
CSOL500 Module 2 Assignment: Vulnerability Assessment Plan Marc Leeka

Introduction

This is a sample Vulnerability Assessment for a small company.

Vulnerability Assessments are designed to yield a prioritized list of vulnerabilities and are
generally for clients who already understand they are not where they want to be in terms of
security. The customer already knows they have issues and needs help identifying and
prioritizing them.[1] More is better in this assessment: the goal is to discover as many
vulnerabilities as possible, prioritize them in terms of how likely and how soon each vulnerability
might be exploited, predict the consequences if such attacks were to succeed, and present
suggestions to remediate, reduce and mitigate the risks that have been identified.

In most instances, the vulnerability assessment takes minimal effort[2] and white box tools should
be used to simplify and accelerate the assessment completion.

Assessment                 Difficulty (1-5, 5=hardest)   Use Cases                                        Tools
Vulnerability Assessment   2 (Minimal effort)            Scan your internal network for missing           Nessus, SAINT, OpenVAS, Nikto,
                                                         vendor patches; scan your external network       WebInspect, Netsparker and Qualys
                                                         for vulnerabilities, such as Heartbleed

Although a vulnerability assessment can be narrowly restricted to a single item such as one
firewall, assessments typically span three broad areas:
Infrastructure Security (the internal and external network, servers, workstations, wireless
access, firewalls, host and network devices).
Application Security (software, mobile applications, database and middleware).
Social Engineering (humans are the weakest link).

Occasionally an assessment will include Physical Security.

Vulnerability analysis consists of four steps:

Step One: discovering assets; defining and classifying network or system resources.
Step Two: assigning relative levels of importance to the resources.
Step Three: identifying potential threats to each resource.
Step Four: defining and implementing ways to minimize the consequences if an attack
occurs, and developing a strategy to deal with the most serious potential problems first.

[1] Miessler, D. (2015, August). The Difference Between a Vulnerability Assessment and a Penetration Test.
Retrieved January 31, 2016, from https://danielmiessler.com/essays/vulnerability_assessment_penetration_test/
[2] Martin-Vegue, T. (2015, May 13). What's the difference between a vulnerability scan, penetration test and a risk
analysis? Retrieved January 31, 2016, from http://www.csoonline.com/article/2921148/network-security/whats-the-difference-between-a-vulnerability-scan-penetration-test-and-a-risk-analysis.html


Vulnerability assessment is considered by many to be the key technology component of
vulnerability management. The Computer Security Handbook describes it as a loop: run a test, store the
test results, compare the results against a reference, and report the differences. This is the
technical counterpart of the vulnerability management cycle: inventory, focus, assess, respond.[3]

Assignment Plan

For my vulnerability assessment on the information system at my company, I proceeded linearly
using spreadsheet templates adapted from the annual security assessment plan found at
https://www.fedramp.gov/resources/templates-3/. I found additional helpful templates at
http://website-box.net/se-keyword/security+assessment+template. Although both resources were
clearly labeled vulnerability assessment, both included penetration testing results and
extensive technical references.

This vulnerability assessment scope will be limited to physical hardware that is attached to the
internal network, software used at the company and the external connection to the network. This is a
manageable goal that allows me to try VASs, prioritize potential threats and offer quick and
inexpensive remediation. In keeping with what I have learned from decades working with small-business
owners, they will ask four questions: What is wrong; what do you have to do to fix it; how long
will it take; and what will it cost? Small businesses are most often hit hard by simple viruses or
equipment failure, not sophisticated external attacks. I am not discounting the possibility or
seriousness of external attacks, however. I am confident that fixing the small stuff leads to the
conversation where we may fix the big, expensive stuff.

[3] Bosworth, S., Kabay, M. E., & Whyne, E. (2014). Computer Security Handbook (Vol. 6, p. 462). New York: John
Wiley & Sons.


Step One: discovering assets; defining and classifying network or system resources

I inventoried assets using Nessus, downloaded from www.tenable.com. Other VASs include
SAINT, OpenVAS, Nikto, WebInspect, Netsparker and Qualys (extensively reviewed in the
SANS.org article provided in the assignment readings).

I limited the network scan to 192.168.4.1-254. There is only one subnet at Computer Physicians Inc.

I found the advantage of the Nessus software over Linux resources to be the all-in-one ease of
use to identify items on the network, some brief description, operating system and vulnerability
scanning (software compliance and configuration).

The scan did not include software applications that run on the workstations. This company has
only a handful of applications, and all workstations are relatively similar. I am previously
familiar with Secunia Personal Software Inspector (PSI); a trial copy is available at
http://www.flexerasoftware.com/enterprise/products/software-vulnerability-management/personal-software-inspector/.
I did not run that scan.

Within the network I was credentialed.

The VAS ran quickly on my small network but it was very intrusive. In the future I would not
run it during business hours.


Results of Step One

The Nessus scan created an inventory of IP addresses. I organized the hardware by operating
system and function.

