A Go-To Guide for Identifying and Prioritizing Vulnerabilities
Scanning for and identifying security risk is an integral part of any company's security charter. But before you can identify the risks to your company, you need to identify what technology and services your company uses. Having an asset or service inventory will enable your security team to identify what needs to be scanned or penetration tested.
First, consider some basic questions:
- Is my company running in a public cloud environment (e.g., AWS, GCP)?
- What vendor or open source products and software do we use?
- What operating systems are we using?
Once these questions (and many more!) are answered you can pick the right tools for the job!
Vulnerability scanners are tools that aid in identifying vulnerabilities in components such as applications, infrastructure, and networks through automated scans. Each asset is scanned for any possible vulnerabilities, such as using a component that has an associated CVE, an unintended file being exposed on the internet, or using default credentials. Some scanners enable the user to configure a set of rules which help set the boundary of the scan and the type of scan being performed.
There are two primary methods for conducting scans: credentialed scans and non-credentialed scans.
Credentialed scans involve comprehensive scanning within the environment. In this approach, the scanning tools are granted privileged access via a service account or an agent installed on the asset to explore the environment for vulnerabilities. By conducting a thorough examination of the assets, credentialed scans can uncover weak configurations and vulnerabilities.
On the other hand, non-credentialed scans do not require any credentials to access the asset being scanned. Compared to credentialed scans, non-credentialed scans provide less detailed findings as the scanner lacks a comprehensive view of the environment. These scans are typically utilized by penetration testers, researchers, and attackers to gain an understanding of the external risks posed by the asset.
By using credentialed and non-credentialed scans, organizations can gain valuable insights into the vulnerabilities present within their environments, allowing them to make informed decisions to enhance security measures.
While the results of a vulnerability scan offer useful information and a high-level view of the system's security posture, a penetration test includes a thorough analysis of the security risks posed in the environment.
Another effective approach to identifying vulnerabilities in the environment is performing a penetration test (pen test). In this process, a security engineer performs an attack against the system to discover the vulnerability and potential exploits. To create a realistic cyber attack scenario, the pen tester may even simulate the tactics, techniques, and procedures (TTPs) employed by actual adversaries.
Companies often hire someone externally to perform pen testing, as the most valuable results are achieved when a pen test is conducted by someone unfamiliar with the environment.
This is known as an external pen test. Nowadays, however, more companies have their own offensive security teams to perform an internal pen test. Both internal and external pen tests are extremely useful, as their two use cases cover an attacker inside and outside the network, respectively.
A pen test comprises seven main steps:
- Reconnaissance or open source intelligence (OSINT) gathering
- Scanning or discovery
- Vulnerability assessment (gaining access)
- Exploitation (maintaining access)
- Post-exploitation, reporting, and risk analysis
After the completion of the test, a report is generated including all of the vulnerabilities which have been found, along with their risk assessment and remediation details. This helps the organizations to address the issues and bolster their security in the environment.
Prioritization of Findings
Once you have identified what vulnerabilities are present in your environment through automated scanning and pen testing, the next step is to remediate them to reduce your company's risk profile. You might be thinking "I have a list of thousands of vulnerabilities, how could I possibly prioritize all of them?" The good news is, you don't have to! While you could focus on the severity the tools assign to each vulnerability, it is more effective to prioritize based on the vulnerability's impact to your business. This requires identifying what services, environments, and products are most critical to your business: Is this service or product customer-facing? Does it contain customer data? Will it cause significant revenue loss if there's downtime?
By combining the business impact with the vulnerability’s severity, you can create a prioritized list of vulnerabilities to remediate starting with the most critical vulnerability and services, turning that list of thousands into hundreds or even less!
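As an added illustration of the approach described above (not code from the original article), the following Python example combines a scanner's CVSS score with a business-impact weight derived from the three questions just listed; the asset attributes, the weights and the CVE identifiers are all constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    """Business context for a scanned asset. Attribute names are assumptions."""
    name: str
    customer_facing: bool
    holds_customer_data: bool
    revenue_critical: bool


@dataclass(frozen=True)
class Finding:
    """One scanner or pen-test result: a CVE id plus the tool's CVSS base score."""
    cve: str
    asset: Asset
    cvss: float  # 0.0 - 10.0 as reported by the tool


# Weights are illustrative assumptions, not a standard; tune them to your business.
IMPACT_WEIGHTS = {"customer_facing": 2, "holds_customer_data": 3, "revenue_critical": 2}


def business_impact(asset: Asset) -> int:
    """Baseline of 1 so a non-critical asset is never weighted down to zero."""
    return 1 + sum(w for attr, w in IMPACT_WEIGHTS.items() if getattr(asset, attr))


def priority_score(finding: Finding) -> float:
    """Tool severity multiplied by business impact (0 - 80 under these weights)."""
    return finding.cvss * business_impact(finding.asset)


def prioritize(findings: list[Finding]) -> list[Finding]:
    """Highest combined score first; ties broken by raw CVSS, then by CVE id."""
    return sorted(findings, key=lambda f: (-priority_score(f), -f.cvss, f.cve))


def remediation_queue(findings: list[Finding], cutoff: float) -> list[Finding]:
    """The shortlist to work first: everything at or above the cutoff, in order."""
    return [f for f in prioritize(findings) if priority_score(f) >= cutoff]


# Constructed sample data: the CVE ids below are placeholders, not real advisories.
BILLING_API = Asset("billing-api", True, True, True)
DEV_JUMPBOX = Asset("dev-jumpbox", False, False, False)
MARKETING_SITE = Asset("marketing-site", True, False, False)

SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", DEV_JUMPBOX, 9.8),     # critical CVSS, low business impact
    Finding("CVE-0000-0002", BILLING_API, 7.5),     # high CVSS, highest business impact
    Finding("CVE-0000-0003", MARKETING_SITE, 5.3),
    Finding("CVE-0000-0004", BILLING_API, 4.0),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{priority_score(f):5.1f}  {f.cvss:4.1f}  {f.asset.name:15} {f.cve}")
```

Note how the 9.8 on the isolated jump box drops to the bottom while a medium finding on the billing API rises above it; the cutoff in `remediation_queue` is what turns the full list into the short one the article describes.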