In this article we discuss vulnerability identification: what it means and how best to do it. We also look at how organizations take the initiative to disclose identified security issues using different approaches. Finally, we discuss one approach that can be used to rate identified vulnerabilities by likelihood of occurrence, impact, and overall risk.
What is a vulnerability?
A vulnerability is a flaw that could compromise the confidentiality, integrity or availability of an information system. Vulnerability identification is the process of discovering vulnerabilities in the target environment and documenting them in an inventory.
Special care must be taken not to go beyond the targets you are authorized to test. If you are not careful, the consequences can include a disruption of service, a breach of trust between you and the client, or, worst of all, legal action by the client against you.
In order to identify vulnerabilities, they need to be mapped accurately against known issues. Vulnerability lists make this easier.
What are vulnerability lists?
A vulnerability list is a curated catalogue of common vulnerabilities. Each documented vulnerability is typically assigned an identifier, a description, and public references. These vulnerabilities have been found to be common and often lead to the exploitation of systems on the Internet.
There are various authoritative sources of documented vulnerabilities, including the following:
- Databases: These contain a range of information about vulnerabilities, for example links to security checklists, security-related software bugs, misconfigurations, product names, and impact metrics. Some examples:
  - NVD by NIST: a repository maintained by the US government
  - CVE: managed by the MITRE Corporation and sponsored by the US DHS
  - OWASP: OWASP maintains a list of vulnerabilities in a project known as the OWASP Top 10, where vulnerabilities are ranked by the frequency of attacks. The list is updated only when OWASP decides it is necessary, often with several years between updates
  - Exploit Database: an exploit database managed by Offensive Security
- Vendor notices: Software vendors may issue advisories on how to address security vulnerabilities, together with patches that fix them. The following vendors commonly use this approach to highlight security issues:
  - Microsoft: The Microsoft Security Response Center maintains a comprehensive library of security documents covering security issues affecting Microsoft products
  - Adobe: Adobe maintains a list of security advisories in which security issues are addressed and fixes suggested
  - VMware: Security issues related to VMware virtualization products are published here
- CIRT lists and bulletins: These are groups that handle incidents involving security breaches:
  - US-CERT: This is the US National Risk Advisor. They are responsible for providing cybersecurity knowledge and advice so that organizations can manage risk better
  - SANS CIS Critical Security Controls: SANS provides security controls that help prevent today's most prevalent cyber attacks
  - SANS Internet Storm Center: a security bulletin that frequently discusses security-related topics, especially those that are currently in the news
What tools can be used to identify vulnerabilities?
Over the years, security researchers and vendors have tried to make the process of identifying vulnerabilities as simple and fast as possible. One result is the Kali Linux project, which bundles many security tools into a single operating system. This Linux distribution includes tools for a range of security tasks, vulnerability identification among them.
Below are some tools for identifying vulnerabilities in the Kali Linux operating system:
- Nessus Vulnerability Scanner: one of the most widely used vulnerability scanners available today; it can identify vulnerabilities in web applications and across many systems.
- OpenVAS Vulnerability Scanner: a network vulnerability scanner capable of identifying vulnerabilities present on networked devices.
- Nikto Vulnerability Scanner: a scanner that identifies vulnerabilities on web servers.
- Nmap Vulnerability Scanner: perhaps the best-known scanner among hackers today. It is able to identify a number of vulnerabilities across multiple targets.
- Wapiti Vulnerability Scanner: a web application vulnerability scanner that can identify issues such as SQLi and XSS.
These tools allow security testers to gather pools of information from a system and then cross-check that information against known vulnerabilities. The information checked can range from operating system version to patch level, software version and so on. This gives a good overview of a few tools we have used to implement vulnerability mapping with Kali Linux.
Before performing a scan with these tools, it is important to consider the amount of resources the scan will consume. For example, if a scan will consume a large amount of the target system's resources, this should be planned for in advance.
How is vulnerability identification achieved?
In order to correctly identify and classify a vulnerability, a number of considerations must be taken into account. First the scan runs; on completion, each finding is tagged with industry-standard identifiers such as CVE numbers, EDB-IDs, and vendor advisory references. These identifiers, combined with CVSS vulnerability scores, can be used to calculate a risk score.
Penetration testers typically rely on the scan results to understand the security posture of the environment. However, scanner results are not always reliable, and each finding falls into one of the following categories:
- True positive: the scanner reports a vulnerability, and it is confirmed to exist
- False positive: the scanner reports a vulnerability, but the problem is not a real vulnerability
- True negative: no signature matched, and there is indeed no vulnerability
- False negative: no signature matched; however, the vulnerability exists
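As an added example (not code from the original article), the following shows how scanner output can be sorted into these four categories once a tester has verified findings independently; the hosts, check identifiers and results are constructed placeholders, not real CVE numbers.

```python
from collections import defaultdict

# Constructed sample data: every (host, check_id) pair the scanner actually
# tested. Check ids are placeholders, not real CVE numbers.
CHECKS_RUN = {
    ("10.0.0.5", "CHK-0001"),
    ("10.0.0.5", "CHK-0002"),
    ("10.0.0.7", "CHK-0001"),
    ("10.0.0.7", "CHK-0003"),
}
# Pairs the scanner reported as vulnerable (its signature matched).
SCANNER_FLAGGED = {("10.0.0.5", "CHK-0001"), ("10.0.0.7", "CHK-0003")}
# Pairs confirmed vulnerable by manual verification (for example by checking
# the installed version and patch level by hand). One host was never scanned.
VERIFIED_VULNERABLE = {
    ("10.0.0.5", "CHK-0001"),
    ("10.0.0.7", "CHK-0001"),
    ("10.0.0.9", "CHK-0002"),
}


def classify_findings(checks_run, flagged, verified):
    """Sort each tested pair into true/false positive/negative.

    A pair can only be a true or false negative if the scanner ran that
    check; a verified vulnerability on a host the scanner never tested is
    reported under 'not_checked' so that coverage gaps stay visible.
    """
    result = defaultdict(list)
    for pair in sorted(checks_run | flagged):
        matched, real = pair in flagged, pair in verified
        if matched and real:
            result["true_positive"].append(pair)
        elif matched:
            result["false_positive"].append(pair)
        elif real:
            result["false_negative"].append(pair)
        else:
            result["true_negative"].append(pair)
    result["not_checked"] = sorted(verified - checks_run)
    return dict(result)


def scanner_recall(classes):
    """Share of real vulnerabilities (among tested pairs) the scanner found."""
    tp = len(classes.get("true_positive", []))
    fn = len(classes.get("false_negative", []))
    return tp / (tp + fn) if tp + fn else 1.0
```

False negatives only become visible when a second source of truth (manual verification, a different scanner, or patch records) is compared against the scan, which is why the verified set is an input here.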
Since there is no universally agreed risk assessment method, we recommend that you use NIST Special Publication 800-30 as the basis for your risk assessment. NIST treats the actual risk of a vulnerability as a combination of the likelihood of occurrence and the potential impact. Let's discuss this approach below:
Likelihood of occurrence: NIST defines likelihood of occurrence as the probability that a particular threat will be able to exploit a vulnerability. Ratings range from low through medium to high. The three levels are as follows:
- High: the attacker is highly skilled and motivated, and the measures in place are not sufficient to prevent the attack.
- Moderate: the attacker is highly skilled and motivated, but the measures in place are somewhat capable of thwarting the attack.
- Low: the attacker is less skilled and lacks sufficient motivation to carry out a successful attack, and the measures in place are effective.
Impact: To understand impact, we need to determine the extent of the damage that could be done if the vulnerability in question is exploited. The possible impact levels are:
- High: a successful exploit could result in reputational damage to the organization, financial loss, or, even worse, loss of life.
- Medium: a successful exploit could result in reputational damage to the organization, financial loss, and more, but with lower stakes than the "high" level above.
- Low: a successful exploit may result in some financial or reputational loss, but with lower stakes still.
Overall risk: The overall risk rating is calculated from the likelihood of occurrence and the level of impact. There are again three levels:
- High: additional measures must be put in place to protect against the vulnerability in question. This is usually urgent and requires timely action.
- Medium: additional measures are also required to protect against the vulnerability in question. While risks in this category are often time-dependent, they are not necessarily as critical as those above.
- Low: additional measures should be put in place to protect against the vulnerability in question; however, the system can continue to operate as it is in the meantime.
While vulnerabilities can be identified and classified as described above, it is possible, and in fact common, for organizations to accept the risk and agree to let systems with known vulnerabilities keep operating. This happens for many reasons, including a lack of budget for the expensive upgrades that remediation would require.
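As an added example, not part of the original article, the following code applies the three-level likelihood and impact ratings described above and ranks constructed findings by overall risk. The numeric weights and the cut-offs between the three risk levels are those of the risk-level matrix in NIST SP 800-30; the mapping from attacker capability and control effectiveness to a likelihood level is this example's reading of the definitions above, and the findings are constructed.

```python
from dataclasses import dataclass

# Weights of the SP 800-30 risk-level matrix (likelihood 1.0/0.5/0.1, impact
# 100/50/10); likelihood is scaled by 10 so the arithmetic stays exact.
LIKELIHOOD_WEIGHT = {"High": 10, "Moderate": 5, "Low": 1}
IMPACT_WEIGHT = {"High": 100, "Medium": 50, "Low": 10}

def likelihood_level(threat_capable, controls):
    """threat_capable: attacker is highly skilled and motivated;
    controls: 'insufficient', 'partial' or 'effective'.
    Mixed cases are not spelled out in the text; rating them Moderate
    is an assumption of this example."""
    if threat_capable and controls == "insufficient":
        return "High"
    if not threat_capable and controls == "effective":
        return "Low"
    return "Moderate"

def overall_risk(likelihood, impact):
    """Return (score, level): >50 is High, >10 is Medium, otherwise Low."""
    score = LIKELIHOOD_WEIGHT[likelihood] * IMPACT_WEIGHT[impact] / 10
    level = "High" if score > 50 else "Medium" if score > 10 else "Low"
    return score, level

@dataclass
class Finding:
    host: str
    check_id: str        # placeholder, not a real CVE number
    threat_capable: bool
    controls: str
    impact: str

# Constructed sample findings.
SAMPLE_FINDINGS = [
    Finding("10.0.0.5", "CHK-0001", True, "insufficient", "High"),
    Finding("10.0.0.7", "CHK-0002", True, "partial", "Medium"),
    Finding("10.0.0.9", "CHK-0003", False, "effective", "High"),
]

def rank_findings(findings):
    """Rate every finding and return them highest risk first."""
    rated = []
    for f in findings:
        lik = likelihood_level(f.threat_capable, f.controls)
        score, level = overall_risk(lik, f.impact)
        rated.append({"host": f.host, "check_id": f.check_id, "likelihood": lik,
                      "impact": f.impact, "score": score, "risk": level})
    return sorted(rated, key=lambda r: r["score"], reverse=True)
```

Note that a high-impact finding with low likelihood lands in the Low band (score 10), which is exactly the case where an organization may decide to accept the risk rather than fix it immediately.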
Why should vulnerability identification be done?
Without vulnerability identification, it would be impossible to determine what vulnerabilities exist in the network. A healthy paranoia that there might be a vulnerability in your network is very important.
In a story on TechSoup for Libraries, Claire Stafford shares her concerns about security at Madelyn Helling Library, CA. She says: "The problem we have is that we have the public accessing the internet on a network that has to be secured because of the nature of some of the county's businesses. We don't know of any security breaches, but the potential is there. So the head of our county IS department requested that our public computers be moved off the county network. So we are in the process of switching to a cable modem system. Both our wireless and our public computers will work directly through Comcast."
In this article we have discussed vulnerability identification. We looked at vulnerability lists, several vulnerability assessment tools, and the approach NIST uses to rate vulnerabilities by likelihood and impact. Vulnerability identification is an important security exercise that helps secure your environment.
Sources
- Vulnerability Identification, Hacking the Universe
- Continuous Vulnerability Identification, CI Security
- Stories from the Field, TechSoup for Libraries