
[HTB Academy] Vulnerability Assessment Notes (1)

Sungyeon Kim 2025. 1. 16. 00:36

1. Vulnerability Assessment vs Penetration Tests

- Vulnerability assessments look for vulnerabilities in networks without simulating cyber attacks. All companies should perform vulnerability assessments periodically.

- A wide variety of security standards can be used as the basis for a vulnerability assessment, such as GDPR compliance requirements or the OWASP web application security standards.

- Penetration tests evaluate the security of different assets and the impact of the issues present in the environment.

- Pentests should only be performed after vulnerability assessments have been conducted successfully and their findings have been fixed.

 

2. Asset Management

- When an organization plans its cybersecurity strategy, it should start by creating an inventory of its data assets. If you want to protect something, you must first know what you are protecting. Only then can the process of asset management begin. This is a key concept in defensive security.

 

1) Application and System Inventory

- Data assets include:

(1) All data stored on-premises: HDDs and SSDs in endpoints (PCs and mobile devices), HDDs and SSDs in servers, external drives on the local network, optical media (DVDs, Blu-ray discs, CDs), and flash media (USB sticks, SD cards). Legacy technology may include floppy disks, ZIP drives (a relic from the 1990s), and tape drives.

(2) All data storage held by their cloud provider

(3) All data stored within various Software-as-a-Service (SaaS) applications. Think of online services such as Google Drive, Dropbox, Microsoft Teams, and Apple iCloud.

(4) All of the applications a company needs in order to conduct its usual operations and business

(5) All of a company's on-premises computer networking devices

 

3. Penetration Testing Standards

- Penetration tests should not be performed without any rules or guidelines.

 

1) PTES

- Penetration Testing Execution Standard

- It can be applied to all types of penetration tests

 

(1) Pre-engagement Interactions

(2) Intelligence Gathering

(3) Threat Modeling

(4) Vulnerability Analysis

(5) Exploitation

(6) Post Exploitation

(7) Reporting

 

2) OSSTMM

- Open Source Security Testing Methodology Manual

- It is divided into five different channels for five different areas of pentesting

 

(1) Human Security (human beings are subject to social engineering exploits)

(2) Physical Security

(3) Wireless Communications (including but not limited to technologies like WiFi and Bluetooth)

(4) Telecommunications

(5) Data Networks

 

3) NIST

- National Institute of Standards and Technology

 

(1) Planning

(2) Discovery

(3) Attack

(4) Reporting

 

4) OWASP

- Open Web Application Security Project

 

4. CVSS

- Common Vulnerability Scoring System

- The CVSS is often used together with the so-called Microsoft DREAD.

- DREAD is a risk assessment system.

 

1) Base Metric Group

(1) Exploitability Metrics

- Attack Vector

- Attack Complexity

- Privileges Required

- User Interaction

 

(2) Impact Metrics

 

2) Temporal Metric Group

(1) Exploit Code Maturity

- This metric represents the probability of an issue being exploited, based on how mature and easy to use the available exploitation techniques are.

- There are various metric values associated with this metric:

a. Not Defined: Skipping this metric

b. High: An exploit is consistently working for the issue and is easily identifiable with automated tools

c. Functional: There is exploit code available to the public

d. Proof-of-Concept: PoC exploit code is available but would require changes for an attacker to exploit the issue successfully

e. Unproven

 

(2) Remediation Level

- It is used to prioritize a vulnerability according to how far the vendor has progressed with a fix.

- The metric values associated with this metric include:

a. Not Defined

b. Unavailable: There is no patch available for the vulnerability

c. Workaround: An unofficial solution has been released to use until the vendor provides an official patch

d. Temporary Fix: The vendor has provided an official temporary solution but has not yet released a patch for the issue.

e. Official Fix: The vendor has released an official patch for the issue to the public.

 

(3) Report Confidence

- Measures how well the vulnerability has been validated and how accurate the technical details of the issue are.

- The metric values associated with this metric include:

a. Not Defined

b. Confirmed: There are various sources with detailed information confirming the vulnerability

c. Reasonable: Sources have published information about the vulnerability, but there is no complete confidence that someone else would achieve the same result, because details needed to reproduce the exploit are missing.

d. Unknown

 

3) Environmental Metric Group

- The significance of the vulnerability to a specific organization, taking into account the CIA triad.

 

(1) Modified Base Metrics

- The base metrics that can be altered if the affected organization judges the risk to the Confidentiality, Integrity, or Availability of its own systems to be more significant than the default.

 

a. Not Defined

b. High: A loss of one of the elements of the CIA triad would have catastrophic effects on the overall organization and its customers

c. Medium

d. Low