Sunday, April 7, 2024

Vulnerability Management - Determining Scan Frequency

1. Scan on a quarterly basis

Suitable when ->
a. The enterprise is small
b. Resources are constrained for scanning and/or analysis
c. Vulnerability scanning is done by an external firm (e.g. an MSSP)

Drawback -> Difficult to increase the frequency while every scan covers the entire enterprise

2. Scan on a weekly/monthly basis
Suitable when ->
a. The enterprise is large and has identifiable units
b. Scanning timetables can be coordinated with remediation actions by business unit IT staff
c. Analysis and prioritization of vulnerabilities can occur quickly

Drawback -> Requires coordination with IT so that remediation keeps pace with the scan timetable

3. Continuous Scanning -> Some part of the enterprise is always being scanned
Suitable when ->
a. The VM team has the skills and resources to maintain continuous scanning
b. Assets in the enterprise change quickly

Drawback -> Analysis of vulnerabilities needs to happen at scale and very quickly

Starting point for a typical scanning strategy:

1. Discovery Scan -> Scan all IP address ranges on a daily basis, but leave out the hosts already known from previous scans.
2. Full Vulnerability Scan -> Scan the live systems found by the discovery scan on a weekly basis. This means the time-consuming port scanning is only done against hosts that are up and running, since this scan targets known hosts rather than entire IP address ranges. That massively reduces the time required for the scan while still delivering complete and precise results.
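The two-tier strategy above lives or dies on how the target lists are maintained: the daily discovery scan needs an exclusion list of already-known hosts, and the weekly full scan needs a list of hosts known to be alive. The following Python script is an added example, not code from the original post or from Tenable; the inventory, ranges, dates and discovery results are constructed sample data, and the 30-day staleness window is an assumed policy value.

```python
import ipaddress
from datetime import date, timedelta

# Constructed sample data (not from any real scan)
TODAY = date(2024, 4, 7)
SCAN_RANGES = ["10.0.1.0/24", "10.0.2.0/24"]
# Inventory: host address -> date it was last seen responding
KNOWN_HOSTS = {
    "10.0.1.10": date(2024, 4, 1),
    "10.0.1.11": date(2024, 3, 1),   # not seen for over a month
    "10.0.2.5": date(2024, 4, 5),
}
# Hosts that answered today's discovery scan of the ranges minus the exclusions
TODAYS_DISCOVERY = ["10.0.2.20", "10.0.1.12"]


def _ip_sorted(addresses):
    """Deduplicate and sort addresses numerically rather than as strings."""
    return sorted(set(addresses), key=ipaddress.ip_address)


def discovery_exclusions(known_hosts, scan_ranges):
    """Hosts to exclude from the daily discovery scan: every known host that
    lies inside one of the scanned ranges. Unknown address space is still probed."""
    nets = [ipaddress.ip_network(r) for r in scan_ranges]
    return _ip_sorted(
        h for h in known_hosts if any(ipaddress.ip_address(h) in n for n in nets)
    )


def merge_discovery(known_hosts, discovered, today):
    """Add hosts found by today's discovery scan to the inventory.
    Returns (updated_inventory, newly_added_hosts)."""
    updated = dict(known_hosts)
    new_hosts = [h for h in discovered if h not in updated]
    for h in discovered:
        updated[h] = today
    return updated, _ip_sorted(new_hosts)


def full_scan_targets(known_hosts, today, max_age_days=30):
    """Targets for the weekly full vulnerability scan: known hosts seen alive
    within max_age_days (assumed window). Stale entries are left out so the
    scan stays tight."""
    cutoff = today - timedelta(days=max_age_days)
    return _ip_sorted(h for h, seen in known_hosts.items() if seen >= cutoff)


def record_full_scan(known_hosts, responded, today):
    """After the full scan, refresh the last-seen date of hosts that responded,
    since known hosts are excluded from discovery and would otherwise go stale."""
    updated = dict(known_hosts)
    for h in responded:
        if h in updated:
            updated[h] = today
    return updated


if __name__ == "__main__":
    print("exclude from discovery:", discovery_exclusions(KNOWN_HOSTS, SCAN_RANGES))
    inventory, new_hosts = merge_discovery(KNOWN_HOSTS, TODAYS_DISCOVERY, TODAY)
    print("newly discovered:", new_hosts)
    print("weekly full-scan targets:", full_scan_targets(inventory, TODAY))
```

The lists returned by `discovery_exclusions` and `full_scan_targets` are what you would feed to the scanner's exclude and target settings; `record_full_scan` closes the loop so that a host which stops responding drops off the weekly list after the window expires instead of wasting scan time forever.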

Please refer to the URL below for more details:
https://www.tenable.com/blog/5-tips-on-how-to-conduct-a-vulnerability-assessment

Happy Learning
#vulnerabilitymanagement #cybersecurity

Vulnerability Management - VBA Use Cases

We all do a lot of manual work to present or analyse vulnerability data in the VM domain. VBA helps a lot in automating such tasks.

Following are a few use cases I worked on:

  1. Convert multiple CSV files into XLSX files.
  2. Combine data from multiple XLSX files into one XLSX file.
  3. Apply various formulas or create pivots on multiple XLSX files.
  4. Correlate current dataset with past dataset (New vs Remediated vulnerabilities).
  5. Check whether a list of IP addresses belongs to a list of subnets.
  6. Populate data in PowerPoint charts/tables from Excel (Useful when you have to update 40-50 charts/tables).
  7. Split one single XLSX into multiple XLSX files based on criteria like Prod/Non-Prod (Environment), Windows/Linux (Platform), Tower owners.
  8. Create dashboards based on various criteria such as ageing, severity etc.
  9. Fetch vulnerability data from a website.
  10. One can create Word/PowerPoint/Outlook objects and interact with these applications.
  11. Ping a list of computers and check whether they are up or down.
  12. Invoke command prompt, run commands and save output in notepad file.

Please remember, these tasks might look simple, and they are indeed simple; the only problem is the repetitive nature of such tasks, like applying the same formula on 100 worksheets.
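Use cases 4, 5 and 8 above are the ones with real logic behind them, so here they are worked through in Python rather than VBA (the same set and subnet operations are what a VBA macro would have to reproduce cell by cell). This is an added example, not code from the original post; the two scan exports, the subnet map and the severities are constructed sample data, and findings are keyed on (host, plugin_id), which is an assumption about how the exports identify a finding.

```python
import csv
import io
import ipaddress
from collections import Counter

# Constructed scan exports for two consecutive months; columns mimic a typical
# scanner CSV. Not from any real scan.
PREVIOUS_CSV = """host,plugin_id,severity
10.0.1.10,12345,High
10.0.1.10,22222,Medium
10.0.1.11,12345,High
10.0.2.7,44444,Low
"""
CURRENT_CSV = """host,plugin_id,severity
10.0.1.10,12345,High
10.0.1.11,12345,High
10.0.1.12,33333,Critical
10.0.2.7,44444,Low
"""
# Constructed subnet -> environment map (the Prod/Non-Prod split of use case 7)
SUBNETS = {"10.0.1.0/24": "Prod", "10.0.2.0/24": "Non-Prod", "10.0.2.128/25": "DMZ"}


def load_findings(csv_text):
    """Parse a scan export into {(host, plugin_id): severity}."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {(row["host"], row["plugin_id"]): row["severity"] for row in reader}


def correlate(previous, current):
    """Use case 4: new, remediated and still-open findings between two exports.
    A finding is identified by (host, plugin_id), so the same plugin on a new
    host counts as new, and a finding that disappears counts as remediated."""
    prev_keys, cur_keys = set(previous), set(current)
    return {
        "new": sorted(cur_keys - prev_keys),
        "remediated": sorted(prev_keys - cur_keys),
        "open": sorted(prev_keys & cur_keys),
    }


def classify_hosts(hosts, subnets):
    """Use case 5: map each host to the label of the most specific subnet that
    contains it; None for hosts outside every listed subnet."""
    nets = sorted(
        ((ipaddress.ip_network(cidr), label) for cidr, label in subnets.items()),
        key=lambda item: item[0].prefixlen,
        reverse=True,  # longest prefix wins, e.g. the DMZ /25 inside the Non-Prod /24
    )
    result = {}
    for host in hosts:
        addr = ipaddress.ip_address(host)
        result[host] = next((label for net, label in nets if addr in net), None)
    return result


def severity_by_environment(findings, subnets):
    """Use case 8: count findings per environment and severity, the numbers a
    posture dashboard is built from."""
    env_of = classify_hosts({host for host, _ in findings}, subnets)
    counts = Counter()
    for (host, _), severity in findings.items():
        counts[(env_of[host] or "Unmapped", severity)] += 1
    return dict(counts)


if __name__ == "__main__":
    previous, current = load_findings(PREVIOUS_CSV), load_findings(CURRENT_CSV)
    for status, items in correlate(previous, current).items():
        print(f"{status:10s} {items}")
    print(severity_by_environment(current, SUBNETS))
```

Keying on (host, plugin_id) is the choice to get right before trusting a "remediated" count: if hosts are re-addressed between scans, the same finding shows up as one remediation plus one new finding, so in practice the host column should be a stable asset identifier rather than an IP.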

Please refer to the link below for further details:
https://www.nobledesktop.com/learn/vba/what-is-vba

Happy Learning
#vulnerabilitymanagement

Vulnerability Management - Applied Microsoft patches not getting detected

Recently, tools like MECM, which are used for patch management in Windows environments, have been showing a status of compliant once patches are pushed through them. But when the same systems are scanned with a vulnerability management solution, they show missing patches.

Now that the context is set, I would like to discuss the cause.

It is because of the UBR (Update Build Revision) number. VM solutions look at the UBR number to check whether the latest patch is applied. UBR can be read from the registry at key "HKLM:\SOFTWARE\Microsoft\Windows". Microsoft changes the UBR value with every new patch. So ensure that, whenever patches are pushed using patching solutions, the UBR numbers are updated accordingly.
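To see why the patch tool and the scanner disagree, it helps to reproduce the scanner's side of the check: compare each host's build and UBR against the UBR expected after the latest cumulative update for that build, and list the hosts the patch tool calls compliant anyway. The script below is an added example, not code from the original post or from any scanner vendor. The build strings, patch-tool verdicts and the expected UBR numbers are constructed placeholders, not real patch levels. On a live Windows host the two inputs are the registry values CurrentBuild and UBR under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion, the same pair winver displays as "OS Build 20348.2340".

```python
# Constructed data, not real patch levels. Keyed by build number, the value is
# the UBR expected after the latest cumulative update for that build; in
# production this table is refreshed from the vendor's monthly release notes.
EXPECTED_UBR = {
    "19044": 4170,   # placeholder
    "20348": 2340,   # placeholder
}

# Constructed inventory: the patch tool's verdict next to the build actually on the host
HOSTS = [
    {"name": "srv-01", "build_string": "10.0.20348.2340", "patch_tool_status": "Compliant"},
    {"name": "srv-02", "build_string": "10.0.20348.2227", "patch_tool_status": "Compliant"},
    {"name": "ws-03", "build_string": "10.0.19044.4046", "patch_tool_status": "Non-Compliant"},
    {"name": "ws-04", "build_string": "10.0.19044.4170", "patch_tool_status": "Compliant"},
    {"name": "old-05", "build_string": "10.0.17763.5576", "patch_tool_status": "Compliant"},
]


def parse_build_string(build_string):
    """'10.0.20348.2340' -> ('20348', 2340): the build number and its UBR."""
    major, minor, build, ubr = build_string.split(".")
    return build, int(ubr)


def ubr_status(build, ubr, expected=EXPECTED_UBR):
    """What a version-based check concludes from the build and UBR alone."""
    target = expected.get(build)
    if target is None:
        return "unknown-build"   # no baseline for this build: needs a manual look
    return "current" if ubr >= target else "behind"


def find_discrepancies(hosts, expected=EXPECTED_UBR):
    """Hosts the patch tool calls compliant but whose UBR is not at the baseline:
    the systems a vulnerability scanner will still report as missing patches."""
    flagged = []
    for host in hosts:
        build, ubr = parse_build_string(host["build_string"])
        status = ubr_status(build, ubr, expected)
        if host["patch_tool_status"] == "Compliant" and status != "current":
            flagged.append((host["name"], status))
    return flagged


if __name__ == "__main__":
    for name, status in find_discrepancies(HOSTS):
        print(f"{name}: patch tool says Compliant, UBR check says {status}")
```

A host listed as "behind" is the case the post describes: the update was reported as installed but the UBR never moved, typically because the install needs a reboot or did not actually complete. "unknown-build" is worth keeping as a separate bucket, since a build with no baseline at all usually means an OS version that has dropped out of the patch cycle.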

Following are some troubleshooting steps I found using a simple Google search 😬:

  1. Check for updates: Make sure that systems are configured to check for updates automatically and that they are connected to the internet. You can check for updates manually by going to Settings > Update & Security > Windows Update and clicking “Check for updates”.
  2. Restart the Windows Update service: If the Windows Update service is not functioning properly, you can try restarting the service. To do this, open the Services console (services.msc) and locate the Windows Update service. Right-click on the service and select “Restart”.
  3. Reset the Windows Update components: If restarting the service does not resolve the issue, you can try resetting the Windows Update components. Microsoft provides a script that can automate this process.
  4. Manually install updates: If the UBR value is still not updating properly, you can try manually installing the updates on the affected server. You can download the updates from the Microsoft Update Catalog and install them manually.
  5. Check for errors in the event logs: Check the Event Viewer logs for any errors or warnings related to the Windows Update service or the installation of updates. These logs may provide additional clues about the cause of the issue.
  6. If using MECM, you can try reinstalling the MECM clients on affected servers.

Please refer to the URLs below for more details:
https://www.vcloudinfo.com/2020/12/how-to-decode-windows-version-numbers.html

https://community.spiceworks.com/t/windows-ubr-value-not-updating-after-windows-update/948275

https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0094555

Happy Learning
#vulnerabilitymanagement #cybersecurity

Vulnerability Management - Understanding vulnerability posture

Understanding the vulnerability posture of an organisation at a basic level helps you drive remediation efforts. So, I don't know what t...