Chapter 8 - 03 - Discuss Vulnerability Assessment - 02_ocred_fax_ocred.pdf
Certified Cybersecurity Technician
Exam 212-82
Network Security Assessment Techniques and Tools

Information Obtained from the Vulnerability Scanning

Vulnerability scanners are capable of identifying the following information:
- The OS version running on computers or devices
- IP and Transmission Control Protocol/User Datagram Protocol (TCP/UDP) ports that are listening
- Applications installed on computers
- Accounts with weak passwords
- Files and folders with weak permissions
- Default services and applications that might have to be uninstalled
- Errors in the security configuration of common applications
- Computers exposed to known or publicly reported vulnerabilities
- EOL/EOS software information
- Missing patches and hotfixes
- Weak network configurations and misconfigured or risky ports
- Help to verify the inventory of all devices on the network

Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Vulnerability Scanning Approaches

There are two approaches to network vulnerability scanning:

Active Scanning: The attacker interacts directly with the target network to find vulnerabilities. Active scanning helps in simulating an attack on the target network to uncover vulnerabilities that can be exploited by the attacker. This type of scanning is also known as intrusive scanning.
Example: An attacker sends probes and specially crafted requests to the target host in the network to identify vulnerabilities.

Passive Scanning: The attacker tries to find vulnerabilities without directly interacting with the target network. The attacker identifies vulnerabilities via information exposed by systems during normal communications. Passive scanning identifies the active operating systems, applications, and ports throughout the target network, monitoring activity to determine its vulnerabilities. This approach provides information about weaknesses but does not provide a path for directly combating attacks. This type of scanning is also known as non-intrusive scanning.
Example: An attacker guesses the operating system information, applications, and application and service versions by observing the TCP connection setup and teardown.

Attackers scan for vulnerabilities using tools such as Nessus, Qualys, GFI LanGuard, and OpenVAS. Vulnerability scanning enables an attacker to identify network vulnerabilities, open ports and running services, application and services configuration errors, and application and service vulnerabilities.

Vulnerability Scoring Systems and Databases

Common Vulnerability Scoring System (CVSS)
- An open framework for communicating the characteristics and impacts of IT vulnerabilities
- Its quantitative model ensures repeatable accurate measurement, while enabling users to view the underlying vulnerability characteristics used to generate the scores
Source: https://www.first.org, https://nvd.nist.gov

Common Vulnerabilities and Exposures (CVE)
- A publicly available and free-to-use list or dictionary of standardized identifiers for common software vulnerabilities and exposures
Source: https://cve.mitre.org

[Figure: CVE List search results]
CVE-2019-9565: Druide Antidote RX, HD, 8 before 8.05.2287, 9 before 9.5.3937 and 10 before 10.1.2147 allows remote attackers to steal NTLM hashes or perform SMB relay attacks upon a direct launch of the product, or upon an indirect launch via an integration such as Chrome, Firefox, Word, Outlook, etc. This occurs because the product attempts to access a share with the PLUG-INS subdomain name; an attacker may be able to use Active Directory Domain Services to register that name.
CVE-2019-7097: Adobe Dreamweaver versions 19.0 and earlier have an insecure protocol implementation vulnerability. Successful exploitation could lead to sensitive data disclosure if smb request is subject to a relay attack.
CVE-2019-6452: Kyocera Command Center RX TASKalfa4501i and TASKalfa5052ci allows remote attackers to abuse the Test button in the machine address book to obtain a cleartext FTP or SMB password.

