• OS Vulnerabilities: Unpatched systems, EOL legacy OS missing security updates
• Zero-Day: Exploit unknown to vendor; no patch exists; highest risk, requires compensating controls (WAF, IPS)
• Misconfigurations: Default credentials, unnecessary open ports, excessive permissions, unhardened baseline
• Crypto Weaknesses: Hardcoded keys in source code, misconfigured cipher suites (TLS 1.0/1.1), weak key generation (low entropy)
• Malicious Updates: Compromised vendor software update mechanism (SolarWinds-style); signed malware appears legitimate
• Third-Party Libraries: Unmaintained dependencies with known CVEs; transitive risk
• DDoS: Volumetric (bandwidth flood), Protocol (SYN floods), Application (Layer 7 exhaustion)
– Cloud Mitigation: Scrubbing centers, CDN absorption, anycast diffusion
• Wireless Attacks:
– Rogue AP: Unauthorized AP plugged into corporate LAN
– Evil Twin: Fake AP mimicking legitimate SSID (captures credentials via captive portal)
– Jamming: RF interference to deny service (DoS)
– Disassociation: Deauthentication frames force clients offline (prelude to evil twin)
• CASB: Cloud Access Security Broker; proxy between users and cloud apps; enforces DLP, detects shadow IT, encrypts uploads
• Buffer Overflow: Writing excess data beyond buffer boundaries; crashes or code execution
– Mitigation: Type-safe languages (Java, C#, Python, Rust) manage memory automatically
• Memory/DLL Injection: Malicious code loaded into legitimate process space (e.g., lsass.exe dumping); hijacks privileges
• TOCTOU (Race Conditions): Time-of-check vs time-of-use; attacker changes file/condition between permission check and execution
• Sideloading: Installing apps outside official stores (Android APKs); bypasses vetting
• Rooting/Jailbreaking: Escalating privileges to gain root/admin access; disables sandbox protections, voids security model
• XSS (Cross-Site Scripting): Injecting client-side scripts into web pages viewed by others
– Stored: Persistent in DB; Reflected: Via URL; DOM: Client-side manipulation
• SQL Injection: Malicious SQL commands in input fields; bypass authentication, extract databases
• Replay Attack: Capturing valid transmission and retransmitting later; defeated by nonces, timestamps, session tokens
• Password Spraying: Few common passwords (Password1, Spring2024) against many accounts; evades account lockout thresholds
• Offline Hash Cracking: Password hashes from a stolen database cracked locally using GPUs/rainbow tables; no authentication attempts logged
• Tools: Nessus (commercial), OpenVAS (open-source); automated vulnerability detection
• Scan Types:
– Non-Credentialed: External view like attacker; misses patch levels, registry settings
– Credentialed: Authenticated with admin rights; deep inspection of installed software, configs, lower false positives
• Threat Intelligence:
– Threat Feeds: Real-time IOCs (IPs, file hashes, domains)
– ISACs: Information Sharing and Analysis Centers (sector-specific: FS-ISAC for finance, MS-ISAC for states)
– OSINT: Open Source Intelligence; public data mining (social media, DNS, job postings, Shodan)
– Deep Web: Unindexed content (private corp databases); Dark Web: Tor/I2P overlay networks, anonymized markets and leak sites
• Pentesting:
– Unknown (Black Box): No prior knowledge; realistic attacker simulation
– Known (White Box): Full docs, source code, architecture diagrams
– Partially Known (Gray Box): Limited credentials or network map (common middle ground)
• CVE: Common Vulnerabilities and Exposures; standard ID format (CVE-2024-XXXX)
• CVSS: Common Vulnerability Scoring System; 0-10 severity (Base/Temporal/Environmental metrics)
• NVD: National Vulnerability Database; US gov repository linking CVEs to analysis
• False Positive: Scan reports vulnerability that doesn’t exist (e.g., backported patches not recognized)
• False Negative: Actual vulnerability missed by scanner (dangerous blind spot)
• Log Review: Manual validation of scan findings against actual system configuration to eliminate false positives
Quick Distinctions: Spraying (many users, few passwords) vs Brute Force (one user, many passwords). Credentialed sees inside; Non-credentialed sees perimeter. Deep Web is unindexed; Dark Web requires Tor. TOCTOU is timing-dependent exploitation.