From the course: Penetration Testing and Ethical Hacking
Vulnerability analysis
- [Instructor] Vulnerability analysis. In this next lesson and the following lessons, we're going to look at different ways of analyzing vulnerabilities on the network, and this is going to help the Certified Ethical Hacker overall help organizations manage their vulnerabilities. So we're going to look at different vulnerability classifications, types, solutions, and tools. So let's go ahead and get started. So, vulnerability analysis is part of the scanning phase. It's a major and highly important part of the hacking cycle. So we're going to talk about, again, different concepts of vulnerability assessments, types of assessments, tools, and reports for this very important part of a hacking cycle.

Okay, so first, some vulnerability assessment concepts. So a penetration tester's fundamental task is to discover an environment's vulnerabilities. Now, vulnerability assessment includes discovery of weaknesses in an environment, an operating system, application, or website for design flaws or other types of security concerns, and that's the role of a Certified Ethical Hacker: to find those weaknesses, point those out, and help organizations strengthen them. And again, vulnerabilities can come from a number of things. I just mentioned a few, but they can also come from open services, default configurations, misconfigurations, and improper handling of errors that may cause buffer overflows. Buffer overflows, misconfigurations, all of those could be vulnerabilities, and there are a number of tools that you can use to scan for these vulnerabilities, and these vulnerabilities can be classified as, you know, low, medium, high, et cetera. Now, vulnerability assessment can be defined as a process of examining, discovering, and identifying weaknesses in systems and applications. It can also help recognize vulnerabilities that can be exploited by a malicious person or attacker.
And that's why we want to find these vulnerabilities and patch those and get those fixed. Now, there are different types of vulnerability assessments. There is the active assessment, and that basically means you're actively sending requests to a live network and examining the responses. Then there's passive. Passive usually includes packet sniffing to discover vulnerabilities or running services, looking at open ports, and other information. Now, as far as the organization as a whole, there can be different types of assessments as well, meaning on the environment. It can be an internal or an external assessment. An external assessment is normally carried out from the hacker's point of view from the outside. You're looking at outside ports on the internet, trying to get into that network, into that system, whereas the internal assessment is finding vulnerabilities within the network and environment, discovering vulnerabilities by scanning the internal network and the infrastructure.

So, now let's talk about the vulnerability assessment lifecycle. Sometimes this is called the vulnerability management lifecycle. So first of all, what is this? The vulnerability management or assessment lifecycle is the process intended for an organization to effectively identify, remediate, and confirm the elimination of network vulnerabilities in a computer system. So this is an ongoing, continuous cycle that an organization would use to manage their vulnerabilities within their network environment. And we're going to outline the steps here. Now, before you start this process, there is something called creating a baseline, and this is like a pre-assessment phase of this lifecycle. So basically, the pen tester or the network administrator who's performing the assessment identifies the nature of the corporate network. They create a baseline of the applications and the systems and get an inventory of all the resources that they will be managing.
And when, of course, new systems are added, they're added to this inventory and the baseline is recreated at that point. Okay, so the vulnerability assessment phase focuses on the assessment of the target. This phase includes examining and inspecting security measures such as physical security, security policies, and controls. The target is evaluated for its configurations, default configurations, faults, and other vulnerabilities that can weaken the entire environment. Then you have the remediation phase, and this includes the remedial action in response to the detected vulnerabilities. High-priority vulnerabilities are addressed first because they may have a bigger impact, followed by the lesser-priority vulnerabilities. The verification phase ensures that all vulnerabilities in the environment are eliminated. Then you have the monitoring phase, and this includes monitoring the targets, the network traffic, and the systems for any future intrusions or any other anomalous behaviors.

So, outside of vulnerability assessments, there are risk assessments that you need to be aware of, specifically the quantitative risk assessment. Quantitative analysis is about assigning a monetary value to risk components. Now, the annualized loss expectancy, or the ALE, is the product of the annual rate of occurrence, the ARO, and the single loss expectancy, the SLE, mathematically expressed as ALE equals ARO times SLE. So again, why would you want to do this? You're putting a monetary value on a particular risk in an organization. Some organizations may need to quantify their risk assessment and put a monetary value on it as far as high, medium, and low priorities. So, while performing this quantitative risk assessment, the ALE estimation defines the cost of any protection or countermeasures to protect an asset. SLE defines the loss of value of a single incident, whereas the ARO estimates the frequency, how often this will happen.
Now, the exposure factor is the subjective potential percentage of loss to a specific asset if a specific threat is realized. This is expressed as SLE, or the single loss expectancy, equals the exposure factor, EF, times the AV, or the asset value. Again, this equation is SLE equals EF times AV, where AV is the asset value. So let's look at this and put some figures and some dollar amounts in here so you can understand where we're coming from with this. So an organization is approximating the cost of replacement and recovery operations. The maintenance team reported that the hardware costs $1,000 and needs to be replaced once every three years. A technician charges $100 per hour for maintenance, and it takes 14 hours to replace the hardware completely and install the software. So in this example, the exposure factor, EF, is one, or 100%. The requirement for quantitative risk analysis is to calculate the single loss expectancy, the SLE, the annual rate of occurrence, the ARO, and the annualized loss expectancy, the ALE. So let's look and see how this is laid out. So the asset value is $1,000, and we're going to add that to 14 times 100, because those were the hours, and $100 is the rate per hour, so that's $2,400. The single loss expectancy, or the SLE, we figure that out using the formula we just learned, is the EF times AV, which equals one times 2,400. So that's $2,400 there. The annual rate of occurrence, the ARO, is going to be once every three years, so that's 1/3. So now the annual loss expectancy, or the ALE, is SLE times ARO, which equals the 1/3, or .33, times 2,400. So the dollar amount here is $792.

Okay, we jumped into vulnerability analysis. We talked about vulnerability assessment concepts, the vulnerability lifecycle, and we jumped into and dug into quantitative analysis and a risk assessment. All right, that's going to be the end of this lesson, and I will see you in the next lesson.
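The quantitative risk formulas from the lesson (AV, SLE = EF × AV, ARO, ALE = ARO × SLE), carried through in code with the lesson's own figures. This is an added example, not code from the course; the dollar figures are the lesson's worked example, and the `safeguard_net_benefit` function goes one step beyond the lesson to show how an ALE is used to judge whether a countermeasure is worth its annual cost (a standard cost/benefit step, assumed here rather than taken from the course). Fractions are used so the arithmetic is exact; the lesson's own figure of $792 comes from rounding ARO to .33, and the function returns both that value and the exact one.

```python
from fractions import Fraction

# Constructed inputs matching the lesson's worked example.
HARDWARE_COST = 1000              # dollars to replace the hardware
TECH_RATE = 100                   # technician rate, dollars per hour
REBUILD_HOURS = 14                # hours to replace hardware and reinstall software
EXPOSURE_FACTOR = Fraction(1)     # EF = 1, i.e. 100% of the asset is lost
YEARS_BETWEEN_EVENTS = 3          # hardware fails once every three years


def asset_value(hardware_cost, tech_rate, rebuild_hours):
    """AV: replacement hardware plus the labor to rebuild and reinstall."""
    return hardware_cost + tech_rate * rebuild_hours


def single_loss_expectancy(ef, av):
    """SLE = EF * AV: the loss from one occurrence of the threat."""
    return ef * av


def annual_rate_of_occurrence(years_between_events):
    """ARO = 1 / (years between events): expected occurrences per year."""
    return Fraction(1, years_between_events)


def annualized_loss_expectancy(aro, sle):
    """ALE = ARO * SLE: expected yearly loss from this risk."""
    return aro * sle


def lesson_example():
    """Run the lesson's figures through the formulas and return every intermediate."""
    av = asset_value(HARDWARE_COST, TECH_RATE, REBUILD_HOURS)        # 2400
    sle = single_loss_expectancy(EXPOSURE_FACTOR, av)                # 2400
    aro = annual_rate_of_occurrence(YEARS_BETWEEN_EVENTS)            # 1/3
    ale_exact = annualized_loss_expectancy(aro, sle)                 # 800
    # The lesson rounds ARO to .33 before multiplying, which gives 792.
    ale_lesson = annualized_loss_expectancy(Fraction("0.33"), sle)   # 792
    return {
        "AV": av,
        "SLE": sle,
        "ARO": aro,
        "ALE_exact": ale_exact,
        "ALE_lesson": ale_lesson,
    }


def safeguard_net_benefit(ale_before, ale_after, annual_safeguard_cost):
    """Assumed cost/benefit step (not from the lesson): a control is worth buying
    when the ALE it removes exceeds what it costs per year.
    Returns (ALE before - ALE after) - annual cost; positive means worth it."""
    return (ale_before - ale_after) - annual_safeguard_cost


if __name__ == "__main__":
    result = lesson_example()
    for name, value in result.items():
        print(f"{name:>10}: {value} (~{float(value):.2f})")
    # Constructed scenario: a spare-parts contract costing $300/year that would
    # cut the expected downtime loss to zero.
    print("net benefit of $300/yr safeguard:",
          safeguard_net_benefit(result["ALE_exact"], 0, 300))
```

Running the block prints AV, SLE, ARO and both ALE figures, then the net benefit of the constructed $300-per-year safeguard (800 - 0 - 300 = 500, so the control pays for itself).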