
Tech Track: Vulnerability Assessments with Hasan

Written by Hasan Karabork | Mar 8, 2024 12:44:00 AM

Vulnerability assessment is a crucial task that every business should carry out. As businesses become more and more automated and increase their online presence, their cyber-attack surface also grows. To ensure the continued security and safety of your corporate network and its attached assets, routine vulnerability scans should be conducted not only across the network, but on end devices where possible. 

Scanning is only half the job. Anyone who has ever run a vulnerability or network scan knows the seemingly unending flood of findings, and the work of wading through them to locate the threats that are of actual concern. Picking through this parts bin of scanner output is the process of vulnerability assessment. As with anything, the efficiency of the process largely determines the quality of the end product: if your business's vulnerability assessment process is lacking, key threats may only be identified when it is already too late to do anything about them.

Vulnerabilities need to be categorised according to the severity of the vulnerability and the criticality of the device, application, or environment that is affected. Why? Because this way you can prioritise your actions against your greatest business risks.

But what determines the criticality of a device? You can start with rating criticality based on four values: 

  • Location – Is the device located in your data centre, a branch
    office or somewhere else?
  • Environment – Is this device in your production environment or only
    used in the test environment?
  • Application – Is this device running, in whole or in part, an application
    that is critical to business function?
  • Device criticality – How important is the device itself? Is it a core
    router, a firewall, or some IoT device?

We incorporate these values into a CMDB (configuration management database). For those who are not familiar with a CMDB, think of it as the address book for all devices on your network; building one is quite simple. Take your scanner of choice and set it to run a host discovery scan on your network, avoiding scanning through firewalls, as this greatly reduces the reliability of the results. The scan will usually provide the hostname, IP address, OS, and OS version of each device on your network. We now want to collate all this information into a single spreadsheet; we recommend writing a script that does this for you. Here is an example of what an entry in a CMDB could look like:

  Hostname  IP        OS       Version  LOC  ENV   APP  CRIT
  SAP1      10.1.1.3  Windows  2012     DC1  PROD  SAP  1

Once the CMDB starts to fill out (this is an iterative process, so don't get stuck trying to identify every device on the network in the first round), we can start to enrich the data. We need an index file that maps each possible value of the remaining three attributes, namely Location, Environment, and Application, to its criticality rating. These index files rank all possible values from 1 to 10, with 10 being the most critical and 1 the least. Here is an example of what the Environment index file would look like:

  Environment    Environment ID  Environment Crit
  Development    DEV             2
  Production     PROD            10
  Test           TST             5
  Standard User  STDUSR          2
  VIP User       VIPUSR          10

Now that we have rated our devices, and have our vulnerability scan results, we can start ranking them. The process is as follows: 

  1. Take either the hostname or IP address of the affected device from an entry in the vulnerability scan data. 
  2. Locate that device within the CMDB. 
  3. Multiply all the criticality values together to produce a total criticality value. 
  4. Multiply the total criticality value by the CVSS score of the vulnerability found to produce a total vulnerability rating.
  5. Rank the entries by their total vulnerability rating.

This process should be repeated for each entry within the vulnerability scan data file. As the scan data file can contain many entries, writing a Python script to automate this process will make life a lot easier.

The result is a single file containing the list of vulnerabilities ranked by the criticality of the affected devices; the network security team can then determine which vulnerabilities to remediate first.

The reason we don't prioritise vulnerabilities by their CVSS score alone is that the CVSS score does not take any business context into account. For example, it makes more logical sense to remediate a vulnerability with a CVSS score of 7 found on the core switch first, as opposed to a smart fridge that is affected by a vulnerability with a CVSS score of 10, unless you prefer data breaches over sour milk that is.
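As an added example (not code from the original article), the Python script below implements the five-step ranking process above over constructed CMDB, index-file and scan data, assuming the scanner exports CSV; the Location and Application index values, the hosts and the findings are all assumptions. The sample data includes a core switch with a CVSS 7 finding and a low-criticality device with a CVSS 10 finding, so the output shows the ordering the text argues for.

```python
import csv
import io

# Constructed index files (1 = least critical, 10 = most critical); the LOC and APP values are assumed.
LOC_INDEX = {"DC1": 10, "BRANCH": 5, "OTHER": 2}
ENV_INDEX = {"DEV": 2, "PROD": 10, "TST": 5, "STDUSR": 2, "VIPUSR": 10}
APP_INDEX = {"SAP": 10, "NONE": 1}

# Constructed CMDB with the same columns as the article's example entry.
CMDB_CSV = """hostname,ip,os,version,loc,env,app,crit
SAP1,10.1.1.3,Windows,2012,DC1,PROD,SAP,1
CORESW1,10.1.1.1,IOS,15.2,DC1,PROD,NONE,10
FRIDGE1,10.9.9.9,Linux,4.4,OTHER,STDUSR,NONE,1
"""

# Constructed scan output: the host column may hold either a hostname or an IP (step 1).
SCAN_CSV = """host,finding,cvss
10.1.1.1,sample-finding-1,7.0
FRIDGE1,sample-finding-2,10.0
SAP1,sample-finding-3,5.0
10.5.5.5,sample-finding-4,9.8
"""

def load_cmdb(text):
    """Index CMDB rows by hostname and by IP so either key finds the device (step 2)."""
    by_key = {}
    for row in csv.DictReader(io.StringIO(text)):
        by_key[row["hostname"]] = row
        by_key[row["ip"]] = row
    return by_key

def total_criticality(device):
    """Step 3: multiply the four criticality values together."""
    return (LOC_INDEX[device["loc"]] * ENV_INDEX[device["env"]]
            * APP_INDEX[device["app"]] * int(device["crit"]))

def rank_findings(scan_text, cmdb):
    """Steps 4 and 5: rate every finding and sort by total vulnerability rating, highest first.
    Hosts missing from the CMDB are returned separately so the gap is fixed, not silently hidden."""
    ranked, unknown = [], []
    for finding in csv.DictReader(io.StringIO(scan_text)):
        device = cmdb.get(finding["host"])
        if device is None:
            unknown.append(finding["host"])
            continue
        rating = total_criticality(device) * float(finding["cvss"])  # step 4
        ranked.append((rating, device["hostname"], finding["finding"], finding["cvss"]))
    return sorted(ranked, reverse=True), unknown
```

Calling rank_findings(SCAN_CSV, load_cmdb(CMDB_CSV)) returns the ranked list (core switch first at 7000, SAP1 at 5000, fridge last at 40) together with the hosts the CMDB does not yet know, which feed the next discovery round.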

This is a semi-manual way of building yourself a CMDB, running a vulnerability scan, and using the results to enrich the CMDB and deliver a risk-based vulnerability report. There are vendor platforms that can do a lot of this for you; talk to us and we can discuss your options and how to get started.