1.3 Given a scenario, perform vulnerability management activities

  • Vulnerability identification:

  • Asset criticality: impact if CIA was breached; sensitivity of data & business criticality

  • Active vs passive scanning: active sends probes to targets and observes their responses VS passive only observes existing traffic or uses already-collected data (logs, NetFlow, CMDB) to identify targets and infer versions; passive is safer for fragile systems but less complete

  • Mapping/enumeration: host/asset/network/infrastructure/systems discovery/mapping

  • Validation:

    • True positive: scanner correctly identifies existing vulnerability

    • False positive: reported vulnerability that doesn't exist (verify patch/versions, or attempt actual attack)

    • True negative: scanner correctly doesn't alert on non-existent vulnerability

    • False negative: scanner fails to alert on a vulnerability that does exist (most dangerous outcome; reduced by credentialed scans, up-to-date feeds and periodic manual testing)

  • Remediation/mitigation:

    • Configuration baseline: known-good configuration for OS/apps; compare current state against it and treat deviations as anomalies to investigate or revert

    • Patching: maintain current security patch levels on OS/apps (with e.g. SCCM)

    • Hardening: disable unnecessary ports/services, centralised control, secure config etc.

    • Compensating controls: when system can't be upgraded/patched; isolate and place compensating controls in front

    • Risk acceptance: don't take any action against risk (low risk; ALE < mitigation cost)

    • Verification of mitigation: audits (formal), assessments (informal), patch levels, repeated vulnerability scanning

  • Scanning parameters and criteria:

    • Risks associated with scanning activities: scans consume bandwidth and resources, and risk business process interruptions (tune intensity & scan times)

    • Vulnerability feed: SCAP (e.g. CCE [config settings], CPE [product names], CVE [vulnerabilities], CVSS [severity], XCCDF [checklist/benchmark format and its results], OVAL [testing procedures used by checklists])

    • Scope: extent of scan (included systems/networks; host discovery methods; what tests will be conducted against active hosts)

    • Credentialed vs non-credentialed: scanner logs in and confirms issues from OS/database/app info (installed packages, config, patch level) VS sees only what an unauthenticated attacker sees, so higher chance of false positives/negatives

    • Server-based vs agent-based: central server remotely scans hosts VS agent installed on targets perform internal scans and report back to the server

    • Internal vs external: gives different perspectives; insider threat vs external attacker

    • Special considerations:

      • Types of data: health, financial, PII etc.; data classification

      • Technical constraints: capabilities of the scanning system => frequency limitations

      • Workflow: remediation workflow (detection -> remediation -> testing);

      • Sensitivity levels: minimum severity rating (low, medium, high, critical)

      • Regulatory requirements: PCI DSS (internal & external scans at least quarterly and after significant changes; external scans by an ASV, internal by qualified personnel; rescan until passing); FISMA (updated scanning tools, update vulnerability list before/after scan, some authenticated scans, determine discoverable info and correct it)

      • Segmentation: compliance networks can be segmented to reduce scan scope

      • IPS, IDS, and firewall settings: these can drop, rate-limit or block scan traffic (or alert on it as an attack), giving incomplete results; allow-list the scanner or scan from both sides (inside = insider view; outside = external attacker view)

  • Inhibitors to remediation:

    • MOU: non-legally binding agreement between parties; if it doesn't explicitly cover scanning and remediation windows, the customer may refuse them, so scanning must be written into the MOU

    • SLA: customer expectations of security, performance & uptime

    • Organisational governance: may block config changes needed for scanning; limited resources and support

    • Business process interruption: taking down systems can cause significant interruption

    • Degrading functionality: service degradation can lead to business process interruption

    • Legacy systems: EoL unsupported systems don't get security updates

    • Proprietary systems: different vendors; some vendors will not have patches/updates
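Added example (not part of the original notes) tying together the validation outcomes above (true/false positive/negative), the minimum severity level, asset criticality and the ALE-based risk acceptance rule. Hosts, CVE IDs, CVSS scores, criticality ratings and cost figures are all constructed placeholders; the CVSS bands are the standard v3 qualitative ranges.

```python
"""Validate scanner output against confirmed findings, measure the scanner,
then triage what is really there. All sample data below is constructed."""
from collections import Counter

SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def cvss_severity(score: float) -> str:
    """CVSS v3.x qualitative bands: 0 none, 0.1-3.9 low, 4-6.9 medium,
    7-8.9 high, 9-10 critical."""
    if score == 0.0:
        return "none"
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    if score < 9.0:
        return "high"
    return "critical"


def classify_findings(reported, confirmed, checked):
    """Label every (host, cve) pair the scan tested.
    reported: pairs the scanner flagged; confirmed: pairs verified present
    (patch level checked or exploit attempted). Returns pair -> TP/FP/FN/TN."""
    out = {}
    for pair in checked:
        flagged, present = pair in reported, pair in confirmed
        if flagged and present:
            out[pair] = "TP"
        elif flagged:
            out[pair] = "FP"
        elif present:
            out[pair] = "FN"   # scanner missed a real vuln: the dangerous case
        else:
            out[pair] = "TN"
    return out


def scanner_metrics(classes):
    """Counts plus precision (how many alerts were real) and recall
    (how many real vulns were found)."""
    c = Counter(classes.values())
    tp, fp, fn = c["TP"], c["FP"], c["FN"]
    return {
        "TP": tp, "FP": fp, "FN": fn, "TN": c["TN"],
        "precision": tp / (tp + fp) if tp + fp else 0.0,
        "recall": tp / (tp + fn) if tp + fn else 0.0,
    }


def triage(classes, cvss, criticality, min_severity="medium"):
    """Keep vulns that are actually present (TP and FN) at or above the
    minimum severity; drop FPs. Priority = asset criticality (1-5) * CVSS,
    so a medium on a crown-jewel host can outrank a high on a kiosk."""
    floor = SEVERITY_RANK[min_severity]
    rows = []
    for (host, cve), cls in classes.items():
        if cls not in ("TP", "FN"):
            continue
        sev = cvss_severity(cvss[(host, cve)])
        if SEVERITY_RANK[sev] < floor:
            continue
        rows.append((host, cve, sev, round(criticality[host] * cvss[(host, cve)], 1)))
    rows.sort(key=lambda r: (-r[3], r[0], r[1]))
    return rows


def accept_risk(sle, aro, annual_mitigation_cost):
    """Risk acceptance rule from the notes: accept when ALE (= SLE * ARO)
    is below what it would cost to mitigate per year."""
    ale = sle * aro
    return ale < annual_mitigation_cost, ale


# Constructed sample scan: CVE IDs are placeholders, not real entries.
CRITICALITY = {"db01": 5, "web01": 3, "kiosk07": 1}
CHECKED = {("db01", "CVE-0000-0001"), ("web01", "CVE-0000-0002"),
           ("db01", "CVE-0000-0003"), ("kiosk07", "CVE-0000-0004"),
           ("web01", "CVE-0000-0005")}
REPORTED = {("db01", "CVE-0000-0001"), ("web01", "CVE-0000-0002"),
            ("kiosk07", "CVE-0000-0004")}
# web01/0002 was a backported patch the banner check misread (FP);
# db01/0003 was found by a manual credentialed check the scan missed (FN).
CONFIRMED = {("db01", "CVE-0000-0001"), ("db01", "CVE-0000-0003"),
             ("kiosk07", "CVE-0000-0004")}
CVSS = {("db01", "CVE-0000-0001"): 9.8, ("web01", "CVE-0000-0002"): 7.5,
        ("db01", "CVE-0000-0003"): 6.5, ("kiosk07", "CVE-0000-0004"): 3.1,
        ("web01", "CVE-0000-0005"): 5.0}


def run_example():
    classes = classify_findings(REPORTED, CONFIRMED, CHECKED)
    return {
        "metrics": scanner_metrics(classes),
        "worklist": triage(classes, CVSS, CRITICALITY, min_severity="medium"),
        # kiosk low-severity finding: SLE 2000, ARO 0.5, fix costs 5000/yr
        "kiosk_accept": accept_risk(2000, 0.5, 5000),
    }


if __name__ == "__main__":
    for k, v in run_example().items():
        print(k, v)
```

Note that the FN on db01 still lands on the worklist: validation is about what is actually present, not only what the scanner reported, which is why a rescan with credentials or a manual check belongs in verification of mitigation.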
