Let’s imagine you set up a network infrastructure with all its software and hardware resources configured. You are fully aware that it’s not a good strategy to wait until the weaknesses of your network are exploited, the intruders get inside, steal the sensitive information stored on your servers, encrypt your databases, and only then to turn to cybersecurity services, saying "Houston, we have a problem". In this respect, vulnerability assessment becomes a must-do for your network.
In the article, we’ll show you that it’s easier to prevent the problem from occurring than cope with its consequences later, guide you through the whole network vulnerability assessment process, and explain how it is performed.
To be short and to the point, vulnerability assessment is responsible for highlighting security weaknesses in computer systems, applications (web, mobile, etc.), and network infrastructures. It offers an organization a clearer understanding of their network environment and provides the information on the security flaws in it. The primary goal of network vulnerability assessment is to reduce the probability that cybercriminals will find the weaknesses in your network and exploit them, thus causing DDoS or stealing your sensitive data.
Network vulnerability assessment is carried out to superficially identify main problems due to which the organization would not be able, for example, to meet security standards (Health Insurance Portability and Accountability Act (HIPAA) if it concerns the healthcare industry, Payment Card Industry Data Security Standard (PCI DSS) if it concerns banking and finance) and carry out their business operations.
In case no compliance is needed, vulnerability assessment can be performed according to the Open Web Application Security Project (OWASP) classification, which features a list of the most critical types of vulnerabilities.
The tasks of vulnerability assessment are the following:
- Identification, quantification and ranking of vulnerabilities found in network infrastructure, software and hardware systems, applications.
- Explaining the consequences of a hypothetical scenario of the discovered security ‘holes’.
- Developing a strategy to tackle the discovered threats.
- Providing recommendations to improve a company’s security posture and help eliminate security risks.
Once you decide on network vulnerability assessment, you should choose an appropriate method to conduct it. Vulnerability assessment can be conducted according to the white box, black box and gray box methodologies.
The main task a cybersecurity team needs to do when performing black box network vulnerability assessment is to act like real hackers. According to this method, the security team tries to find ways to get into the company’s network ‘from the outside.’ What can they see in this case? Public IP addresses, the external interface of a firewall, systems located in the demilitarized zone (DMZ), etc. No administrator privileges, no access to databases are provided to the ethical hackers.
If the cybersecurity team is to perform white box network vulnerability assessment, they look at the network ‘from the inside,’ having all the privileges of the network authorized users. They can see the entire network with its file servers, databases. The security engineers have administrator access to all the servers inside the network. Their aim is not just to scan the network for vulnerabilities, but also check the security of the configuration of the machines inside the network.
The third option is gray box network vulnerability assessment that encompasses both approaches but is closer to black box vulnerability assessment. Security engineers conduct gray box vulnerability assessment if they get some information on the organization’s network, such as user login details, but they don’t get access to the entire network.
There are pros and cons in each approach. In most organizations, there are more internal resources than those seen ‘from the outside.’ When performing network vulnerability assessment by ‘looking around from the inside,’ ethical hackers have a wider scope for action. However, opting for this approach only, without combining it with black box vulnerability assessment, there will be no possibility to find out which network weaknesses intruders may exploit to get into it.
Vulnerability assessment is performed with automated scanning tools that give the scanning results with the lists of vulnerabilities, usually prioritized by their severity. There are two types of vulnerability assessment tools (scanners) – open source and commercial, which function almost in the same way. Both open source and commercial vulnerability assessment tools work on the basis of checklists with control parameters, for the compliance with which the network is being tested. The choice of the scanning tool type depends on the customer’s needs and their budget.
The key points the two types of network vulnerability assessment tools differ from each other are listed below:
- Licensing. Open source vulnerability assessment tools do not require licensing, unlike commercial ones. When purchasing a commercial scanning tool, a vulnerability assessment vendor pays for software, personnel training, as well as for a license. The license fee runs from a few thousand to tens of thousand dollars. Therefore, it’s obvious that the cost of network vulnerability assessment services may rise enormously for a customer who decides to get such services performed with commercial scanning tools.
- The quality of vulnerability assessment reports. When the scanning is over, security engineers get reports containing the discovered vulnerabilities. Commercial tools provide more informative findings with fewer false-positives (the discovered vulnerabilities that do not actually exist). In case of using open source tools, the security team needs to check vulnerability assessment reports more carefully to reduce the number of false positives.
- The frequency of updates. Commercial tools are updated more frequently than open source ones. When the database of a scanning tool gets updates, the most recently discovered security vulnerabilities are added to it. An updating process of a scanning tool’s database performed regularly significantly enhances the likelihood that the potential vulnerabilities in the company’s network will be identified.
