Welcome to Vulnerability Assessment Tools, brought to you by IBM. In this video, we'll discuss various types of vulnerability assessment scanners. We'll discuss the Common Vulnerability Scoring System and how scores are assigned to vulnerabilities. You will be able to describe the use of a Security Technical Implementation Guide, or STIG, to enhance the overall security posture. And last, you'll be able to describe how to use the Center for Internet Security benchmark hardening/vulnerability checklists. Let's get started.

According to the National Institute of Standards and Technology, vulnerability scanning identifies hosts and host attributes, like operating systems, applications, and open ports. But it also attempts to identify vulnerabilities, rather than relying on human interpretation of the scanning results. Vulnerability scanning can help identify outdated software versions, missing patches, and misconfigurations, and validate compliance with, or deviations from, an organization's security policy.

What is a vulnerability scanner? A vulnerability scanner is a software suite with many capabilities, whose main job is to assess a system for potential weaknesses that threats could exploit. The capabilities of a vulnerability scanner include keeping an up-to-date database of all known vulnerabilities and exploits, and detecting genuine vulnerabilities without an excessive number of false positives. It has the ability to conduct multiple scans at the same time, perform trend analyses, and create clear reports of the results. Scanners also provide recommendations for effective countermeasures to eliminate any discovered vulnerabilities.

Vulnerability scanners are made up of four main components: the engine scanner, databases, report modules, and the user interface. The engine scanner performs security checks according to its installed plugins, identifying system information and vulnerabilities.
The built-in databases store all the vulnerability information, the scan results, and other data used by the scanner. The report module provides scan result reporting, such as technical reports for system administrators, summary reports for security managers, and high-level graph and trend reports for corporate executive leadership. And last, the user interface allows the administrator to operate the scanner. It may be either a graphical user interface (GUI) or just a command-line interface.

Vulnerability scans can look for internal threats, external threats, or both. The difference is where the scanner runs from and what it is pointed at. Internal threats, whether intentional or not, make up a large portion of attacks on a system. It could be malware or a virus that is downloaded onto the network through the Internet or a USB drive. It could be a disgruntled employee who has internal network access. It could be an outside attacker who has gained access to the internal network. The internal scan is done by running the vulnerability scanner against the critical components of the network from a machine that is part of the network. These critical components may include a core router, switches, workstations, web servers, databases, and so on. On the other hand, the external scan is needed to detect vulnerabilities in the Internet-facing assets through which an attacker could gain internal access. The external scan is done by running a vulnerability scanner against the host from the Internet. It is always a good idea to eliminate the open issues or loopholes before they can be exploited by a malicious user or an attacker.

One way to determine how big a threat something is, is to use the Common Vulnerability Scoring System. The Common Vulnerability Scoring System is a way of assigning severity rankings to computer system vulnerabilities, ranging from zero (least severe) to ten (most severe).
The CVSS provides a standardized vulnerability score across the industry, helping critical information flow more evenly between teams within an organization and between organizations. The formula for determining the score is public and freely distributed, providing transparency. It also helps prioritize risk: the CVSS ranking provides both a general score and more specific metrics. The score itself is broken out into three main areas, a base score, a temporal score, and an environmental score, which together provide the overall score of zero through ten.

So the CVSS score has three values for ranking a vulnerability. A base score, which gives an idea of how easy it is to exploit the vulnerability and how much damage an exploit targeting that vulnerability could inflict. The temporal score, which ranks how aware people are of the vulnerability, what remedial steps are being taken, and whether threat actors are targeting it. And an environmental score, which provides a more customized metric specific to an organization or work environment.

Let's break these down further. It should be noted that this will be a pretty high-level overview of the breakdown of the CVSS score. I highly recommend, after the video is over, checking out a CVSS score calculator, where you can see all the different things that make up each subscore. With that being said, the base score is actually broken into two subscores, exploitability and impact. For the exploitability subscore, they take a look at the attack vector, the attack complexity, the privileges required, and what user interaction is involved. The impact subscore has to do with the CIA triad: how does it impact the confidentiality, integrity, and availability of services? The temporal score takes a look at three things: the exploit code's maturity, the remediation level, and the report confidence.
And last, the environmental score takes a look at the security requirements subscore, and then also takes into account an impact score of the CIA triad.

Another assessment tool is the use of STIGs, Security Technical Implementation Guides. The Defense Information Systems Agency, or DISA, is the entity responsible for maintaining the security posture of the Department of Defense IT infrastructure. Default configurations for many applications are inadequate in terms of security. Therefore DISA felt that developing a security standard for these applications would allow various DoD agencies to use the same standard, or STIG, across all application instances that exist. STIGs exist for a variety of software packages, including operating systems, database applications, open source software, network devices, wireless devices, and virtualization software. And the list continues to grow, now even including mobile operating systems. To view the most current STIGs, you can visit the Department of Defense's public cyber exchange website, that's public.cyber.mil/stigs. There you can see the most current updates and download a STIG viewer application; they have one for each operating system. So you can explore those databases and see what the most current Security Technical Implementation Guide is for any given application.

The last vulnerability assessment tool we'll be discussing in this video is the Center for Internet Security's benchmarks and controls. The CIS benchmarks and controls are much like the STIGs in that they provide guidelines and recommendations for security settings and configurations for any given application or process. The difference is that, instead of coming from the DoD, they come from security professionals and those in the industry. The CIS benchmarks are the only consensus-based best practice security configuration guides both developed and accepted by government, businesses, industry, and academia.
The initial benchmark development process defines the scope of the benchmark and begins the discussion, creation, and testing of working drafts. Using the CIS WorkBench community website, discussion threads are established to continue a dialogue until consensus has been reached on the proposed recommendations and the working drafts. Once consensus has been reached in the CIS WorkBench community, the final benchmark is published and released online.

The CIS controls are a prioritized set of actions that collectively form a defense-in-depth set of best practices that mitigate the most common attacks against systems and networks. The CIS controls are developed by a community of IT experts who apply their first-hand experience as cyber defenders to create these globally accepted security best practices. The five critical tenets of an effective cyber defense system, as reflected in the CIS Controls, are: offense informs defense, prioritization, measurement and metrics, continuous diagnostics and mitigation, and automation. To be able to use the controls, you need to take a look at what implementation group your business or company falls under, and then compare that to the 20 different controls that the community has come up with. Let's take a look at those now.

The implementation groups are defined by the company's security needs, one being the least (or normal) amount and three being the maximum. Implementation group one covers the sub-controls for small, commercial off-the-shelf or home office software environments where the sensitivity of the data is low. Any implementation group one steps should also be followed by organizations in groups two and three. And this goes for all of them: group three should also cover groups two and one, group two should also cover group one, and group one covers just group one.
Implementation group two covers the sub-controls focused on helping security teams manage sensitive client or company information. And then, for the greatest security needs, implementation group three covers the sub-controls that reduce the impact of zero-day attacks and targeted attacks from sophisticated adversaries. Now, these implementation groups are applied to the 20 different control groups. So for each of these control groups, there will be an implementation group one, two, and three level response. As you can imagine, there are a lot of different combinations. Let's go ahead and take a look at those now.

Here are the 20 CIS controls. They're broken down into three categories: basic, foundational, and organizational. I'm not going to sit here and read you a list of 20. You can pause the video and read these, or you can go to the CIS website and download them in PDF or Excel format to review yourself.

And that'll do it for this video on Vulnerability Assessment Tools. Thanks for watching. We'll see you in the next video.