## Vulnerability Assessment

Vulnerability Assessment is the process of examining, discovering, and identifying the security measures and weaknesses of a system and its applications.
It helps to recognize the vulnerabilities that could be exploited, the need for additional security layers, and the information that can be revealed using scanners.

### Types of Vulnerability Assessment

- **Active Assessments** : actively send requests to the live network and examine the responses. This requires probing the target host.
- **Passive Assessments** : include packet sniffing to discover vulnerabilities, running services, open ports, and more, without interacting with the target host.
- **External Assessment** : find vulnerabilities and exploit them from outside the network.
- **Internal Assessment** : find and exploit vulnerabilities from within the internal network.

### Vulnerability Assessment Life-Cycle

#### Creating baseline

- Identifies the nature of the network, its applications, and services.
- Creates an inventory of all resources and assets, which helps to manage and prioritize the assessment.
- Helps to map the infrastructure and learn about security controls, policies, and standards.
- Helps to plan the process effectively.
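As an added example (not part of the original notes) of how the passive approach feeds the baseline step: the script below builds a host / open-port / service inventory purely from traffic that was already captured, so it never sends a packet to the target hosts. It also pulls product and version strings out of observed banners (input for a later CVE lookup) and flags cleartext login protocols as items for the risk-assessment step. The capture lines, their one-line-per-flow format, and the addresses are constructed sample data; in practice the input would come from a sniffer or flow collector.

```python
"""Passive service inventory from observed traffic.

Added example, not code from the original notes. The inventory is built
only from traffic that was already captured; nothing is sent to a host.
The capture text below is constructed sample data in an invented
one-line-per-flow format, not real sniffer output.
"""
import re
from collections import defaultdict

# Constructed sample: timestamp, client -> server:port, optional banner seen
# in the server's first reply.
CAPTURE = """\
2024-03-01T09:00:01Z 10.0.0.5:51000 -> 10.0.0.20:22 banner="SSH-2.0-OpenSSH_8.9"
2024-03-01T09:00:03Z 10.0.0.5:51001 -> 10.0.0.20:80 banner="Server: nginx/1.24.0"
2024-03-01T09:00:07Z 10.0.0.9:40222 -> 10.0.0.21:23 banner="login:"
2024-03-01T09:00:09Z 10.0.0.9:40223 -> 10.0.0.21:21 banner="220 ProFTPD Server ready"
2024-03-01T09:00:12Z 10.0.0.5:51002 -> 10.0.0.20:22 banner="SSH-2.0-OpenSSH_8.9"
2024-03-01T09:00:15Z 10.0.0.7:38000 -> 10.0.0.22:443
"""

FLOW_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[\d.]+):(?P<port>\d+)'
    r'(?: banner="(?P<banner>[^"]*)")?$'
)

# Protocols that carry credentials in cleartext. Seeing one is a finding to
# review in the risk-assessment step, not proof of a compromise.
CLEARTEXT_SERVICES = {21: "ftp", 23: "telnet"}


def parse_capture(text: str) -> dict:
    """Return {server_ip: {port: banner_or_None}} aggregated over all flows."""
    inventory = defaultdict(dict)
    for line in text.splitlines():
        if not line.strip():
            continue
        m = FLOW_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable capture line: {line!r}")
        port = int(m.group("port"))
        host_ports = inventory[m.group("dst")]
        # Keep the first banner observed; later flows may omit it.
        if host_ports.get(port) is None:
            host_ports[port] = m.group("banner")
    return dict(inventory)


def cleartext_findings(inventory: dict) -> list:
    """List (host, port, protocol) for every cleartext login service observed."""
    findings = []
    for host, ports in sorted(inventory.items()):
        for port in sorted(ports):
            if port in CLEARTEXT_SERVICES:
                findings.append((host, port, CLEARTEXT_SERVICES[port]))
    return findings


def software_versions(inventory: dict) -> dict:
    """Extract (product, version) from banners, keyed by (host, port)."""
    versions = {}
    for host, ports in inventory.items():
        for port, banner in ports.items():
            if not banner:
                continue
            m = re.search(r"([A-Za-z]+)[/_](\d+(?:\.\d+)+)", banner)
            if m:
                versions[(host, port)] = (m.group(1), m.group(2))
    return versions


if __name__ == "__main__":
    inv = parse_capture(CAPTURE)
    for host, ports in sorted(inv.items()):
        print(host, {p: b for p, b in sorted(ports.items())})
    print("cleartext services:", cleartext_findings(inv))
    print("versions seen:", software_versions(inv))
```

Banners without a recognisable version (the `login:` prompt, the ProFTPD greeting) are kept in the inventory but produce no version entry, so the CVE lookup step only receives strings it can actually match.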

#### Vulnerability Assessment

- Includes examination and inspection of security measures (physical security, security policies and controls, ...).
- The target is evaluated for misconfigurations, default configurations, faults, and other vulnerabilities.
- Each component is probed individually or with assessment tools.
- The report shows the vulnerabilities, their scope, and their priorities.

#### Risk Assessment

- Scoping the identified vulnerabilities and their impact on the infrastructure

#### Remediation

- Remedial actions for the detected vulnerabilities
- Start with the highest priority

#### Verification

- Make sure that all vulnerabilities are eliminated

#### Monitor

- Monitor the network traffic and system behaviors for any further intrusion

## Vulnerability Assessment Solutions

### Product-based solution vs Service-based solution

- **Product-based solutions** are deployed within the network, usually dedicated to the internal network.
- **Service-based solutions** are third-party solutions that offer security and auditing. They can be hosted either inside or outside the network, which carries the risk of the solution itself being compromised.

### Tree-based Assessment vs Inference-based Assessment

- **Tree-based Assessment** is the approach in which the auditor follows a different strategy for each component of an environment.
- **Inference-based Assessment** is the approach in which the assessment is driven by the inventory of protocols found in the environment.

## Best Practice

- Know your tool; know everything about it.
- Make sure **not** to cause any damage with the tool.
- Confirm the source location of the scan to narrow the focus area.
- Run scans frequently.

## Vulnerability Scoring System

### Common Vulnerability Scoring System (CVSS)

- None: 0.0
- Low: 0.1 - 3.9
- Medium: 4.0 - 6.9
- High: 7.0 - 8.9
- Critical: 9.0 - 10.0

### Common Vulnerabilities and Exposures (CVE)

Another platform for finding information about vulnerabilities.

Databases:

- https://nvd.nist.gov/
- https://cve.mitre.org/

## Vulnerability Scanning

Vulnerability scanners are automated utilities that detect vulnerabilities.
These scanning tools perform deep inspection of scripts, open ports, banners, running services, configuration errors, etc.

Top scanners:

- Nessus
- OpenVAS
- OWASP ZAP
- Vega
- Nexpose
- Retina
- GFI LanGuard
