Vulnerability Assessment Phases and Tools

00:00

Hey, everyone, welcome back to the course in this video. We're gonna talk about vulnerability assessment phases as well as some of the vulnerability assessment tools. Let's talk about our vulnerability assessment phases. We have our pre assessment, our assessment and our post assessment phase. Let's talk about each one of these a little more in depth.

00:15

So our processing phase Think of this as the reconnaissance phase or information gathering phase or foot printing phase of penetration, testing or ethical hacking. Right, So we're just gathering information here, so we're basically gonna identify and understand all the business processes. We're also gonna identify any applications, data or services that are supporting

00:34

the different business processes.

00:36

Well, then create an inventory of all the assets we find will also prioritize, prioritize and rank the critical assets. Right. So we'll say, Well, we do need this, and if this is removed, then that particular business process can actually function, and the organization will not be able to generate revenue. We're also gonna do things like mapping the network infrastructure, identifying any security controls

00:56

that are already in place,

00:58

and understanding any type of policies, procedures and standards and regulations, etcetera. That the organization has to be compliant with because that compliance actually is going to drive the business processes.

01:10

And then we needed to find the scope of our assessment. So before we ever run a vulnerability scan, we need actually define what are we actually doing and also create procedures that protect information. So as we're running scans, we wanna make sure we're not messing up anything in the organization.

01:26

The next step is the assessment phase. This is where we're actually gonna go ahead and examine and evaluate things like physical security. Right. So we'll see if we can actually get into the physical building. We'll check for things like this. Configuration issues, right? Or human errors. So, for example,

01:40

we talked before in this course about s three buckets being, uh, miss configuration issue. A lot of times, right, we've seen out there with cloud environments,

01:47

So that's something that we do in this particular phase. This is where we'll also perform the actual vulnerability scans, right. So, using different tools to do so once we've done that will identify what the vulnerabilities are, and then we'll prioritize them

02:00

and will basically say, Well, which ones are critical once ones can probably wait,

02:04

will apply context from the business. So business and technology context to the results we get on. Ben will also perform open source intelligence to gather additional information about the vulnerabilities are they're actually being exploited out in the wild.

02:19

And from there we generate a vulnerability report.

02:22

We then have our post assessment phase. This is where we're gonna actually perform a risk assessment. So we take the vulnerability report, we look through it and we say, Okay, what are the actual risk? What's the impact of that risk to the organization? And

02:35

are we okay with this, right? Do we have a risk appetite for this? Or does this need to be prioritized for fixed? We then move into remediation where we prioritized recommendations.

02:45

And then we actually develop a plan, right? So if there is a outdated software application, for example, we develop a plan to actually implement a either a patch or fix for that particular vulnerability.

02:57

We also do things like capturing any lessons learned, right? We document. Were there any lessons learned performing the scan and conducting this test as well as conducting awareness training for our employees for verification. This is where we actually checked to see if what we're doing is working. Right. So we perform dynamic analysis

03:15

and attack surface review to see Well, did this actually fix the issue

03:19

and then monitoring? Right. So the long term thing

03:22

are is any adversary actually trying to attack us through this vulnerability? So as we monitor our ideas or I P s logs or intrusion detection system intrusion prevention system logs

03:31

are we noticing anything, right? Are we noticing that Attackers are exploiting this? Maybe we forgot to patch something right,

03:38

as well as monitoring any new implementation of our policies, procedures and our security controls.

03:46

So there's many types of vulnerability assessment tools.

03:50

We have our host based tools that help us identify the operating system running and basically tested for known vulnerabilities.

03:57

It also searches for common APS that might be used and test them for vulnerabilities as well as common services that might be in use and test those for vulnerabilities as well.

04:06

We then have our depth assessment tools. So these air things like our fathers, right. So peach fuzz er is one example of that Essentially, these help us find previously unknown vulnerability so we can fuzz application code and see if there's any vulnerabilities in it. Onda Fuzzing is really an art. It's kind of a more advanced pen testing thing that you'll do after you've got some hands on skills.

04:28

We have application layer tools. This is directed more towards Web servers and databases. Scope assessment tools, thes test for vulnerabilities and things like the applications as well as the operating system.

04:39

And we have activist active assessment tools is what is called and this allows us to perform scans. But keep in mind is gonna consume Network Resource is so if we don't want to be found out right. If we were doing a pen test, for example, we probably wouldn't do an active scan in many cases simply because it's gonna consume some bandwidth. And

04:59

that may be a trigger for

05:00

the defensive team.

05:02

Passive tools. So these don't actually affect system Resource is considerably. At least. They just observe system data and perform data processing on a separate machine. So it's separate from the actual machine you're analyzing and then location or data examination tools. These air things like network based scanners, aging based scanners,

05:21

proxy scanners as well as cluster scanners.

05:25

So just a quick, quick question here for you. The peach fuzz er would fall into this type of tool category. Is that gonna be passive depth or host based?

05:34

Alright. If you guessed depth, you are correct. If you remember, the peach, fuzzier and fuzzier is in particular are under the depth assessment tools portion. And again, those were intended to help you find previously unknown vulnerabilities in the system.