Vulnerability Management

Introduction

Cybersecurity is defined as the protection of privacy, integrity, and accessibility of data in cyberspace by ISO/IEC 27032 (International Organization for Standardization / the International Electrotechnical Commission) (https://www. iso27001security.com/html/27032. html 2020a). It is a set of practices and tools that are designed to protect confidential information from unauthorized users' access. This unauthorized access can take place through different forms over the network. As a significant amount of data is stored in the systems of the organizations, in sectors like the military, finance, corporate, and medical areas, it is very important to safeguard the data. Vulnerability is the term used in cybersecurity, which refers to a flaw in the system that may lead to an open attack. It is also referred to as a glitch, which a system might encounter and which results in a threat. Bugs in software development are one of the main reasons for a vulnerability to occur, which leads to many kinds of information exploitation. These vulnerabilities are hidden objects, which cannot be traced very easily. But when encountered, vulnerabilities create great exploitation.

In this chapter, we will discuss vulnerabilities, the reasons for vulnerabilities, and vulnerability management. We will also discuss the tools used for vulnerability management and a case study.

Background

In recent times, with the increase in technology, a huge number of vulnerabilities also came into existence. Zhang et al. (2011a) reported that software vulnerabilities are a major cause of security problems. The National Vulnerability Database (NVD) maintains a huge database of all the vulnerabilities from its inception in 1997. More than 43,000 vulnerabilities have been identified. This database would help in predicting the vulnerabilities. However, the rising vulnerability statistics demands multidimensional threat detection techniques (Tripathi and Singh 2011).

Ali et al. (2012) reported that the Common Vulnerability Scoring System (CVSS) scores each vulnerability found and provides a detailed description of those security

vulnerabilities. Peter Mell et al. (2007) discussed that the CVSS provides an open framework for identifying the characteristics and impacts of software vulnerabilities. Zhang et al. (2011b) stated that Information Technology Laboratory (ITL )bulletin reports and the CVSS can take necessary actions to improve the security of their systems.

Hyunchul Joh (IEEE 2012) reported that vulnerability that has been discovered but is unpatched represents a security risk to a system. The CVSS metrics can be used to evaluate the impact of the breach. According to Gonda et al. (2018), attack graphs are one of the best tools for analyzing vulnerability. Assessing the potential risk associated with network assets exposed to attack by vulnerabilities can be done by fuzzy rules for the vulnerability. Dondo (2008) prescribes that most organizations use traditional vulnerability management techniques, but there is a necessity to scan the remote devices attached.

Automation always shows greater advancement than the traditional manual techniques (Williams and Nicollet 2020). Edwards, Chandra Estelle (2020) reported that this helps to prioritize the critical risks. The impact of potential risks is also to be identified. To gain effective security, the remedial action should also be incorporated into all the security controls. As Njogu et al. (2013) state, making the patch available to the network is one of the best solutions provided. Nanda and Ghugar (2017) reported that to deal with the latest vulnerabilities, a sophisticated vulnerability management technique should be incorporated by organizations. The discussions on vulnerability management and how it can be enhanced to provide a great security mechanism are always ongoing in research. [1] [2]

Areas of Risk

With growing technology, every business has started communicating with its clients over the network. The exchange of information should be done with high-level security encryptions ensuring proper data security. Viruses and worms often intervene in the network connections, leading to information thefts and disrupting the network connections. Every business that uses the network, be it small scale, large scale, a multinational corporation, or a government organization, is often at risk of vulnerabilities.

The solution to all these vulnerabilities is to have a good vulnerability management mechanism to be followed within the organizations.

Why Is Software Vulnerable?

In a nutshell, software is vulnerable due to inevitable human errors. Software from the '90s did not have security measures for heap flows and format string errors. Nowadays, though, the vendors are capable of understanding and handling bugs heavy expenditure, have become a major criterion for system maintenance.

