School of Information Systems

VULNERABILITY IDENTIFICATION

The purpose of this stage is to use the information gathered earlier to confirm, through technical assessment, the actual existence of vulnerabilities. This is done by matching vulnerable service versions to known and theoretical exploits, traversing the network in unintended directions, testing web services for vulnerabilities such as XSS and SQL injection, locating weak passwords and accounts, escalating privileges, and so on. During the vulnerability identification stage, Bonadio seeks to identify as many confirmed intrusion/penetration possibilities into the target network as possible.

We will also compile a final list of vulnerabilities and document a recommended set of mitigation measures during this stage. Our review of all vulnerabilities discovered by the assessment tool(s) will include an interpretation of the results and a list of vulnerabilities ranked by the severity of the vulnerability and the criticality of the affected asset. As part of our reporting, we will discuss identified vulnerabilities with your staff as needed. We will inform you directly, as soon as we identify them, about any vulnerabilities that require immediate countermeasures.

We will prepare a vulnerability summary per domain/component based on the severity of the risk and the business process impact. Technical risk classification of vulnerabilities is performed automatically and accurately by our vulnerability scanning tools; however, our findings will also include an analysis based on business impact, which will help you prioritize the mitigation of non-critical findings. This also adds value to the project, as it allows remediation work to be scheduled by weighted priority and its budget to be justified.

We don’t simply run tools and hand over the reports generated. Bonadio considers this a poor practice that would provide very limited value to your organization, your team, and your risk mitigation processes.

Since determining business impact requires deep knowledge of the target organization and its processes, we will deliver a first draft based on the assessment outcomes and the preceding technical risk classification. This document will then be reviewed together with personnel from your teams to properly identify the business impact, and the corresponding adjustments to risk weights will be made.

Along with this report, the consultant will deliver technical reports containing the findings reported by the tools and, where appropriate, an extended set of documentation explaining the technical impact of each particular case for the target organization. Just before beginning this step, Bonadio will have selected the specific points to test and how to test them. During vulnerability identification, the consultant will perform several activities to detect exploitable weak points.

These activities include:

1. Identifying vulnerable services using service banners.

2. Performing vulnerability scans with the appropriate tools and applications to search for known vulnerabilities. The tools used will be able to integrate and test for known vulnerabilities such as those communicated from vendors’ security announcements or public databases such as CVE or CERT advisories.

3. Performing a true-up of information found (i.e., false positive and false negative verification by correlating vulnerabilities with each other and with previously acquired information from multiple tools).

4. Enumerating discovered vulnerabilities.

5. Estimating probable impact and classifying vulnerabilities found.

6. Identifying attack paths and scenarios for exploitation.
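The following script is an added illustration (not part of the original handout or of Bonadio's tooling) of how steps 3 to 5 above, and the severity-plus-criticality ranking described earlier, can be carried out over scanner output. It merges findings from several tools so that the same (host, port, CVE) triple reported twice is counted once, marks findings seen by only one tool (or only from a banner match) as needing manual verification, and then weights the technical severity of each finding by the asset criticality agreed with the client. The tool names, hosts, CVE identifiers (CVE-EXAMPLE-NNNN placeholders), CVSS values and the criticality table are all constructed for the example, and the weighting formula is an assumption, not a standard.

```python
from collections import defaultdict

# Constructed sample output from three hypothetical sources: two vulnerability
# scanners ("scanner_a", "scanner_b") and a service-banner match ("banner").
# CVE ids are placeholders, not real advisories.
FINDINGS = [
    {"tool": "scanner_a", "host": "10.0.0.5",  "port": 22,  "cve": "CVE-EXAMPLE-0001", "cvss": 7.5},
    {"tool": "scanner_b", "host": "10.0.0.5",  "port": 22,  "cve": "CVE-EXAMPLE-0001", "cvss": 7.5},
    {"tool": "banner",    "host": "10.0.0.5",  "port": 22,  "cve": "CVE-EXAMPLE-0001", "cvss": 7.5},
    {"tool": "banner",    "host": "10.0.0.9",  "port": 80,  "cve": "CVE-EXAMPLE-0002", "cvss": 9.8},
    {"tool": "scanner_a", "host": "10.0.0.20", "port": 443, "cve": "CVE-EXAMPLE-0003", "cvss": 5.3},
    {"tool": "scanner_b", "host": "10.0.0.20", "port": 443, "cve": "CVE-EXAMPLE-0003", "cvss": 5.3},
    {"tool": "scanner_b", "host": "10.0.0.20", "port": 443, "cve": "CVE-EXAMPLE-0004", "cvss": 4.3},
]

# Asset criticality agreed with the client during the business-impact review
# (1 = low, 5 = critical). Constructed values.
CRITICALITY = {"10.0.0.5": 2, "10.0.0.9": 5, "10.0.0.20": 4}


def true_up(findings):
    """Step 3: merge reports of the same (host, port, cve) across tools and
    derive a confidence level from how many independent tools agree."""
    merged = defaultdict(lambda: {"tools": set(), "cvss": 0.0})
    for f in findings:
        key = (f["host"], f["port"], f["cve"])
        merged[key]["tools"].add(f["tool"])
        # Tools may score the same issue differently; keep the highest (conservative).
        merged[key]["cvss"] = max(merged[key]["cvss"], f["cvss"])

    result = []
    for (host, port, cve), data in merged.items():
        if len(data["tools"]) >= 2:
            confidence = "corroborated"
        elif data["tools"] == {"banner"}:
            # A version string alone does not prove the flaw is present
            # (backported fixes, disabled features), so this is only a lead.
            confidence = "banner-only (verify manually)"
        else:
            confidence = "single-tool (verify manually)"
        result.append({"host": host, "port": port, "cve": cve, "cvss": data["cvss"],
                       "tools": sorted(data["tools"]), "confidence": confidence})
    return result


def risk_score(cvss, criticality):
    """Step 5: weight technical severity (CVSS 0-10) by asset criticality (1-5).
    Assumed formula: scaled back to 0-10 so scores stay comparable to CVSS."""
    return round(cvss * criticality / 5, 1)


def prioritize(findings, criticality, default_criticality=3):
    """Steps 4 and 5: enumerate the trued-up findings and rank them by weighted
    risk; on ties, corroborated findings come before unverified ones."""
    items = true_up(findings)
    for it in items:
        crit = criticality.get(it["host"], default_criticality)
        it["criticality"] = crit
        it["risk"] = risk_score(it["cvss"], crit)
    items.sort(key=lambda it: (-it["risk"], it["confidence"] != "corroborated", it["host"]))
    return items


def summary_per_host(items):
    """Per-component summary for the report: count, worst weighted risk, and how
    many findings still need manual verification."""
    out = defaultdict(lambda: {"count": 0, "max_risk": 0.0, "unverified": 0})
    for it in items:
        s = out[it["host"]]
        s["count"] += 1
        s["max_risk"] = max(s["max_risk"], it["risk"])
        if it["confidence"] != "corroborated":
            s["unverified"] += 1
    return dict(out)


if __name__ == "__main__":
    ranked = prioritize(FINDINGS, CRITICALITY)
    for it in ranked:
        print(f'{it["risk"]:>4}  {it["host"]}:{it["port"]}  {it["cve"]}  '
              f'cvss={it["cvss"]} crit={it["criticality"]}  {it["confidence"]}')
    for host, s in summary_per_host(ranked).items():
        print(host, s)
```

Note how the ranking differs from raw CVSS order: the highest-scoring finding lands on the most critical host but is banner-only, so it appears at the top of the queue with an explicit "verify manually" flag rather than silently being treated as confirmed, while the triply corroborated finding on a low-criticality host drops to the bottom despite its CVSS of 7.5. That is the effect of the business-impact adjustment the text describes, made visible in the output.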

Sources: ISO 31000

Drajad Wiryawan