Robert Wortmann (Head of Strategic Security Consulting, Proact Germany) and Oliver Kett (Professional Services Engineer, Proact Germany)
Vulnerability scanning, patching advice or vulnerability intelligence, which do you really need?
In recent years clients have asked me again and again how vulnerabilities in their systems can best be found and remedied. In today’s blog post we’ll look at the basics and explain the different types of vulnerability scans. To make the picture clearer, we’ll use the image of a medieval city protected by a high wall.
Vulnerability scanning / blackbox scans
The simplest and most widely known option is an automated vulnerability test, the so-called black box test. A black box test closely resembles a real cyberattack, since the tester receives no information apart from the IP addresses that are to be tested.
Blackbox scans usually make the most sense for externally reachable services, because the results closely match what a real attacker would see. For internal systems there are more meaningful test scenarios, which I’ll cover later.
Returning to the medieval city: we’re standing outside the city walls and don’t know what’s going on behind them. To find out, we search the wall for gaps in the masonry. Wherever a stone is missing, we look through the hole. Afterwards we tell the city that a stone is missing and how the gap should be closed.
Penetration testing / whitebox scans
In contrast, in a whitebox test the tester receives far more information, including login credentials for the systems, and can therefore carry out more thorough tests. The results are correspondingly richer. A blackbox test only checks whether SSL/TLS certificates are valid and whether modern ciphers are configured; a whitebox test can go further, for example with a ‘man-in-the-middle’ attack that intercepts the traffic itself.
This attack hooks into the communication between clients and servers and records all the traffic. If it succeeds, the tester doesn’t just record the traffic but also tries to downgrade the client to outdated encryption methods. By posing as a server that only supports outdated, already broken encryption methods, the captured data can be turned back into plain text with very little effort (sometimes in just a few seconds).
Back to the medieval city: now it’s time to check both the external and the internal security. We try to get into the city from the outside and then inspect the security inside the city walls. We’re no longer just peering through the windows of the houses; we’re trying to pick the locks and steal the jewellery inside.
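As an added example (not code from the original post), here is the defender’s side of the scenario above: a Python TLS client context that refuses the protocol downgrade described, plus a small checker that grades the protocol/cipher pairs a blackbox scan reports a server accepting. The cipher deny-list and the sample scan output are constructed assumptions, not a standard.

```python
"""Added example, not Proact's code: the defender's side of the downgrade
scenario. A TLS client context that refuses to negotiate below TLS 1.2, and
a checker that grades the protocol/cipher pairs a blackbox scan reports a
server accepting (constructed sample data; no network access needed)."""
import ssl

# Assumption: a conservative deny-list of substrings that mark broken or
# obsolete cipher suites in OpenSSL naming; not an exhaustive standard.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "MD5", "EXP", "ADH", "AECDH")
OBSOLETE_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
FORWARD_SECRET_PREFIXES = ("ECDHE", "DHE", "TLS_")   # TLS_ = TLS 1.3 suites

def hardened_client_context() -> ssl.SSLContext:
    """Client that cannot be talked down to SSLv3/TLS 1.0 by a man-in-the-middle."""
    ctx = ssl.create_default_context()            # certificate + hostname checks on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse anything older
    return ctx

def grade_offer(protocol: str, cipher: str) -> str:
    """Classify one protocol/cipher pair that a server was observed to accept."""
    if protocol in OBSOLETE_PROTOCOLS:
        return "fail: obsolete protocol"
    if any(marker in cipher for marker in WEAK_CIPHER_MARKERS):
        return "fail: weak cipher"
    if not cipher.startswith(FORWARD_SECRET_PREFIXES):
        return "warn: no forward secrecy"
    return "ok"

# Constructed scanner output for a hypothetical server: what it accepted.
SCAN = [
    ("TLSv1.3", "TLS_AES_256_GCM_SHA384"),
    ("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"),
    ("TLSv1.2", "AES256-SHA"),
    ("TLSv1", "ECDHE-RSA-AES128-SHA"),
    ("SSLv3", "RC4-MD5"),
]

def scan_findings(scan=SCAN) -> dict:
    """Map each accepted offer to its grade; anything not 'ok' goes in the report."""
    return {f"{proto} {cipher}": grade_offer(proto, cipher) for proto, cipher in scan}

def worst_grade(scan=SCAN) -> str:
    """Overall verdict: a single accepted downgrade path fails the host."""
    grades = list(scan_findings(scan).values())
    if any(g.startswith("fail") for g in grades):
        return "fail"
    return "warn" if any(g.startswith("warn") for g in grades) else "ok"
```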
Vulnerability intelligence / patch advisories
Lots of new software vulnerabilities come to light every day, making it almost impossible to process them all, especially since many of them won’t apply to your infrastructure.
To be sure you’re looking at the right vulnerabilities, you would have to keep browsing software vendors’ pages and constantly track new CVE entries. Vulnerability intelligence systems take this work off your hands: they collect information about vulnerabilities that might apply to your infrastructure, so that in the end you only receive messages and recommendations that are relevant to you, for example in the form of a patch advisory.
Now think of the medieval city’s discreet secret service. We’re inside the city walls and hold plenty of data about the citizens. Our task is to gather up-to-date information about potential threats and pass it on to the right people.
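As an added example (not Proact’s code), the core of such a vulnerability intelligence filter in Python: a constructed CVE feed is matched against a constructed software inventory so that only applicable entries survive, and the CVSS threshold notification mentioned later in the post is applied on top. Product names and CVE IDs are placeholders, and the feed format is an assumption.

```python
"""Added example, not Proact's code: a minimal vulnerability-intelligence
filter. A constructed CVE feed is matched against a constructed inventory;
only entries that apply to deployed versions are kept, and those at or
above a CVSS threshold are flagged for immediate notification."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Vuln:
    cve: str              # placeholder IDs below, not real CVE numbers
    product: str
    affected_below: str   # every version strictly below this is affected
    cvss: float

def parse_version(v: str) -> tuple:
    """'2.4.49' -> (2, 4, 49): compare numerically, so 2.4.49 > 2.4.9."""
    return tuple(int(part) for part in v.split("."))

def is_affected(installed: str, vuln: Vuln) -> bool:
    return parse_version(installed) < parse_version(vuln.affected_below)

def triage(inventory: dict, feed: list, min_cvss: float) -> tuple:
    """Return (report, urgent): feed entries that apply to the inventory,
    and the subset at or above min_cvss that warrants immediate notice."""
    report = [v for v in feed
              if v.product in inventory and is_affected(inventory[v.product], v)]
    urgent = [v for v in report if v.cvss >= min_cvss]
    by_severity = lambda v: -v.cvss   # highest score first
    return sorted(report, key=by_severity), sorted(urgent, key=by_severity)

# Constructed inventory and feed: fictional products, placeholder CVE IDs.
INVENTORY = {"webserver": "2.4.49", "dbms": "13.2", "mailrelay": "1.0"}
FEED = [
    Vuln("CVE-XXXX-0001", "webserver", "2.4.50", 9.8),   # applies, critical
    Vuln("CVE-XXXX-0002", "webserver", "2.4.9", 7.5),    # fixed long ago
    Vuln("CVE-XXXX-0003", "dbms", "13.5", 6.5),          # applies, not urgent
    Vuln("CVE-XXXX-0004", "loadbalancer", "3.0", 10.0),  # not deployed
]

def urgent_cves(min_cvss: float = 9.0) -> list:
    """CVE IDs that trigger a notification at the given threshold."""
    return [v.cve for v in triage(INVENTORY, FEED, min_cvss)[1]]

def report_cves() -> list:
    """Every applicable CVE, for the monthly report."""
    return [v.cve for v in triage(INVENTORY, FEED, 0.0)[0]]

if __name__ == "__main__":
    report, urgent = triage(INVENTORY, FEED, 9.0)
    for v in report:
        print(v.cve, v.product, v.cvss, "NOTIFY NOW" if v in urgent else "report")
```

Note the numeric version comparison: matching versions as plain strings would wrongly flag 2.4.49 as below 2.4.9 and produce exactly the kind of false positive an analyst then has to weed out.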
Who should do the tests?
While it may seem tempting to carry out a penetration test yourself, it involves a substantial amount of work. Most experts recommend an external auditor, who has no conflict of interest and was not involved in the design, construction and operation of the information network.
For example, PCI DSS requires an external scan to be conducted every quarter. Internal scans are only permitted after changes to the infrastructure, to check whether the external test would still be passed.
Interpreting the results isn’t easy either. The various products on the market, especially for black box tests, produce a lot of false positives, so you need to check the results closely to make sure a reported vulnerability is a real problem.
Even a whitebox test requires a lot of preparation before it is carried out. A common trap is what we like to call ‘operational blindness’: internal staff will simply say ‘it has always been like that, I’ve never even thought about it.’
Here at Proact we offer vulnerability scanning & intelligence services. We scan your public IP addresses (or, if you prefer, your entire corporate network) once a week and check them for potential attack vectors.
You define when you’re notified based on the CVSS score (for example, everything greater than 9). In addition, you’ll receive a detailed report from us once a month that lists all the vulnerabilities that we’ve found. Our analysts take care of filtering out as many false positives as possible and will help you find potential remedies.
Each report includes a brief explanation of the vulnerability, links to vendor documentation and CVE IDs, alongside quick reference guides to help you customise the configuration. Our vulnerability scanning & intelligence offerings also provide you with information about vulnerabilities in the technology you use, including instructions for closing them.