National Vulnerability Database (NVD)
- A U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP)
- These data enable the automation of vulnerability management, security measurement, and compliance
- The NVD includes databases of security checklist references, security-related software flaws, misconfigurations, product names, and impact metrics
Source: https://nvd.nist.gov

[Figure: NVD vulnerability detail page showing the CVSS severity and metrics of an entry]

Common Weakness Enumeration (CWE)
- A category system for software vulnerabilities and weaknesses
- It is sponsored by the National Cybersecurity FFRDC, which is owned by The MITRE Corporation, with support from US-CERT and the National Cyber Security Division of the U.S. Department of Homeland Security
- It has over 600 categories of weaknesses, which enable CWE to be effectively employed by the community as a baseline for weakness identification, mitigation, and prevention efforts
Source: https://cwe.mitre.org

[Figure: CWE website, list of weaknesses and search]

Due to the growing severity of cyber-attacks, vulnerability research has become critical as it helps to mitigate the chance of attacks. Vulnerability research provides awareness of advanced techniques to identify flaws or loopholes in the software that can be exploited by attackers.
Vulnerability scoring systems and vulnerability databases are used by security analysts to rank information system vulnerabilities and to provide a composite score of the overall severity and risk associated with identified vulnerabilities. Vulnerability databases collect and maintain information about various vulnerabilities present in information systems.

Following are some of the vulnerability scoring systems and databases:
- Common Vulnerability Scoring System (CVSS)
- Common Vulnerabilities and Exposures (CVE)
- National Vulnerability Database (NVD)
- Common Weakness Enumeration (CWE)

Common Vulnerability Scoring System (CVSS)

Source: https://www.first.org, https://nvd.nist.gov

CVSS is a published standard that provides an open framework for communicating the characteristics and impacts of IT vulnerabilities. The system's quantitative model ensures repeatable, accurate measurement while enabling users to see the underlying vulnerability characteristics that were used to generate the scores. Thus, CVSS is well suited as a standard measurement system for industries, organizations, and governments that need accurate and consistent vulnerability impact scores. Two common uses of CVSS are prioritizing vulnerability remediation activities and calculating the severity of vulnerabilities discovered on one's systems. The National Vulnerability Database (NVD) provides CVSS scores for almost all known vulnerabilities.

CVSS helps capture the principal characteristics of a vulnerability and produce a numerical score to reflect its severity.
This numerical score can thereafter be translated into a qualitative representation (such as low, medium, high, or critical) to help organizations properly assess and prioritize their vulnerability management processes.

CVSS assessment consists of three metrics for measuring vulnerabilities:
- Base Metric: Represents the inherent qualities of a vulnerability.
- Temporal Metric: Represents the features that continue to change during the lifetime of the vulnerability.
- Environmental Metric: Represents vulnerabilities that are based on a particular environment or implementation.

Each metric sets a score from 1-10, with 10 being the most severe. The CVSS score is calculated and generated by a vector string, which represents the numerical score for each group in the form of a block of text. The CVSS calculator ranks the security vulnerabilities and provides the user with information on the overall severity and risk related to the vulnerability.

Severity    Base Score Range
None        0.0
Low         0.1-3.9
Medium      4.0-6.9
High        7.0-8.9
Critical    9.0-10.0
Table 8.1: CVSS v3.0 ratings

Severity    Base Score Range
Low         0.0-3.9
Medium      4.0-6.9
High        7.0-10
Table 8.2: CVSS v2.0 ratings

[Figure: Common Vulnerability Scoring System Calculator, Version 3, for CVE-2017-0144]
This page shows the components of the CVSS score for example and allows you to refine the CVSS base score. Please read the CVSS standards guide to fully understand how to score CVSS vulnerabilities and to interpret CVSS scores. The scores are computed in sequence such that the Base Score is used to calculate the Temporal Score and the Temporal Score is used to calculate the Environmental Score.
CVSS Base Score: 8.1
Impact Subscore: 5.9
Exploitability Subscore: 2.2
CVSS Temporal Score: NA
CVSS Environmental Score: NA
Modified Impact Subscore: NA
Overall CVSS Score: 8.1
CVSS v3 Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score Metrics:
- Exploitability Metrics: Attack Vector (AV), Attack Complexity (AC), Privileges Required (PR), User Interaction (UI)
- Scope (S)
- Impact Metrics: Confidentiality Impact (C), Integrity Impact (I), Availability Impact (A)
All base metrics are required to generate a base score.
Figure 8.12: Common Vulnerability Scoring System Calculator Version 3