From cd9d80c438e433b0ae9798ad268f1a03da7c4947 Mon Sep 17 00:00:00 2001 From: Anton Sankov Date: Thu, 26 Jan 2023 22:35:03 +0200 Subject: [PATCH] Day 27: Network Vulnerability Scan by @a_sankov --- 2023.md | 2 +- 2023/day27.md | 84 +++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 85 insertions(+), 1 deletion(-) diff --git a/2023.md b/2023.md index ced97d1..b3f7b5f 100644 --- a/2023.md +++ b/2023.md @@ -72,7 +72,7 @@ Or contact us via Twitter, my handle is [@MichaelCade1](https://twitter.com/Mich - [βœ”οΈ] 🌐 24 > [Signing](2023/day24.md) - [βœ”οΈ] 🌐 25 > [Systems Vulnerability Scanning](2023/day25.md) - [βœ”οΈ] 🌐 26 > [Containers Vulnerability Scanning](2023/day26.md) -- [] 🌐 27 > [](2023/day27.md) +- [βœ”οΈ] 🌐 27 > [Network Vulnerability Scan](2023/day27.md) ### Runtime Defence & Monitoring diff --git a/2023/day27.md b/2023/day27.md index e69de29..03fdbdd 100644 --- a/2023/day27.md +++ b/2023/day27.md @@ -0,0 +1,84 @@ +# Network Vulnerability Scan + +On [Day 25](day25.md) we learned that vulnerability scanning is the process of scanning a network or system to identify any existing security vulnerabilities. +We also learned that Network Vulnerability Scanning is a subset of Systems Vulnerability Scanning, e.g. we are only scanning the network part of our system. + +Today we are going to dive deeper into what Network Vulnerability Scanning is and how we can do it. + +## Network Vulnerability Scanning + +**Network vulnerability scanning** is the process of identifying weaknesses on a network that is a potential target for exploitation by threat actors. + +Once upon a time, before the cloud, network security was easy (sort of, good security is never easy). +You build a huge firewall around your data center, allow traffic only to the proper entrypoints and assume that everything that managed to get inside is legitimate. + +This approach has one huge flaw - if an attacker managed to get through the wall, there are no more lines of defence to stop them. + +Nowadays, such an approach would work even less. +With the cloud and microservices architecture, the actors in a network has grown exponentially. + +This requires us to change our mindset and adopt new processes and tools in building secure systems. + +One such process is **Network Vulnerability Scanning**. +The tool that does that is called **Network Vulnerability Scanner**. + +## How does network vulnerability scanning work? + +Vulnerability scanning software relies on a database of known vulnerabilities and automated tests for them. +A scanner would scan a wide range of devices and hosts on your networks, identifying the device type and operating system, and probing for relevant vulnerabilities. + +A scan may be purely network-based, conducted from the wider internet (external scan) or from inside your local intranet (internal scan). +It may be a deep inspection that is possible when the scanner has been provided with credentials to authenticate itself as a legitimate user of the host or device. + +## Vulnerability management + +After a scan has been performed and has found vulnerabilities, the next step is to address them. +This is the vulnerability management phase. + +A vulnerability could be marked as false positive, e.g. the scanner reported something that is not true. +It could be acknowledged and then assessed by the security team. + +Many vulnerabilities can be addressed by patching, but not all. +A cost/benefit analysis should be part of the process because not all vulnerabilities are security risks in every environment, and there may be business reasons why you can’t install a given patch. +It would be useful if the scanner reports alternative means to remediate the vulnerability (e.g., disabling a service or blocking a port via firewall). + +## Caveats + +Similar to container image vulnerability scanning, network vulnerability scanning tests your system for _known_ vulnerabilities. +So it will not find anything that is not already reporter. + +Also, it will not protect you from something like exposing your admin panel to the internet and using the default password. +(Although I would assume that some network scanner are smart enough to test for well-known endpoints that should not be exposed). + +At the end of the day, it's up to you to know your system, and to know the way to test it, and protect it. +Tools only go so far. + +## Network Scanners + +Here is a list of network scanners that can be used for that purpose. + +**NOTE:** The tools on this list are not free and open-source, but most of them have free trials, which you can use to evaluate them. + +- [Intruder Network Vulnerability Scanner](https://www.intruder.io/network-vulnerability-scanner) +- [SecPod SanerNow Vulnerability Management](https://www.secpod.com/vulnerability-management/) +- [ManageEngine Vulnerability Manager Plus](https://www.manageengine.com/vulnerability-management/) +- [Domotz](https://www.domotz.com/features/network-security.php) +- [Microsoft Defender for Endpoint](https://www.microsoft.com/en-us/security/business/endpoint-security/microsoft-defender-endpoint) +- [Rapid7 InsightVM](https://www.rapid7.com/products/insightvm/) + +## Summary + +As with all the security processes we talked about in the previous day, network scanning is not a silver bullet. +Utilizing a network scanner would not make you secure if you are not taking care of the other aspects of systems security. + +Also, using a tool like a network scanner does not mean that you don't need a security team. + +Quite, the opposite, a good Secure SDLC starts with enabling the security team to run that kind of tool againts the system. +Then they would also be responsible for triaging the results and working with the revelant teams that need to fix the vulnerabilities. +That will be done by either patching up the system, closing a hole that is not necessary, or re-architecturing the system in a more secure manner. + +## Resources + + + +