If you’re planning on taking the Security+ exam, you should have a good understanding of vulnerability assessment and other techniques used to detect vulnerabilities.
For example, can you answer this question?
Q. Your organization develops application software, which it sells to other companies for commercial use. Your organization wants to ensure that the software isn’t susceptible to common vulnerabilities, such as buffer overflow attacks and race conditions. What should the organization implement to ensure software meets this standard?
A. Input validation
B. Change management
C. Code review
D. Regression testing
More importantly, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
Vulnerability Assessment
Vulnerability assessments are broader than just vulnerability scans. A vulnerability scanner can discover technical vulnerabilities, such as missing patches, weak configurations, and open ports, but an organization can also have nontechnical vulnerabilities, such as weak physical access controls or employees who can be tricked, that no scanner will find.
A vulnerability assessment can also check for nontechnical vulnerabilities. For example, Chapter 6 of the CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide mentioned tailgating, where an employee follows closely behind another employee without using credentials. One employee uses a proximity card to open a door and other employees follow. If employees are tailgating, can an attacker do the same? Theoretically, yes, but in many cases, management wants more than theory. A vulnerability assessment can include a test to see if a visitor can access secure spaces without credentials.
Similarly, employees may be susceptible to social engineering attacks. An attacker may use low-tech methods to trick employees into revealing sensitive information. Educated employees often recognize these techniques, but even if a company provides training, it doesn’t necessarily mean that the employees have absorbed it. A vulnerability assessment can verify whether the training was effective and sometimes identify which employees represent the highest risks.
For example, users should not give their password out to anyone, and many organizations regularly remind users of this security practice. However, will users give out their password?
I remember one vulnerability assessment performed within a bank. The testers drafted an official-looking email explaining a fictitious problem, but linked it to an actual internal server migration. The email indicated that due to the migration, there was a problem with the accounts and users would lose account access unless they provided their password. All of the employees attended training less than a month earlier on the importance of not giving out their passwords. Still, over 35 percent of the employees provided their password in response to this email.
Other Assessment Techniques
Other assessment techniques include:
- Baseline reporting. Chapter 5 of the CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide presented information on baselines, including security baselines and configuration baselines. Many vulnerability assessment tools can perform baseline reviews by comparing current security and configuration data with a baseline to detect changes. These changes can introduce vulnerabilities, so they should be investigated.
- Code review. Chapter 7 of the CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide discussed methods of ensuring that code is secure and mentioned the importance of code review. A code review goes line-by-line through the code and can help detect vulnerabilities, such as race conditions or susceptibility to buffer overflow attacks. Other programmers often perform them as a peer assessment.
- Attack surface review. The attack surface refers to the attack vectors available on a system, such as open ports, running services, and enabled protocols. By hardening a system (disabling unneeded services, closing unused ports, and removing unnecessary software and accounts), you reduce the attack surface, and a vulnerability assessment evaluates a system to determine if it is adequately hardened.
- Architecture review. Security experts review the network architecture by examining the network and looking for potential vulnerabilities. For example, a review may discover that a database server is located within a demilitarized zone (DMZ) and is accessible from the Internet. The review can recommend moving the database server behind an additional firewall.
- Design review. Security experts can also identify vulnerabilities by reviewing designs. This includes reviewing the physical layout of a building, the layout of the network, or how an application interacts with other applications or systems. Security is easier to implement early in the design stage than it is to implement later, and a design review ensures that systems and software are developed properly.
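A baseline review and an attack surface review can both be automated once the approved configuration is recorded. The following is an added example (not code from the study guide or from any particular scanner) that compares a constructed current snapshot of a host against a constructed baseline: listening ports, enabled services, hashes of security-relevant files, and key settings. The host name, file contents, and settings are invented for illustration; real tools gather this data from the host, but the comparison logic is the same.

```python
"""Baseline review: compare a host's current security/configuration data
against an approved baseline and report every deviation for investigation.
All data below is constructed for the example."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    category: str   # "host", "ports", "services", "files", or "settings"
    item: str
    detail: str


def fingerprint(content: bytes) -> str:
    """SHA-256 of a file's content; the baseline stores hashes, not copies."""
    return hashlib.sha256(content).hexdigest()


# Constructed baseline: what the hardened build of "web01" should look like.
BASELINE = {
    "web01": {
        "listening_ports": {22, 443},
        "services": {"sshd", "nginx"},
        "files": {"/etc/ssh/sshd_config": fingerprint(
            b"PermitRootLogin no\nPasswordAuthentication no\n")},
        "settings": {"PasswordAuthentication": "no",
                     "PermitRootLogin": "no", "MinPasswordLength": 14},
    }
}

# Constructed current snapshot: telnet was enabled and sshd was loosened.
CURRENT = {
    "web01": {
        "listening_ports": {22, 23, 443, 8080},
        "services": {"sshd", "nginx", "telnetd"},
        "files": {"/etc/ssh/sshd_config": fingerprint(
            b"PermitRootLogin yes\nPasswordAuthentication no\n")},
        "settings": {"PasswordAuthentication": "no",
                     "PermitRootLogin": "yes", "MinPasswordLength": 8},
    }
}


def compare_host(host: str, baseline: dict, current: dict) -> list[Finding]:
    findings = []
    # Attack surface: anything listening that the baseline did not allow,
    # and anything the baseline expects that is no longer there.
    for port in sorted(current["listening_ports"] - baseline["listening_ports"]):
        findings.append(Finding(host, "ports", str(port), "unexpected listening port"))
    for port in sorted(baseline["listening_ports"] - current["listening_ports"]):
        findings.append(Finding(host, "ports", str(port), "expected port not listening"))
    for svc in sorted(current["services"] - baseline["services"]):
        findings.append(Finding(host, "services", svc, "service not in baseline"))
    # Integrity of security-relevant files.
    for path, digest in baseline["files"].items():
        actual = current["files"].get(path)
        if actual is None:
            findings.append(Finding(host, "files", path, "baseline file missing"))
        elif actual != digest:
            findings.append(Finding(host, "files", path, "content differs from baseline"))
    # Individual settings, so the report says what changed, not just that it did.
    for key, expected in baseline["settings"].items():
        actual = current["settings"].get(key)
        if actual != expected:
            findings.append(Finding(host, "settings", key,
                                    f"expected {expected!r}, found {actual!r}"))
    return findings


def baseline_review(baseline: dict, current: dict) -> list[Finding]:
    """Compare every baselined host; a host with no current data is itself a finding."""
    findings = []
    for host in sorted(baseline):
        if host not in current:
            findings.append(Finding(host, "host", host, "no current data for baselined host"))
            continue
        findings.extend(compare_host(host, baseline[host], current[host]))
    return findings


if __name__ == "__main__":
    for f in baseline_review(BASELINE, CURRENT):
        print(f"{f.host} [{f.category}] {f.item}: {f.detail}")
```

Run against the sample data, the review reports six deviations on web01: two unexpected ports (23 and 8080), the telnetd service, the changed sshd_config, and the two weakened settings. Each one is a change from the standard configuration that the assessment team should investigate, because a change like PermitRootLogin yes is exactly the kind that introduces a vulnerability.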
Remember this
A baseline review identifies changes from the standard configuration. Code reviews examine software line-by-line to identify potential vulnerabilities such as race conditions or susceptibility to buffer overflow attacks. Design reviews ensure that systems and software are developed properly.
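A code review is a human, line-by-line activity, but reviewers usually start with a pass that flags the constructs most often behind the two vulnerabilities the question names: unbounded copies into fixed buffers (buffer overflow) and check-then-use on a file path (a time-of-check/time-of-use race condition). The following is an added example, not code from the study guide, of such a pre-pass written in Python over a constructed C sample. The function list, the regular expressions, and the ten-line check-to-use window are heuristic choices made for this example; they tell the reviewer where to read most carefully and do not replace the review.

```python
"""Pre-pass for a code review of C source: flag calls with no length bound on
the destination buffer, and a path that is checked with access()/stat() and
then opened by name shortly afterwards. The sample source is constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Issue:
    line: int
    kind: str
    detail: str


# Functions that copy without a bound on the destination buffer.
UNBOUNDED = {
    "strcpy": "use strncpy/strlcpy or snprintf with the destination size",
    "strcat": "use strncat/strlcat with the remaining space",
    "sprintf": "use snprintf with the destination size",
    "gets": "never safe; use fgets with a bounded size",
}
# \b keeps snprintf() and fgets() from matching sprintf/gets.
CALL_RE = re.compile(r"\b(%s)\s*\(" % "|".join(UNBOUNDED))
# Check-then-use: a path variable tested by name, then opened by name.
CHECK_RE = re.compile(r"\b(access|stat|lstat)\s*\(\s*([A-Za-z_]\w*)")
USE_RE = re.compile(r"\b(open|fopen)\s*\(\s*([A-Za-z_]\w*)")
WINDOW = 10  # heuristic: check and use within this many lines share a code path


def review_c_source(source: str) -> list[Issue]:
    issues = []
    recent_checks = {}  # variable name -> line of the last access()/stat() on it
    for n, text in enumerate(source.splitlines(), start=1):
        code = text.split("//", 1)[0]  # ignore trailing line comments
        m = CALL_RE.search(code)
        if m:
            fn = m.group(1)
            issues.append(Issue(n, "buffer-overflow", f"{fn}(): {UNBOUNDED[fn]}"))
        for _, var in CHECK_RE.findall(code):
            recent_checks[var] = n
        for fn, var in USE_RE.findall(code):
            checked_at = recent_checks.get(var)
            if checked_at is not None and n - checked_at <= WINDOW:
                issues.append(Issue(
                    n, "race-condition",
                    f"{var} checked on line {checked_at}, then {fn}() here (TOCTOU); "
                    "open first, then fstat() the descriptor"))
    return issues


# Constructed C sample: one overflow, one race, and one bounded call that
# must not be flagged.
SAMPLE_C = """\
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>

int save_name(const char *name) {
    char buf[32];
    strcpy(buf, name);             // no bound on name
    return (int)strlen(buf);
}

int read_config(const char *path) {
    if (access(path, R_OK) != 0)   // check ...
        return -1;
    int fd = open(path, O_RDONLY); // ... then use: path can be swapped in between
    return fd;
}

int log_line(const char *msg) {
    char line[80];
    return snprintf(line, sizeof line, "%s", msg);  // bounded, not flagged
}
"""

if __name__ == "__main__":
    for i in review_c_source(SAMPLE_C):
        print(f"line {i.line}: [{i.kind}] {i.detail}")
```

On the sample, the pass reports line 8 (strcpy into a 32-byte buffer) and line 15 (open() on a path that was only checked two lines earlier) and stays silent on the bounded snprintf. The reviewer still reads every line; the point of the pre-pass is that the two flagged lines get read first and with the most suspicion.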
Q. Your organization develops application software, which it sells to other companies for commercial use. Your organization wants to ensure that the software isn’t susceptible to common vulnerabilities, such as buffer overflow attacks and race conditions. What should the organization implement to ensure software meets this standard?
A. Input validation
B. Change management
C. Code review
D. Regression testing
Answer is C. A code review goes line-by-line through the software code looking for vulnerabilities, such as buffer overflows and race conditions.
Input validation helps prevent buffer overflows but does nothing against race conditions.
Change management controls help prevent unintended outages from unauthorized changes; they do not examine code for vulnerabilities.
Regression testing verifies that new patches or changes have not broken existing functionality or reintroduced previously fixed bugs.