CySA+ domain #6: analyzing vulnerability scan results
Being able to both understand, configure and properly use vulnerability scanning tools is one thing, but being able to properly analyze vulnerability scan results is quite another.
This article will detail how to analyze reports from a vulnerability scan and how to validate results and correlate other data points. This article corresponds to the CySA+ certification objective 2.2, and by the time you are done reading this article you will have a solid understanding of the material covered by this sub-domain.
Analyze reports from a vulnerability scan
Vulnerability scans often provide cybersecurity analysts with a high volume of information, and analysts need to know how to read it in order to understand the report. After reading the findings, analysts are commonly expected to conduct their own investigation to confirm that each vulnerability actually exists and how severe it is. External data sources can assist with this process.
The following factors should be considered by cybersecurity analysts as they analyze vulnerability scan results.
Identifying false positives
While vulnerability scanning tools are very useful, they aren’t foolproof. False positives are vulnerabilities listed in the vulnerability scan results that do not really exist. One example of a false positive is when a vulnerability scan picks up an IIS web server vulnerability on a Linux system that is running Apache.
Unfortunately, the causes of false positives are legion. Some of these include the scanner not having sufficient access to a system to confirm a vulnerability, or simply having an error in one of its plug-ins that generated the erroneous report.
Cybersecurity analysts should take the time and effort to verify each vulnerability their report lists. They should use their combined knowledge and expertise in cybersecurity to confirm whether a finding is a legitimate vulnerability, and they should take steps to ensure that future scans do not pick up past false positives again. Sometimes this is easy, such as simply updating a plug-in; sometimes it takes a good amount of time and effort to understand the cause and prevent it from recurring.
Identifying documented exceptions
Another important part of vulnerability scan report analysis is identifying documented exceptions: cases where an organization decides, for a documented reason, not to remediate a particular vulnerability (or list of vulnerabilities). Some examples of documented exceptions you may encounter include:
- When business requirements dictate that a particular OS is no longer supported
- When the development team determines that the cost of remediating a particular vulnerability outweighs its security benefit
Cybersecurity analysts need to understand that in most cases, they are present at the organization for the organization. Understanding and conforming to an organization’s business requirements is essential to the role and pretty much just comes with the territory.
Prioritize response actions
The last factor in analyzing vulnerability scan results is to prioritize the actions you take in response to vulnerabilities that are found.
Cybersecurity analysts do not want to respond to every vulnerability at the same time, for a number of reasons: the time, money and effort required may not be available, or may be better spent elsewhere. Whenever analysts make a decision based on prioritization, that decision should be properly documented and made available to other cybersecurity analysts within the organization.
Validate results and correlate other data points
Validating the results of your vulnerability scan and correlating the other data points it picks up is a crucial part of analyzing scan results and critical to proper remediation. Below is a list of actions you can take to satisfy this integral part of your analysis, both on the CySA+ certification exam and in the real world.
Compare to best practices or compliance
Comparing your vulnerabilities to industry best practices and to any compliance regime your organization is governed by is the first step in validating your results. The knowledge you gain from this comparison can greatly shorten the vulnerability remediation process.
It is vital that you do not analyze your results in a proverbial vacuum, void of any reconciliation with other sources of valuable information. These other sources of information include:
- Logs: Logs from servers, network devices and applications often contain useful information about attempts to exploit your vulnerabilities
- Security Information and Event Management (SIEM): SIEMs correlate log information from different sources into a form that is at once easily digestible and actionable for cybersecurity analysts
- Configuration management systems: Provide authoritative information about your systems and their operating systems
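As an added example (not code from the article or from CompTIA), the following Python script applies these checks to a constructed scan report: it flags the IIS-vulnerability-on-an-Apache-Linux-host style platform mismatch as a likely false positive by consulting configuration-management data, sets aside a documented exception, and raises the priority of a finding whose host logs show the weakness being probed. Every host, finding, log line and the PROBE_PATTERNS mapping are assumptions constructed for the example; call triage(FINDINGS, CMDB, EXCEPTIONS, LOGS) to run it.

```python
import re

# Constructed scan findings: what the scanner claims for each host.
FINDINGS = [
    {"id": "F1", "host": "10.0.0.5", "plugin": "IIS remote code execution",
     "platform": "windows", "severity": "high"},
    {"id": "F2", "host": "10.0.0.5", "plugin": "Apache mod_status exposed",
     "platform": "linux", "severity": "medium"},
    {"id": "F3", "host": "10.0.0.9", "plugin": "SMBv1 enabled",
     "platform": "windows", "severity": "high"},
    {"id": "F4", "host": "10.0.0.9", "plugin": "Weak TLS cipher suite",
     "platform": "any", "severity": "low"},
]
# Constructed configuration-management record: authoritative OS per host.
CMDB = {"10.0.0.5": {"os": "linux"}, "10.0.0.9": {"os": "windows"}}
# Constructed documented exceptions: finding id -> business justification.
EXCEPTIONS = {"F3": "legacy file server retained until Q3 migration"}
# Constructed web server access log lines, keyed by the host that wrote them.
LOGS = {"10.0.0.5": [
    '203.0.113.7 - - [01/May/2023:10:01:02 +0000] "GET /server-status HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/May/2023:10:01:03 +0000] "GET /index.html HTTP/1.1" 200 2048',
]}
# Plugin keyword -> log pattern suggesting the weakness is being probed (assumed).
PROBE_PATTERNS = {"mod_status": re.compile(r'"GET /server-status')}


def triage(findings, cmdb, exceptions, logs):
    """Return {finding id: verdict}. Checks run in order: a platform that
    contradicts the CMDB marks a likely false positive whatever the severity;
    an accepted exception is recorded rather than worked; everything else is
    queued for validation, bumped up if the host's own logs show probing."""
    verdicts = {}
    for f in findings:
        host_os = cmdb.get(f["host"], {}).get("os")
        if f["platform"] not in ("any", host_os):
            verdicts[f["id"]] = "likely false positive: platform mismatch"
            continue
        if f["id"] in exceptions:
            verdicts[f["id"]] = "documented exception: " + exceptions[f["id"]]
            continue
        probed = any(pat.search(line)
                     for kw, pat in PROBE_PATTERNS.items() if kw in f["plugin"]
                     for line in logs.get(f["host"], []))
        verdicts[f["id"]] = ("prioritize: probing seen in logs" if probed
                             else "validate: severity " + f["severity"])
    return verdicts
```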
Review related logs and other data sources
Cybersecurity analysts should maintain an open mind and review all relevant logs and data sources. You can sometimes find clues to other potential vulnerabilities and the exploits used to attack them by simply reviewing these sources. To save time in the remediation process, focus on those logs and other sources of information that you have not already reconciled your vulnerability scan results with.
Determine trends
Determining trends is often the last step in the vulnerability scan results analysis process, and it normally involves more correlation with other data than the other steps do. When determining overall vulnerability trends, consider the following:
- The number of new vulnerabilities emerging over time
- The age of currently existing vulnerabilities
- The approximate time required to remediate the vulnerabilities
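As an added example (not the article's own code), this Python function derives the three trend measures above from a constructed series of scan snapshots: findings new in each scan, the age of each finding still open, and the mean time to remediate findings that disappeared between scans. The scan dates, hosts, plugin names and reporting date are all assumptions made for the example.

```python
from datetime import date

# Constructed scan history: scan date -> set of findings (host, plugin) open
# on that date. Dates, hosts and plugin names are assumptions.
SCANS = {
    date(2023, 3, 1): {("10.0.0.5", "Apache mod_status exposed"),
                       ("10.0.0.9", "SMBv1 enabled")},
    date(2023, 4, 1): {("10.0.0.9", "SMBv1 enabled"),
                       ("10.0.0.9", "Weak TLS cipher suite")},
    date(2023, 5, 1): {("10.0.0.9", "SMBv1 enabled"),
                       ("10.0.0.5", "OpenSSH outdated")},
}
AS_OF = date(2023, 5, 15)  # assumed reporting date


def vulnerability_trends(scans, as_of):
    """Derive the three trend measures from a series of scans: how many
    findings are new in each scan, how old each still-open finding is, and
    the mean time to remediate those that went away. A finding absent from a
    scan is treated as remediated on that scan's date; a host that was merely
    unreachable looks the same, so confirm closures against change records."""
    first_seen, closed_on, new_per_scan = {}, {}, {}
    previous = set()
    for scan_date in sorted(scans):
        current = scans[scan_date]
        newly_seen = current - previous
        new_per_scan[scan_date] = len(newly_seen)
        for finding in newly_seen:
            first_seen[finding] = scan_date      # (re)opened on this scan
            closed_on.pop(finding, None)
        for finding in previous - current:
            closed_on[finding] = scan_date       # gone since the last scan
        previous = current
    open_age = {f: (as_of - first_seen[f]).days for f in previous}
    durations = [(closed_on[f] - first_seen[f]).days for f in closed_on]
    mttr = sum(durations) / len(durations) if durations else None
    return {"new_per_scan": new_per_scan, "open_age_days": open_age,
            "mean_days_to_remediate": mttr}


def demo():
    """Run the trend calculation on the constructed history above."""
    return vulnerability_trends(SCANS, AS_OF)
```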
Being a cybersecurity analyst is more than having expert-level knowledge and an advanced cybersecurity skill set. Analysts need to be able to analyze their vulnerability scan results, validate those results and correlate the relevant data points in order to give their best effort in the integral role they serve.
So put your analyst hat on, dive into your results and if you hit any roadblocks, use this article as the proverbial tow truck to pull yourself out of the mud you may be spinning your wheels in.