Another reason for vulnerabilities is poor code review and testing strategies. An example of this would be testing in an environment which has anti-virus or systems with highly secured encryptions. However, in reality, when an application is deployed to the end-user, it may be within a less secure system, due to which the data is lost or other different kinds of threats occur. Hence, the testing should be done on systems with the basic configurations of the end-user.

Security applications such as firewalls and anti-virus need to be properly configured. Any flaw in the installation process leads to failure in the security mechanism. The usage of a virtual private network (VPN) is also another major constraint on vulnerabilities occurring. Compromising the security mechanisms for other uses is also a breach of vulnerabilities. Many vulnerabilities are easy to detect and fix. The vendors release new patches for the software that helps to fix the threats. A good vulnerability management system helps organizations to reduce the risk of threats (Qualys 2008).

Vulnerability Management

The main objective of vulnerability management is to detect and remediate vulnerabilities in a timely fashion (Qualys 2008). Vulnerability management is defined as managing the occurrence of attacks by the process of identifying, evaluating, treating, and reporting on vulnerabilities in systems. As shown in Figure 2.1, vulnerability management can be categorized into four phases (ISO 2020b).

  • • Identifying/discovering vulnerabilities.
  • • Assessing vulnerabilities.
  • • Reporting.
  • • Remediating and Verifying.

FIGURE 2.1

Vulnerability management cycle.

Discovering Vulnerabilities

This is the first phase of vulnerability management where the initial discovery of threats is done. This can be further divided into two parts.

2.6.1.1 Identifying the Types of Attacks

Based on the type of attack on the system, we can identify the type of vulnerability. For example, if there is frequent leakage of data it can be considered a "man in the middle" attack, which relates to IP spoofing attack. Another example is that if there is a frequent change in the database of the organization, we can identify it as an SQL injection attack. If the user's credentials are compromised, we can consider it to be a phishing attack. Table 2.1 illustrates the different attacks and the type of vulnerability. Table 2.1 also gives a few examples of what kind of attack may be possible based on the area of the system that is affected. With the growing technologies, many vulnerabilities are possible and are gradually increasing day by day.

TABLE 2.1

Types of Attacks

S. No

Types of Attacks

How Does the Attack Affect the System?

1

Man in the middle attack

Data leakage over the network

2

SQL injection attack

Frequent change in the organization's database

3

Phishing attack

The users' data is compromised

4

Cross-site request forgery

Data theft by clicking on similar kind of URL

5

Path traversal or directory traversal

Data in the folder and directory are compromised

2.6.1.2 Inventory of Assets

Maintaining a detailed list of all the assets is a critical step. Assets include both the unauthorized and authorized hardware as well as software assets. After gathering the full list of vulnerabilities, the organization's hardware assets inventory, such as the ports, networks, systems, network Maps, LANs, and router details, are identified as shown in Figure 2.2.

The software assets include the type of software used, its versions, patches, packages, the type of databases used and its hierarchical architecture, etc. It is always best practice to keep a team of two or three to gather all these details and maintain an inventory so that it could be helpful for future phases of vulnerability management. Whenever a new asset is incorporated, it should be maintained in the inventory list.

Figure 2.2 includes laptops, personal computers, mobile devices, servers, routers, switches, hubs, I/О devices, etc. Each of them is identified as a node and these will undergo rigorous penetration testing to check which part of the network is the root cause of the vulnerabilities.

Assessing Vulnerabilities

Once all the vulnerabilities and assets are known, the next phase is to efficiently assess the vulnerabilities. This phase is also known as vulnerability analysis (VA), which defines, identifies, and classifies the security vulnerabilities in a network. The key component of this assessment is to find the rating of the loss incurred by the threat/vulnerability. Based on the rating values, the vulnerabilities are prioritized.

Types of vulnerability assessment:

  • • In active assessment, with the help of any network scanner, the network is scanned to find the hosts and vulnerabilities.
  • Passive assessment finds the active systems, hosts, and services. The network traffic is sniffed and this process is called passive assessment.
  • • In host-based assessment, the configuration check is done.

