
Vulnerability Assessment – Part I

Testing

This blog series gives some details about what a vulnerability is, what vulnerability assessment is, and why vulnerability assessment is needed. It will not give you an in-depth view of vulnerability assessment, but it will give you a basic understanding of the above-mentioned topics.

In computer terms, a vulnerability means a weakness. This weakness may be due to a software fault, a programming error or a known limitation. An attacker will try to exploit this weakness and get access to the server. For example, suppose all the servers are kept in one room in the office, and this room does not have any authentication mechanism (no access card, no security guard). In this case the attacker has direct access to the servers; if he/she is able to breach security and take a server away, that is an exploit. In the majority of cases a vulnerability will tend to become an exploit.

Nowadays, when a known application has a vulnerability, we get the details through newsgroups or search engines. The time between an exploit being found and being fixed is known as ZERO days, and many times these ZERO days last for many years.

Many times we run an automated vulnerability assessment tool and prepare a report of many pages, but that is probably not the right way. We need to categorize the vulnerabilities first, and then take the high-priority ones and put them on paper.

Some tools will try to exploit the same vulnerability with 100 different fuzzing logics or data-driven inputs, but at the end of the day it is only one vulnerability. Many times these reports look very scary to whoever has to fix the vulnerability. Each and every vulnerability report should contain

It should not contain

Vulnerability reporting should highlight critical findings first, then high, medium and low. Findings should also be separated by service.
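The consolidation and ordering described above can be sketched as follows. This is an added example, not code from the original post; the tuple layout, the service names and the sample findings are constructed for illustration.

```python
from collections import defaultdict

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed sample scanner output: one row per test case that fired,
# as (service, issue, severity, test case id). Not real scan data.
RAW_FINDINGS = [
    ("ssh/22", "Weak key exchange algorithms enabled", "medium", "case-101"),
    ("http/443", "SQL injection in login form", "high", "case-001"),
    ("http/443", "SQL injection in login form", "critical", "case-002"),
    ("http/443", "SQL injection in login form", "critical", "case-003"),
    ("http/443", "Missing security headers", "low", "case-050"),
    ("smtp/25", "Open mail relay", "high", "case-200"),
]

def consolidate(findings):
    """Collapse repeated hits on the same (service, issue) into one entry."""
    merged = {}
    for service, issue, severity, _case in findings:
        sev = severity.lower()
        if sev not in SEVERITY_ORDER:
            raise ValueError(f"unknown severity: {severity!r}")
        entry = merged.setdefault(
            (service, issue),
            {"service": service, "issue": issue, "severity": sev, "hits": 0})
        entry["hits"] += 1
        # Many test cases, one vulnerability: keep the worst severity seen.
        if SEVERITY_ORDER[sev] < SEVERITY_ORDER[entry["severity"]]:
            entry["severity"] = sev
    return list(merged.values())

def build_report(findings):
    """Return {service: entries sorted critical to low}, worst service first."""
    by_service = defaultdict(list)
    for entry in consolidate(findings):
        by_service[entry["service"]].append(entry)
    for entries in by_service.values():
        entries.sort(key=lambda e: (SEVERITY_ORDER[e["severity"]], e["issue"]))
    # Order services by their most severe finding, then by name.
    ordered = sorted(by_service.items(),
                     key=lambda kv: (SEVERITY_ORDER[kv[1][0]["severity"]], kv[0]))
    return dict(ordered)

if __name__ == "__main__":
    for service, entries in build_report(RAW_FINDINGS).items():
        print(service)
        for e in entries:
            print(f"  [{e['severity'].upper():8}] {e['issue']} ({e['hits']} hits)")
```

Six raw scanner rows become four report entries, with the three SQL injection hits listed once under their worst severity.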

Reports are preferably delivered as a PDF with a digital signature, but Excel, Word or email formats can be used for internal audits. Reports should have an executive summary and a detailed summary report, which will help the end user fix the vulnerability.

Missing a major vulnerability will leave your system easy to defeat. So it is advised to scan your server frequently and not to rely only on automated vulnerability scanners. One should also visit different security advisory sites and check for various ZERO days.

In real-world scenarios we often hear: "This will not happen in our network", "Why should we secure our network?", "My application will not work if I move to a higher version". But as part of information security, it is advisable to work on a patched/updated server.

In next post we will see…
