Vulnerability assessment is a crucial task that every business should carry out. As businesses become more and more automated and increase their online presence, their cyber-attack surface also grows. To ensure the continued security and safety of your corporate network and its attached assets, routine vulnerability scans should be conducted not only across the network, but on end devices where possible.
Scanning is only half the job. Anyone who has ever run a vulnerability or network scan knows all too well the seemingly unending flood of incoming vulnerabilities, and the work of wading through them to find the threats that are of actual concern. Picking through the parts bin of threats found by a scanner is the process of vulnerability assessment. As with anything, the efficiency of a process usually determines the quality of the end product. If your business's vulnerability assessment process is lacking, key threats may only be identified when it is already too late to do anything about them.
Vulnerabilities need to be categorised according to both the severity of the vulnerability and the criticality of the device, application, or environment that is affected. Why? Because this lets you prioritise your actions against your greatest business risks.
But what determines the criticality of a device? You can start with rating criticality based on four values:
We incorporate these values into a CMDB. For those who are not familiar with what a CMDB is, think of it as the address book for all devices in your network, and building one is quite simple. Take your scanner of choice and set it to run a host discovery scan on your network; be sure to avoid scanning through firewalls, as this will greatly reduce the reliability of your scan results. Your scan will probably provide the hostname, IP address, OS, and OS version of the different devices on your network. We now want to collate all this information into a single spreadsheet, and we recommend writing a script that can do all of this for you. Here is an example of what an entry in a CMDB could look like:

| Hostname | IP | OS | Version | LOC | ENV | APP | CRIT |
|---|---|---|---|---|---|---|---|
| SAP1 | 10.1.1.3 | Windows | 2012 | DC1 | PROD | SAP | 1 |
Once the CMDB is starting to fill out (this is an iterative process, so don't get stuck on trying to identify every device on the network in the first round), we can start to enrich the data. We will need an index file to map the values of the remaining three attributes, namely Location, Environment, and Application, to their criticality rating. These index files rank all possible values from 1 through 10, 10 being the most critical and 1 being the least. Here is an example of what the Environment index file would look like:

| Environment | Environment ID | Environment Crit |
|---|---|---|
| Development | DEV | 2 |
| Production | PROD | 10 |
| Test | TST | 5 |
| Standard User | STDUSR | 2 |
| VIP User | VIPUSR | 10 |
Now that we have rated our devices, and have our vulnerability scan results, we can start ranking them. The process is as follows:
This process should be repeated for each entry within the vulnerability scan data file. As the scan data file can contain many entries, writing a Python script to automate this process will make life a lot easier.
The result is a single file containing a list of vulnerabilities ranked by the criticality of the affected devices. The network security team will now be able to determine which vulnerabilities they should remediate first.
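As an added illustration (not the script from the original post), the following Python script joins a CMDB extract with the per-attribute index files and a scan export, rates each device, and writes a ranked report. The CSV column names, the rule that a device is as critical as its most critical attribute, and the risk formula (device criticality multiplied by CVSS) are assumptions; the sample data is constructed.

```python
import csv
import io

# Constructed sample inputs (not taken from the post). Index files use the
# post's 1-10 scale, 10 being the most critical value.
CMDB_CSV = """Hostname,IP,OS,Version,LOC,ENV,APP
SAP1,10.1.1.3,Windows,2012,DC1,PROD,SAP
FRIDGE1,10.1.9.4,Linux,4.9,OFFICE,STDUSR,IOT
DEVWEB,10.1.5.9,Linux,20.04,DC1,DEV,WEB
"""
INDEX_CSV = {  # one index file per attribute, keyed by its ID column
    "ENV": "ID,Crit\nDEV,2\nPROD,10\nTST,5\nSTDUSR,2\nVIPUSR,10\n",
    "LOC": "ID,Crit\nDC1,8\nOFFICE,3\n",
    "APP": "ID,Crit\nSAP,10\nWEB,6\nIOT,1\n",
}
SCAN_CSV = """IP,Finding,CVSS
10.1.9.4,Default credentials,10.0
10.1.1.3,SMB signing not required,7.0
10.1.5.9,Outdated TLS configuration,5.3
10.1.7.7,Anonymous FTP enabled,7.5
"""

def read_csv(text):
    return list(csv.DictReader(io.StringIO(text)))

def load_indexes():
    return {a: {r["ID"]: int(r["Crit"]) for r in read_csv(t)} for a, t in INDEX_CSV.items()}

def device_criticality(entry, indexes):
    # Assumption: a device is as critical as its most critical attribute.
    # Unknown IDs fall back to 1 so a gap in an index file never hides a host.
    return max(indexes[a].get(entry[a], 1) for a in ("LOC", "ENV", "APP"))

def rank_findings(cmdb, indexes, scan):
    by_ip = {r["IP"]: r for r in cmdb}
    ranked = []
    for f in scan:
        dev = by_ip.get(f["IP"])  # hosts missing from the CMDB are kept, flagged UNKNOWN
        crit = device_criticality(dev, indexes) if dev else 1
        ranked.append({"Hostname": dev["Hostname"] if dev else "UNKNOWN", "IP": f["IP"],
                       "Finding": f["Finding"], "CVSS": float(f["CVSS"]), "CRIT": crit,
                       "Risk": round(crit * float(f["CVSS"]), 1)})  # assumed risk formula
    return sorted(ranked, key=lambda r: r["Risk"], reverse=True)

def write_report(ranked):
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=list(ranked[0]))
    writer.writeheader()
    writer.writerows(ranked)
    return out.getvalue()

if __name__ == "__main__":
    print(write_report(rank_findings(read_csv(CMDB_CSV), load_indexes(), read_csv(SCAN_CSV))))
```

The CVSS 10 finding on the fridge lands below the CVSS 7 finding on the SAP server, which is the ordering the business context calls for; UNKNOWN rows are the hosts your next CMDB discovery round should pick up.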
The reason we don't prioritize vulnerabilities by their CVSS score alone is that the CVSS score does not take any business context into account. For example, it makes more sense to first remediate a vulnerability with a CVSS score of 7 found on the core switch than a vulnerability with a CVSS score of 10 on a smart fridge, unless you prefer data breaches over sour milk, that is.
This is a semi-manual way of building yourself a CMDB, running a vulnerability scan, and using the results to enrich it and deliver a risk-based vulnerability report. There are vendor platforms that can do a lot of this for you; talk to us and we can discuss your options and how to get started.