
The Security Vulnerability Assessment Process, Best Practices & Challenges
1

Kellep A. Charles, D.Sc. CISA, CISSP

www.SecurityOrb.com
Introduction
2
• Security vulnerability assessments have become an imperative part of any organization's computer and network security posture.
• Many organizations consist of:
  ◦ Heterogeneous computing environments
  ◦ Windows, Mac OS X, Linux/Unix
  ◦ Multiple applications
  ◦ Distributed computing
  ◦ Internet-enabled information access systems
• The need to understand the state of an organization's overall information system has become pressing.
Introduction
3
• Best practices in information security acknowledge that
  ◦ a defensive-only approach to securing an enterprise does not suffice
  ◦ at times it is considered inadequate.
• Frequently these defensive security devices, such as firewalls and intrusion detection systems (IDS), are
  ◦ often not configured properly
  ◦ not capable of locating all the vulnerabilities and threats on the network, especially at the node level.
Introduction
4
• Performing regular security vulnerability assessments helps bridge that gap.
• It allows an organization to take a proactive stance towards protecting its information computing environment.
• The bottom-line objective is to safeguard the core intellectual and electronic assets of the organization, and to ensure compliance with appropriate regulations.
Why Is It So Vital?
5
• Most systems are unpatched
  ◦ Lazy, overworked or misinformed system administrators
• Most compromises are of unpatched systems for which patches or workarounds are available
• Some systems cannot be patched (allow for alternate defenses)
• Proactive and offensive posture towards security
• Compliance
Assessment Levels
6
• Basic Security Assessment - The objective for this assessment is to give the responsible party a basic understanding of the security of the business as a whole in three key areas: Administrative, Physical and Technical Safeguards. It is meant to point out possible areas of weakness with a walk-through of the facility and a Q&A session. It is not an in-depth study; rather, it is a basic first step in protecting information.
• In-depth Security Assessment - This is a comprehensive study of the security of your business. We will analyze all policies and procedures, router access lists, firewall configurations and policies, PC and server configurations, and perform a complete website review and a complete mail server review. We will then present the client with a written report of our findings. This type of assessment will give you a thorough understanding of how your company measures up to "Industry Best Practices".
Assessment Levels
7
• External Vulnerability Testing - We will test your network from the outside from a "hacker's point-of-view". We will use the same tools criminals use to try and compromise your network and servers.
• Internal Vulnerability Testing - These are the same tools used in the External test. This type of assessment is essential in understanding how and why hackers, viruses and worms spread so quickly through an organization.
Assessment Process
8
• To conduct a security assessment effectively, so that it is beneficial to an organization,
  ◦ a proven methodology must be followed so that the assessors and assessees are on the same page.
• Using a proven security assessment methodology supplies a blueprint of events from start to finish that can be examined, tracked and replicated.
• Reports constructed from the security assessments provide a snapshot view of information system deficiencies for short-term analysis as well as trending data for long-term evaluation,
• allowing the organization to understand its vulnerabilities so it can better protect itself from current and future threats.
Security Assessment Process
9
• The process includes the following 6 phases:
  ◦ Pre-Security Assessment Process
  ◦ Security Assessment In-Brief
  ◦ Security Assessment Field Work
  ◦ Security Assessment Report Analysis & Preparation
  ◦ Security Assessment Out-Brief
  ◦ Post-Security Assessment Process
Security Assessment Process
10
• Pre-Security Assessment Process
  ◦ The pre-security assessment process entails one of the most important aspects of conducting a security assessment. Obtaining an engagement letter grants the assessment team the authority to commence the formal process of creating documentation to support the security assessment, permission for the onsite visit, and the overall authority to conduct the security assessment.
Security Assessment Process
11
• Security Assessment In-Brief
  ◦ Once the team has arrived at the assessment location, a security assessment in-brief is required. In the in-brief, both the security assessment team and the organizational staff members will introduce themselves and the roles they will have during the security assessment process.
Security Assessment Process
12
• Security Assessment Field Work (Scanning, Interview, Walk-Thru and Doc Review)
  ◦ Once the in-brief has been reviewed, discussed, completed and agreed upon, the security assessment fieldwork can commence. The security assessment fieldwork process consists of conducting vulnerability scans, a facility walkthrough, manual system checks, staff interviews and various document reviews.
Security Assessment Process
13
• Security Assessment Report Analysis & Preparation
  ◦ Towards the end of the security assessment, once all of the security assessment fieldwork has been completed, the security assessment team will review and process the information in preparation for the final report. During this phase, the security assessment team will address any false positives and waivers, and document any variances and findings that will be included in the final report.
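The report analysis phase above (addressing false positives and waivers, documenting variances) and the earlier point about reports serving as both a short-term snapshot and long-term trending data are illustrated by the following added example. It is not part of the presentation or of any SecurityOrb process; the finding IDs, hosts, dispositions, dates and the prior-assessment set are all constructed. A false positive must carry a justification, and a waiver must carry an expiry so that an expired waiver reopens the finding instead of silently accepting the risk forever.

```python
# Added example (not from the presentation): turning raw fieldwork findings into
# report findings, then comparing against the prior assessment for trending.
# Finding IDs, hosts, dispositions and dates are constructed for illustration.
from datetime import date

ASSESSMENT_DATE = date(2024, 6, 1)   # constructed date of this assessment
LATER_DATE = date(2025, 3, 1)        # constructed date after the waiver below expires

# Raw findings from scanning and manual checks: (finding id, host, severity). Constructed.
RAW_FINDINGS = [
    ("PATCH-001", "srv-01", "high"),
    ("PATCH-001", "srv-02", "high"),
    ("CONF-001", "srv-01", "medium"),
    ("REMOTE-001", "web-01", "low"),
    ("REMOTE-002", "web-01", "low"),
]

# Dispositions agreed during analysis. A false positive needs a justification
# (why it is not a real weakness); a waiver needs an expiry so accepted risk is
# revisited instead of forgotten. Constructed.
DISPOSITIONS = {
    ("REMOTE-002", "web-01"): {
        "type": "false_positive",
        "justification": "vendor backported the fix; banner version string unchanged",
    },
    ("CONF-001", "srv-01"): {
        "type": "waiver",
        "expires": date(2025, 1, 31),
        "justification": "legacy client cannot negotiate signing; compensating control in place",
    },
}

# (finding id, host) pairs reported in the previous assessment, for trending. Constructed.
PRIOR_FINDINGS = {
    ("PATCH-001", "srv-01"),
    ("REMOTE-001", "web-01"),
    ("PATCH-009", "srv-02"),
}


def tally(findings):
    """Snapshot counts by severity for the report summary."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for _, _, sev in findings:
        counts[sev] += 1
    return counts


def analyze(raw, dispositions, prior, as_of):
    """Apply dispositions, document variances, and compute trending against prior."""
    report = []     # open findings that go into the final report
    variances = []  # false positives and valid waivers: documented, not counted as open
    for fid, host, sev in raw:
        disp = dispositions.get((fid, host))
        if disp is None:
            report.append((fid, host, sev))
            continue
        if not disp.get("justification"):
            raise ValueError(f"{fid}@{host}: disposition recorded without justification")
        if disp["type"] == "waiver" and disp["expires"] < as_of:
            report.append((fid, host, sev))   # expired waiver: the finding is open again
            continue
        variances.append((fid, host, disp["type"]))
    current = {(fid, host) for fid, host, _ in report}
    return {
        "report": report,
        "variances": variances,
        "snapshot": tally(report),                 # short-term view
        "new": sorted(current - prior),            # trending: introduced since last time
        "remediated": sorted(prior - current),     # trending: fixed since last time
        "persisting": sorted(current & prior),     # trending: still open
    }


def analyze_sample(as_of=ASSESSMENT_DATE):
    """Run the analysis over the constructed sample data."""
    return analyze(RAW_FINDINGS, DISPOSITIONS, PRIOR_FINDINGS, as_of)


if __name__ == "__main__":
    result = analyze_sample()
    print("snapshot:", result["snapshot"])
    print("new:", result["new"], "remediated:", result["remediated"])
    print("variances:", result["variances"])
```

Run against the constructed sample, the snapshot counts two highs and one low as open, the false positive and the still-valid waiver appear only under variances, and the trending fields show one new finding, one remediated finding and two persisting ones; running the same analysis with `LATER_DATE` reopens the waived medium finding.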
Security Assessment Process
14
• Security Assessment Out-Brief
  ◦ The security assessment team will provide recommendations.
  ◦ Contact information will be on the out-brief.
  ◦ This process should be interactive, where questions are taken throughout the security assessment out-brief.
  ◦ At the end of the security assessment out-brief, both parties will have to sign the pages of the out-brief and discuss what will be occurring in the post-security assessment process.
Security Assessment Process
15
• Post-Security Assessment Process
  ◦ The post-security assessment process is where the security assessment team securely files all documentation and electronic data pertaining to the organization on which the security assessment was conducted.
  ◦ In addition, a team meeting with all members of the assessment team should be conducted to review lessons learned and feed any improvements or noted deficiencies back into the process.
Vulnerability Assessment, Penetration Test & Security Audit
16
• A vulnerability assessment is a practice used to identify all potential vulnerabilities that could be exploited in an environment.
  ◦ The assessment can be used to evaluate physical security, personnel (testing through social engineering and such), or system and network security.
• While a vulnerability assessment's goal is to identify all vulnerabilities in an environment, a penetration test has the goal of "breaking into the network."
  ◦ It only needs to exploit one or two vulnerabilities to actually penetrate the environment.
  ◦ Penetration testing is also referred to as ethical hacking.
• A security audit is basically someone going around with a criteria checklist of things that should be done or in place to ensure that the company is in compliance with its security policy, regulations and legal responsibilities.
Credentialed Scans vs. Uncredentialed Scans
17
• Credentialed scanning allows for a much more accurate and thorough picture of the system.
  ◦ Mechanic and doctor example
• Part of vulnerability scanning is to identify missing patches that leave a machine open to compromise.
• Test of a Windows 7 system
  ◦ The results speak for themselves: first scan without credentials, then with credentials. What do you think you will see?
Credentialed Scans vs. Uncredentialed Scans
18
• Test of a Windows 7 system
  ◦ The results speak for themselves: without credentials, the scan identified highs=0; meds=0; lows=1. With credentials: highs=7; meds=8; lows=5.
  ◦ Guess which one is more accurate.
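As an added example (not part of the presentation, and not the scanner output from the Windows 7 test above), the following Python models why the two scan types differ so much: an uncredentialed scan can only match what is visible from the network, typically service banners and version strings, while a credentialed scan also reads the host's local patch inventory and configuration, which is where missing patches and weak settings actually show up. The host, its banners, the patch identifiers (HYPO-KB-...) and the three check lists are constructed; they are not any real scanner's checks.

```python
# Added example (not from the presentation): a small model of an uncredentialed
# versus a credentialed vulnerability scan of one host. Every host attribute,
# banner, patch ID and check below is constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class Host:
    # What a remote, unauthenticated scanner can observe: open ports and banners.
    banners: dict
    # What only an authenticated scanner can read: local patch inventory and config.
    installed_patches: set = field(default_factory=set)
    config: dict = field(default_factory=dict)


# Remote checks match a banner substring that indicates a weak version.
REMOTE_CHECKS = [
    # (check id, severity, port, banner marker)
    ("REMOTE-001", "low", 80, "ExampleHTTPd/1.0"),
]
# Patch checks flag a finding when a required patch is absent from the inventory.
PATCH_CHECKS = [
    # (check id, severity, required patch id)  -- constructed, hypothetical IDs
    ("PATCH-001", "high", "HYPO-KB-1001"),
    ("PATCH-002", "high", "HYPO-KB-1002"),
    ("PATCH-003", "medium", "HYPO-KB-1003"),
]
# Config checks flag a finding when a local setting has the insecure value.
CONFIG_CHECKS = [
    # (check id, severity, config key, insecure value)
    ("CONF-001", "medium", "smb_signing_required", False),
    ("CONF-002", "low", "guest_account_enabled", True),
]


def uncredentialed_scan(host):
    """Findings inferable from the network alone (banner/version matching)."""
    findings = []
    for fid, sev, port, marker in REMOTE_CHECKS:
        if marker in host.banners.get(port, ""):
            findings.append((fid, sev))
    return findings


def credentialed_scan(host):
    """Remote findings plus everything the local inventory and config reveal."""
    findings = uncredentialed_scan(host)
    for fid, sev, patch in PATCH_CHECKS:
        if patch not in host.installed_patches:
            findings.append((fid, sev))
    for fid, sev, key, bad in CONFIG_CHECKS:
        if host.config.get(key) == bad:
            findings.append((fid, sev))
    return findings


def tally(findings):
    """Count findings by severity, the way a scan summary reports them."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for _, sev in findings:
        counts[sev] += 1
    return counts


# Constructed host: one outdated web banner visible remotely, only one of the
# three required patches installed, SMB signing not required.
SAMPLE_HOST = Host(
    banners={80: "Server: ExampleHTTPd/1.0", 445: ""},
    installed_patches={"HYPO-KB-1002"},
    config={"smb_signing_required": False, "guest_account_enabled": False},
)

if __name__ == "__main__":
    print("without credentials:", tally(uncredentialed_scan(SAMPLE_HOST)))
    print("with credentials:   ", tally(credentialed_scan(SAMPLE_HOST)))
```

On the constructed host the uncredentialed scan reports a single low finding from the web banner, while the credentialed scan adds the two missing patches and the SMB signing setting. The pattern mirrors the slide's point: a host with nothing exposed on the wire can still be badly out of date, and only a credentialed scan can show that.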
Credentialed Scans vs. Uncredentialed Scans
19

Credentialed Scans vs. Uncredentialed Scans
20
What Vulnerability Scanning Can't Do
21
• Find zero-days and malware
  ◦ It eliminates only the most obvious and known security threats.
• Patch
• Determine the difference between a false positive and a false negative
Conclusion

• The art of defending an organizational network takes many approaches to be done successfully.
• No one control can assure that the network is safe. Firewalls are great for prevention, IDS offers the ability for detection, security awareness briefings provide for user knowledge, and security vulnerability assessments assist with a proactive posture towards security.
• Assessment also helps prove you've done "due diligence" in performing basic system patches and fixing the well-known problems in case a security breach causes financial, legal or regulatory problems.