Vulnerability Management

In this chapter, we delve into the intricacies of vulnerability management, exploring the process of
identifying, assessing, and remediating vulnerabilities to enhance cybersecurity posture.

Contents
Vulnerability Management..........................................................................................................................1
### 8.1 Understanding Vulnerability Discovery...........................................................................................1
### 8.2 Weak Host and Network Configurations.........................................................................................3
### 8.5 Sideloading, Rooting & Jailbreaking................................................................................................6
### 8.6 Threat Research Sources.................................................................................................................7
### 8.7 Threat Data Feeds...........................................................................................................................8
### 8.9 Patch Classifications & Challenges................................................................................................10

### 8.1 Understanding Vulnerability Discovery

Vulnerabilities, often referred to as weaknesses, are flaws in software, hardware, or network

configurations that can be exploited by attackers to compromise the security of a system. Identifying
vulnerabilities is the first step in the vulnerability management process.

#### Zero-Day Vulnerabilities

A zero-day vulnerability is a flaw that is actively being exploited by attackers before the vendor has
released a patch or fix for it. These vulnerabilities pose significant risks to organizations because there is
no available defense against them.

**Example: The WannaCry Ransomware Attack**

In 2017, the WannaCry ransomware attack exploited a zero-day vulnerability in Microsoft's Windows
operating system, infecting hundreds of thousands of computers worldwide.
#### Bug Bounty Programs

Bug bounty programs are incentive-based initiatives that reward participants for discovering and
ethically reporting vulnerabilities in software or hardware. These programs are often used by
organizations to crowdsource vulnerability discovery.

**Types of Bug Bounty Programs:**

- **Open Bug Bounty Program:** Allows anyone to report vulnerabilities.

- **Closed Bug Bounty Program:** Limited to a select group of security researchers.

#### Disclosure Policies

Various disclosure policies govern the responsible reporting of vulnerabilities:

- **Responsible Disclosure:** Providing enough information to enable informed decisions without

revealing sensitive details.

- **Ethical Disclosure:** Publishing information about a vulnerability to inform users and enable them to
make informed decisions.

- **Full Disclosure:** Making all details of a vulnerability public without regard for the additional harm it
may cause.

#### CVE Program

The Common Vulnerabilities and Exposures (CVE) program is an international community-driven effort to
catalog hardware and software vulnerabilities for public access. Each vulnerability is assigned a unique
identifier known as a CVE number.
#### CVSS

The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the
characteristics and severity of software vulnerabilities. CVSS scores range from None to Critical, helping
organizations prioritize their response to vulnerabilities.

**Example: National Vulnerability Database (NVD)**

The National Vulnerability Database (NVD) provides CVSS scores for almost all known vulnerabilities,
helping organizations assess their severity and prioritize remediation efforts.

#### Weak Configuration

Weak configuration refers to using default manufacturer settings or improperly configuring systems,
which can leave them vulnerable to attack.

**Examples of Weak Configuration:**

- Using default passwords.

- Open permissions that allow unauthenticated access to confidential data.

- Unnecessary open ports on servers.

#### Errors and Weak Encryption

Weak encryption can result from several factors, including:

- Generating encryption keys from simple passwords.

- Using encryption algorithms with known weaknesses.

- Insecure distribution of encryption keys.

**Example: Exploiting Weak Encryption**

Weakly configured applications may display unformatted error messages, providing valuable information
to threat actors.

### 8.2 Weak Host and Network Configurations

#### Evaluation Scope

The evaluation scope determines the focus of vulnerability assessments and the target of the evaluation.

**Example: Application Vulnerabilities**

For application vulnerabilities, the evaluation scope refers to a specific software application that is
analyzed for potential security weaknesses.

#### Buffer Overflow

A buffer overflow occurs when an attacker sends more data to a buffer than it can handle, causing the
data to overflow into adjacent memory space. One common vulnerability is a stack overflow.

