Vulnerability Scan Reporting: Best Practices
by Eddie Cook, Information Security Analyst I
Vulnerability assessments are an excellent opportunity to get a strategic perspective on possible cybersecurity threats to your organization. Following are the four steps that MDT uses to start an effective vulnerability assessment reporting process. Whether you are using an automated or manual tool, these will help you establish a strong security posture, in turn helping to keep your organization ahead of the curve.
Step One: Conduct the Initial Assessment
Identify the risks of each of your network devices (assets), and also identify the critical value of each device. It’s crucial to define the level of importance of any device residing on your network. It’s also important to understand what level of access your users (including the general public) have to each device. A common way of expressing risk is as a product: the value of the vulnerable device multiplied by the threat the vulnerability represents to your organization. This is a good method for presenting the cost that a risk represents to your organization.
Many strategic factors should be considered, and you should have a clear understanding of the details of those factors. We recommend you consider the following:
- Level of risk that an organization is prepared to accept
- Risk mitigation policies and procedures for each device
- Residual risk management (these are risks left over even after mitigation)
- Vulnerability countermeasures for each device or service
- Business impact analysis (the impact of both the mitigation and the vulnerability)
- Risk Acceptance (vulnerabilities which make more sense to ignore vs. correct)
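The following is an added example, not part of MDT's own process or tooling, showing how the factors above can be turned into a repeatable scoring step. It assumes a 1 to 5 asset criticality scale, exposure weights for who can reach a device, a mitigation factor for compensating controls, and a risk appetite threshold; all of these values and the asset and finding data are constructed for illustration and would come from your own business impact analysis.

```python
"""Asset risk scoring for Step One (added example; all data below is constructed)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int   # assumed scale: 1 = low business value .. 5 = mission critical
    exposure: str      # who can reach it: "internal", "partner" or "public"


@dataclass(frozen=True)
class Vulnerability:
    asset: str
    title: str
    severity: float          # 0.0 .. 10.0, e.g. a CVSS base score
    mitigated: bool = False  # is a compensating control already in place?


# Assumed exposure weights: a publicly reachable device carries the full threat.
EXPOSURE_WEIGHT = {"internal": 0.5, "partner": 0.75, "public": 1.0}

# Assumed organizational risk appetite on the resulting 0..50 scale.
RISK_APPETITE = 12.0


def risk_score(asset, vuln):
    """Risk = asset criticality x threat, where threat = severity scaled by exposure."""
    threat = vuln.severity * EXPOSURE_WEIGHT[asset.exposure]
    return round(asset.criticality * threat, 2)


def residual_risk(asset, vuln, mitigation_factor=0.4):
    """Risk left over after a compensating control (factor is an assumed value)."""
    score = risk_score(asset, vuln)
    return round(score * mitigation_factor, 2) if vuln.mitigated else score


def classify(residual, appetite=RISK_APPETITE):
    """Accept the residual risk if it sits within appetite, otherwise remediate."""
    return "accept" if residual <= appetite else "remediate"


def assess(assets, vulns, appetite=RISK_APPETITE):
    """Score every finding against its asset and order by residual risk."""
    rows = []
    for v in vulns:
        a = assets[v.asset]
        residual = residual_risk(a, v)
        rows.append({
            "asset": a.name,
            "vulnerability": v.title,
            "inherent": risk_score(a, v),
            "residual": residual,
            "decision": classify(residual, appetite),
        })
    rows.sort(key=lambda r: r["residual"], reverse=True)
    return rows


# Constructed inventory and findings for the example.
ASSETS = {
    "web01": Asset("web01", 5, "public"),
    "hr-db": Asset("hr-db", 4, "internal"),
    "kiosk": Asset("kiosk", 1, "public"),
}
VULNS = [
    Vulnerability("web01", "Outdated TLS configuration", 7.5),
    Vulnerability("hr-db", "Unsupported database version", 6.5, mitigated=True),
    Vulnerability("kiosk", "Outdated TLS configuration", 7.5),
]

if __name__ == "__main__":
    for row in assess(ASSETS, VULNS):
        print(f"{row['asset']:6} {row['vulnerability']:30} "
              f"inherent={row['inherent']:5} residual={row['residual']:5} -> {row['decision']}")
```

The same vulnerability on two assets lands on opposite sides of the appetite line because criticality, not severity alone, drives the score; the segmented database shows how a documented compensating control turns an inherent risk into a residual one that can be formally accepted.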
Step Two: Define System Baselines
Next, gather information about your systems before you continue with the vulnerability assessment. It’s best to review open ports, processes and services to determine what shouldn’t be open. Also, review approved drivers and software and the basic configuration of each device (i.e., nothing should have a default administrator username configured).
Next, you should perform banner grabbing or some other reconnaissance means to learn what kind of “public” information is accessible based on the configuration baseline. Does your device send logs into a security information and event management (SIEM) platform? Are the logs stored in a central repository? Do you have a baseline template for initial device configuration? Is the baseline updated each time a new vulnerability forces a change?
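As an added example (not MDT's tooling), the following script shows what a baseline template can look like once written down, and how a recorded observation of a device is compared against it. The baseline contents, the observed host data and the service banners are constructed; the checks mirror the questions above: unexpected open ports, unapproved software, a default administrator account, missing SIEM forwarding, and banners that disclose version information.

```python
"""Baseline drift check for Step Two (added example; constructed data)."""
import re

# Constructed baseline template for a "web server" role.
BASELINE = {
    "allowed_ports": {22, 80, 443},
    "approved_software": {"nginx", "openssh-server", "chrony"},
    "forbidden_usernames": {"admin", "administrator"},
    "siem_forwarding_required": True,
}

# Constructed observation, as a port review plus configuration audit would record it.
OBSERVED = {
    "host": "web01",
    "open_ports": {22, 80, 443, 8080},
    "installed_software": {"nginx", "openssh-server", "chrony", "telnetd"},
    "local_admins": {"deploy", "admin"},
    "siem_forwarding": False,
    "banners": {80: "Server: nginx/1.18.0 (Ubuntu)", 22: "SSH-2.0-OpenSSH_8.9"},
}

# A dotted version number inside a banner is "public" information worth suppressing.
VERSION_PATTERN = re.compile(r"\d+\.\d+(\.\d+)?")


def compare_to_baseline(baseline, observed):
    """Return (kind, detail) tuples for every deviation from the baseline."""
    deviations = []
    for port in sorted(observed["open_ports"] - baseline["allowed_ports"]):
        deviations.append(("unexpected_port", str(port)))
    for pkg in sorted(observed["installed_software"] - baseline["approved_software"]):
        deviations.append(("unapproved_software", pkg))
    for user in sorted(observed["local_admins"] & baseline["forbidden_usernames"]):
        deviations.append(("default_admin_account", user))
    if baseline["siem_forwarding_required"] and not observed["siem_forwarding"]:
        deviations.append(("no_siem_forwarding", observed["host"]))
    for port, banner in sorted(observed["banners"].items()):
        if VERSION_PATTERN.search(banner):
            deviations.append(("version_in_banner", f"{port}: {banner}"))
    return deviations


if __name__ == "__main__":
    for kind, detail in compare_to_baseline(BASELINE, OBSERVED):
        print(f"{OBSERVED['host']}: {kind} -> {detail}")
```

Because the baseline is plain data, updating it when a vulnerability forces a change is a reviewable edit to this file rather than tribal knowledge, which answers the last question above.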
Step Three: Perform the Vulnerability Scan
Be sure to set the correct scanner policy, depending on the scanner you use, to accomplish the desired results. Before scanning, understand any compliance requirements based on your company’s posture and business. Then determine the best time to perform the scan, as scans tend to be disruptive to business processes. It’s important to recognize your business posture and determine if the scan can be performed all at once or if it needs to be segmented. Note that, once you have completed all of the above preparation, it is very important to define and get policy approval to perform the vulnerability scan. You are now ready to perform the vulnerability scan.
For the best results, use related tools and plug-ins for each vulnerability scanner or tool, such as, but not limited to:
- Best port scan (i.e., popular ports)
- CMS web scan (Joomla, WordPress, Drupal, general CMS, etc.)
- All port scan (i.e., 65,535 ports)
- Firewall scan
- Stealth scan
- Aggressive scan
- Use of exploits and distributed denial-of-service (DDoS) attacks
- Open Web Application Security Project (OWASP) Top 10 Scan, OWASP Checks
Here are some commonly used scanners (there are many more):
- Qualys Enterprise Vulnerability Scanner
- Qualys SSL Scanner (https://www.ssllabs.com/ssltest/)
- Nessus
- Nmap (nmap.org)
- WPScan (wpscan.org)
- https://urlscan.io/
In case you need to perform an authenticated scan for the critical assets, be sure to set your credentials in the scanner authentication configuration for a better and deeper vulnerability assessment. Each result of the scan should be carefully analyzed to determine if:
- The findings are a true positive
- Each finding is high, medium or low severity
- The vulnerability can truly be corrected
- A vulnerability correlates to other vulnerabilities, which could all be mitigated with one fix
- There are alternative workarounds other than the suggested solution (network segmentation, removing software, hotfixes, restricted access, etc.)
Step Four: Create a Vulnerability Assessment Report
Report creation is the final but most important step. Pay attention to details that will add extra value in the recommendation area of the report. To gain the most value from the final report, be sure to add recommendations based on your initial assessment goals.
Next, add risk mitigation techniques based on asset criticality and scan results. Add any findings related to gaps between your scan results and the system baselines, and also make recommendations for correcting the deviations to mitigate possible vulnerabilities. Findings on vulnerability assessments should be ordered by level of severity to ensure that an appropriate level of attention is given to each vulnerability. It’s important to realize that high and medium vulnerabilities should have a detailed report that includes:
- The vulnerability name
- Discovery date and time
- The score, based on Common Vulnerabilities and Exposures (CVE) databases
- A detailed vulnerability description
- Details regarding the affected systems
- Details regarding solutions to correct the vulnerability
- Any proof of concept (PoC) of the vulnerability correction
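The following is an added example, not MDT's report template, that assembles the report section described above from scanner findings. It drops findings marked as false positives, merges findings that share one fix (the correlation check from Step Three), orders the result by severity, and writes the full field set only for high and medium items. The findings, timestamps and the CVSS-style banding thresholds are constructed assumptions.

```python
"""Report assembly for Step Four (added example; constructed findings)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Finding:
    name: str
    asset: str
    score: float          # e.g. the CVSS base score recorded in the CVE database
    discovered: str       # ISO 8601 timestamp from the scanner
    description: str
    solution: str         # identical solution text means one fix covers the findings
    verification: str     # proof of concept that the correction worked
    true_positive: bool = True


def severity_band(score):
    """Assumed CVSS-style banding; adjust to the scanner's own scale."""
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def build_report(findings):
    """Drop false positives, merge findings sharing one fix, order by severity."""
    groups = defaultdict(list)
    for f in findings:
        if f.true_positive:
            groups[f.solution].append(f)
    sections = []
    for solution, items in groups.items():
        top = max(items, key=lambda f: f.score)
        sections.append({
            "severity": severity_band(top.score),
            "score": top.score,
            "names": [f.name for f in items],
            "affected": sorted({f.asset for f in items}),
            "discovered": min(f.discovered for f in items),
            "description": top.description,
            "solution": solution,
            "verification": top.verification,
        })
    sections.sort(key=lambda s: s["score"], reverse=True)
    return sections


def render(sections):
    """Detailed entries for high/medium, a one-line summary for low."""
    lines = []
    for s in sections:
        lines.append(f"[{s['severity'].upper()} {s['score']}] " + "; ".join(s["names"]))
        if s["severity"] == "low":
            lines.append(f"  affected: {', '.join(s['affected'])}; fix: {s['solution']}")
            continue
        lines.append(f"  discovered: {s['discovered']}")
        lines.append(f"  affected:   {', '.join(s['affected'])}")
        lines.append(f"  details:    {s['description']}")
        lines.append(f"  solution:   {s['solution']}")
        lines.append(f"  verify:     {s['verification']}")
    return "\n".join(lines)


# Constructed scanner output for the example.
FINDINGS = [
    Finding("TLS 1.0 enabled", "web01", 7.5, "2024-03-05T10:12:00",
            "Legacy protocol version accepted by the HTTPS listener.",
            "Disable TLS 1.0/1.1 in the nginx ssl_protocols directive",
            "Re-run the TLS scan and confirm only TLS 1.2+ is offered"),
    Finding("Weak cipher suites", "web01", 5.3, "2024-03-05T10:14:00",
            "CBC-mode cipher suites offered alongside modern ones.",
            "Disable TLS 1.0/1.1 in the nginx ssl_protocols directive",
            "Re-run the TLS scan and confirm only TLS 1.2+ is offered"),
    Finding("SMB signing not required", "kiosk", 5.3, "2024-03-05T10:20:00",
            "Scanner flagged SMB, but the port is filtered by the host firewall.",
            "n/a", "n/a", true_positive=False),
    Finding("Database listener bound to all interfaces", "hr-db", 8.6, "2024-03-05T10:30:00",
            "The database accepts connections on every network interface.",
            "Bind the listener to the internal VLAN address only",
            "Port review from the user VLAN shows the database port closed"),
    Finding("Directory listing enabled", "web01", 3.1, "2024-03-05T10:35:00",
            "Autoindex exposes the contents of a static assets folder.",
            "Disable autoindex for the static location",
            "Requesting the folder URL returns 403"),
]

if __name__ == "__main__":
    print(render(build_report(FINDINGS)))
```

Keeping the solution text identical across correlated findings is what lets the grouping work; in practice the analyst normalizes that field during the Step Three review before the report is generated.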
In conclusion, using these steps when performing a vulnerability assessment should reflect a complete understanding of your organization’s security posture throughout the process. It delivers a better outcome for something that, in most cases, is a compliance tool.