What is Vulnerability Assessment?

Enes Adışen
10 min read · Jul 26, 2023


What Is Vulnerability Assessment?

Vulnerability assessment is the systematic process of identifying and rating weaknesses in a network or system, and it is an essential part of cyber security. It includes detecting possible threats to the system and performing a risk analysis that takes into account the impact of those threats on the network.


Before going into details, let’s discuss some of the keywords/concepts we are going to talk about in this article.

Vulnerability: A weakness in a network or system that can be exploited by threat actors in various cyberattacks.

Threat Actor: Individuals or groups that intentionally try to cause damage to a target system, for example by stealing sensitive information, breaking systems, or manipulating configurations.

Severity: An indicator of how much damage a vulnerability can cause if it is exploited.

Types of Vulnerability

One of the most important steps when dealing with vulnerabilities is being able to identify them. You must know what type of vulnerability exists in your system before proceeding to the solution.

There is a project named CVE (Common Vulnerabilities and Exposures) that aims to provide a list of publicly known information-security vulnerabilities and exposures, each identified by its CVE ID.

The CVE program is overseen by the MITRE corporation with funding from the Cybersecurity and Infrastructure Security Agency (CISA), part of the U.S. Department of Homeland Security.

CVE entries are brief. They don’t include technical data, or information about risks, impacts, and fixes. Those details appear in other databases, including the U.S. National Vulnerability Database (NVD), the CERT/CC Vulnerability Notes Database, and various lists maintained by vendors and other organizations.

Across these different systems, CVE IDs give users a reliable way to recognize unique vulnerabilities and coordinate the development of security tools and solutions. The MITRE corporation maintains the CVE List, but a security flaw that becomes a CVE entry is often submitted by organizations and members of the open source community. — From redhat.com

Let’s take a look at the most common vulnerability types below.

Zero Day

A zero-day vulnerability is one that is discovered and exploited by attackers before the developers or IT team become aware of the weakness. It is called a zero-day because the team has just found out about the problem and has had “zero days” to release a patch.

In April 2020, users reported zero-day attacks regarding the Sophos XG firewall. Cybercriminals were able to exploit a SQL injection vulnerability (CVE-2020-12271), attacking the built-in PostgreSQL database server of the firewall.

If effectively exploited, attackers could use this vulnerability to inject code into the database. Using this code, they could then change firewall settings, allowing the installation of malware or providing access to corporate systems connected to the firewall. — cynet.com

Zero-day vulnerabilities pose a significant risk because the makers of the system usually do not have enough time to fix the issue, which makes this threat difficult to defend against. They might not even be able to detect the problem before malicious activity occurs.

Insider Threats

This is perhaps one of the most costly and hardest-to-prevent vulnerabilities, because it heavily involves the human factor. It refers to employees, customers, or business partners intentionally or accidentally harming the system or network.

According to research, the human element is responsible for 95% of all cybersecurity incidents.

Normally, you design your system so that it prevents unnecessary privileges, keeps authentication mechanisms strong, and so on. But it can be difficult to control a privileged employee, or one who lacks security awareness and cannot handle sensitive company information properly. These internal threats can sometimes be more dangerous than external ones.

Remote Code Execution (RCE)

An attacker can run malicious code on a target system thanks to an RCE vulnerability. The attacker may be able to steal sensitive information, spread malware, or carry out other harmful acts on the machine with the help of this code execution.

This mostly occurs when external input is injected into a file or string and then evaluated by the language interpreter as code.

Let’s continue with an example. Consider the following PHP code:

<?php
$user_input = $_GET['data']; // user input arrives straight from a URL parameter

// Unsafe: eval() runs whatever string the user supplies as PHP code
eval("\$result = $user_input;");
echo "Result: " . $result;

Now, imagine an attacker uses a URL like this:

http://example.com/script.php?data=phpinfo();

When the PHP script is executed with the provided URL, the value of $_GET['data'] will be set to phpinfo();. As a result, the eval() function will execute the following code:

$result = phpinfo();

The built-in PHP function phpinfo() will be called, and it will display detailed PHP configuration information in the output.

As you can see, the attacker successfully injected and executed an arbitrary command through the RCE vulnerability.
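The same bug in Python form, next to a hardened evaluator, as an added example that is not from the article: the vulnerable function hands the string to the interpreter exactly like the PHP eval() above, while the safe version parses the input and accepts only arithmetic syntax. The sample inputs are constructed; the second one stands in for the phpinfo(); payload (information disclosure rather than calculation).

```python
# Added example (not from the article): eval() on user input versus a
# whitelist-based expression evaluator. Sample inputs are constructed.
import ast
import operator

BENIGN_INPUT = "2 * (3 + 4)"
ATTACK_INPUT = "__import__('platform').platform()"   # disclosure payload, like phpinfo();


def vulnerable_eval(user_input: str):
    """Mirrors the PHP snippet: the user's string becomes code. Never do this."""
    return eval(user_input)


# Only the node types a calculator needs; anything else is rejected.
_BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
            ast.Mult: operator.mul, ast.Div: operator.truediv}
_UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}


def _walk(node: ast.AST):
    if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        return _BIN_OPS[type(node.op)](_walk(node.left), _walk(node.right))
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
        return _UNARY_OPS[type(node.op)](_walk(node.operand))
    # Calls, names, attribute access: anything that could reach the runtime.
    raise ValueError(f"disallowed syntax: {type(node).__name__}")


def safe_eval(user_input: str):
    """Parse as a single expression, then evaluate only whitelisted nodes."""
    tree = ast.parse(user_input, mode="eval")   # SyntaxError for statements
    return _walk(tree.body)


def try_safe_eval(user_input: str):
    """Return the computed value, or None when the input is rejected."""
    try:
        return safe_eval(user_input)
    except (ValueError, SyntaxError):
        return None
```

The attack string is a valid expression, so the rejection comes from the whitelist, not from the parser; that is the check the PHP code lacks.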

Insecure Direct Object References

Insecure Direct Object Reference (IDOR) is one of the security vulnerabilities commonly seen in web applications and used by attackers to infiltrate the system.

Web applications expose internal objects such as database records and files through request parameters. This vulnerability occurs when a user can access or manipulate such resources directly by modifying those parameters, for example IDs and filenames, without the server checking whether they are allowed to.

Let’s consider an example below.

Suppose in our web application we allow users to view their own profile information by visiting a URL like this:

http://example.com/profile?user_id=123

The user_id=123 parameter is used to retrieve the profile information of the user with ID “123”. The thing is, we want users to be able to access only their own profiles, not anyone else’s. But in this example anyone can access other people’s information simply by changing the parameter.

For example, when you type “345” instead of “123” as the parameter, the profile information of user “345” will be displayed, and that is something we do not want to happen.

This is an example of an IDOR vulnerability, caused by a missing authorization check.

To fix this, we can modify our application to perform an access check on the requested profile, verifying that the currently logged-in user has permission to view it.
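The fix described above, written as plain Python functions with a constructed in-memory user store so it runs without a web framework (an added example, not the article's own code). The Session class, its role field and the admin exception are assumptions for illustration; the key point is that the decision is made from the server-side session, never from the request parameter.

```python
# Added example (not from the article): the /profile?user_id=... handler with
# and without an authorization check. Data and the Session type are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user_id: int
    role: str = "user"   # hypothetical role field; "admin" may view any profile


# Stand-in for the application's database.
PROFILES = {
    123: {"name": "Alice", "email": "alice@example.com"},
    345: {"name": "Bob", "email": "bob@example.com"},
}


class Forbidden(Exception):
    """The logged-in user is not allowed to see the requested profile."""


def vulnerable_profile(requested_user_id: int) -> dict:
    """IDOR: the URL parameter is the only input, so any id is served."""
    return PROFILES[requested_user_id]


def is_authorized(session: Session, requested_user_id: int) -> bool:
    """Ownership check (the article's fix) plus an explicit admin exception."""
    return session.user_id == requested_user_id or session.role == "admin"


def fixed_profile(session: Session, requested_user_id: int) -> dict:
    # Authorize before touching the data, so unauthorized users also learn
    # nothing about which ids exist.
    if not is_authorized(session, requested_user_id):
        raise Forbidden(f"user {session.user_id} may not view {requested_user_id}")
    return PROFILES[requested_user_id]


def profile_status(session: Session, requested_user_id: int) -> int:
    """HTTP-style status a handler would return: 200, 403 or 404."""
    try:
        fixed_profile(session, requested_user_id)
        return 200
    except Forbidden:
        return 403
    except KeyError:
        return 404
```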

Cross-Site Scripting (XSS)

XSS (Cross-Site Scripting) is one of the most common types of vulnerabilities and can appear in many scenarios. It allows an attacker to inject malicious code (mostly JavaScript) into a victim’s browser and have it executed there.

The root cause is insufficient validation and encoding of data coming from users: the malicious code ends up in the page and runs in the browser of every user who views it. Unlike Remote Code Execution (RCE), the code runs within a user’s browser rather than on the server, so upon initial injection the site itself typically isn’t controlled by the attacker.

Let’s examine an example below.

Let’s think of a website that has a comment section where visitors can post messages that are visible to other visitors. Before displaying on the page, the comments are not properly escaped or sanitized. The website displays comments like this:

<div class="comment">
<span class="username">JohnDoe:</span>
<span class="message">I love this website!</span>
</div>

An attacker can create a malicious comment to take advantage of the XSS flaw. For instance, the attacker posts the comment below:

<div class="comment">
<span class="username">JohnDoe:</span>
<span class="message"><script>alert('XSS Attack!');</script></span>
</div>

The JavaScript contained in the <script> tags will run on the browser side whenever this comment is displayed. In this instance, it shows a JavaScript alert saying “XSS Attack!”
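To show the fix for the comment section above, here is an added example (not the article's code) that renders the same comment markup twice: once by concatenating user data into the HTML as the vulnerable site does, and once with output encoding so the attacker's comment becomes inert text. The comments are constructed sample data.

```python
# Added example (not from the article): unsafe versus encoded rendering of the
# comment block discussed above. Sample comments are constructed.
import html

COMMENTS = [
    ("JohnDoe", "I love this website!"),
    ("JohnDoe", "<script>alert('XSS Attack!');</script>"),   # the attacker's post
]


def render_comment_unsafe(username: str, message: str) -> str:
    """Mirrors the vulnerable site: user data is pasted straight into HTML."""
    return ('<div class="comment">'
            f'<span class="username">{username}:</span>'
            f'<span class="message">{message}</span>'
            '</div>')


def render_comment_safe(username: str, message: str) -> str:
    """Encodes <, >, &, ' and " so the browser treats user data as text."""
    return ('<div class="comment">'
            f'<span class="username">{html.escape(username)}:</span>'
            f'<span class="message">{html.escape(message)}</span>'
            '</div>')


def contains_live_script(rendered_html: str) -> bool:
    """Did a real <script> element reach the page? (Used to compare both renderers.)"""
    return "<script" in rendered_html.lower()
```

html.escape is the right encoding for HTML text content like this span; data placed inside attributes, URLs or inline JavaScript needs the encoding for that context instead.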

Misconfiguration

A security misconfiguration occurs when services are delivered with unsafe default settings or when security options are not configured in a way that actually enhances security. Any computing system, software program, cloud service or network infrastructure is susceptible to this.

This might include leaving default credentials in place, incorrect file permissions, lack of HTTPS, running outdated software, running unnecessary services, and so on.

Of course, many other types of vulnerability could also be mentioned; I wanted to give a brief overview of the most common ones in this article. Now we can continue with the types of vulnerability assessment.

Types of Vulnerability Assessments

After gaining a general understanding of vulnerabilities and their types, we can dig into how vulnerability assessments are categorized. Remember that the main idea of a vulnerability assessment is to identify weaknesses in a system or network’s infrastructure and to understand how they could be exploited by malicious actors.

Network-Based Vulnerability Assessment

A network vulnerability assessment is a network security method that helps businesses identify, quantify, and prioritize risks and vulnerabilities in their network architecture that could be exploited maliciously.


Application-Based Vulnerability Assessment

It refers to vulnerabilities found in web applications, mobile applications, and desktop applications.

The most common vulnerabilities in such systems are SQL injection, cross-site scripting, and cross-site request forgery.

API-Based Vulnerability Assessment

Even if your base system is well protected against cyber threats, one of the APIs you use might contain weaknesses in its design, implementation, or deployment. The purpose of an API-based vulnerability assessment is to ensure that the API is secure, reliable, and resilient to attacks.

Database Vulnerability Assessment

A database security assessment is a method of identifying vulnerabilities or flaws in database systems such as Oracle, Microsoft SQL, MySQL, Postgres, and others. The initial risk level is determined by assessing a database’s exposure to a set of known vulnerabilities and attack scenarios.

This vulnerability might be the result of a configuration error, such as a lack of a database password policy; misconfiguration of essential files, such as listener or audit trail configuration; or a privilege management problem, such as public access to a sensitive table.

Host-Based Vulnerability Assessment

A host-based vulnerability assessment detects flaws in specific host systems such as servers, workstations, and laptop computers.

The evaluation helps identify suspicious internal activity and detect attackers who have already penetrated the system. As a result, host-based assessment adds an extra layer of protection against internal abuse and against external attackers compromising security and accessing information.

At this point we have learned the main vulnerability types you can come across in the wild and how vulnerability assessments are categorized. Let’s take a look at the assessment methodology and common tools.

Vulnerability Assessment Methodology

To perform a sound assessment of the weaknesses in our system, we have to follow a systematic and controlled process.

Broadly, vulnerability assessment can be analyzed in four stages: testing, analysis, evaluation and improvement. The phases below break this down in more detail.

1. Vulnerability Identification

The purpose of this phase is to build a complete list of an application’s vulnerabilities. Security analysts examine the security of applications, servers, and other systems using automated tools or by testing and analyzing them manually. To detect security flaws, analysts also rely on vulnerability databases, vendor vulnerability notifications, asset management systems, and threat intelligence feeds.

2. Vulnerability analysis

At this step, the source and origin of the vulnerabilities identified in the previous step are determined. We try to find out which components of the system are responsible for specified security gaps. For example, a vulnerability may be caused by an outdated library version.

The purpose of this phase is to determine the actual reasons behind the weaknesses and provide a roadmap for proper corrections. This way, we can take appropriate action to fix the vulnerabilities and prevent similar issues in the future.

3. Risk assessment

As we discussed previously, not every vulnerability poses the same threat to the system. To handle identified vulnerabilities correctly we must first prioritize them, assigning a rank or severity score to each vulnerability based on several factors. Here are some factors that can be used to prioritize vulnerabilities.

  1. Which systems are affected
  2. Size of the affected user base
  3. What information is at risk
  4. Ease of exploitation
  5. Whether it is publicly known or actively exploited
  6. Potential damage
  7. Impact on critical systems

Using these factors, an organization can prioritize its efforts effectively and focus on the most critical security risks first.
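One way to turn the seven factors above into a ranking, as an added example that is not from the article: each finding is scored on every factor, the scores are combined into a 0..100 value and the findings are sorted. The weights, the scales and the three sample findings are constructed assumptions for illustration, not a published standard such as CVSS.

```python
# Added example (not from the article): a weighted score over the seven
# prioritization factors. Weights, scales and sample findings are constructed.
from dataclasses import dataclass


@dataclass
class Finding:
    name: str
    affected_systems: int      # factor 1: number of affected hosts/services
    affected_users: int        # factor 2: size of the affected user base
    data_sensitivity: int      # factor 3: 0 public ... 3 regulated/secret
    ease_of_exploit: int       # factor 4: 0 hard ... 3 trivial
    actively_exploited: bool   # factor 5: publicly known or seen in the wild
    potential_damage: int      # factor 6: 0 none ... 3 severe
    critical_system: bool      # factor 7: sits on a business-critical system


def risk_score(f: Finding) -> float:
    """Weighted sum on a 0..100 scale; higher means fix first."""
    score = 0.0
    score += min(f.affected_systems, 10) * 1.0            # up to 10
    score += min(f.affected_users, 10_000) / 1000 * 1.0   # up to 10
    score += f.data_sensitivity * 5                        # up to 15
    score += f.ease_of_exploit * 5                         # up to 15
    score += 20 if f.actively_exploited else 0             # 0 or 20
    score += f.potential_damage * 5                        # up to 15
    score += 15 if f.critical_system else 0                # 0 or 15
    return score


def prioritize(findings):
    """Most urgent finding first."""
    return sorted(findings, key=risk_score, reverse=True)


# Constructed sample findings standing in for the output of phases 1 and 2.
SAMPLE = [
    Finding("Outdated TLS library on intranet wiki", 1, 200, 1, 1, False, 1, False),
    Finding("SQL injection in customer portal login", 2, 10_000, 3, 3, True, 3, True),
    Finding("Default credentials on lab switch", 1, 5, 2, 3, False, 2, False),
]
```

The exact weights matter less than making them explicit: a written scheme lets the team justify why one finding was fixed before another.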

4. Remediation

This is where we take action to close the security gaps using the information obtained in the previous phases. Security professionals determine the most effective mitigation strategy for each identified vulnerability. Some possible remediation actions are listed below.

  • Updating Software and Libraries
  • Reconfiguration
  • Implementing new security procedures
  • Conducting Security and Awareness Training
  • Disabling Unused Services

The next step is reporting the results.

5. Reporting Results

After remediation, we must collect the findings and outcomes of the previous phases in a clear and concise document.

The main purpose of reporting is to provide reliable information clearly outlining the efficacy of the system and offering viable solutions if the existing security measure appears ineffective.

An example network vulnerability assessment report is shown below.

Sample Network Vulnerability Assessment Report

Assessment Tools

Besides manual testing, various tools are often used to scan automatically for possible weaknesses. Let’s take a brief look at some of them.

Network Vulnerability Scanners: As the name suggests, these are designed to scan for and find vulnerabilities in network components such as routers, switches, firewalls, and servers. Nessus and OpenVAS are examples of network vulnerability scanners.

Web Application Scanners: These focus on detecting vulnerabilities in web applications, including web servers, web frameworks and custom web applications of any kind. The most common issues they look for are SQL injection, Cross-Site Scripting (XSS), and Cross-Site Request Forgery (CSRF). Acunetix and Netsparker are examples of web application scanners.

Cloud-based Vulnerability Management: Cloud vulnerability scanners search for weaknesses in a company’s cloud infrastructure. They can scan virtual machines, containers, and cloud services for security issues. Tenable is an example of a cloud-based vulnerability management tool.

Conclusion

To sum up, vulnerability assessment is an essential cybersecurity method made up of many different components and processes. It aims to find and close security holes in a system, ranking them according to their severity, and it does so in a systematic and comprehensive way.

In this article, I have explained some of the key terms of vulnerability assessment, including its definition, purpose, and methodology, and mentioned various tools used in assessment, giving examples of each.

Thanks for reading.