**Example: The CodeRed Worm**

The CodeRed worm exploited a buffer overflow vulnerability in Microsoft's Internet Information Services
(IIS) web server software to spread across the internet in 2001.

#### Integer Overflow

An integer overflow occurs when a calculation results in a value that exceeds the maximum size of the
integer data type, potentially causing unexpected behavior in the software.
**Example: The Heartbleed Vulnerability**

The Heartbleed vulnerability in the OpenSSL cryptography library was caused by an integer overflow that
allowed attackers to read sensitive data from the memory of affected servers.

### 8.3 Evaluation Scope

Vulnerability management involves conducting thorough evaluations to identify weaknesses and

vulnerabilities in systems, networks, and applications. The evaluation scope determines the focus of the
assessment and the target of the evaluation.

#### Security Testing Methods:

1. **Vulnerability Assessments:** Identifying host attributes and known vulnerabilities.

2. **Penetration Testing:** Evaluating the security of a target by identifying and exploiting flaws and
vulnerabilities.

3. **Vulnerability Analysis:** Analyzing the results of vulnerability scans and assessments to determine
the level of risk associated with each identified vulnerability.

### 8.4 Overflows, Resource Exhaustion, Memory Leaks & Race Conditions

#### Memory Leaks & Resource Exhaustion

Memory leaks occur when a process fails to release memory it no longer needs, leading to a gradual
reduction in available memory and potential system instability.

Resource exhaustion refers to the depletion of system resources, such as CPU time, memory, disk space,
or network bandwidth, by malicious processes.
**Example: The Mirai Botnet**

The 2016 Mirai botnet used infected Internet of Things (IoT) devices to launch distributed denial-of-
service (DDoS) attacks by exploiting resource exhaustion vulnerabilities.

#### Race Conditions & Null Pointer Dereferencing

A race condition occurs when the outcome of an execution process depends on the timing and order of
certain events, which can lead to unexpected behavior and security vulnerabilities.

Null pointer dereferencing occurs when a program attempts to read from or write to a memory location
that is invalid or null, potentially leading to system crashes or the execution of arbitrary code by an
attacker.

**Example: The Dirty COW Vulnerability**

The Dirty COW vulnerability in the Linux kernel allowed attackers to gain root access to affected systems
by exploiting a race condition in the copy-on-write memory subsystem.

### 8.5 Sideloading, Rooting & Jailbreaking

Mobile devices introduce unique security vulnerabilities due to their specialized software, ubiquity, and
ability to store vast amounts of personal and professional data.

#### Mobile Device Security Risks:

1. **Rooting:** Gaining superuser access to the Android operating system, often by using custom
firmware.
2. **Jailbreaking:** Bypassing software restrictions on iOS devices, typically by booting the device with a
patched kernel.

3. **Carrier Unlocking:** Removing restrictions that lock a device to a single carrier.

**Example: The Pegasus Spyware**

The Pegasus spyware, developed by the NSO Group, exploited vulnerabilities in iOS to infect iPhones and
gain access to sensitive user data.

#### Sideloading & App Permissions

Sideloading refers to installing applications from sources other than the official app store of the platform,
which can increase the risk of installing malicious apps.

App permissions should align with the app’s purpose, as granting unnecessary permissions increases the
device’s attack surface and the potential for security vulnerabilities.

**Example: The Joker Malware**

The Joker malware, discovered on the Google Play Store, infected Android devices by exploiting
permissions granted to seemingly harmless apps, such as flashlight or wallpaper apps.

### 8.6 Threat Research Sources

Threat research involves gathering intelligence on the tactics, techniques, and procedures (TTPs) of
modern cyber adversaries.

#### Primary Threat Research Sources:

1. **Behavioral Threat Research:** Narrative commentary describing examples of attacks and TTPs
gathered through primary research sources.

2. **Reputational Threat Intelligence:** Lists of IP addresses and domains associated with malicious
behavior.

