In this 2nd installment of the ransomware prevention series we cover vulnerability scanning and analysis. Part 1 (DNS filtering) is here, or go here for the entire series of posts.

So without further ado, repeat after me:

Vulnerability scanning and analysis is not the same as patch management.

Vulnerability scanning and analysis is not the same as patch management.

Vulnerability scanning and analysis is not the same as patch management.


(Patch management is a later post)

OK, now we have that out of the way let me explain why they are not the same. Think of it this way: not everything that is vulnerable can be mitigated (notice I didn't say patched....). Say what now Darren? Let's take a simple example, Windows 2003 Server. Yes, they still exist. In your patch management software a Windows 2003 Server will most likely be shown as fully patched and hence give you warm fuzzy feelings that it is "safe", because it is "safe" insofar as you have every patch Microsoft has issued installed on said server. But this does not mean a fully patched Windows 2003 Server is protected from all known vulnerabilities, because it's not. In fact just being end of life (it went EOL in July of 2015) makes it a vulnerability, simply due to the fact that it no longer receives patches. It's not just Windows. Ubuntu Linux 14.04 LTS went EOL in April 2019. Again, any Ubuntu 14s you may have are probably fully patched. But only for Ubuntu 14 and only up to April 2019 (FWIW Ubuntu 16 LTS went EOL in April 2021). It's not just OSes, what about old, old versions of Java (well, any Java really)? Flash? Office 2010? All may show as fully patched. See the difference here:

Vulnerability scanning and analysis is not the same as patch management.


The 2nd reason that vulnerability scanning and analysis is not the same as patch management is that the latter almost always *only* looks to see if the patch is installed. The former (usually) checks that it's active. There are many, many Windows updates that you dutifully install that also require administrators to add a GPO or change a registry key in order to make the patch active. A good example of this is MS KB3000483.
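Here's what "installed but not active" looks like in practice. This is an added example, not from the original post: KB3000483 (MS15-011, Group Policy hardening) does nothing on its own until the "Hardened UNC Paths" policy is configured, and that policy lands in the registry key checked below. The two share paths (\\*\NETLOGON and \\*\SYSVOL) and the two required settings are my reading of Microsoft's guidance for that update, so confirm them against the KB article before relying on this for anything other than a demonstration.

```powershell
# Added example (not from the original post): is a patch merely INSTALLED, or is it
# also ACTIVE? KB3000483 (MS15-011) only takes effect once "Hardened UNC Paths" is
# configured via GPO, which is written to the registry key below. The share paths
# and required settings are assumed from Microsoft's guidance for MS15-011.
# Run in an elevated PowerShell session on the host being checked.

$Kb       = 'KB3000483'
$RegPath  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
$Expected = @('\\*\NETLOGON', '\\*\SYSVOL')

function Test-PatchInstalled {
    param([string]$Id)
    # Get-HotFix reads Win32_QuickFixEngineering; an update folded into a later
    # cumulative rollup may not appear under its own KB number, so treat a
    # negative here as "investigate", not as proof the fix is absent.
    return [bool](Get-HotFix -Id $Id -ErrorAction SilentlyContinue)
}

function Test-HardenedPathsActive {
    param([string]$Path, [string[]]$Shares)
    if (-not (Test-Path $Path)) { return $false }
    $key = Get-ItemProperty -Path $Path
    foreach ($share in $Shares) {
        # Registry value names contain backslashes and '*', so look them up
        # literally instead of letting a cmdlet treat them as wildcards.
        $prop = $key.PSObject.Properties[$share]
        if (-not $prop) { return $false }
        # Both settings must be present for the hardening to protect that share.
        if ($prop.Value -notmatch 'RequireMutualAuthentication=1' -or
            $prop.Value -notmatch 'RequireIntegrity=1') { return $false }
    }
    return $true
}

$installed = Test-PatchInstalled -Id $Kb
$active    = Test-HardenedPathsActive -Path $RegPath -Shares $Expected

if     ($installed -and $active) { $verdict = 'Mitigated' }
elseif ($installed)              { $verdict = 'Installed but NOT active: configure Hardened UNC Paths' }
else                             { $verdict = 'Patch not found' }

# Patch management stops at "Installed"; a vulnerability scanner cares about "Active".
[pscustomobject]@{
    Computer        = $env:COMPUTERNAME
    Patch           = $Kb
    Installed       = $installed
    HardeningActive = $active
    Verdict         = $verdict
}
```

The interesting row is the middle verdict: a host that reports `Installed = True` and `HardeningActive = False` is exactly the machine your patch management console shows as green and your vulnerability scanner shows as red.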

The 3rd reason that vulnerability scanning and analysis is not the same as patch management is that the former can scan more than just endpoints with Windows, Linux and MacOS. Copiers, switches, routers, et al are probably nowhere to be found in your patch management solution. Chances are they are in your vulnerability scanning system, along with their issues (such as Ripple20, which is present in a whole host of IoT and MFC devices).

It is worth noting that the world + dog gets very excited by esoteric zero day vulnerabilities that require root or admin access and local logon and the wind to be from ESE. Sure you should be concerned about that (and know the impacts to your organization and patch or otherwise mitigate), but if you don't have a vulnerability management solution in place you have a lot more to worry about than what the press tells you to worry about. The annual top 10s of actively exploited vulnerabilities are filled with older exploits (so not new, and *definitely* not zero day any longer), 2 to 3 year old vulnerabilities (some date back to 2014 and beyond!!!) that can be mitigated, but for some unknown reason (negligence and/or inexperience being my best guess) have been left unmitigated by the attacked organizations. Indeed in 2020 only two (yes, two) of the top 10 exploited vulnerabilities have CVEs dated in 2020, meaning they were uncovered and reported in 2020!!! Two. See the CISA Top 10 Routinely Exploited Vulnerabilities and Security Intelligence's Top 10 Cybersecurity Vulnerabilities of 2020 for more details on this. SMBv1 is also another common vulnerability, so big in fact that Microsoft have completely removed it from Server 2019 onwards. You should do the same for everything < Server 2019. SMBv1 being active would not show in patch management because:

Vulnerability scanning and analysis is not the same as patch management.
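SMBv1 is a good illustration because it is a configuration state, not a missing patch, so nothing that asks "is KB such-and-such installed?" will ever flag it. Below is an added example (mine, not from the original post) that reports the SMBv1 state of a Windows host the way a scanner would judge it and, with a switch, turns it off. It uses `Get-SmbServerConfiguration` and `Get-WindowsOptionalFeature` where they exist (Windows 8 / Server 2012 and later) and falls back to the `LanmanServer` registry value on older hosts; `StartType` on the client driver service needs PowerShell 5 or later. Run it elevated.

```powershell
# Added example (not from the original post): report whether SMBv1 is still enabled,
# a configuration state that no "is the patch installed?" check will surface.
# -Remediate turns SMBv1 off; removing the optional feature needs a reboot to finish.

$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1Status {
    param([switch]$Remediate)

    # Server side: is this host willing to SERVE SMBv1?
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $serverEnabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        # Server 2008 R2 / Windows 7: a missing SMB1 value means enabled (the default), 0 means disabled.
        $p = Get-ItemProperty -Path $LanmanParams
        $serverEnabled = ($null -eq $p.SMB1) -or ($p.SMB1 -ne 0)
    }

    # Feature level: is the SMB1 component installed at all? On builds that ship
    # without it this comes back as 'NotPresent'.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feature) { $featureState = [string]$feature.State } else { $featureState = 'NotPresent' }

    # Client side: the legacy SMBv1 redirector driver service.
    $client = Get-Service -Name mrxsmb10 -ErrorAction SilentlyContinue
    if ($client) { $clientStart = [string]$client.StartType } else { $clientStart = 'NotPresent' }

    if ($Remediate -and $serverEnabled) {
        if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
            Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        } else {
            Set-ItemProperty -Path $LanmanParams -Name SMB1 -Value 0 -Type DWord
        }
        if ($feature -and $feature.State -eq 'Enabled') {
            Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        }
        $serverEnabled = $false
    }

    if ($serverEnabled) { $finding = 'SMBv1 enabled: disable it' } else { $finding = 'SMBv1 disabled' }

    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        Smb1ServerEnabled = $serverEnabled
        Smb1Feature       = $featureState
        Smb1ClientService = $clientStart
        Finding           = $finding
    }
}

Get-Smb1Status   # add -Remediate to turn SMBv1 off
```

Run it read-only first across a few hosts and compare the `Finding` column with what your patch management console says about the same machines; they will disagree, and that disagreement is the whole point of this post.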


From a scanning perspective scan your most public attack area more often. Then split your network segments into scannable chunks. Some solutions can have multiple scanners on different subnets to increase speed of scans and reduce network traffic. Also warn your security folks and always have permission to scan said networks.

Once you have a vulnerability list from your scan(s) (yes, it will be a large list) you can now start to mitigate the risks or choose to live with them based on some sort of criteria you set (severity, exploitability, etc). But at least you know, so if you choose to leave a Windows 2000 Server up and running you may take extra precautions around it (because not everything has a patch or mitigation, and really some shit just needs to be retired and thrown out).

Here's an example from the older OpenVAS of an actual scan back in April 2020 with lots of actionable intelligence and some false positives (those top 3 would be very, very important were those servers open to the world via SSH; they are not). In this example I would probably choose to prioritize mitigation of items >5.0 in severity. The location of the scanned networks may also play a role in mitigation priority, for example I'd almost always prioritize mitigating a DMZ subnet over a LAN subnet (hopefully for obvious reasons):


Image:Ransomware Prevention Part 2 - Vulnerability Scanning
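To make the triage rules above concrete, here is an added example (mine, not from the original post) that applies them to scanner output. The CSV is constructed sample data with made-up hosts and findings; real exports from OpenVAS/GVM, Nexpose or Nessus use other column names, so map them to Host/Zone/Port/Finding/CVSS/Exploitable/EndOfLife first. The rules are my assumptions following the post: keep items with CVSS above 5.0, work the DMZ before the LAN, then known-exploitable items, then the highest CVSS first. End-of-life items have no patch, so their "fix" is retire or isolate rather than mitigate.

```powershell
# Added example (not from the original post): a first triage pass over scan results.
# $SampleScan is CONSTRUCTED data; adjust the column mapping for your scanner's export.

$SampleScan = @'
Host,Zone,Port,Finding,CVSS,Exploitable,EndOfLife
10.0.1.10,DMZ,445,SMBv1 enabled,7.5,Yes,No
10.0.1.11,DMZ,443,TLS 1.0 supported,4.3,No,No
10.0.1.12,DMZ,22,OpenSSH weak MAC algorithms,5.3,No,No
192.168.1.20,LAN,22,OpenSSH weak MAC algorithms,5.3,No,No
192.168.1.21,LAN,0,Windows Server 2003 end of life,10.0,Yes,Yes
192.168.1.22,LAN,0,Ubuntu 14.04 LTS end of life,10.0,No,Yes
192.168.1.23,LAN,445,Insecure Windows service permissions,6.8,Yes,No
192.168.1.24,LAN,80,HTTP TRACE method enabled,3.1,No,No
'@

# Lower rank = worked first. Add your own segments (Guest, OT, ...) as needed;
# anything not listed sorts last so an unknown zone is not silently promoted.
$ZoneRank = @{ DMZ = 0; LAN = 1 }

function Get-PrioritizedFindings {
    param(
        [Parameter(Mandatory)][string]$Csv,
        [double]$MinCvss = 5.0          # the post's ">5.0" cut-off
    )
    ConvertFrom-Csv $Csv |
        Where-Object { [double]$_.CVSS -gt $MinCvss } |
        Sort-Object @{ Expression = {
                        $r = $ZoneRank[$_.Zone]
                        if ($null -eq $r) { 99 } else { $r } } },
                    @{ Expression = { $_.Exploitable -ne 'Yes' } },   # $false (exploitable) sorts first
                    @{ Expression = { [double]$_.CVSS }; Descending = $true } |
        Select-Object Host, Zone, Port, Finding, CVSS, Exploitable,
            @{ Name = 'Action'; Expression = {
                if ($_.EndOfLife -eq 'Yes')       { 'Retire or isolate (no patch exists)' }
                elseif ($_.Exploitable -eq 'Yes') { 'Mitigate now (exploit in the wild)' }
                else                              { 'Mitigate' } } }
}

Get-PrioritizedFindings -Csv $SampleScan | Format-Table -AutoSize
```

Notice that the identical OpenSSH finding with the identical CVSS lands near the top for the DMZ host and near the bottom for the LAN host; that is the DMZ-over-LAN call above expressed as a sort key, and it is also how the SSH "false positives" in the OpenVAS screenshot would drop out of the urgent pile without being hidden.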

So where do you get started with vulnerability scanning? If I'd written this a year ago I would have said the free OpenVAS. They used to have a free virtual appliance you could download and scan away. Alas they have moved on from that to the Greenbone Community Edition/Greenbone Vulnerability Manager and there is no longer an appliance. You have to install it from scratch; I have tried several times (both CentOS and Ubuntu) with no success. Still, it does come as a Kali Linux add-on so that's my next course of action. If you know of an appliance version of GCE/GVM leave a comment. So for now it's probably going to be Kali or Rapid7's Nexpose Community Edition if you want to get started with $0 down.

Rapid7's Nexpose Community Edition is good for 1 year but can be re-upped each year. This is now my free, go-to solution.

There is also Nessus Essentials (free for 16 IP addresses per scanner) that also allows you to see the impressive results that Nessus/Tenable can deliver.

From a paid perspective you have a plethora of choices; all of the above have paid options which usually add a host of features such as trend analysis and reporting. The one I'm most familiar with is Tenable.sc, which is Nessus fronted by a reporting engine. Here's the Tenable executive summary:


Image:Ransomware Prevention Part 2 - Vulnerability Scanning

Every vulnerability has a rating and lists if it is known to be exploitable. Most vendors also have a proprietary score beyond CVE/CVSS that allows you to expend your effort on vulnerabilities with actually known in-the-wild exploits:

Image:Ransomware Prevention Part 2 - Vulnerability Scanning

It also includes information on how to fix most issues:


Image:Ransomware Prevention Part 2 - Vulnerability Scanning

Again, it is very unlikely the above vulnerability (insecure Windows Service permissions) would ever be caught by a patch management solution. Because, you guessed it:

Vulnerability scanning and analysis is not the same as patch management.


So there you have it, vulnerability scanning will ferret out all the (potentially) bad things hanging around on your network. As to whether you fix them, well only you can answer that with some testing. But being forewarned is forearmed.
Darren Duke | May 19 2021 02:41:00 AM | ransomware, security
