Unit 4

The document outlines the vulnerability assessment and management lifecycle, emphasizing its importance in identifying, prioritizing, and mitigating security weaknesses in IT systems. It details the five stages of the lifecycle, from asset discovery to reporting and improvement, and discusses various vulnerability assessment tools, including cloud-based and host-based scanners. The document also highlights the benefits of proactive vulnerability management and the need for continuous monitoring to protect organizations from cyber threats.

Vulnerability

Assessment/Management
Lifecycle
• A vulnerability is any security weakness in the
structure, function or implementation of a network or asset
that hackers can exploit to harm a company
• Every vulnerability is a risk for organizations. According to
IBM’s X-Force Threat Intelligence Index, vulnerability
exploitation is the second most common cyberattack vector.
X-Force also found that the number of new
vulnerabilities increases every year, with 23,964
recorded in 2022 alone
• The vulnerability assessment/management lifecycle
is a systematic process that organizations use to
identify, prioritize, remediate, and mitigate
vulnerabilities in their IT systems. It's an ongoing
process that helps organizations to continuously
• By adopting the lifecycle, organizations can see some of
the following benefits:
Proactive vulnerability discovery and
resolution: Businesses often don’t know about their
vulnerabilities until hackers have exploited them. The
vulnerability management lifecycle is built around
continuous monitoring so security teams can find
vulnerabilities before adversaries do.
• A typical round of the lifecycle has five stages:
1. Asset discovery and vulnerability assessment.
2. Vulnerability prioritization.
3. Vulnerability resolution.
4. Verification and monitoring.
5. Reporting and improvement.
Stage 0: Planning and prework
• Technically, planning and prework happen before the vulnerability
management lifecycle, hence the “Stage 0” designation. During
this stage, the organization irons out critical details of the
vulnerability management process, including the following:
 Which stakeholders will be involved, and the roles they will
have
 Resources—including people, tools, and funding—available for
vulnerability management
 General guidelines for prioritizing and responding to
vulnerabilities
 Metrics for measuring the program’s success
Stage 1: Asset discovery and vulnerability assessment

• The formal vulnerability management lifecycle begins with an


asset inventory—a catalog of all the hardware and software on
the organization’s network
• Because new assets are regularly added to company networks, the
asset inventory is updated before every round of the
lifecycle. Companies often use software tools like
attack surface management platforms to automate their
inventories
• After identifying assets, the security team assesses them for
vulnerabilities. The team can use a combination of tools and
methods, including automated vulnerability scanners, manual
penetration testing and external threat intelligence from the
cybersecurity community
• Today’s most security conscious companies use a combination of the
following for identifying vulnerabilities:
Bug bounty programs (the company pays external security researchers for vulnerabilities they report)
Internal red/blue teams
Third-party penetration testers
Corporate incentives for engineers to log known vulnerabilities
Stage 2: Vulnerability prioritization
• Evaluate the risk each vulnerability presents to the company. That risk
level determines when, and in what order, vulnerabilities are fixed.
• Prioritization ensures that the team addresses the most critical
vulnerabilities first. This stage also helps the team avoid pouring time
and resources into low-risk vulnerabilities
• To prioritize vulnerabilities, the team considers these criteria:
• Asset criticality: A noncritical vulnerability in a critical asset often
receives higher priority than a critical vulnerability in a less
important asset
• Potential impact: The security team weighs what might happen if
hackers exploited a particular vulnerability, including the effects on
business operations, financial losses and any possibility of legal
action
• Likelihood of exploitation: The security team pays
more attention to vulnerabilities with known exploits
that hackers actively use in the wild
• False positives: The security team ensures that
vulnerabilities actually exist before dedicating any
resources to them.
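The four criteria above can be turned into a repeatable ranking. The block below is an added example, not code from the original slides: it scores each finding from asset criticality, impact (the CVSS base score stands in for impact), whether an exploit is in active use, and whether the finding has been verified (unverified findings are deferred rather than fixed blind). The weights and the sample findings are assumptions chosen for illustration, not an industry formula.

```python
"""Constructed example of Stage 2: rank findings by risk.

Criteria follow the slide: asset criticality, potential impact
(the CVSS base score stands in for it), likelihood of exploitation
(exploit known to be used in the wild) and false-positive handling
(unverified findings are deferred, not fixed blind). The weights are
assumptions picked for illustration, not an industry formula.
"""
from dataclasses import dataclass

# Assumed multipliers for how much a given asset matters.
CRITICALITY_WEIGHT = {"critical": 3.0, "high": 2.0, "medium": 1.0, "low": 0.5}
# Assumed multiplier applied when a working exploit is in active use.
EXPLOITED_BOOST = 2.0


@dataclass
class Finding:
    id: str
    asset: str
    asset_criticality: str  # one of CRITICALITY_WEIGHT's keys
    cvss: float             # 0.0 to 10.0 base score, a proxy for impact
    exploited_in_wild: bool
    verified: bool          # confirmed by a human or a second tool


def risk_score(f: Finding) -> float:
    """impact x asset weight, doubled when the bug is being exploited."""
    score = f.cvss * CRITICALITY_WEIGHT[f.asset_criticality]
    if f.exploited_in_wild:
        score *= EXPLOITED_BOOST
    return round(score, 2)


def prioritize(findings):
    """Split into (work queue ordered by risk, deferred unverified)."""
    verified = [f for f in findings if f.verified]
    deferred = [f for f in findings if not f.verified]
    queue = sorted(verified, key=lambda f: (-risk_score(f), f.id))
    return queue, deferred


# Constructed findings; ids, hosts and scores are invented.
SAMPLE = [
    Finding("F-1", "db-prod-01", "critical", 5.3, False, True),  # medium bug, crown-jewel host
    Finding("F-2", "kiosk-17", "low", 9.8, False, True),         # critical bug, throwaway host
    Finding("F-3", "vpn-gw", "high", 7.5, True, True),           # exploited in the wild
    Finding("F-4", "web-03", "high", 9.1, False, False),         # scanner hit, not yet confirmed
]

if __name__ == "__main__":
    queue, deferred = prioritize(SAMPLE)
    for f in queue:
        print(f"{f.id:4} {f.asset:11} score={risk_score(f):6.2f}")
    print("deferred pending verification:", [f.id for f in deferred])
```

Note how the ordering comes out: the actively exploited VPN bug goes first, the medium-severity bug on the production database outranks the critical bug on the kiosk, and the unconfirmed web finding is held back until someone verifies it exists.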
Stage 3: Vulnerability resolution
• The security team works through the list of prioritized
vulnerabilities, from most critical to least critical.
Organizations have three options to address
vulnerabilities:
• Remediation: Fully addressing a vulnerability so it can
no longer be exploited, such as by patching an operating
system bug, fixing a misconfiguration or removing a
vulnerable asset from the network. Remediation isn’t
always feasible. For some vulnerabilities, complete fixes
aren’t available at the time of discovery (e.g.,
zero-day vulnerabilities). For other vulnerabilities,
remediation would be too resource-intensive.
• Mitigation: Making a vulnerability more difficult to
exploit or lessening the impact of exploitation
without removing the vulnerability entirely. For
example, adding stricter authentication and authorization
measures to a web application would make it harder for
hackers to hijack accounts. Security teams usually choose to
mitigate when remediation is impossible or prohibitively
expensive

• Acceptance: Some vulnerabilities are so low-impact or


unlikely to be exploited that fixing them wouldn’t be
cost-effective. In these cases, the organization can choose
to accept the vulnerability.
Stage 4: Verification and monitoring
• To verify that mitigation and remediation efforts worked as
intended, the security team rescans and retests the assets they
just worked on. These audits have two primary purposes: to
determine if the security team successfully addressed all known
vulnerabilities and ensure that mitigation and remediation didn’t
introduce any new problems.

• As part of this reassessment stage, the security team also


monitors the network more broadly. The team looks for any new
vulnerabilities since the last scan, old mitigations that have
grown obsolete, or other changes that may require action.
All of these findings help inform the next round of the lifecycle
Stage 5: Reporting and
improvement
• The security team documents activity from the most recent round
of the lifecycle, including vulnerabilities found, resolution steps
taken and outcomes. These reports are shared with relevant
stakeholders, including executives, asset owners, compliance
departments and others.
• The security team also reflects on how the most recent round of
the lifecycle went. The team may look at key metrics like mean
time to detect (MTTD), mean time to respond (MTTR), total
number of critical vulnerabilities and vulnerability
recurrence rates. By tracking these metrics over time, the
security team can establish a baseline for the vulnerability
management program’s performance and identify opportunities to
improve the program over time.
Vulnerability assessment tools
• Vulnerability assessment tools are designed to
automate the process of identifying security
weaknesses. The main categories are:
• Cloud-based vulnerability scanners
• Host-based vulnerability scanners
• Network-based vulnerability scanners
• Database-based vulnerability scanners
Cloud-based vulnerability
scanners
• Cloud-based vulnerability scanners are automated tools that identify weaknesses
and misconfigurations in your cloud environments that could be exploited by
attackers. They offer various advantages over traditional vulnerability scanners,
including:
Scalability: Cloud-based scanners can easily scale to accommodate large and
complex cloud environments.
Ease of use: Cloud-based scanners are typically delivered as a service (SaaS),
which means they are easy to deploy and use without requiring any additional
hardware or software.
Cost-effectiveness: Cloud-based scanners are often more cost-effective than
traditional scanners, as you don't need to invest in upfront hardware or
software costs.
Automatic updates: Cloud-based scanners are automatically updated with the
latest vulnerability information, ensuring that you are always scanning for the
most recent threats.
How does a cloud vulnerability
scanner work?
• The scanner probes the target by sending crafted requests, monitors
the responses and compares them with signatures from a vulnerability
database. When a response matches a known-vulnerable version or reveals
a misconfiguration, the scanner flags the issue and reports it.
• It helps you address a number of tricky security-related issues such as
security misconfiguration, unauthorized access, insecure interfaces,
and account hijacking.
Cloud vulnerability scanning in
4 steps
• Planning and scoping the scan:
In this stage, you will need to determine the scope of the scan. This
includes identifying which cloud-based assets need to be scanned and
setting the frequency of scanning.
This step is crucial for cloud vulnerability scans as the policies set by
cloud providers have to be taken into consideration before proceeding
with the scan.
• Vulnerability scanning:
• In this stage, the scanner will identify vulnerabilities
in your cloud-hosted application.
• Reporting:
In this stage, the scanner generates a report that details the
findings of the scan. The vulnerability assessment report
usually includes a list of all the detected vulnerabilities
categorized by severity.
Other than that, the test cases used in the scan are also
mentioned in the report along with some guidance to
fix the issues.
• Remediation:
Your developers use the suggestions to fix the most
critical vulnerabilities first and work their way down
the list according to priority. With some cloud
vulnerability assessment providers, you can get expert
help from security professionals.
7 features you should look for in
a cloud vulnerability scanner
• Supports GCP, AWS, & Azure
Your scanner should support all the major cloud providers. This
will allow you to scan for vulnerabilities across different cloud
environments and get a comprehensive view of your application’s
security posture.
• Optimized for security policies set by the cloud provider
The cloud provider that you use will have a set of security policies in
place. The scanner should be able to adhere to those policies
so that you don’t have to worry about any compliance issues.
• Scanning in the cloud so as not to stress the servers
Automated vulnerability scanners for the cloud perform the scans in
the cloud. This means that your servers don’t have to bear the brunt
of the scan and can continue working without any hiccups.
• CI/CD integration and continuous scanning
The scanner should be able to integrate with your
CI/CD (continuous integration and continuous
delivery/deployment) pipeline so that you can automate the
scans. This way, you can ensure that your application is
scanned for vulnerabilities at regular intervals.
• Compliance-specific scans
Depending on the industry that you’re in, you might have to
comply with certain regulations. The cloud vulnerability
scanning tool should be able to perform compliance-specific
scans so that you can be sure that your application is up to
the mark.
• Detailed reporting with video PoCs
You should get a detailed report that includes all the
information that you need about the vulnerabilities. In addition
to that, the report should also have video PoCs so that
you can see how the exploit works.
• Remediation support
It’s not enough for the cloud security scanner to just identify
the vulnerabilities. The scanner should also provide you
with guidance on how to fix the issues so that you can
remediate them as quickly as possible.
Popular cloud-based vulnerability
scanners:
• Tenable Nessus is a comprehensive vulnerability scanner
that can be used to scan a wide range of assets, including
cloud environments.
• Qualys VM: Qualys VM is a cloud-based vulnerability
management platform that provides a comprehensive set of
features for identifying, prioritizing, and remediating
vulnerabilities in your cloud environments.
• AWS Security Hub: AWS Security Hub is a cloud-based
service that provides a unified view of your security posture
across your AWS environment. Security Hub integrates with a
variety of security tools, including vulnerability scanners, to
provide a comprehensive view of your security risks.
Cloud-based vulnerability scanners:
• Choosing the right cloud-based vulnerability scanner for
your needs will depend on a variety of factors, such as:
Budget
The size and complexity of your cloud environment
 Specific security needs.
Host-based vulnerability
scanners
• Host-based vulnerability scanners are a type of security tool
that scans individual devices (endpoints) for security
weaknesses. These weaknesses, also known as
vulnerabilities, are holes in a system's defenses that
attackers can exploit to gain access to a system or network.
Host-based vulnerability scanners identify these
vulnerabilities and provide information about them, such as
the severity of the vulnerability and how to fix it.
• They can help organizations to identify and fix
vulnerabilities before they can be exploited by attackers.
Examples of host-based
vulnerabilities
• 1. Operating System Vulnerabilities:
 Unpatched OS Kernels and Components: Flaws in the core of the operating system that
haven't been fixed with security updates. These can allow for privilege escalation, remote
code execution, or denial of service.
 Buffer Overflows in OS Services: Vulnerabilities in built-in OS services that can be exploited
to overwrite memory and execute arbitrary code.
• 2. Application Software Vulnerabilities:
 Unpatched Applications: Software applications (web browsers, office suites, media players,
etc.) with known security flaws that haven't been updated.
 Buffer Overflows in Applications: Similar to OS buffer overflows, but occurring within the
memory space of a specific application.
Workflow of host-based
vulnerability scanners
1. Data Collection
2. Vulnerability Matching
3. Analysis and Reporting
Data collection
• The scanner gets installed or deployed on the target
device (server, workstation etc.).
• It then gathers information about the system's:
• Operating System (OS) type and version
• Installed software and their versions
• Security configurations and settings
• Running processes and services
Vulnerability Matching
• The scanner possesses a built-in database of known
vulnerabilities. This database is regularly updated to reflect
the latest threats.
• It compares the collected system data (OS, software,
configurations) against these known vulnerabilities in its
database.
• Any matches between the system's profile and the
vulnerability database indicate a potential security
weakness.
Analysis and Reporting
• Once a potential vulnerability is identified, the scanner
analyzes its severity. This severity rating helps prioritize
which vulnerabilities need to be addressed first (critical,
high, medium, low).
• The scanner then generates a report that details:
• The identified vulnerabilities
• Their severity level
• A description of the vulnerability and how it can be exploited
• Recommendations for remediation (e.g., applying security
patches, updating software)
Deployment Methods:
• There are two main deployment methods for host-based
scanners:
Agent-based: A lightweight software agent is installed
on the target device. This agent continuously scans the
system and relays data to a central server for analysis
and reporting.
Agentless: The scanner runs on a separate machine and
scans target devices remotely. This method doesn't
require software installation on the target device but
might have limitations in the depth of information it can
gather.
Benefits of Host-based
Vulnerability Scanners:
• In-depth analysis: Provides a more comprehensive view of
a system's security posture compared to network scanners.
• Identification of misconfigurations: Can detect weak
configurations that might not be vulnerabilities themselves
but could be exploited by attackers.
• Improved prioritization: Helps prioritize vulnerabilities
based on severity and potential impact.
Drawbacks
• Resource Consumption: The scanning process
requires processing power and memory, which can slow
down device performance
• Limited Scope: Host-based scanners primarily focus
on vulnerabilities within the scanned device itself. They
might not detect vulnerabilities that arise from
interactions between devices or from network
configuration issues.
• Cost: Some commercial host-based vulnerability
scanners can be expensive, especially for large
organizations needing to scan a high number of devices.
Examples of host-based vulnerability
scanners:
• OpenVAS:
Free and open-source vulnerability scanner
Popular for its wide range of features and flexibility
Used to scan a variety of devices, including servers,
workstations, and network devices
Has a large community of users and developers, which
means that it is constantly being updated with new features
and vulnerability tests
• Nessus:
Nessus is a commercial vulnerability scanner by Tenable
Powerful and easy-to-use scanner that can identify a wide
range of vulnerabilities
Includes a number of features that can help

• Avira Free Antivirus


A free antivirus program that also includes a host-based
vulnerability scanner
Not as powerful as some of the other scanners but it can
be a good option for home users who are looking for a
basic level of vulnerability protection.
Network-based vulnerability
scanners
• Network-based vulnerability scanners, unlike their host-
based counterparts, identify weaknesses across a network
rather than on individual devices. They probe hosts over the
network, much as an attacker would, to find exposed services,
weak configurations and known-vulnerable software versions
Different Scan Types
• External Scans: Simulate an attack from outside the network
perimeter to identify externally accessible vulnerabilities.
• Internal Scans: Performed from within the network to identify
vulnerabilities that could be exploited by internal threats or attackers
who have already gained access.
Examples of network based
vulnerabilities
Protocol Vulnerabilities:

 TCP/IP Vulnerabilities:
o SYN Flood Attacks: Exploiting the TCP three-way handshake to overwhelm a
server with connection requests, leading to denial of service (DoS).
o DNS Spoofing: Injecting false DNS records to redirect network traffic to
malicious servers.
 Routing Protocol Vulnerabilities (e.g., BGP, OSPF):
o Route Injection: Attackers injecting false routing information to divert network
traffic through their controlled systems.
 DHCP (Dynamic Host Configuration Protocol) Vulnerabilities:
o DHCP Starvation Attacks: Exhausting the available IP address pool on a DHCP
server, preventing legitimate clients from obtaining addresses.
 Firewall Vulnerabilities:
o Misconfigured Firewall Rules: Allowing unintended traffic or blocking
legitimate traffic.
o Firewall Software Bugs: Flaws in the firewall software that can be exploited
to bypass security controls.
• Wireless Network Vulnerabilities:
 Weak Wi-Fi Encryption (WEP, WPA with known weaknesses): Allowing
attackers to easily intercept and decrypt wireless traffic.
 Rogue Access Points: Unauthorized wireless access points on the network
that can be used to eavesdrop on traffic or launch attacks.
Scanning Techniques:
1. Port Scanning:
• Network scanner sends connection requests to various ports on
each device on your network and analyzes the response it
receives:
Identifying Services: The scanner recognizes the type of
service running on a particular port based on the response it
receives. (e.g., web server on port 80, email server on
port 25).
Vulnerability Assessment: By knowing the service and
its version, the scanner can check its database of known
vulnerabilities. If a specific version of that service has
documented weaknesses, the scanner raises a red flag.
2. Packet Sniffing:
• They capture data packets flowing between devices on your
network. By analyzing the content of these packets, they
can potentially uncover vulnerabilities:
Protocol Weaknesses: The scanner can identify flaws
in the communication protocols used by applications
or services. For instance, an unencrypted protocol might
expose sensitive information in the packets.
Application Vulnerabilities: In some cases, packets
might contain data that reveals vulnerabilities within
specific applications running on devices.
3. Service Fingerprinting:
• Network scanners can be like detectives, using techniques to
identify the specific software or service running on a device without
directly asking it. Here's how they achieve this:
Analyzing Communication Patterns: Scanners analyze the
way devices communicate on the network, looking for patterns
specific to known services.
Matching the Fingerprint: By comparing the observed
communication patterns to a database of known service profiles,
the scanner can identify the exact service and its version running
on the device.
Vulnerability Check: Once the service and version are
identified, the scanner can check its vulnerability database to see
if that specific version has known weaknesses.
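Techniques 1 and 3 together, as an added example that is not code from the original slides: a TCP connect scan, a banner grab on each open port, a regex fingerprint that turns the banner into a service name and version, and a lookup in a weak-version table. To stay self-contained the block starts its own listeners on 127.0.0.1, including one silent service that never sends a banner; those banners, the fingerprint patterns and the weak-version table are constructed and do not correspond to real advisories.

```python
"""Added example of techniques 1 (port scanning) and 3 (service
fingerprinting): TCP connect scan, banner grab, regex fingerprint,
lookup in a weak-version table. The listeners below run in-process on
127.0.0.1 so the block is self-contained; banners, fingerprint
patterns and the weak-version table are constructed, not real advisories."""
import re
import socket
import threading

# Banner -> (service, version). A real scanner carries thousands of these.
FINGERPRINTS = [
    ("ssh", re.compile(rb"^SSH-2\.0-OpenSSH_([\d.]+)")),
    ("smtp/ExampleMTA", re.compile(rb"^220 \S+ ESMTP ExampleMTA ([\d.]+)")),
]
# Constructed "known weak" table keyed by (service, version).
WEAK_VERSIONS = {
    ("ssh", "7.4"): "EX-SSH-001 (constructed): upgrade to a supported release",
}


def start_listener(banner: bytes) -> int:
    """Bind an ephemeral loopback port and serve `banner` to every client.
    An empty banner mimics a service that waits for the client to speak."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                if banner:
                    conn.sendall(banner)
                else:
                    conn.settimeout(2.0)
                    try:
                        conn.recv(1)  # silent service: wait for the client
                    except OSError:
                        pass

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def free_port() -> int:
    """A loopback port with nothing listening, to show a closed port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def fingerprint(banner: bytes):
    """Map a banner to (service, version); unknown/silent services are
    still reported as open so they can be probed by other means."""
    if not banner:
        return "unidentified (no banner)", None
    for service, pattern in FINGERPRINTS:
        m = pattern.match(banner)
        if m:
            return service, m.group(1).decode()
    return "unidentified", None


def scan(host: str, ports, timeout: float = 0.5) -> list:
    """TCP connect scan: open ports get a banner grab, a fingerprint and
    a weak-version lookup. Closed/filtered ports are omitted."""
    results = []
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:
            s.close()
            continue
        try:
            banner = s.recv(256)
        except OSError:  # includes socket.timeout: no banner sent
            banner = b""
        finally:
            s.close()
        service, version = fingerprint(banner)
        results.append({"port": port, "service": service, "version": version,
                        "advisory": WEAK_VERSIONS.get((service, version))})
    return results


def demo():
    """Three constructed services plus one closed port on loopback."""
    ports = {"ssh": start_listener(b"SSH-2.0-OpenSSH_7.4\r\n"),
             "smtp": start_listener(b"220 mx.example.test ESMTP ExampleMTA 1.0\r\n"),
             "silent": start_listener(b"")}
    closed = free_port()
    return scan("127.0.0.1", sorted([*ports.values(), closed])), ports, closed


if __name__ == "__main__":
    for r in demo()[0]:
        print(f"{r['port']:5} {r['service']:25} {r['version'] or '-':6} {r['advisory'] or ''}")
```

Two design points worth noticing: the scanner never trusts a missing banner to mean a closed port (the silent listener is reported as open and unidentified, exactly the kind of port a follow-up probe should revisit), and the weak-version lookup keys on what the banner claims, which is why a backported fix that leaves the version string unchanged shows up as a false positive.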
• Reporting and Remediation:
• Upon identifying vulnerabilities, network scanners
generate reports that detail:
• The affected device or service
• The nature of the vulnerability
• Its severity level (critical, high, medium, low)
• Recommendations for remediation (e.g., patching the service,
reconfiguring firewall rules)
Limitations of a network based
scanner
• Limited Visibility: Network scanners primarily focus on
identifying vulnerabilities at the network layer. They might have
limited visibility into the specific functionalities and potential
vulnerabilities within individual applications running on devices
• False Positives: Because a network scanner mostly infers
vulnerabilities from the outside, it can misjudge. A common case is
a service whose version banner matches a vulnerable release even
though the vendor backported the fix without changing the version
string. Such findings require manual verification to separate real
weaknesses from benign ones.
• Evasion Techniques: Sophisticated attackers might employ
techniques to escape detection by network scanners.
Benefits of Network-based
Vulnerability Scanners:
• Non-intrusive Scans: They gather information without
requiring installation of any software on target
devices, minimizing disruption.

• Rapid Scans: Network scans can cover a large number of


devices quickly, making them ideal for regular
assessments.

• Identification of Rogue Devices: They can help unearth


unauthorized devices connected to your network.
Examples of Network-based
vulnerability scanners
• Nessus Professional
• OpenVAS : free and opensource
• Nmap (Network Mapper): free and open source; primarily a port and service scanner, with vulnerability checks available through its NSE scripts
• Avira Free Antivirus also includes a network scanner
Database-based vulnerability
scanners
• Database-based vulnerability scanners are a specific
type of security tool that focuses on identifying
weaknesses within databases themselves
Examples of database-based
vulnerabilities:
• SQL Injection: Attackers can manipulate database
queries to gain unauthorized access or data.
• Weak Passwords: Databases with easily guessable or
default passwords are vulnerable to unauthorized access.
• Outdated Software: Using outdated database software
versions can expose systems to known vulnerabilities.
• Misconfigured Permissions: Improperly configured user
permissions can allow unauthorized access to sensitive
data.
Workflow of the database-based
scanner
• Gaining Access
• Fingerprint and Analysis
• Configuration Assessment
• Data Exposure Checks (Optional)
• Reporting and Remediation
1. Gaining Access:
• Unlike network scanners that operate from the outside,
database vulnerability scanners require proper
credentials to connect directly to the database they're
assessing.
• This access allows the scanner to delve deeper into the
database's structure and configuration.
2. Fingerprint and Analysis:
• Once connected, the scanner acts like a database detective. It
employs fingerprinting techniques to identify the specific
database software (e.g., MySQL, Oracle) and its exact
version.
• This fingerprint is then matched against a built-in database of
known vulnerabilities. This database keeps track of security
weaknesses associated with specific software versions.
3. Configuration Assessment:
• The scanner doesn't just focus on the software itself. It
also analyzes the database's configuration settings, like:
User permissions: Are there accounts with
excessive privileges?
Access controls: Are there weak access controls that
could allow unauthorized access?
Encryption protocols: Is the data at rest and in
transit encrypted to prevent unauthorized access?
• Weak configurations that could be exploited by
attackers are flagged as vulnerabilities.
4. Data Exposure Checks (Optional):
• In some instances, the scanner might perform limited queries
to assess the data's sensitivity within the database. This helps
identify potential vulnerabilities related to unauthorized
data access or exposure. It's important to note that these
queries are typically restricted to verify data types and not
intended for extensive data retrieval.
5. Reporting and Remediation:
• After a comprehensive scan, the scanner generates a
detailed report. This report outlines the identified
vulnerabilities, including:
Specific details about the vulnerability and its severity
level (critical, high, medium, low)
Recommendations for remediation steps (e.g.,
applying security patches, adjusting access controls)
Benefits
• Improved Database Security: Early detection and
remediation are paramount in cybersecurity. Database
vulnerability scanners help organizations proactively
identify and address vulnerabilities before attackers can
exploit them
• Reduced Risk of Data Loss: Data breaches can be
devastating for organizations, leading to financial
losses, reputational damage, and regulatory fines.
Database vulnerability scanners help mitigate these
risks by proactively identifying and addressing database
security weaknesses, ultimately reducing the risk of
data loss.
Limitations
• Access Requirements: As they require proper credentials to
connect to the database, scans might necessitate coordination with
database administrators to grant temporary access for the
scanning process.
• Potential Disruption: Depending on the scan type and the
database size, there might be a slight performance impact while
the scan is running.
• False Positives: Like other vulnerability scanners, misinterpretations
can lead to false positives that require manual verification by security
personnel.
• Limited Scope: These scanners primarily focus on the database
itself and might not identify vulnerabilities arising from network security
issues or weaknesses within applications that interact with the database.
Examples of database-based
vulnerability scanners
• Qualys Database Vulnerability Management (DBVM):
is a cloud-based solution that offers automated
vulnerability scanning for various database platforms like
MySQL, Oracle, SQL Server, and PostgreSQL.
• Acunetix DB Scanner: Acunetix DB Scanner is a web-
based vulnerability scanner that focuses on identifying
SQL injection vulnerabilities and other security
weaknesses within database
• SolarWinds Database Vulnerability Scanner: cost-
effective
• OpenVAS Scanner with OpenVAS Database Plugin
Types of Penetration testing

• External Testing
• Internal Testing
• Mobile Application Testing
• Web Application Testing
• SSID or Wireless Testing
