Now, of all the things that we need to know, all the puzzle pieces that we need to put together in order to detect and fix vulnerabilities, we need to think about two major topics. What exactly do we scan and how do we do it? So the problem is that a company might have thousands or tens of thousands of devices, everything from workstation hosts, servers, laptops, mobile phones, IP cameras, security systems, network devices like switches, routers, firewalls and whatnot.
And keeping track of all this and scanning it all in a consistent manner is a lot, a lot of work. Now, it might not really look as bad as in this picture right here, but it's still going to be very, very bad, right? So let's bring some order to this madness and try to prioritize first. The first thing we can start with is asset criticality, which means, at the end of the day, what's important to you, what's critical to you, and what isn't. Which means that the first step for us would be to prioritize what we need to monitor, in order to know how to prioritize what we need to fix when the results come in.
And to determine how critical a specific asset really is, think about the impact of having this asset affected in any malicious way, like destroyed, stolen, compromised, in any way. And remember that not everything is critical. In some cases, it would be bad if a certain asset would be compromised or lost, but it wouldn't really hurt the company that much. Now, think about a situation in which the espresso machine gets hacked. For each business process here, your asset would be something along these lines.
So first, we'll start with people. You thought we were going to start with servers, right? These are your employees, your partners, your suppliers, even the visitors that come into your building, your offices. Then we're going to talk about tangible assets.
Things like IT equipment, storage devices, even furniture, desks, and buildings. Why the buildings? Well, if you think that you're an online business and your e-commerce website relies on 10 servers, for example, well, try running those 10 servers out on the sidewalk. And finally, we're going to focus on intangible assets. Things you can own
but can't touch. These are things like product ideas, development plans, your brand, even your reputation. And keeping track of everything that you own is no easy task. That's why there are dedicated tools out there for asset and inventory tracking that can help you out tremendously. And there are many solutions out there for inventory tracking.
Try to use at least one, even an open source one, and try to document at least the following information: the type of the device, the model of the device, the serial number, maybe even the internal ID if you have an internal database that keeps track of those devices, where it is located, which user is currently using that device or who that device belongs to, what the monetary value is (how much it cost), and of course any service information as well, because at some point you might need to fix that device or replace it, and you should quickly be able to identify the point of contact from the vendor or the reseller that can replace that device for you. And within software like this, a dedicated asset and inventory tracking software, you'll first have to decide on some type of classification. You need to classify your assets, your devices.
And classification basically means creating some grouping of your devices, of your assets, with similar purposes. For example, you can group your devices by usage, like devices that are used in production, in test environments, for development, and so on. We can classify them by different network sections.
To which network do they belong to? By sensitivity level, public, private, you know, restricted, confidential, how sensitive is the information that is retained or is stored on those devices? Any type of external information? Do they communicate information with customers or partners?
Do they store personally identifiable information, for example? Also by financial value, right? How expensive was that device? You might want to treat your expensive devices, your expensive investments in your assets, in a more particular manner. Any legal requirements that you might have in place to retain these assets:
these assets might become critical simply because it's mandatory to have them up and running. And finally, any contractual obligations you might have to your customers, your partners, or any third parties out there. Now, the first tool that we're going to be talking about is called an infrastructure vulnerability scanner. And one thing to point out here: this is not going to be Nmap, right?
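Before moving on to scanners, here is the asset classification and criticality ranking described above, worked through in code. This is an added example, not something from the lecture or from any inventory product: the `Asset` record carries the inventory fields the lecture lists (type, model, serial number, internal ID, location, user or owner, monetary value, service contact) plus the classification dimensions (usage, network section, sensitivity level, PII and external data, financial value, legal retention, contractual obligations), and a constructed weighting turns those into a score that decides what gets scanned and fixed first. The weights and the sample assets are made up for illustration.

```python
"""Asset inventory record, classification views and a criticality score.

Added example, not from the lecture.  The WEIGHTS table and SAMPLE_ASSETS
are constructed; tune the weights to your own risk appetite.
"""
from dataclasses import dataclass
from enum import IntEnum


class Sensitivity(IntEnum):
    PUBLIC = 0
    PRIVATE = 1
    RESTRICTED = 2
    CONFIDENTIAL = 3


@dataclass
class Asset:
    asset_type: str          # "server", "laptop", "printer", "iot", ...
    model: str
    serial: str
    internal_id: str         # key in your own inventory database
    location: str
    owner: str               # user currently holding it, or the team it belongs to
    value_usd: float         # what it cost / monetary value
    service_contact: str     # vendor or reseller to call for repair or replacement
    usage: str               # "production", "test", "development", "other"
    network: str             # network section / VLAN it lives in
    sensitivity: Sensitivity = Sensitivity.PRIVATE
    stores_pii: bool = False          # personally identifiable information on it
    external_facing: bool = False     # exchanges data with customers or partners
    legal_retention: bool = False     # regulation requires it to stay available
    contractual_sla: bool = False     # customers/partners contractually depend on it


# Constructed weights: how much each classification dimension contributes.
WEIGHTS = {
    "usage": {"production": 30, "test": 10, "development": 5},
    "sensitivity_per_level": 8,
    "stores_pii": 20,
    "external_facing": 10,
    "legal_retention": 15,
    "contractual_sla": 15,
}


def criticality(asset: Asset) -> int:
    """Score from 0 to 100: the higher, the earlier it is scanned and fixed."""
    score = WEIGHTS["usage"].get(asset.usage, 0)
    score += WEIGHTS["sensitivity_per_level"] * int(asset.sensitivity)
    for flag in ("stores_pii", "external_facing", "legal_retention", "contractual_sla"):
        if getattr(asset, flag):
            score += WEIGHTS[flag]
    # Financial value adds a small bump (1 point per 10k), capped so that
    # price alone never outranks a cheap but business-critical asset.
    score += min(int(asset.value_usd // 10_000), 10)
    return min(score, 100)


def prioritize(assets):
    """Assets ordered by descending criticality; ties broken by internal ID."""
    return sorted(assets, key=lambda a: (-criticality(a), a.internal_id))


def group_by(assets, attribute):
    """Classification view: {value of attribute: [internal IDs]}."""
    groups = {}
    for a in assets:
        groups.setdefault(str(getattr(a, attribute)), []).append(a.internal_id)
    return groups


SAMPLE_ASSETS = [  # constructed sample inventory
    Asset("server", "Dell R740", "SN-0001", "A-100", "DC1 rack 3", "web team", 8_000.0,
          "Dell ProSupport", "production", "dmz", Sensitivity.CONFIDENTIAL,
          stores_pii=True, external_facing=True, contractual_sla=True),
    Asset("server", "HP DL380", "SN-0002", "A-101", "DC1 rack 4", "HR", 25_000.0,
          "HP CarePack", "production", "corp", Sensitivity.RESTRICTED,
          stores_pii=True, legal_retention=True),
    Asset("laptop", "ThinkPad T14", "SN-0003", "A-200", "office 2F", "jdoe", 2_000.0,
          "Lenovo reseller", "development", "corp"),
    Asset("iot", "Espresso 9000", "SN-0004", "A-300", "kitchen 1F", "facilities", 1_500.0,
          "coffee vendor", "other", "iot", Sensitivity.PUBLIC),
]


if __name__ == "__main__":
    for a in prioritize(SAMPLE_ASSETS):
        print(f"{criticality(a):3d}  {a.internal_id:6s} {a.asset_type:8s} {a.model}")
    print(group_by(SAMPLE_ASSETS, "usage"))
```

The espresso machine from the lecture's own example lands at the bottom of the list with a score of zero, while the customer-facing e-commerce server that holds PII and carries an SLA lands at the top; the `group_by` view gives the "by usage", "by network" or "by sensitivity" groupings the classification step asks for.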
Nmap is just a network scanner, right? It only looks for open ports, running services, which hosts are up in the network, but that's it. It doesn't look for vulnerabilities. But of course, a vulnerability scanner is going to look for vulnerabilities.
Basically, it's going to be just a piece of software that scans your network, your hosts, your endpoints, your servers, looks for any applications or services that might be running on them, and looks for specific things that might be of security concern. Things like what operating systems you are running. What versions do they have? What patches or service packs they have installed? Any services that might be running in your network, on your network devices, on your hosts, on your workstations, even on your servers, of course.
The configuration of these devices: it actually looks at how they are configured. Network shares that might be accessible, right, in a secure manner or not. User accounts: what kind of users, what types of users are configured on these network devices,
and also what their privileges are. And of course, weak security policies: the infrastructure vulnerability scanner looks for the security policies that you currently have implemented on your devices and tries to compare them to some best practices, or to some known caveats or things to avoid when configuring these security policies. So this is how it can actually let you know when some things are not recommended or not secure enough
in your network and might open you up to specific vulnerabilities. The first thing a vulnerability scanner will do is create an inventory of what we currently have in our network. Things like all the servers, all the devices, the services that are running on them, on what ports they are running, what versions they have, what plugins they currently have installed.
This is going to be very similar to the host discovery and the network scanning functionality that you're going to find in tools like Nmap or hping. Actually, most infrastructure vulnerability scanners will use Nmap internally for this enumeration task, for this first task.
So we need to know what's inside of our network because we then need to know what to further scan for actual vulnerabilities. Now, about the difference between active and passive scanning. You might think that any type of scanning that we do is an active one, because it's an action that we decide to do, that we decide to interact directly with the network. But there are some fine differences here.
So starting with passive scanning, right? This is about scanning or looking for information that would be available to you anyway, with or without your scanning to catch that information. Think of it as waiting in front of a building and watching who goes in and out, what security measures are in place to enter that building,
perhaps even peeking through a ground level window and checking what's inside. It's basically one of those methods of scanning that doesn't get you involved with the target. We're not going to call it a victim now, because we're scanning for vulnerabilities, we're not doing penetration testing, but this is a type of scanning that doesn't interact with the services or with the host in any way.
It relies on public information, it relies on traffic captures, whatever can be deduced from whatever information is publicly available without directly interacting with those targets. Passive scanning's greatest advantage is the fact that it's not going to negatively impact any of your network services or any of your hosts or servers that are running in there, because you're not directly interacting with them. On the other hand, it's not going to provide you with as much detail as active scanning. Now, active scanning, on the other hand, requires you to actually get involved with your target.
You attempt an action that must generate a response from that target, and then you analyze that response. To create an analogy here, think about trying to actually enter a building, calling the reception and lying about who you are while trying to get more information about who's working in there. Now, for IT and for network scanning, it involves some sort of connection that you create to your targets: scanning for IP addresses, open ports, hitting the security devices like the firewalls, the web application firewalls, the IPSs with some traffic just to see how they're going to react, which might provide you with some insight as to which vulnerabilities they might have. Now, of course, since this requires interaction with the network devices and with the servers, in some cases it might create some performance issues and might even create downtime.
You might actually crash some of your network devices or some of your servers. So be very careful. This is the type of vulnerability scanning that you will always perform outside working hours because you might adversely affect your entire infrastructure. You might bring down the company actually with such a scan. Another important aspect comes from the difference between a credentialed and a non-credentialed scan.
Now, with a credentialed scan, the scanning software will actually receive from you, from the admin, a valid user account. It might be a regular user account, it might be an admin user account, that can be used and will be used to log in to certain hosts and then perform some automated checks on them. These authenticated checks are going to provide a much more in-depth analysis, much more detail about that scanned environment. Now, for example, you don't need to scan every port and try to figure out what service is running on it. You can simply get the list of running services from the operating system itself.
You can also access the operating system's configuration and any security policies that you might have in place without relying on trial and error to figure out what those access lists actually look like. Now, from an attacker's perspective, this is similar to the point of view of an insider threat, so of someone who already has access inside your systems. Now, while this type of scan provides much more detail, sometimes you might want to be able to think like an attacker that doesn't have all this admin-level access to your network. The second type of scanning is the non-credentialed scan, which is conducted by probing or testing your hosts, your networks, without having any valid login credentials. Now this is where you get the outside hacker's default point of view, and it's kind of appropriate for scanning your network perimeter.
Now, as an exam tip here, remember that this type of scanning is always going to use a lot more bandwidth from your network, simply because the scanning software has to go through a lot of trial and error, trying different ports, different scanning methods, sometimes even brute-forcing some attempts, to extract more information from your applications and your services. Also, this intense scanning behavior might lead to some applications crashing in your environment, because they might not be able to cope with this amount of traffic.
So don't attempt such intrusive operations during work hours. Another way to differentiate between scanning software is to think about which of them are server-based or agent-based. Now, so far we have assumed that all our scanning is done from some central location inside of our network or outside of our network. But some vulnerability management solutions rely on agents installed on each host. Now, these agents are administered from the central console.
They are the ones that actually run the scans on the hosts themselves and report findings back to that central console. So the agent-based approach has a couple of advantages. First, it's going to always be credentialed by default because the agent has to be installed on that host, on that device, so it has to run with some privileges.
They're also going to have a very low consumption of bandwidth and CPU resources, since scanning is performed locally and only summaries of the findings are communicated back to the central console. They can also be used on devices that are not always connected to the network, things like mobile devices, phones, laptops and so on: the agent will collect the data and will report its findings on the next occasion when the device connects back to the network. Now, the downsides of agent-based scanning are, of course, an increased management overhead. You have to get that agent installed and up to date on all the devices that you want to scan.
You won't be able to install it on every device. You can install it, perhaps, let's say, on Windows operating systems, on Linux, on Mac OS, but perhaps not the same agent on things like, let's say, Cisco routers or HP printers. And also, it's going to be another backdoor, and that's not going to keep the security team very happy, because it might be an additional attack vector. It might open you up to additional vulnerabilities simply because you have an additional piece of software, an additional component in your network, and that's going to be very bad if your agent is compromised. Yeah, you might be thinking we're talking about spy movies here. But actually, if an attacker can control your agent network, then they're going to be able to control your entire network, just like a botnet, because those agents are installed and have privileges on all your devices. And also, let's not forget about the issue of segmentation. Now, why is segmentation important from a vulnerability scanning point of view?
Well, it's important because most networks will have a number of VLANs, subnets, even remote networks behind site-to-site VPNs, for example. And for scanners to work properly, they have to be able to reach your assets.
They have to be able to connect to those assets, to their agents, or to run a credentialed scan or non-credentialed scan. They have to be able to reach their targets. And also, in case you're using agent-based scanning, you have to make sure that those agents are able to reach back to the management host to report their findings.
And this boils down to actually having proper routing rules and firewall rules in place to permit this type of traffic. Also, you have to keep in mind that a lot of these vulnerability scanning tools out there are going to look to an IPS or an IDS a lot like the reconnaissance phase of an attack. And you might get a ton of alerts and even your scan getting blocked by those internal tools. If that happens, well, congratulations.
That means you have properly configured your IPSs and IDSs, but shame on you for forgetting to whitelist your scanning devices. Also, it might be a good idea for you to consider using a dedicated management network.
That can be either a separate VLAN or even a completely separate physical network designed especially for managing, controlling, and scanning and assessing your infrastructure. Okay, so how often should we actually do this scanning business, right? Once it's probably not enough. Too often it's probably overkill.
Well, the frequency of scanning depends on your risk appetite. Are you okay with assuming some risks and just running the scans once in a while? It also depends on some technical constraints.
Some things to keep in mind are the fact that scanning can cause severe disruptions in your network, in your services, a degradation of those services, and high resource usage. Also, keep in mind any licensing limitations that you might have on your scanning software, and also the time constraints. Scanning can take a very, very long time, and you might not want to interfere with working hours. But as a best practice, let's say, try running your vulnerability scans at least when something changes in your environment, in your network: when something new is added, when something is changed, when something is updated
or upgraded, every time something changes from a hardware or software perspective in your network. Secondly, do it if, of course, regulations and other requirements say that you should. And also, always do it after a security breach.
This is kind of a no-brainer, right? You need to be able to better understand what happened in there and to clearly identify what caused that security breach, which was most likely a vulnerability that should have been detected by a vulnerability scan.
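Two of the points above, that an authorized scan looks like the reconnaissance phase of an attack to an IDS/IPS unless the scanner is whitelisted, and that intrusive scans belong in an agreed window outside working hours, can be combined into one alert-triage rule. The following is an added example and not code from the lecture or from any IDS: the one-line-per-alert format, the management subnet, the scanner addresses, the signature markers and the 22:00 to 05:00 window are all constructed. Recon alerts are suppressed only when they come from an approved scanner on the management network inside the window; a recon alert from anywhere else, a scanner active during office hours, or a non-recon signature from the scanner itself (the compromised-agent case the lecture warns about) is escalated.

```python
"""Triage IDS alerts so authorized vulnerability scans are not mistaken for reconnaissance.

Added example, not from the lecture.  Everything below (policy values,
alert format, sample alert lines) is constructed; real IDS output such as
Suricata EVE or Snort fast alerts needs its own parser.
"""
import re
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Constructed policy: scanners live on the management VLAN and may only
# scan between 22:00 and 05:00, i.e. outside working hours.
MGMT_NET = ip_network("10.99.0.0/24")
APPROVED_SCANNERS = {ip_address("10.99.0.5"), ip_address("10.99.0.6")}
WINDOW_START, WINDOW_END = time(22, 0), time(5, 0)
# Substrings that mark a signature as reconnaissance (port sweeps, Nmap probes).
RECON_MARKERS = ("ET SCAN", "PORTSCAN", "NMAP")

LINE_RE = re.compile(r'^(\S+) sig="([^"]+)" src=(\S+) dst=(\S+) dport=(\d+)$')

# Constructed sample alerts: two from the scanner inside the window, one from
# the scanner during office hours, one port sweep from an ordinary workstation,
# and one non-recon signature coming from the scanner itself.
SAMPLE_ALERTS = """\
2024-03-02T23:15:02 sig="ET SCAN Potential SSH Scan" src=10.99.0.5 dst=10.1.0.20 dport=22
2024-03-02T23:16:40 sig="PORTSCAN TCP portsweep" src=10.99.0.5 dst=10.1.0.10 dport=445
2024-03-03T09:05:11 sig="PORTSCAN TCP portsweep" src=10.99.0.5 dst=10.1.0.10 dport=445
2024-03-02T23:20:00 sig="ET SCAN NMAP -sS window 1024" src=10.1.0.77 dst=10.1.0.10 dport=3389
2024-03-02T23:21:00 sig="ET MALWARE Known C2 beacon" src=10.99.0.5 dst=203.0.113.9 dport=443
"""


@dataclass
class Alert:
    ts: datetime
    sig: str
    src: object   # ipaddress address object
    dst: object
    dport: int


def parse_alert(line):
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised alert line: {line!r}")
    ts, sig, src, dst, dport = m.groups()
    return Alert(datetime.fromisoformat(ts), sig, ip_address(src), ip_address(dst), int(dport))


def in_window(ts):
    """True if the timestamp falls inside the approved scan window (it may wrap midnight)."""
    t = ts.time()
    if WINDOW_START <= WINDOW_END:
        return WINDOW_START <= t < WINDOW_END
    return t >= WINDOW_START or t < WINDOW_END


def is_recon(sig):
    upper = sig.upper()
    return any(marker in upper for marker in RECON_MARKERS)


def triage(alert):
    """Return ("suppress" | "escalate", reason) for one alert."""
    if not is_recon(alert.sig):
        # Anything that is not scan noise is handled normally, even from the
        # scanner: a compromised scanner is exactly the case to catch.
        return "escalate", "not a reconnaissance signature"
    if alert.src not in MGMT_NET or alert.src not in APPROVED_SCANNERS:
        return "escalate", "recon from a host that is not an approved scanner on the management network"
    if not in_window(alert.ts):
        return "escalate", "approved scanner active outside the scan window"
    return "suppress", "authorized scan from the management network inside the window"


def triage_log(text):
    """Triage every non-empty line of a log; returns a list of (decision, reason)."""
    return [triage(parse_alert(line)) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    for line, (decision, reason) in zip(SAMPLE_ALERTS.splitlines(), triage_log(SAMPLE_ALERTS)):
        print(f"{decision:8s} {reason:75s} <- {line}")
```

The order of the checks matters: the signature test comes first so that a whitelist entry never silences non-scan activity from the scanner's own address, and the window test comes last so that the reason string tells the analyst which part of the policy was violated.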
Now, when it comes to actually choosing a scanner, probably the first question that you'll want to answer is whether you want to pay for it or not. There are free scanners available, there are paid products as well, and the main difference is that the paid scanners usually rely on a proprietary database of vulnerabilities and scanning methods, which should be more often updated and better maintained than the free ones. But you should still investigate, or ask the vendor, how often those updates actually happen. Now, you should also consider the fact that there are specialized scanners out there.
So you might want to look into things like web application vulnerability scanners, which are software scanners specifically designed to find vulnerabilities and weaknesses in web applications. You might want to look into mobile application scanners that look for vulnerabilities in mobile applications for Android or iOS, or even network scanners that look for weaknesses in your networking configuration, in your networking devices. Now, just to give you some exam tips here and some examples, the first one that the exam is most likely going to ask you about is Nessus. It's the most well-known one.
It also has a free version, but it has mainly become a commercial product now. Initially, it was open source, and then it became a paid product. It does have a ton
of scan profiles already built in, but of course you can also define your own custom scanning plugins using a language called NASL, the Nessus Attack Scripting Language. Another one is OpenVAS, which is open source and was initially developed from the Nessus codebase back in the good old days when Nessus was completely open source and free as well. Now it's part of the Greenbone Community Edition security appliance. Finally, Qualys is another infrastructure vulnerability manager, but it is mostly a cloud-based service. It's based on sensors installed all over your network, including your cloud locations, if you have any.
And those sensors can be deployed as agents or as virtual machines, passive or even out of band for those air-gapped locations that you don't need or want to connect to the outside world. Okay, so let's see a quick demo of OpenVAS, and I'm going to be using Kali Linux for this.
I'm going to start by starting up the OpenVAS services. Let's wait a couple of seconds for them to boot up. All right, everything is up and running. Let's open up our browser and navigate to the OpenVAS internal web page. Log in here.
And this is the main dashboard that you see the first time you log into an OpenVAS installation. Now, one of the first things that we're going to do before initiating a scan is going to be to specify some credentials. So let's have a look over in the menu here. We're going to jump into the configuration tab and then onto credentials.
We're going to do a credential scan. Here we're going to create a new set of credentials. Click on the new credential button. Specify a name here.
Now the type of credential you can see it's a combination of username and password. And in our case the username and password combination is going to be a set of Windows credentials. So we're going to add the Windows domain in here and the administrator user with the password.
And we're going to allow insecure use so we don't have to worry about certificate validation here. You can see you can also choose to authenticate using SSH keys, public certificates, depending on the device that you're connecting to. Right, we have our set of credentials right now.
You can see them here on the left, username and password. Next, we're going to move on to the targets configuration, which is where we actually specify what we want to scan. Right, we're going to create a new set of targets, give it a name here, and an IP address to scan.
It's actually going to be a network address with a slash 24 CIDR prefix. I'm going to add a host exclusion, so we don't scan the 10.1.0.254 host here. And under the credentials section, for these specific hosts, since they are Windows hosts, we're going to choose under SMB the credential set that we've just created a couple of seconds ago. So we also have our targets in our subnet defined here in OpenVAS.
Next step is scan config. So what type of scan do we actually want to run? How deep do we want it to be?
How detailed do we want it to be? You can see it does have a couple of default profiles in here, starting with host discovery or system discovery and going really deep; actually, they are called "full and very deep" and "full and very deep ultimate". All right, so these are the scanning profiles we can use. And in order to actually use one of those scanning profiles and combine all the things that we have defined so far, what we're going to do is create a schedule. This is going to be a daily scan schedule. I'm going to set it to run today, and you can also see the video recording date on the screen, with a period of one day and a maximum duration of one hour. Right, that's our scan schedule; click on create. Finally, we go under scans and tasks. We can skip this nice wizard here because we're going to do it manually; just close it and create a new scanning task. Click on new task, give it a name, choose the scan targets to use, choose the scan schedule, scroll down and choose the scan config, remember the ones that we've just seen a couple of minutes ago. I'm going to choose "full and fast" and create. Now the task has been created but doesn't run just yet, because it's going to run on the next day as per our scheduling. So we can just click on its name and you can see all the details here; it's due tomorrow. So we don't want to wait until tomorrow, and we can just click on the play button, the green play button at the top, to cause it to start right now. You can see the status has become requested. It's going to take a while now to run.
So if you want to stay on this page, you can choose the refresh interval at the top of this page right here. And since this is going to take a while, we're going to use the magic of screen recording and jump into the future. All right, our scan is now done, as you can see here: status is done, and the duration was one hour and four minutes. Well, it was a full scan, so we expected it to take some time. Head back over here to the report section. The only report that we have is the report for our scan that has just completed. All right, so you can see a summary of our scan: how many high priority results we have, how many medium, lows, and a general severity of our scan. Now a score of 10 is the highest possible, at the bottom over there, which means that we are going to be seeing a lot of damage here.
A lot of critical vulnerabilities. Okay, we can filter this report some more if we want to look at a specific host out of our slash 24 network that we used as the source for our scan targets.
And you can see all the vulnerabilities here sorted by their CVSS scores and the host, the type, the categories they were located in. Now, of course, all these vulnerabilities can be detected as long as they are found in the internal database of the scanning engine. Now, as you can see, the OpenVAS solution, even though it's a free and open source product, is able to detect a huge number of vulnerabilities, actually. Now let's choose one of these here, like the Windows SMB authentication bypass. This is a high vulnerability here with a CVSS score of 7.5. It will provide you with a lot more details here, like the description of the vulnerability, potential fixes, solutions, workarounds if there are any, a description of the CVE entry as well, and also the base score used for the CVSS calculation. Now we're going to look into these base scores in the next video and understand more about what they actually tell us, but as far as this small demo goes, this is a very easy way to automate and implement vulnerability scanning in your own network without paying for any commercial product out there. All right, so for the exam, this is going to be a very important topic.
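The report handling shown in the demo, severity counts for the whole scan, the highest score, and a per-host view sorted by CVSS score, as an added example that is not part of the lecture and not OpenVAS code. The XML below is a constructed, simplified report loosely modelled on the GVM XML export: the element names used here (`result`, `name`, `host`, `port`, `threat`, `severity`) are an assumption to check against your own version's export before pointing this at a real file. The SMB authentication bypass finding with its 7.5 score is the one named in the demo; the other findings and the hosts are made up.

```python
"""Summarize and filter a (simplified, constructed) OpenVAS/GVM XML report.

Added example, not from the lecture.  Element names are assumed; adapt
them to the export format of the Greenbone version you run.
"""
import xml.etree.ElementTree as ET
from collections import Counter

SAMPLE_REPORT = """<report>
  <results>
    <result>
      <name>Windows SMB authentication bypass</name>
      <host>10.1.0.10</host>
      <port>445/tcp</port>
      <threat>High</threat>
      <severity>7.5</severity>
    </result>
    <result>
      <name>Constructed finding: SMB signing not required</name>
      <host>10.1.0.10</host>
      <port>445/tcp</port>
      <threat>Medium</threat>
      <severity>5.3</severity>
    </result>
    <result>
      <name>Constructed finding: RDP weak encryption level</name>
      <host>10.1.0.10</host>
      <port>3389/tcp</port>
      <threat>Medium</threat>
      <severity>5.0</severity>
    </result>
    <result>
      <name>Constructed finding: outdated SSH server</name>
      <host>10.1.0.20</host>
      <port>22/tcp</port>
      <threat>High</threat>
      <severity>10.0</severity>
    </result>
    <result>
      <name>TCP timestamps</name>
      <host>10.1.0.20</host>
      <port>general/tcp</port>
      <threat>Low</threat>
      <severity>2.6</severity>
    </result>
  </results>
</report>
"""


def parse_results(xml_text):
    """Flatten every <result> into a dict; missing severity counts as 0.0."""
    root = ET.fromstring(xml_text)
    results = []
    for r in root.iter("result"):
        results.append({
            "name": (r.findtext("name") or "").strip(),
            "host": (r.findtext("host") or "").strip(),
            "port": (r.findtext("port") or "").strip(),
            "threat": (r.findtext("threat") or "Log").strip(),
            "severity": float(r.findtext("severity") or 0),
        })
    return results


def summarize(results):
    """The dashboard numbers: how many High/Medium/Low, the top score, hosts affected."""
    return {
        "counts": dict(Counter(r["threat"] for r in results)),
        "max_severity": max((r["severity"] for r in results), default=0.0),
        "hosts": len({r["host"] for r in results}),
    }


def findings_for_host(results, host):
    """Filter the report to one host, most severe first (what the demo did by clicking a host)."""
    return sorted((r for r in results if r["host"] == host), key=lambda r: -r["severity"])


def findings_above(results, threshold):
    """Everything at or above a CVSS threshold, e.g. the 7.0+ items to fix this week."""
    return [r for r in results if r["severity"] >= threshold]


if __name__ == "__main__":
    res = parse_results(SAMPLE_REPORT)
    print(summarize(res))
    for r in findings_for_host(res, "10.1.0.10"):
        print(f'{r["severity"]:4.1f} {r["threat"]:6s} {r["port"]:10s} {r["name"]}')
```

Combined with the criticality scores from the asset inventory, `findings_above` is the natural place to order the fix list: the same 7.5 on a customer-facing server with PII outranks a 7.5 on a test box.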
So don't just glance over it. Make sure you remember why it's important to classify your assets. And also, how a vulnerability scanner is different from a network scanner like Nmap or hping. Remember the difference between active and passive scanning, between credentialed and non-credentialed scanning, and also between server-based and agent-based scanning.
And for troubleshooting purposes, remember that you do need reachability and ideally a dedicated management network to run your scans. Remember some common scanning tools like Nessus, Qualys, and OpenVAS, and you should be more than fine on the exam. So, thank you for watching, like, subscribe, good luck on the exam, and see you on the next episode.