The list of vulnerability assessment tools is quite long. Among the most well-known are OpenVAS, Nessus, Nikto, Wireshark, W3af, BurpSuite, SQLMap, IBM Application Security on Cloud, etc. A more comprehensive list of vulnerability assessment tools is provided here.
There’s also an option for a scanning tool to be integrated as a complementary module into a SIEM system. For example, IBM QRadar SIEM can be complemented with the following vulnerability assessment modules: Risk Manager, Vulnerability Manager and Incident Forensics, which makes it a multi-purpose solution.
To get a clearer understanding of the vulnerability assessment process, let’s consider its stages performed by a cybersecurity team on the basis of the existing case of conducting network vulnerability assessment for a company dealing with cardholder data.
Step 1. Planning and defining the scope
The cybersecurity team identified the way business processes were carried out in the organization and agreed with the customer on the assessment objectives, the scope of work.
The organization needed to detect security issues and execute remedial actions to become PCI DSS compliant. So, the security engineers were tasked with performing vulnerability assessment for the organization’s internal subnetworks.
Step 2. Gathering information on the network infrastructure
The security team gathered information about hardware and software present in the network environment. More specifically, the team defined whether the network had open ports or services that shouldn’t be opened, got the understanding of the software and drivers configurations, learnt whether the logs from the network services are sent to a security information and event management (SIEM) solution. They also identified virtual and physical servers, as well as the security measures that were already in place, such as firewalls and intrusion detection and prevention systems (IPS/IDS).
Such “footprinting” of the network was carried out with the use of automated tools, such as Nmap, a network analysis tool. It allowed to discover the web server version, check the servers to make sure that their ports are operating properly, ping network segments. Thus, the security team scanned target subnetworks to fingerprint running services and operating systems. For that, they sent requests to the hosts (computers or virtual machines) being scanned and analyzed their responses.
Step 3. Scanning, detection and assessment of network vulnerabilities
The security team used automated vulnerability assessment tools for scanning, which was set up for compliance with the PCI DSS.
In order to be PCI DSS compliant, a company had to ensure they maintained the security of their network, a vulnerability management program and an information security policy, protected cardholder data, implemented necessary measures to control access to their network, and monitored the network on a regular basis. PCI DSS implied the necessity to perform vulnerability assessment of outward-facing IP addresses in the network. Firewalls did not protect such IP addresses, so intruders could access the servers through the open ports in the network. Therefore, it was highly important to scan Internet-facing entry points to reveal the security weaknesses in the network.
When the scanning was over, the network vulnerability assessment “draft” results were correlated with versioning and fingerprinting information to better inspect running services. After that, the security engineers carried out manual verification of the scanner results to eliminate the number of false positives.
Step 4. Reporting the final results and identifying countermeasures
The security engineers discovered a number of vulnerabilities in the organization’s subnetworks that could potentially lead to the disclosure of sensitive information and financial losses and affect the organization’s business reputation. The security team provided the organization with a report containing the list of vulnerabilities, mentioning their severity level (low, medium or high) and defining corrective measures to reduce risks. The security engineers paid the customer’s attention to the critical ones that needed to be fixed on a first-priority basis so that the customer became ready for PCI DSS validation.
Among the range of the revealed security weaknesses was, for example, the susceptibility of the assessed network to man-in-the-middle (MiTM) attacks. This type of cybersecurity attacks meant that attackers could eavesdrop on the communication between two legitimately communicating hosts. When successfully carried out, such attacks could allow intruders to obtain sensitive information, such as authentication credentials.
Network vulnerability assessment is usually followed by penetration testing. There’s no use in conducting penetration testing before the discovered vulnerabilities are patched, as the goal of penetration testing is not just trying to get into the network but also examining the network environment ‘with a new set of eyes’ after the improvements are made. Keep in mind that vulnerability assessment and penetration testing are not the equivalents to each other. Although both penetration testing and vulnerability assessment can be black box, white box or grey box, there are significant differences between these two processes. For example, while vulnerability assessment focuses on uncovering as many security weaknesses as possible, penetration test means trying to get inside the network as deep as possible (“the depth over breadth approach”).
When all the steps mentioned above are carried out, the customer gets a final report (a template is available upon request) on vulnerability assessment and penetration testing.
Vulnerability assessment is not a panacea, but it’s one of the main measures designed to prevent networks from being hacked by exploiting vulnerabilities in them since it allows focusing on the critical assets of the network environment and revealing the weaknesses in it.
For a company interested in protecting their security and business reputation, cybersecurity researchers recommend to embrace all the opportunities available to ensure that your network infrastructure is protected properly to resist the intruders’ pressure. Conducting network vulnerability assessment and penetration testing on a regular basis – quarterly or at least once a year – is an indispensable step to become prepared for a range of cybersecurity challenges.