The process of finding, analysing and assessing vulnerabilities
13.01.2025

Ruslan Rakhmetov, Security Vision


The process of finding, analysing and assessing vulnerabilities is a fundamental step in information security. In this review, we will look at its main stages and describe its important components. Vulnerabilities are an inevitable part of any system: even the most secure system may contain weaknesses, but regular searching (which we will discuss in the next article), vulnerability analysis and remediation are the three keys to maintaining security.


A systematic approach saves time and resources, avoids chaos, minimises errors and fixes problems efficiently. Combined methods produce better results: automated scanners find known problems quickly, which frees up time for manual analysis of complex or unique vulnerabilities. The process described in this review can be divided into several steps:


   1)   Scope Definition identifies the elements to be tested (e.g., only the web application, a subnet of user workstations, or all nodes within the IS). When answering the questions "What needs to be protected?" and "Which systems, applications, or infrastructure should be analysed?", it is worth considering legal and technical constraints (e.g., methods that could compromise system availability may be prohibited, or password policies and encryption algorithms may need to be analysed as well).


   2)   Information Gathering (Reconnaissance) helps you understand what you are dealing with. It is usually a combination of automated collection (e.g., tools such as Nmap or Shodan to identify open ports, software versions and exposed services), manual analysis of the network infrastructure (settings, public data and configurations of technology platforms and systems) and attempts to obtain information from employees (the social engineering techniques we covered earlier, used here for good causes).


   3)   Vulnerability Discovery also distinguishes between automated and manual approaches: tools such as Security Vision VS and OpenVAS are used to automatically identify known vulnerabilities, while manual testing checks for vulnerabilities such as XSS, SQL injection or incorrect access settings using specialised tools or custom scripts. Source code analysis is a separate track: static analysis with tools such as SonarQube or Checkmarx, or dynamic application analysers (similar to pentest modes) that "poke" the running application with ready-made vulnerability test cases to identify weaknesses.


Throughout the first three steps, we identify what is not working properly, or where there is a gap through which the system could be broken into. It is like checking that all the windows are closed and the locks on the doors are secure (so a burglar can't get in), or auditing the food in the fridge (to find what is spoiling or to make a shopping list for the coming week).


After that comes the process of analysing and assessing the consequences.

   4) The Vulnerability Analysis phase includes classification (e.g., highlighting configuration errors, a bug in the code, flaws in the chosen communication protocol), determining the context (how relevant the vulnerability is to the protected system), and the reproducibility of the vulnerability (to determine the conditions necessary for its exploitation).


   5)   Risk Assessment answers the question "How easy is it to exploit the vulnerability?" (which depends on the skill level of the potential attacker, the availability of exploits, etc.) and determines what the consequences would be for the company (financial, reputational, legal). For technical vulnerabilities, CVSS (Common Vulnerability Scoring System) is usually used to calculate a baseline level of risk, while for a business-oriented approach, threat modelling and risk assessment methods are applied using quantitative and qualitative approaches.


These steps are an opportunity to make sure that the vulnerability is real and not a false positive (automated scanners can sometimes give false warnings). This is where we decide how dangerous the problem is and how urgently it needs to be fixed. For example, how serious is a leaky pipe that will damage the interior if it bursts, or is it worth going home for forgotten keys? The process of analysis and assessment can be applied to any technical system in a company, including web applications, networks, servers or IoT devices. It is important to repeat it regularly along with the identification steps, as new vulnerabilities can appear daily; remediation and regular reporting steps are added to complete the full cycle.


Vulnerability analysis and assessment is the process of understanding the nature of identified vulnerabilities, assessing their impact on the system, and prioritising their remediation. Two more steps complete the cycle:


   6)   Remediation involves the fix itself and retesting (to verify that the vulnerability has actually been fixed); when this is automated, it is called "autopatching".


   7) The final stage of the process is the Reporting phase, which includes the vulnerabilities found and the details of how they were reproduced. It also includes clear instructions for remediation (e.g., update the software or change configuration settings to a reference value).


In the final stages of the process, we determine what to do with the identified vulnerabilities and how to queue up the tasks. For example, fixing a leaky roof first, then the cracks in the walls, before a rainstorm.


The vulnerability remediation activities themselves are technical in nature, and we won't go into those specifics again today, but they are very similar to our normal household tasks when we fix problems or mitigate their impact on our lives: changing locks for new ones, repairing the roof and buying new roofing, turning off the gas in case of a possible leak, and cleaning up the rubbish in the house before a holiday or the arrival of guests.


Assessment and prioritisation are the basis for sound planning. Not all vulnerabilities are equally dangerous, and being able to identify critical issues helps you focus your efforts where it really matters. The process of dealing with vulnerabilities never ends: the world of technology and threats is changing and becoming more complex. So regularly reviewing your security policy and updating your tools helps you keep up with the times.


Security culture is more important than any technology, because even the most advanced tool is powerless if users do not understand the basics of safe behaviour. Continuous training and awareness raising is an integral part of protection.


Finding, analysing and remediating vulnerabilities is not a one-off task but an ongoing process that should become part of the culture of any organisation or individual. A systematic approach and attention to detail will help you minimise risks and be ready for new challenges, and we hope we have helped you understand the logic behind the main tools used by IS and IT specialists in this area. To make this process easier, we and our experts have prepared a checklist of useful actions for searching, analysing and assessing vulnerabilities, which you can download on our product pages: Vulnerability Scanner, Vulnerability Management and Security Profile Compliance.
