Network Security Assessment – Reading Notes 1
Recently I found that the blog is a good place to put my reading notes, so let me start with the first one. Since I am involved in network vulnerability scanning work, this book is really fundamental: it provides a lot of easy-to-understand definitions and terminology rather than jargon. The book is Network Security Assessment: From Vulnerability to Patch.
The first chapter gives a clear view of what a vulnerability is, how to define it and how to score it.
Over the years, the definition of vulnerability has evolved into a software or hardware bug or misconfiguration that a malicious individual can exploit. A vulnerability can be publicly disclosed before a vendor patch, or can even be used quietly by attackers. An organization experiences multiple levels of risk from a vulnerability, depending on how the discoverer of the vulnerability deals with the information and how long it takes the affected vendor to issue a patch or workaround.
Here is a concrete example from my Windows 2008 Server, which is a network security asset. After a scan, one of the vulnerability results shows the CVE ID CVE-2008-4844. The description is: “Use-after-free vulnerability in mshtml.dll in Microsoft Internet Explorer 5.01, 6, and 7 on Windows XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008 allows remote attackers to execute arbitrary code via a crafted XML document containing nested SPAN elements, as exploited in the wild in December 2008.”
CVE stands for Common Vulnerabilities and Exposures, and a list of CVE numbers was created several years ago to help standardize vulnerability naming. The CVE created a list of all vulnerabilities and assigned each one a CVE ID in the format CVE-year-number. Vendors have been encouraged to use CVE numbers when referencing vulnerabilities.
At this point we know that we have one vulnerability, identified by its CVE ID, but how do we know how severe it is? Theoretically, the risk is the product of four attributes: vulnerability, attacks, threat and exposure. However, different vendors have different scoring systems. CVSS is an attempt to solve that problem by providing a sophisticated scoring system. For example, for CVE ID CVE-2008-1446, the CVSS base score is 9 and the CVSS vector is (AV:N/AC:L/Au:S/C:C/I:C/A:C). The detailed CVSS guide is here.
Once we know that our server has a vulnerability, we need to apply a patch to remedy it, which will be covered in the following chapters. Here, though, I would like to mention the window of vulnerability: the gap between the time the vulnerability is discovered and the time the patch is delivered. During that time frame, an attacker can easily attempt an attack. The book puts a lot of effort into how to solve that problem, but there is no panacea that solves it all. Again, no network security means no network.
Thanks,