FIGURE 2.2

Hardware assets.

FIGURE 2.3

Assessment levels.

  • Internal assessment finds out the vulnerabilities in the internal infrastructure of the network.
  • External assessment assesses the network from a hacker's point of view and finds out what could be exploited.
  • Application assessment tests the web infrastructure to find any outdated data.
  • Wireless network assessment determines the track of all the wireless connectivity over the network.

As shown in Figure 2.3, vulnerability assessment is performed at three different levels:

1. pre-assessment level, 2. assessment level, and 3. post-assessment phase.

At the first level, i.e., in the pre-assessment level stage of the assessment, the procedure for planning and ranking the assets is done. At the second level, the network architecture, threat environment, physical assets analysis, policies, and procedures are observed. Finally, at the post-assessment level, the priorities are made and an action plan is jotted down for conducting the next phases. In this analysis phase, the list of areas where the penetration testing is to be done is identified, like the nodes in the network map to trace the vulnerabilities.

What should be scanned?

The answer to this is all the network devices that are connected to the organization's internal and external networks (Qualys 2008).

  • • Operating systems
  • • Web servers
  • • Servers
  • • Firewalls
  • • Databases
  • • Load balancing servers
  • • Switches and hubs
  • • Access points

Classifying and ranking the risks

  • Crucial: The exploitation of the vulnerability is done without any human action.
  • Influential: The exploitation of the vulnerability could result in data loss and influence the integrity, confidentiality, and availability of the user's data.
  • Medium: The exploitation is serious, but the intensity is reduced by user action.
  • Low: The impact of exploitation is minimal or negligible.

Reporting

In this phase, a report is generated for the organization's executives by prioritizing the vulnerabilities that are to be handled to stop the occurrence of threats. This report also consists of the plan of action to be taken to overcome the losses. The security teams monitor closely the steps involved to remediate these issues. The vulnerability summary report (VSR) is made by the claimant by finding the vulnerabilities that are identified. They may also write a detailed note on how the vulnerability was traced out and finally show some process to rectify those vulnerabilities.

Remediating and Verifying

Treating the vulnerabilities can be done in three ways either by remediating, mitigating, or by ignoring or accepting.

Remediating: Remedial action is taken for their prioritized vulnerabilities by fixing the threat completely or by patching the software.

Mitigating involves the organization choosing an alternative method to overcome that vulnerability.

Ignoring/accepting allows the low-risk threats to happen and no action is taken to fix the bug.

Acceptance of a bug may always incur a loss. Hence, most organizations remediate the vulnerabilities with patches to overcome the major havocs in the network.

The verification phase involves checking whether the remedial action is implemented effectively and efficiently. It also provides transparency in organizations' accountability.

With the growing technologies, the vulnerabilities have become more significant in overcoming the security of the organizational data. Hence, regular scrutiny with the help of various organizational tools and vulnerability management techniques is always to be undertaken by the organization's IT team.

  • [1] 2.3 Vulnerability Vulnerability is defined in the ISO 27002 standard as "A weakness of an asset or group ofassets that can be exploited by one or more threats" (ISO/IEC 2020). A failure or flaw in aprogram that produces undesired or incorrect results is named as a bug. The bugs, whenexploited by heinous actors, turn out to be vulnerabilities. The vulnerabilities range from asystem crash to confidential data leakage over a network. These kinds of vulnerabilitiesthat compromise the security mechanisms of a system are called security vulnerabilities. The following are a few security vulnerabilities that are identified as unforgivable vulnerabilities based on their frequency within Common Vulnerabilities Exposures (CVE)(Chris tey 2007).
  • [2] Cross-site scripting 2. SQL injection attacks 3. Man in the middle attacks 4. Phishing attacks 5. Buffer overflows 6. Missing authorizations 7. Path traversals 8. Untrusted inputs 9. Downloading codes without integrity checking 10. Missing data encryption.
 
Source
< Prev   CONTENTS   Source   Next >