3. **Threat Data:** Computer data that correlates events observed on a customer’s own networks and
logs with known TTP and threat actor indicators.

#### Threat Intelligence Providers

Threat intelligence platforms and feeds are supplied through various commercial models, including:

- **Closed/Proprietary:** Paid subscription to a commercial threat intelligence platform.

- **Vendor Websites:** Proprietary threat intelligence provided at no cost to customers.

- **Public/Private Information Sharing Centers:** Information sharing and analysis centers (ISACs)
established to share threat intelligence and promote best practices.

- **Open Source Intelligence (OSINT):** Threat intelligence services offered on an open-source basis,
earning income from consultancy.

### 8.7 Threat Data Feeds

Threat data feeds provide information about known threats, vulnerabilities, and indicators of
compromise (IOCs). These feeds can be implemented in various ways and are used to enhance the
cybersecurity posture of organizations.

#### Threat Data Feed Implementations:

1. **Structured Threat Information Expression (STIX):** Standard terminology for IOCs and ways of
indicating relationships between them.

2. **Trusted Automated Exchange of Indicator Information (TAXII):** Protocol for transmitting threat
intelligence data between servers and clients.

3. **Automated Indicator Sharing (AIS):** Service offered by the Department of Homeland Security
(DHS) for companies to participate in threat intelligence sharing.

4. **Threat Map:** Animated graphic showing the source, target, and type of attacks detected by a
threat intelligence platform.

5. **File/Code Repositories:** Store signatures of known malware code.

6. **Vulnerability Databases & Feeds:** Identify vulnerabilities in operating systems, software

applications, and firmware code.

7. **Artificial Intelligence (AI):** Predictive analysis to anticipate attacks and identify threat actors
before they can execute attacks.

### 8.8 Vulnerability Response & Remediation

Once vulnerabilities are identified, organizations must respond promptly to remediate them and
minimize the risk of exploitation.

#### Vulnerability Management Process:

1. **Vulnerability Scanning:** Automated activity relying on a database of known vulnerabilities to

identify potential weaknesses and misconfigurations.

2. **Web App Vulnerability Scanners (DAST):** Specialized tools designed to identify vulnerabilities such
as cross-site scripting (XSS) and SQL injection attacks in websites and web-based applications.
3. **Vulnerability Severity Levels:**

- **High/Critical:** Vulnerabilities with the potential to cause significant damage and require
immediate attention.

- **Medium:** Vulnerabilities that could result in adverse consequences and should be prioritized
based on their potential impact.

- **Low:** Vulnerabilities with limited impact that should be remediated as part of ongoing
vulnerability management efforts.

#### Patch Management

Patch management involves identifying, acquiring, installing, and verifying patches or updates to
software, operating systems, and firmware.

**Example: The Equifax Data Breach**

The Equifax data breach in 2017, which exposed the personal information of over 147 million individuals,
occurred because the company failed to patch a known vulnerability in the Apache Struts software used
in its web applications.

### 8.9 Patch Classifications & Challenges

#### Patch Classifications:

- **Critical Fixes:** Patches for critical non-security related issues.

- **Security Updates:** Fixes for product-specific security vulnerabilities.

- **Service Packs:** Cumulative sets of security updates, hotfixes, and new features.

- **Update Rollups:** Cumulative sets of security updates, hotfixes, and updates packaged together.
#### Patch Management Challenges:

- Unintended consequences of patches.

- Roll-back issues in case of patch failures.

- Prioritization, timing, and testing of patches.

- Approach to patching: manual, automated, or hybrid.

- Access to unmanaged mobile or remote devices.

In conclusion, vulnerability management is a critical aspect of cybersecurity that involves the proactive
identification, assessment, and remediation of security weaknesses to reduce the risk of exploitation by
malicious actors. Effective vulnerability management requires continuous monitoring, robust threat
intelligence, and a comprehensive response strategy to address vulnerabilities and protect critical assets.