
Vulnerability Scanning and Analysis

Summary

This component has the auditor discover possible flaws in the organization's devices, services, application designs, and networks by testing them and comparing the results against a variety of online and offline resources (vulnerability databases, vendor advisories, and the auditor's own investigation) to identify known vulnerabilities. Basic vulnerability analysis should run alongside the other activities so that evidence can be gathered from the network while the auditor is on site; deeper research into specific discovered vulnerabilities and their exploits can happen after the on-site audit, to make the most of the short time the auditor has on site.

Purpose

It is not uncommon for a cash-strapped human rights NGO to run critical infrastructure itself on whatever equipment is available. A better-resourced organization may host its critical services at a remote data center, or outsource its IT infrastructure to cloud providers, such as Google Apps, and/or to ad-hoc services (Dropbox, Yahoo! mail, Wordpress, etc.). Regardless, it is rare for anyone to be designated to update and patch systems as vulnerabilities are disclosed, or to view the services from a security -- as opposed to availability -- standpoint.

Guiding Questions

    • What level of proof do you need to convey the importance (or unimportance) of a vulnerability to the organization? A version banner alone shows that a system is possibly vulnerable; a working exploit shows that it is exploitable.
    • How much of the IT staff's time would the organization and IT consider appropriate for you to request in order to get the information you need?

Operational Security

  • Treat the data and analyses of this step with the utmost security: a list of unpatched services is a ready-made attack plan against the organization.
  • If scanning or researching remotely, route the traffic through a VPN or Tor. Note that Tor only carries TCP over a SOCKS proxy, so raw-socket scans (for example nmap's default SYN scan) and UDP probes will not go through it; use connect-style scans or scan from a VPN endpoint instead.
  • Seek explicit permission for vulnerability scanning. NOTE: The organization might not be in a position to give you meaningful "permission" to carry out an active remote assessment of "cloud services" used within the organization; those systems belong to the provider, whose terms of service apply.
  • In situations where the auditor is doing this work remotely it is important to only run "safe" tests that have no realistic possibility of causing damage to the network or its services (for example, version detection and scripts in nmap's "safe" NSE category, not the "intrusive" or "vuln" ones, and no denial-of-service checks).

Preparation

    Baseline Skills

    • Vulnerability Scanning: General TCP/IP and networking knowledge; knowledge of ports, protocols, services, and vulnerabilities for a variety of operating systems; ability to use automated vulnerability scanning tools and interpret/analyze the results
    • Penetration Testing: Extensive TCP/IP, networking, and OS knowledge; advanced knowledge of network and system vulnerabilities and exploits; knowledge of techniques to evade security detection

Outputs

    • Lists of OVAL/CVE identifiers for each possibly vulnerable service/system.
    • Examples of live exploits for vulnerabilities where possible.
    • A short write up of each vulnerability including how it was identified.
    • The cleaned up output from any tests used to identify the vulnerability.
    • Document Vulnerabilities (per vulnerability)

      • Write Up

        • Summary - A short (two to three sentence) basic overview of the vulnerability, including a discussion of potential impacts.
        • Description - An in-depth (one to three paragraph) overview of the vulnerability.
        • Approach - Step-by-step explanation of the methodology used that is tool agnostic.
        • Proof - The cleaned up output from tests run to identify the vulnerability.
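The step from cleaned-up test output to "list of CVE identifiers per possibly vulnerable service" and then to the Summary/Description/Approach/Proof write-up is mostly mechanical, and doing it by script keeps the proof tied to the exact banner that produced the match. The example below is added here and is not part of the SAFETAG method itself: it parses lines in the shape of `nmap -sV` normal output (the scan text and the 192.0.2.x hosts are constructed, not a real scan), compares each service version against a small offline advisory table, and prints one write-up skeleton per hit. The two table entries are real, well-known CVEs; a real audit would pull affected ranges from NVD or vendor advisories rather than hand-typing them. A banner match only ever supports "possibly vulnerable": distributions backport fixes while keeping the upstream version string, so every hit still needs confirmation before it is reported as exploitable.

```python
"""Match cleaned-up `nmap -sV` output against a small offline advisory table
and emit a per-finding write-up skeleton (Summary / Description / Approach /
Proof). Added example for this page; the scan text and hosts are constructed,
the two advisory entries are real CVEs."""
import re
from dataclasses import dataclass

# Constructed sample in the shape of `nmap -sV` normal output (not a real scan).
SAMPLE_SCAN = """\
Nmap scan report for 192.0.2.10
PORT    STATE    SERVICE  VERSION
21/tcp  open     ftp      vsftpd 2.3.4
22/tcp  open     ssh      OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
25/tcp  filtered smtp
443/tcp open     ssl/http Apache httpd 2.2.22 ((Ubuntu) mod_ssl/2.2.22 OpenSSL/1.0.1e)

Nmap scan report for 192.0.2.11
PORT    STATE    SERVICE  VERSION
443/tcp open     ssl/http Apache httpd 2.4.41 ((Ubuntu) OpenSSL/1.1.1f)
"""

@dataclass
class Advisory:
    cve: str
    product_re: str   # regex whose group(1) captures the version in a banner
    min_ver: str      # lowest affected version, inclusive
    max_ver: str      # highest affected version, inclusive
    note: str

# Offline table. Both entries are real CVEs; in an audit these ranges come
# from NVD / vendor advisories, not from memory.
ADVISORIES = [
    Advisory("CVE-2011-2523", r"\bvsftpd (\d[\w.]*)", "2.3.4", "2.3.4",
             "vsftpd 2.3.4 backdoored release tarball; only this exact version"),
    Advisory("CVE-2014-0160", r"\bOpenSSL/?\s?(\d[\w.]*)", "1.0.1", "1.0.1f",
             "Heartbleed: OpenSSL 1.0.1 through 1.0.1f (fixed in 1.0.1g)"),
]

@dataclass
class Finding:
    host: str
    port: str
    banner: str
    cve: str
    note: str

def version_key(v):
    """Sort key for versions like '2.3.4', '1.0.1f', '7.2p2': the numeric
    parts, then the single trailing letter OpenSSL uses ('' sorts before 'a')."""
    m = re.match(r"(\d+(?:\.\d+)*)([a-z]?)", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(x) for x in m.group(1).split(".")), m.group(2)

def version_in_range(v, lo, hi):
    return version_key(lo) <= version_key(v) <= version_key(hi)

HOST_LINE = re.compile(r"^Nmap scan report for (\S+)")
PORT_LINE = re.compile(r"^(\d+/(?:tcp|udp))\s+open\s+(\S+)\s+(.+)$")

def find_candidates(scan_text, advisories):
    """One Finding per (open port, matching advisory). Closed/filtered ports
    and banners with no version are skipped. A match means 'possibly
    vulnerable' only: distro backports keep the upstream version string."""
    findings, host = [], None
    for line in scan_text.splitlines():
        h = HOST_LINE.match(line)
        if h:
            host = h.group(1)
            continue
        p = PORT_LINE.match(line)
        if not p or host is None:
            continue
        port, banner = p.group(1), p.group(3).strip()
        for adv in advisories:
            m = re.search(adv.product_re, banner)
            if m and version_in_range(m.group(1), adv.min_ver, adv.max_ver):
                findings.append(Finding(host, port, banner, adv.cve, adv.note))
    return findings

def write_up(f):
    """Skeleton in the page's Summary / Description / Approach / Proof layout."""
    return "\n".join([
        f"Summary: {f.host}:{f.port} advertises '{f.banner}', a version in the "
        f"range affected by {f.cve}.",
        f"Description: {f.note}. Banner match only; confirm before reporting "
        "as exploitable.",
        "Approach: service version detection, then comparison of the reported "
        "version against vendor/NVD affected ranges.",
        f"Proof: {f.port}  open  {f.banner}",
    ])

if __name__ == "__main__":
    for f in find_candidates(SAMPLE_SCAN, ADVISORIES):
        print(write_up(f), end="\n\n")
```

The version comparison is deliberately its own function: naive string comparison puts "1.0.1f" after "1.0.10" and "1.0.1" next to "1.0.1g", which is exactly the kind of error that turns a patched host into a false finding or hides an unpatched one. The "Proof" line quotes the raw banner so the write-up can be checked against the cleaned-up scan output the Outputs section asks for.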

References

Activities