Vulnerability Assessment (VA), not to be confused with the Vulnerability Management process, is the activity of discovering and identifying vulnerabilities in system components. In this article, we explore the definition of VA, its role in penetration testing, and the vulnerability management framework.
Put simply, a vulnerability is any bug, design flaw, or misconfiguration in a system that an attacker can exploit to compromise confidentiality (e.g. leakage of sensitive data), integrity (e.g. unauthorized modification or activity), or availability (e.g. denial of service). Vulnerability Assessment (VA) is the activity of discovering and identifying such vulnerabilities across the system's components.
Why Do We Need Vulnerability Assessment?
For penetration testers (pentesters), VA is an essential early step in the pentest process: it surfaces candidate vulnerabilities that the later phases will try to exploit. Mapped onto the Cyber Kill Chain model developed by Lockheed Martin, VA sits in the Reconnaissance step, where the tester gathers critical information about the target system before moving on to the later steps (Weaponization, Delivery, Exploitation), where each candidate vulnerability is verified by actually exploiting it.
Pentesting methodologies mirror the attacker's progression through the Cyber Kill Chain. Doing it in the reverse order, trying to exploit a system without first identifying its vulnerabilities, wastes a great deal of time.
From the perspective of the business and the system owner, regular VAs should be a core component of an organization's security capabilities, because they feed the Vulnerability Management process: a continuous cycle of identifying, evaluating, classifying, remediating, and reporting security vulnerabilities across all of the organization's systems.
Vulnerability Assessment vs Penetration Tests
VAs are an integral part of the penetration test process. A VA is expected to identify a broad set of potentially exploitable vulnerabilities, while the penetration test verifies the potential vulnerabilities found by the VA by actually exploiting them and demonstrating their impact. Because VAs are largely automated, there is a limit on the kinds of vulnerabilities they can discover; business-logic flaws and weaknesses that only become exploitable when chained together rarely surface from a scanner. For an accurate VA, system owners have to define the scope precisely: which hosts, networks, and applications are in scope, and whether the scanner is given credentials for authenticated checks.
Both the VA and the penetration test feed a single detailed project report that lists the vulnerabilities discovered and provides actionable remediation. This is why the two activities are commonly bundled together under the umbrella term Vulnerability Assessment and Penetration Testing (VAPT).
Types Of Vulnerability Assessment
VAs typically fall into one of the following categories:
- Network-based: identifies vulnerabilities in the network infrastructure and the services reachable over it, on wired or wireless networks.
- Host-based: identifies vulnerabilities in servers, workstations, and other network hosts. It examines ports and services, including ones a network-based VA cannot see from the outside, and, because it typically runs with an agent or authenticated access, it also checks configuration and patch levels.
- Application: detects known software bugs or misconfigurations in web services and in web or mobile applications.
- Wireless network: identifies vulnerabilities in Wi-Fi networks. This overlaps with network-based VA, but a wireless VA focuses on wireless points of attack such as access points, the wireless infrastructure, and its configuration (for example weak encryption or authentication settings, or rogue access points).
How To Do Vulnerability Assessment?
VA may be performed in many different ways, from running a simple script that checks for a single vulnerability to running a commercial scanning engine that mass-scans entire networks for thousands of them. Open-source and proprietary tools commonly used for VA include Nmap, Nikto, Nessus, OpenVAS, and Qualys. Some VA products add more comprehensive capabilities such as scheduled scans, authenticated (credentialed) scans that log in to each host and read installed package versions and configuration directly instead of inferring them from network banners, and integration with patch-management tooling for remediation.
VA is best performed in the Reconnaissance phase of a penetration test, together with or immediately after Information Gathering, since the inventory of hosts, ports, and services gathered there tells the scanner what to target. Preferred VA targets are the system components most likely to carry vulnerabilities, such as externally exposed services, hosts with a weak patch cadence, and custom-built applications.
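As an added example, not code from the original article, the following Python script shows what the "simple script" end of that spectrum looks like: it parses the XML that `nmap -sV -oX` writes, keeps only open ports with a fingerprinted product and version, and matches them against a small rule table of affected version ranges. The Nmap XML is constructed for the example (192.0.2.10 is a documentation address, not a real host), and the rule table is illustrative with a single real entry covering Apache httpd 2.4.49 and 2.4.50; a real script would load its rules from a vulnerability feed. Every match is emitted with the status "unvalidated", because a version banner can match while a backported patch has already fixed the bug; confirming the finding is the pentest's job.

```python
"""Minimal version-matching vulnerability assessment over Nmap -sV XML output.

Reads an Nmap XML report, pulls out open ports with a detected product and
version, and matches them against a small table of version ranges with known
vulnerabilities. The output is a list of findings for a VA report, each marked
as unvalidated: a banner match is a lead for the pentest, not proof.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample of what `nmap -sV -oX scan.xml 192.0.2.10` might write.
# 192.0.2.10 is an RFC 5737 documentation address; no real host was scanned.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.0.2.10" version="7.94">
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="7.4" extrainfo="protocol 2.0" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.49" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="filtered" reason="no-response"/>
      </port>
      <port protocol="tcp" portid="8080">
        <state state="open" reason="syn-ack"/>
        <service name="http-proxy" method="table" conf="3"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# Illustrative rule table. In practice this is loaded from a vulnerability feed.
# The single entry here is real: Apache httpd 2.4.49 and 2.4.50 are affected by
# the path-traversal bugs CVE-2021-41773 / CVE-2021-42013, fixed in 2.4.51.
RULES = [
    {
        "product": "Apache httpd",
        "introduced": "2.4.49",  # first affected version (inclusive)
        "fixed": "2.4.51",       # first fixed version (exclusive)
        "refs": ["CVE-2021-41773", "CVE-2021-42013"],
        "title": "Path traversal in Apache httpd 2.4.49/2.4.50 (RCE if CGI is enabled)",
    },
]


def version_key(v):
    """Turn '2.4.49' into (2, 4, 49) so versions compare numerically.
    String comparison would wrongly put '2.4.9' after '2.4.49'. A trailing
    suffix such as 'p1' in '7.4p1' is ignored."""
    key = []
    for part in v.split("."):
        m = re.match(r"\d+", part)
        key.append(int(m.group()) if m else 0)
    return tuple(key)


@dataclass
class Finding:
    host: str
    port: int
    product: str
    version: str
    title: str
    refs: list
    status: str = "unvalidated"  # banner-based match; confirm by exploitation


def parse_services(xml_text):
    """Yield (host, port, product, version) for every open port Nmap fingerprinted."""
    root = ET.fromstring(xml_text)
    for host in root.findall("host"):
        addr = host.find("address").get("addr")
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue  # filtered/closed ports carry no service to assess
            svc = port.find("service")
            if svc is None or svc.get("product") is None:
                continue  # no fingerprint: worth a manual look, but nothing to match
            yield addr, int(port.get("portid")), svc.get("product"), svc.get("version", "")


def assess(xml_text, rules=RULES):
    """Match each fingerprinted service against the rule table; return Findings."""
    findings = []
    for host, port, product, version in parse_services(xml_text):
        for r in rules:
            if r["product"] != product or not version:
                continue
            if version_key(r["introduced"]) <= version_key(version) < version_key(r["fixed"]):
                findings.append(Finding(host, port, product, version, r["title"], r["refs"]))
    return findings


if __name__ == "__main__":
    for f in assess(SAMPLE_NMAP_XML):
        print(f"{f.host}:{f.port} {f.product} {f.version} -> {f.title} {f.refs} [{f.status}]")
```

Run it as `python3 va_nmap.py` to print the findings for the embedded sample, or replace SAMPLE_NMAP_XML with the contents of a real `-oX` file. Note what it does not do: the OpenSSH 7.4 service produces no finding only because the table has no rule for it, and the unfingerprinted service on port 8080 is skipped entirely, so "no findings" from a script like this says nothing about those services being safe.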
What Is In A Vulnerability Assessment Report?
VA reports need to clearly define in-scope and out-of-scope targets and activities. The purpose of a VA report is to help system owners identify and classify the affected assets and their respective vulnerabilities. The report should also help the system owner prioritize remediation and give instructions on how the remediation or risk mitigation is to be carried out.
Details to be elaborated in the report include but are not limited to the following:
- Summary of vulnerabilities
- Affected components
- Description and evidence of vulnerabilities
- Risk scoring (e.g. using the Common Vulnerability Scoring System, CVSS)
- Remediation recommendations
What Are The Risks In Conducting A Vulnerability Assessment?
Performing VA is not without risk. The following are some potential risks:
- False positives: a VA alone, without validation through exploitation, can create a false picture of the security posture. Scanners regularly flag findings that are not actually exploitable, for example a version banner that matches a vulnerable release even though the distribution has backported the fix. Acting on the raw scanner output can lead to cybersecurity initiatives that do not address the real problems the organization faces.
- Denial of Service (DoS): automated VA tools typically generate a surge of network traffic and probes, and some checks can crash fragile services or otherwise create DoS conditions on the target system; legacy embedded devices and operational-technology equipment are especially prone to this. Precautions must therefore be taken before mass vulnerability scanning: agree on a scan window with the system owner, throttle the scan rate, and exclude or handle carefully any hosts known to be fragile. The person responsible for the VA is accountable for the volume of traffic generated by the activity.
Summary
A vulnerability assessment is conducted to identify potential bugs or vulnerabilities that could be exploited in a target system. It is crucial to verify the vulnerabilities picked up by VA software through a penetration test in order to see their actual impact on the system.
In commissioning a VA, system owners have to carefully scope what should be tested and must be cognizant of the risks a VA carries if it is performed inappropriately.
This article was first published here.