Vulnerability Management

October 30, 2015 by Steve Lynch

Vulnerability management plays an important part in establishing a secure network. It involves identifying, analyzing and rectifying the flaws that exist in a system so that it stays in good working condition. An attacker could use these flaws in a network to launch an attack. Vulnerabilities arise from various factors such as new software issues, coding errors and human errors, and every company needs to maintain a secure network free from them. Highly confidential information and data flow through the company's network, so keeping it secure from third parties is a very serious job. New flaws and issues are found in every network day by day, so keeping the network secure is a difficult task.

The only way to solve this problem is to identify every related issue and resolve it effectively. You may have various devices attached to your network, and these devices may be configured in different ways. Any small error in these configurations could be exploited by an attacker to find a way into the internal network. Programming errors, or bugs, are the major reason for vulnerabilities. Experts say that even well-managed software is likely to contain bugs; to address them, vendors release patches and updates periodically. The first thing an attacker does is scan for any vulnerability that can be exploited, so it's very important to fix these bugs before something nasty happens. There should be periodic analysis to find such vulnerabilities, and companies like Adobe, Microsoft, and Google release monthly updates to fix such issues. When managing vulnerabilities, the first thing you should do is prioritize the issues, which helps in managing the process efficiently.

Need for Vulnerability Management

Every single device on the internet is vulnerable to one kind of attack or another. It is our responsibility to ensure maximum security for the devices associated with the network. Technology has developed beyond our imagination, and there is still no such thing as a complete solution or method to protect a network from all attacks. At some point, new viruses and malware create a hole that causes security issues. If you analyze a few cyber-attacks, you will find they were not targeted at a particular organization but were launched on the basis of some vulnerability. Any organization can be the target of such attacks, irrespective of its size and value. As per a recent survey, the number of attacks has increased drastically, and these attacks were not all for money; some were for confidential data, employee details, etc. These attacks will not always come from an outside source; there may be breaches from inside the organization as well.

All network perimeter devices have their limitations, and we won't be able to protect our environment from malicious programs all the time. Exploitation by malware can be stopped to a large extent by implementing a proper vulnerability management plan. Many devices connected to a network will be vulnerable to attack, and the first thing to do is to identify such devices and prevent unauthorized access to them. Proper firewall configuration, regular updates of antivirus software and use of an IDS (Intrusion Detection System) help in solving these kinds of issues to an extent. Attackers can use network scanners, mappers, port scanners, etc. to find such network-related issues. They make use of such network and peripheral defects to launch an attack, which could compromise an entire company. To avoid such problems, vulnerability management should be effectively implemented to identify and fix the security issues. With proper management, solutions to all these problems can be identified and extended to today's threat landscape.

Vulnerability management is a time-consuming process and is also somewhat expensive, but weighing the pros and cons, it is worth spending the money and resources on it. At the end of the process, a detailed report is obtained that shows the vulnerabilities and how they were managed.

The Process of Management

The vulnerability management process can be divided into several steps to obtain maximum efficiency. The process doesn't stop after you complete a certain number of steps or get the desired result for the time being. It's a cycle, which should be followed continuously to stay protected from attacks. Designing this process requires a lot of effort, and all aspects should be taken into consideration while making the plan. The process is depicted in the following diagram:

Figure 1: Vulnerability Management Cycle

For maximum results, the process should be carried out on a daily basis according to the priority of each sector. In a larger company with many devices, it would be easier to appoint a team for the management process alone. This is as important as the other normal processes of the company. Since daily checks and updates are required, having a dedicated team working for this purpose will make the process easier and more effective. The team can create a plan for the scanning procedure and discuss its strategy for eliminating the vulnerabilities. The steps included in the vulnerability management process are explained briefly below:

  • Vulnerability Scan: In this step, we first scan the devices connected to the network. This can be done with the help of third-party software. It gives an overview of the entire network and the devices connected within it. Systems that are connected to the internet should be given higher priority in this step, because these are the ones that give attackers access into the network. Devices are identified by their IP address. Once an IP address is identified, an attacker can obtain other related information using a "whois" search when it is related to a website.
  • Analyzing security strength: In this step, we use external scanning software such as nCircle, Qualys, Rapid7, etc. to carry out a few security tests and find out how vulnerable our systems and networks are. The software has pre-defined testing standards according to which the tests are carried out. You can carry out two different types of scan. The first gives the security details of the present situation, and the other takes a certain period to analyze the system and network thoroughly. It analyzes the patches and updates, and monitors how the system is improving over the test period. Both tests provide a detailed report, which helps us understand the status of the system. In a company, new data and information flow through the network continuously, so frequent scanning should be carried out to ensure maximum security. Some tools have an auto-scan function that acts when new data enters the system, providing immediate results. Before launching a scan, we should be aware of the devices connected to the network, and details like IP ranges, servers, workstations, printers, etc. should be recorded to get an overview of the scanning area. There are cloud-based services, known as SaaS (Software as a Service), that let us carry out scans through the internet. With such a service, you manage the scan by logging into your account; its advantages over the normal tools are device compatibility, automated updates, flexibility, customizable features, etc. One example of SaaS is QualysGuard.
  • Detailed Breakdown of Scan result: Scanning alone is not effective, so the results obtained after scanning should be thoroughly studied and measures taken accordingly to minimize the chance of an attack. The vulnerabilities in the scan results should be prioritized, and one should start fixing them according to priority. The list of vulnerabilities will vary with the size and infrastructure of each company. Some might only have a few flaws to fix, for some there will be a handful, and the results may include false positives too. Therefore, it's very important to go through each result to ensure maximum efficiency.
  • Vulnerability Solutions: This is one of the most important tasks in the entire process, and management is effective when you find a patch for the identified vulnerabilities. Existing software can be patched to fix its flaws, and after every patch the tests should be carried out again to make sure that the patch fixes all the flaws. The other vulnerabilities, in the network and in configuration, should be discussed among a group of experienced people to find a suitable solution. Once every problem is fixed, run the test again to confirm the result. This is not the last step of vulnerability management, though. We have to stay up to date on current trends and run frequent scans or take other measures to keep the system free from new bugs that could affect it.
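
The breakdown and re-test steps above, sketched as an added example that is not part of the original article: reviewed false positives are dropped, internet-facing hosts are queued first, and a rescan is compared with the first scan to confirm which fixes took. All hosts, check ids and scores are constructed, and the numeric severity field is an assumption about what the scanner reports.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    host: str        # IP address of the scanned device
    check: str       # scanner check id (placeholder values below)
    severity: float  # 0.0-10.0 score reported by the scanner (assumed field)

# Constructed sample data: every host, check id and score is invented.
INTERNET_FACING = {"203.0.113.10", "203.0.113.11"}  # from the asset inventory
FALSE_POSITIVES = {("10.0.0.23", "CHECK-0003")}     # confirmed by manual review

FIRST_SCAN = [
    Finding("10.0.0.23", "CHECK-0001", 9.8),
    Finding("203.0.113.10", "CHECK-0002", 6.5),
    Finding("10.0.0.23", "CHECK-0003", 7.2),   # reviewed: false positive
    Finding("203.0.113.11", "CHECK-0004", 8.1),
    Finding("10.0.0.40", "CHECK-0005", 4.3),
]
RESCAN = [  # results after the patch window
    Finding("203.0.113.10", "CHECK-0002", 6.5),  # patch did not take
    Finding("10.0.0.40", "CHECK-0005", 4.3),     # not yet patched
    Finding("10.0.0.40", "CHECK-0006", 5.0),     # newly detected
]

def triage(findings, internet_facing=INTERNET_FACING, false_positives=FALSE_POSITIVES):
    """Drop reviewed false positives, then order the work queue:
    internet-facing hosts first, highest severity first within each group."""
    real = [f for f in findings if (f.host, f.check) not in false_positives]
    return sorted(real, key=lambda f: (f.host not in internet_facing,
                                       -f.severity, f.host, f.check))

def verify_fixes(before, after):
    """Compare a rescan with the previous scan by (host, check)."""
    b = {(f.host, f.check) for f in before}
    a = {(f.host, f.check) for f in after}
    return {"fixed": sorted(b - a),       # gone after patching
            "still_open": sorted(b & a),  # patch missing or ineffective
            "new": sorted(a - b)}         # appeared since the last scan

if __name__ == "__main__":
    queue = triage(FIRST_SCAN)
    for f in queue:
        print(f"{f.host:15} {f.check}  severity {f.severity}")
    print(verify_fixes(queue, triage(RESCAN)))
```

The "still_open" and "new" lists feed the next pass of the cycle, which is why the process never ends at the patching step.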

Vulnerability Scanners and Tools

There are various methods to carry out the scanning process. Tools and methods are selected according to the requirements to obtain maximum output. These days the tools are mostly automated, and the standards and other functions are predefined in most of them. We just have to state our requirements and wait for the result. After the scanning process completes, the software provides a detailed report on the scan, which allows us to plan a fix for the vulnerabilities found. For enterprise-level scanning there are separate tools dedicated to this purpose. With normal software, the workload will be high in large organizations, since the number of computers and other network devices is large. The following are a few top-rated vulnerability scanners available in the market:

  • Nessus: It is one of the most popular vulnerability scanners available in the market. It's designed for Windows and Linux platforms. Initially, the software was free of cost and open source. Later it became a paid, closed-source product. It also has a home edition, which can be used for small private networks. The vendor keeps updating plug-ins and patches for effective results.
  • OpenVAS: This software was developed from the last free version of Nessus. It still uses the Nessus NASL language. Nessus has the advantage over OpenVAS in terms of plug-in availability and user interface. OpenVAS and Nessus produce almost the same efficiency results.
  • Nexpose: Rapid7 Nexpose can carry out the entire function of vulnerability management. Metasploit can be integrated with this tool for exploitation-related tests. Nexpose is more efficient at database scanning than the other tools.
  • Nipper: Nipper takes care of network devices such as routers, firewalls and switches. It was also open source software, and became a paid product when a commercial version was released.

Let's see what the Nessus software looks like. The Nessus home version needs to be registered with an email address to obtain a one-time activation code. Once activated, the software is ready for use. The software has a built-in plug-in directory, from which we can install plug-ins according to our requirements. A screenshot of the software is given below for reference:

Figure 2: Nessus screenshot

Other than these directly installed software products, there are various SaaS products. Software as a Service (SaaS) products are applications provided by vendors through the internet. This approach has several advantages. Firstly, we don't need to install any software on our system that could take up a lot of space, and the services can be managed through the browser. Each user is given a unique login ID for managing their process. QualysGuard is one such product that offers vulnerability management through the internet. It supports mapping, asset prioritization, report generation and network discovery. These types of services are much cheaper than normal software and also resolve the issues of deployment and resources.

Zero Day Vulnerability

We talked about bugs in an earlier section. Vulnerabilities caused by such bugs that are unknown to the vendor are known as zero day vulnerabilities. Attackers make use of these holes to launch an attack before the vendor fixes them. When hackers discover such a hole, they keep it a secret and circulate it within hacker groups until the vendor finds out about it. These types of attacks are commonly carried out now, as no security devices have the capability to prevent them.

As soon as the vendor finds out about the hole, it fixes the problem by releasing an update for the existing version of the software. These patches cover all the existing vulnerabilities and bugs and provide safe working software. A new patch will not necessarily give perfect cover against all vulnerabilities. After a new patch is released, attackers will work on it to find a new hole in the software. Therefore, it's very important to update all software versions periodically.

Most zero day attacks are caused by weak source code. Organizations have to understand the seriousness of this kind of vulnerability. As you know, the Conficker worm infected more than 1 million PCs within a day, and attacks of this kind spread fast, so the time to act during an attack might be very small. We should therefore take steps to prevent such attacks, as they may have a major impact on the organization. Organizations are keen to explore devices that claim to prevent zero day vulnerabilities, but so far complete prevention doesn't exist. In this year alone, five major zero day attacks have been reported, compromising MS Office and Adobe Flash Player. Zero day attacks that target Microsoft often happen right after it launches a new patch. Finding and fixing a vulnerability is a time-consuming process for software makers, and for normal users the best one can do during the waiting period is to set up good anti-spam and virus protection, which helps to an extent.

Tools Used to Exploit Vulnerability

A large number of tools are available for various segments of exploitation. It is necessary to understand the functions and options of each tool before using it. The following are a few tools that have proved their efficiency in exploitation over time:

  • Metasploit: It is an advanced tool for testing and developing exploit code. Metasploit was developed in 2004 and was completely free until 2009. Many videos are available on YouTube showing how Metasploit can be used to carry out an attack.
  • W3af: It has a very flexible framework for finding and exploiting vulnerabilities. Dozens of features can be added by installing more plug-ins.
  • Core Impact: It is considered one of the most powerful tools available in the market now. It helps us penetrate a system and create an encrypted path to expand our exploitation to other systems connected to the same network.
  • Canvas: This is much cheaper than Core Impact. It has around 370 exploits included in the package. Full source code is available with the software.
  • Netsparker: Netsparker is a web application security scanner, which helps us detect and exploit the flaws present in a system. This software reports only confirmed vulnerabilities after complete exploitation.
  • Sqlninja: This tool is mainly used in situations involving Microsoft SQL servers. It finds vulnerabilities and automatically exploits them, finally providing a complete report.

Conclusion

We live in a world where information plays an important role, so protecting the information related to one's organization is essential. Given the complexity of our networks, we need multiple defense methods to protect our data, and organizations should be aware not only of the attacks but also of the effects such attacks cause. For this, an effective vulnerability management process is required to keep the network free from bugs and attacks.

Steve Lynch

Steve has 9 years of experience in the cyber security space. He worked as a cyber journalist, collecting news associated with cyber security from various geographic locations. He has extensive experience with Linux and holds many technology certificates.