takes too long, it eventually times out, causing the authentication on the target to fall back to (NULL) authentication

8. Bug in the protocols used for authentication (e.g. OpenSSH versions 7.2/7.3 had a bug that caused servers to incorrectly report signature algorithms)

9. Firewall blocking ports such as 139, 445, 22, 23 etc. (correlated with point no. 5)

Let us know in comments about any other authentication related issues which you have faced in your org(s).

Happy Learning !!

Firewall Review

Following are the points you can consider while performing a manual firewall (Configuration and Rulebase) review:

1. Firmware & Patches

  • OS security patches are up to date
  • Device placed in a secure location with access control

2. SNMP version (should be v3) & Community String (should be strong)

3. Identity & Authentication

  • Default user names and passwords are changed
  • Firewall administrators are authenticated via RADIUS or TACACS+
  • External access only through a secure VPN
  • Verify that VPN encryption uses strong algorithms (AES etc.)

4. Check for session timeout (Console, Inactivity timeout)

5. High Availability & BCP/DR Testing

  • High availability with a secondary firewall
  • BCP/DR testing is performed at regular intervals

6. Config. backup, Logs, Alerts & NTP Server

  • Firewall config file and rule base is backed up
  • Logs are collected and alerts are configured
  • NTP server is configured (Good to have a set of private NTP servers in sync with a public NTP server)

7. Insecure access rules - "ANY" rules

  • Look for rules with ANY as source, destination or service, and check that a "deny-all" rule is configured at the end of every rule set

8. Access to vulnerable ports

  • Access from DMZ to internal network and vice-versa
  • Direct access from internet to internal network

9. Access to large subnets

10. Redundant, Shadow, Unused & Inactive rules

11. Remove unused objects

12. Critical port access rules

  • Mostly, access will be provided using PIM and PAM solutions, so check whether such rules (ports 22, 1433, 3389 etc.) are still needed

13. Change Management

  • Make any changes to the firewall or its rule base via proper change management
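Point 10 (redundant and shadowed rules) and point 7 (the final deny-all) are the two checks that are easiest to get wrong by eye in a long rulebase, so here is an added example (not from the original post, and not a vendor tool) that does them mechanically. The rule model is a simplified assumption (one source CIDR, one destination CIDR, one protocol, one destination port range per rule) and the rulebase is constructed for illustration.

```python
"""Added example (not from the original post): finding shadowed and redundant
rules, and checking for the final deny-all, in an ordered rulebase. The rule
format is a simplified assumption (single source/destination CIDR, one
protocol, one destination port range); the rules themselves are constructed."""
from dataclasses import dataclass
from ipaddress import ip_network

ANY_PORTS = (0, 65535)

@dataclass(frozen=True)
class Rule:
    name: str
    action: str   # "allow" or "deny"
    src: str      # CIDR
    dst: str      # CIDR
    proto: str    # "tcp", "udp" or "any"
    ports: tuple  # (low, high) destination port range

def covers(a: Rule, b: Rule) -> bool:
    """True when every packet matched by b is also matched by a."""
    return (ip_network(b.src).subnet_of(ip_network(a.src))
            and ip_network(b.dst).subnet_of(ip_network(a.dst))
            and (a.proto == "any" or a.proto == b.proto)
            and a.ports[0] <= b.ports[0] and b.ports[1] <= a.ports[1])

def analyse(rules):
    """Return (rule, kind, earlier_rule) for each rule fully covered by an
    earlier one: 'redundant' if the actions agree, 'shadowed' if they differ.
    A shadowed deny is the dangerous case: the traffic it names is actually
    allowed by the earlier rule, first match wins."""
    findings = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, rule):
                kind = "redundant" if earlier.action == rule.action else "shadowed"
                findings.append((rule.name, kind, earlier.name))
                break
    return findings

def has_final_deny_all(rules):
    """True if the last rule is a deny that matches every packet."""
    catch_all = Rule("probe", "deny", "0.0.0.0/0", "0.0.0.0/0", "any", ANY_PORTS)
    return bool(rules) and rules[-1].action == "deny" and covers(rules[-1], catch_all)

# Constructed rulebase, in evaluation order.
RULES = [
    Rule("web-internal",  "allow", "10.0.0.0/8",  "10.20.0.0/16", "tcp", (443, 443)),
    Rule("block-ssh-db",  "deny",  "0.0.0.0/0",   "10.20.0.5/32", "tcp", (22, 22)),
    Rule("broad-allow",   "allow", "10.0.0.0/8",  "10.20.0.0/16", "tcp", ANY_PORTS),
    Rule("rdp-from-corp", "allow", "10.1.0.0/16", "10.20.5.0/24", "tcp", (3389, 3389)),
    Rule("block-telnet",  "deny",  "10.0.0.0/8",  "10.20.0.0/16", "tcp", (23, 23)),
    Rule("cleanup",       "deny",  "0.0.0.0/0",   "0.0.0.0/0",    "any", ANY_PORTS),
]

if __name__ == "__main__":
    for finding in analyse(RULES):
        print(finding)
    print("final deny-all present:", has_final_deny_all(RULES))
```

The interesting hit is "block-telnet": it reads like a control, but "broad-allow" above it already admits port 23 from the same sources, so telnet is open and the deny never fires. The check is deliberately conservative (a rule is only reported when a single earlier rule covers all of it); a rule covered by the union of several earlier rules is still shadowed and needs the fuller analysis a firewall analyser does.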

Happy Learning !!

Vulnerability Management - Why do False Positives occur ?

False Negatives are when the host is vulnerable but a scanner does not report any vulnerability. False Positives are when the host is not vulnerable, yet the scanner reports vulnerabilities on it.

Following are the common reasons for FP/FN occurrence:

1. Lack of authentication or authorization (an unauthenticated scan, or credentials with insufficient privileges)

2. Scan policy being non-intrusive

Active tests are avoided because exploitation of a vulnerability may cause the service or the server to crash or the vulnerability might not be remotely exploitable. Since scanning policies are based on a non-intrusive approach, the tests which may affect the integrity of a system are avoided. 

3. No scan after applied fix

4. Fix requires reboot

5. Fix/Patch applied using non-standard methods

It is possible that the patch or fix was applied without using a standard method from the original software vendor. Some third-party patch solutions install the patch in a non-standard fashion. Since the detections are strictly based on the software vendor's advisories, scanning solutions only check for the vendor's standard recommended methods.

6. Issues in vulnerability detection logic (Very rare though) 

The ones which were obvious I didn't explain them. Share in comments if you ever encountered a false positive or know any other reasons apart from the ones mentioned above.

Happy Learning !!

Vulnerability Management - FIRST, NIST and MITRE

We all have heard about these organizations, but do you know how they are related to each other? Let's explore a bit further. The CVE program (run by MITRE) and the NVD (run by NIST) are sponsored by DHS CISA.

Sr. No. | Organization | Product
1       | FIRST        | CVSS Scoring System
2       | NIST         | NVD Database (2005)
3       | MITRE        | CVE List (1999)

So, NIST created the NVD, which takes the CVE List from MITRE (which maintains the CVE List) and assigns base scores to those CVEs using the CVSS scoring system created by FIRST. The NVD also provides advanced search features such as by OS; by vendor name, product name and/or version number; and by vulnerability type, severity, related exploit range and impact.

Let us know which version of the CVSS scoring system you refer to in your organization.

Happy Learning !!

Vulnerability Management - Importance

We all know the importance of an effective and working VM program, but do you know there are some compliance standards which make a VM program mandatory? Yes .. You heard it right !! If a company wants to get certified against these standards, it has to demonstrate a working VM program to the auditors.

The two commonly known standards are:

1. ISO 27001 ISMS (Control A.12.6.1)

2. PCI DSS (Requirement 11.2)

Let us know in comments about other standards which make having a VM program mandatory.

Happy Learning !!

Vulnerability Management - No DNS name

Whenever you enter a subnet or IP range as your scan target, ensure that the DNS server(s) configured in your scanner have "PTR" records for those addresses. Otherwise, the scanner will not be able to resolve the IP addresses and the associated DNS names will be blank. The same applies when you enter DNS names as your scan targets: ensure that the DNS server(s) configured in your scanner have "A" records for them. Otherwise, the scanner will not be able to resolve the names and your scan will come back with empty results (maybe a few informational findings).

Why is the first scenario important? Whenever you discuss or share scan reports with platform teams, they will not have any clue (just by looking at IP addresses) which devices are present in those reports. In most cases, DNS names follow a very informative and elegant standard nomenclature, so that just by looking at them you get to know what that device is and which region it belongs to.

So, coordinate with the Windows and Enterprise Tech teams and ask them to properly update DNS records, especially "PTR" records.

There is one more naming system which has become legacy now, but still provides a bit of help in such scenarios. Can you tell which one ? 

Happy Learning !!

Vulnerability Management - Authentication not attempted

Did your vulnerability scan find fewer vulnerabilities than you expected from a normal authenticated scan, even though the credentials provided were correct? And then you checked the scan results and did not find any failed-authentication results either? And then you start scratching your head? Just kidding !!

So .. What to do now? Check whether the scanner was able to enumerate the OS or not .. Why so? Because if a scanner is not able to enumerate the OS, it will not know what kind of device it is dealing with and hence will not attempt authentication at all (NO authentication attempted means NO failure logs). Check whether ports such as 445 or 22 were blocked (445 --> Windows and 22 --> Linux). So if you don't find any failure logs, it does NOT mean that authentication was successful; in this case you will not get any results for successful authentication either.

So .. If you want to get an idea about an environment, check "Critical" and "High" vulnerabilities. If you want to get an idea about the scan itself, check "Informational" findings. Don't underestimate the power of a [common man !!] .. oops .. I meant "Informational" findings.

This is one common scenario among other possible scenarios.

Happy Learning !!

Vulnerability Management - Discovery Scan

Discovery scans are run to identify number of live IPs/assets in a network. So .. Why we need to know the count? Imagine you have a subscription of 2000 IPs. Now, when you try to scan a /16 or /20 subnet, you should better know the scope you are going to encounter. Otherwise if you blindly run a full vulnerability scan without any verification then the scan might fail if there are more than 2000 assets in the network.

Discovery scans are fast and free of cost. Another benefit is that you get to know what kind of OSes you are going to encounter, which will further help you in creating "Asset Groups" and "Authentication Records".

Discovery scans can be authenticated or unauthenticated. There is a debate around authenticated discovery scans as to whether they should be run or not. Can anyone tell why?
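An added example (not Qualys tooling) of what you do with the discovery output before launching the full scan: compare the requested address space and the live count against the subscription, and bucket the live hosts by OS family so the "Asset Groups" and "Authentication Records" can be created per family. The keyword table and the sample subnet and hosts are constructed for this example.

```python
"""Size a full vulnerability scan from discovery scan output (added example).

Inputs: target subnets, live hosts returned by discovery (IP -> OS string) and
the number of IPs the subscription allows. Output: raw address space, live
count, whether a full scan fits, and live hosts grouped by OS family.
The keyword table and sample data are constructed for illustration.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List

# Keyword -> OS family; an assumption used only to bucket discovery output.
OS_KEYWORDS = [
    ("windows", "windows"),
    ("ubuntu", "linux"), ("red hat", "linux"), ("centos", "linux"),
    ("debian", "linux"), ("linux", "linux"),
    ("cisco", "network"), ("juniper", "network"),
    ("esxi", "virtualization"),
    ("printer", "printer"),
]


def os_family(os_string: str) -> str:
    """Map a free-text OS string from discovery output to a coarse family."""
    text = os_string.lower()
    for keyword, family in OS_KEYWORDS:
        if keyword in text:
            return family
    return "other"


def address_space(subnets: Iterable[str]) -> int:
    """Total number of addresses in the requested subnets (a /20 is 4096)."""
    return sum(ipaddress.ip_network(s, strict=False).num_addresses for s in subnets)


def plan_scan(subnets: Iterable[str], live_hosts: Dict[str, str], subscription_limit: int) -> dict:
    """Decide whether the full scan fits and propose asset groups by OS family."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for ip, os_name in live_hosts.items():
        groups[os_family(os_name)].append(ip)
    live = len(live_hosts)
    return {
        "address_space": address_space(subnets),
        "live_hosts": live,
        "fits_subscription": live <= subscription_limit,
        "asset_groups": {family: sorted(ips) for family, ips in groups.items()},
    }


# Constructed discovery output (not real scan data).
SUBNETS = ["10.10.0.0/20"]
LIVE_HOSTS = {
    "10.10.1.10": "Windows Server 2019",
    "10.10.1.11": "Windows 10",
    "10.10.2.20": "Ubuntu Linux 20.04",
    "10.10.2.21": "Red Hat Enterprise Linux 8",
    "10.10.3.1": "Cisco IOS",
    "10.10.4.5": "HP LaserJet printer",
}

if __name__ == "__main__":
    plan = plan_scan(SUBNETS, LIVE_HOSTS, subscription_limit=2000)
    print(f"{plan['address_space']} addresses requested, {plan['live_hosts']} live, "
          f"fits subscription: {plan['fits_subscription']}")
    for family, ips in plan["asset_groups"].items():
        print(f"  {family:15} {len(ips)} host(s): {', '.join(ips)}")
```

The address space number is the one you would be tempted to compare against the subscription; the live count is the one that actually matters, which is the whole point of running discovery first.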

Happy Learning !!

Vulnerability Management - Scan vs Host based findings

Scan based findings are related to a particular scan. They cannot tell you whether a vulnerability which existed earlier was fixed or not. They just give you the current data, i.e. how many vulnerabilities are present right now. So boring, right ?? .. Just kidding !!

Host based findings have the ability to tell you whether a vulnerability which existed earlier was fixed or not. Reason: they correlate with past scan data, hence the ability. They can also give you vulnerability trend related information. Sounds cool, right !! .. Now let's see what problems this correlation with past data can create.

Imagine you run an authenticated scan. But after some time (days or months), when you try to rerun the same scan, the scanner fails to authenticate. Since the scanner is unable to authenticate, it considers the authenticated findings (data gathered from the previous scan) to be active until it is able to prove that they are closed. Now imagine the consequence when the device was originally a Windows server, but then that IP became a printer. The printer would have Adobe Flash/MS Office/etc. vulnerabilities until you purged the asset. You see, everything comes at a price. This is just one example; there are many scenarios where this could cause trouble.

Hence, Qualys introduced the option "auto purge when OS changes". Prior to this option, you had to purge the scan data related to that asset manually. Please keep in mind that Scan based and Host based findings are not options presented when you configure a scan; instead, these are reporting options.
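The Windows-server-turned-printer scenario, replayed as an added example (my own simulation of the correlation rule described above, not Qualys code): authenticated findings survive a scan that could not authenticate, because the scanner cannot prove they are closed, while remotely detectable findings are closed normally; with the "auto purge when OS changes" behaviour switched on, the old device's data is dropped first. Finding IDs, the host and the two scans are constructed, not real QIDs.

```python
"""Simulate host-based finding correlation across scans (added example).

Rule being modelled: a finding that needed authentication stays active after
a scan that failed to authenticate, since nothing proved it fixed. A remote
finding not seen again is closed. With auto-purge on OS change, the state
gathered from the previous device is discarded before merging.
Finding IDs and hosts are constructed, not real QIDs.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class ScanResult:
    ip: str
    os: str
    authenticated: bool
    findings: Set[str]          # finding IDs detected in this scan


@dataclass
class HostState:
    os: Optional[str] = None
    active: Dict[str, str] = field(default_factory=dict)   # finding id -> "auth" | "remote"
    fixed: Set[str] = field(default_factory=set)


def merge(state: HostState, result: ScanResult, auth_only: Set[str],
          auto_purge_on_os_change: bool) -> HostState:
    """Merge one scan into the persisted host state and return the new state."""
    if state.os is not None and state.os != result.os and auto_purge_on_os_change:
        state = HostState()                         # different device at this IP: start over
    state.os = result.os
    for fid in result.findings:                     # seen now: (re)open
        state.active[fid] = "auth" if fid in auth_only else "remote"
        state.fixed.discard(fid)
    for fid in list(state.active):                  # previously active, not seen now
        if fid in result.findings:
            continue
        if state.active[fid] == "auth" and not result.authenticated:
            continue                                # cannot prove closure: stays active (the trap)
        del state.active[fid]
        state.fixed.add(fid)
    return state


# Constructed data: the same IP is a Windows server in scan 1 and a printer in scan 2.
AUTH_ONLY = {"F-office-rce", "F-flash-eol"}        # only detectable with a login
SCAN_1 = ScanResult("10.0.0.50", "Windows Server", True,
                    {"F-office-rce", "F-flash-eol", "F-smb-signing"})
SCAN_2 = ScanResult("10.0.0.50", "Printer", False, {"F-printer-web-ui"})


def replay(auto_purge: bool) -> HostState:
    """Run both scans through the correlation logic with the given purge setting."""
    state = HostState()
    for scan in (SCAN_1, SCAN_2):
        state = merge(state, scan, AUTH_ONLY, auto_purge)
    return state


if __name__ == "__main__":
    for setting in (False, True):
        final = replay(setting)
        print(f"auto purge on OS change = {setting}: "
              f"active={sorted(final.active)} fixed={sorted(final.fixed)}")
```

Without auto purge the printer still carries the Office and Flash findings; the SMB finding is closed because the scanner could check it remotely. With auto purge only the printer's own finding remains.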

Happy Learning !!

Sunday, October 9, 2022

Vulnerability Management - How to Prioritize Vulnerabilities

There are a lot of ways, but the following are the common ones:

1. Zones
Every company organizes its infrastructure in zones like "External Facing", "PCI Zone", "Internal Zone" etc. One can prioritize remediation efforts based on the criticality of zones. In most cases, timelines are decided per zone, and then vulnerabilities are prioritized according to these timelines.

2. Severity
As we all know, common severity values are "Critical", "High", "Medium", and "Low". One can always focus on "Critical" and "High" ones.

3. Exploit Availability
Vulnerability scanning solutions like Qualys and Nessus, in most cases, let us know whether exploits for a particular vulnerability are available or not. If this information is not present, then threat intel tools can be referred to.

4. Patch Availability
Vulnerabilities with available patches should be prioritized. Amongst these, patches that do not require a reboot should be given priority.

5. Compensating Controls
If one is aware of his/her organization's infrastructure, then vulnerabilities for which compensating controls like WAF, standard firewalls etc. are in place can be given lower priority.

6. Threat Intel
If the threat intel team notifies you of vulnerabilities getting exploited presently, then you can perform analysis using the above points and, if required, spin up an OOB (Out Of Band) patching process.

Please note:
Not every vulnerability is meant to be remediated, and it is not practically feasible either. If a vulnerability exists, that does not mean that it will get exploited. That's where the role of a Vulnerability Analyst comes in handy (to decide which vulnerabilities should be prioritized based on the above mentioned points).
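The six factors above combined into one ranking, as an added example (my own illustration, not the blog's method or any vendor's scoring): each finding gets points for zone, severity, exploit availability and patch availability (extra if no reboot), loses points when a compensating control covers it, and jumps to the top when threat intel reports active exploitation. The weights, the zone ranking and the sample findings are assumptions for illustration; replace them with your own policy.

```python
"""Rank findings using the six prioritization factors from the post (added example).

Weights and the zone ranking are assumptions, not a standard. Sample findings
are constructed.
"""
from dataclasses import dataclass
from typing import List

ZONE_RANK = {"External Facing": 3, "PCI Zone": 2, "Internal Zone": 1}       # factor 1
SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}           # factor 2


@dataclass
class Finding:
    host: str
    vuln: str
    zone: str
    severity: str
    exploit_available: bool = False       # factor 3 (scanner or threat intel tool)
    patch_available: bool = False         # factor 4
    reboot_required: bool = True          # factor 4, tie-breaker
    compensating_control: bool = False    # factor 5 (WAF, firewall, ...)
    actively_exploited: bool = False      # factor 6 (threat intel notification)


def score(f: Finding) -> int:
    """Higher score = fix sooner. Weights are assumptions for illustration."""
    s = 10 * ZONE_RANK.get(f.zone, 1)
    s += 10 * SEVERITY_RANK.get(f.severity, 1)
    if f.exploit_available:
        s += 15
    if f.patch_available:
        s += 10
        if not f.reboot_required:
            s += 5                        # cheap to deploy, so do it first
    if f.compensating_control:
        s -= 15                           # mitigated, can wait for the normal cycle
    if f.actively_exploited:
        s += 40                           # threat intel trumps everything else
    return s


def needs_oob(f: Finding) -> bool:
    """Out-of-band patching candidate: being exploited, a patch exists, nothing in front of it."""
    return f.actively_exploited and f.patch_available and not f.compensating_control


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Return findings ordered from most to least urgent."""
    return sorted(findings, key=score, reverse=True)


# Constructed sample findings (vulnerability names are placeholders, not real IDs).
SAMPLE = [
    Finding("web01", "V-1", "External Facing", "High",
            exploit_available=True, patch_available=True, reboot_required=False),
    Finding("db01", "V-2", "PCI Zone", "Critical",
            exploit_available=True, patch_available=True, compensating_control=True),
    Finding("fs01", "V-3", "Internal Zone", "Medium", patch_available=True),
    Finding("app02", "V-4", "Internal Zone", "High",
            exploit_available=True, patch_available=True, actively_exploited=True),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        flag = "  <-- OOB patching" if needs_oob(f) else ""
        print(f"{score(f):4}  {f.host:6} {f.vuln:5} {f.zone:16} {f.severity:9}{flag}")
```

Note how the internal-zone host with an actively exploited vulnerability outranks the external one, and the PCI Critical behind a compensating control drops below it: that is the "not every vulnerability is remediated first" judgement the post describes, made explicit.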

Happy Learning !!

My thoughts on Vulnerability Management

Vulnerability Management means a lot of reading. You always need to keep yourself updated with current vulnerabilities and attack vectors. You have to always remain open minded, i.e. never say "NO" to any domain or technology. Reason: you will have to deal with a myriad of vulnerabilities. These vulnerabilities may happen to be in network devices, storage devices, virtual devices, Windows devices, Linux devices, thick and thin clients.

Usually, you will deal with the following teams:
  1. Windows Team - Hence it is good to have a basic understanding of Windows architecture, AD, GPO and related configurations
  2. Linux Team - Hence it is good to have a basic understanding of Linux architecture and related configurations
  3. Network Team - Hence it is good to have a basic understanding of routers, switches, firewalls, proxies and load balancers
  4. Storage Team - Hence it is good to have a basic understanding of storage methodologies such as SAN and NAS
  5. Virtualization Team - Hence it is good to have a basic understanding of hypervisors, both hosted (running on a host OS) and bare metal
  6. Application Team - Typically you will deal with web applications, but thick clients are equally important

Have a basic understanding of security solutions such as WAF, firewalls, DLP, SIEM, access management and endpoint security. You should also have a basic understanding of compliance standards and of the different types of penetration testing, such as web, mobile and network. As many companies have started to leverage cloud solutions, cloud security has also gained immense importance.

Lastly, VM solutions gather a lot of data. Hence, you need to be good with data analytics and therefore with Microsoft Excel, especially with formulas and VBA. Scripting languages such as Python, VB, Batch and Shell scripts will help in automating standard processes and tasks.

Please note, there are a few words which I have intentionally repeated, like "basic" and "understanding". You are not Swami Vivekananda. You cannot become an SME in the above mentioned topics in a year or a few years.

So keep learning and never give up !!

Happy Learning !!

Vulnerability Management - Understanding vulnerability posture

Understanding the vulnerability posture of an organisation at a basic level helps you drive remediation efforts. So, I don't know what t...