Unique ID                     Operating System      Function
192.168.4.1                                         firewall
192.168.4.4    DOLAND2        Windows Server 2000   Former RDP Terminal Server
192.168.4.6    CPIVM-2012     Windows Server 2012   VM host to 4 servers
192.168.4.7    CPIDC2012      Windows Server 2012   VM-1 Domain Controller
192.168.4.12   CPI2k10        Windows Server 2008   VM-2 Exchange post office
192.168.4.19   SHAREPOINT     Windows Server 2003   GFI fax server
192.168.4.25   DOLAND2k8      Windows Server 2008   VM-3 Cloud backup server
192.168.4.34   CPINAS03       Linux                 Local NAS backup device
192.168.4.103  DJBASH         Windows 7             employee workstation
192.168.4.109  VM-2X          Windows Server 2012   VM-4 2X host server
192.168.4.117  CP12-PEARL     Windows 7             employee workstation
192.168.4.134  PM10-CHRIS     Windows 7             employee workstation
192.168.4.137  COMPPHYS       Windows 7             employee workstation
192.168.4.141  CP09-MARC      Windows 7             employee workstation
192.168.4.251  LaserJet 4050                        Shared printer

I inserted this inventory into my spreadsheet and began adding new items, columns and
descriptions.

Additional tabs on the spreadsheet were populated from
https://www.owasp.org/index.php/Testing_Checklist.


Step Two: assigning relative levels of importance to the resources.

Spreadsheet assets are assigned labels: Inconsequential, Low, Medium, High.

Step Three: Identifying potential threats to each resource.

See spreadsheet.

Category | Asset | Description | Last Modified | Importance to operations | Vulnerabilities | Risk | Remediation | Immediate Resources | Additional Tools | Importance / Risk
Software | Antivirus | Symantec Endpoint Protection 12.6; general software | 10/14/2015 | H | Missing patches | L | Scan for updates and missing patches | Symantec online updates (http://www.symantec.com/security_response/definitions/download/detail.jsp?gid=sep) | Nessus scan for missing patches (www.tenable.com); SAINT, OpenVAS, Nitko | M
Software | Office | MS Office 2010; general software | 7/7/2011 | M | Missing patches | L | Scan for updates and missing patches | Microsoft online updates | Nessus scan for missing patches (www.tenable.com); SAINT, OpenVAS, Nitko | L
Software | Office | QuickBooks 2015; general software | 10/15/2014 | M | Missing patches | L | Scan for updates and missing patches | Intuit online updates (http://support.quickbooks.intuit.com) | Nessus scan for missing patches (www.tenable.com); SAINT, OpenVAS, Nitko | L
Software | Cloud | AutoTask; general software | 1/31/2016 | H | Missing patches | L | Updated daily | www.autotask.net | | M
Hardware | Firewall | 192.168.4.1 firewall | | H | Missing firmware updates | M | Scan for new firmware | www.mysonicwall.com | | H
Hardware | Server 192.168.4.4 DOLAND2 | Windows Server 2000; former RDP Terminal Server | | I | Missing patches | H | Scan for updates and missing patches | None. End of Life. | FileHippo or Personal Software Inspector | L
Hardware | Server 192.168.4.6 CPIVM-2012 | Windows Server 2012; VM host to 4 servers | | H | Missing patches | L | Scan for updates and missing patches | windows.microsoft.com/en-us/windows/support | FileHippo or Personal Software Inspector | M
Hardware | Server 192.168.4.7 CPIDC2012 | Windows Server 2012; VM-1 Domain Controller | | H | Missing patches | L | Scan for updates and missing patches | windows.microsoft.com/en-us/windows/support | FileHippo or Personal Software Inspector | M
Hardware | Server 192.168.4.12 CPI2k10 | Windows Server 2008; VM-2 Exchange post office | | H | Missing patches | L | Scan for updates and missing patches | windows.microsoft.com/en-us/windows/support | FileHippo or Personal Software Inspector | M
Hardware | Server 192.168.4.19 SHAREPOINT | Windows Server 2003; GFI fax server | | L | Missing patches | H | Scan for updates and missing patches | None. End of Life. | | L
Hardware | Server 192.168.4.25 DOLAND2k8 | Windows Server 2008; VM-3 Cloud backup server | | M | Missing patches | L | Scan for updates and missing patches | windows.microsoft.com/en-us/windows/support | FileHippo or Personal Software Inspector | L
Hardware | NAS 192.168.4.34 CPINAS03 | Linux; local NAS backup device | | L | Missing firmware updates | L | Scan for new firmware | windows.microsoft.com/en-us/windows/support | FileHippo or Personal Software Inspector | L
Hardware | Workstn 192.168.4.103 DJBASH | Windows 7; employee workstation | | L | Missing patches | L | Scan for updates and missing patches | windows.microsoft.com/en-us/windows/support | FileHippo or Personal Software Inspector | L
Hardware | Server 192.168.4.109 VM-2X | Windows Server 2012; VM-4 2X host server | | L | Missing patches | L | Scan for updates and missing patches | windows.microsoft.com/en-us/windows/support | FileHippo or Personal Software Inspector | L
Hardware | Workstn 192.168.4.117 CP12-PEARL | Windows 7; employee workstation | | L | Missing patches | L | Scan for updates and missing patches | windows.microsoft.com/en-us/windows/support | FileHippo or Personal Software Inspector | L
Hardware | Workstn 192.168.4.134 PM10-CHRIS | Windows 7; employee workstation | | L | Missing patches | L | Scan for updates and missing patches | windows.microsoft.com/en-us/windows/support | FileHippo or Personal Software Inspector | L
Hardware | Workstn 192.168.4.137 COMPPHYS | Windows 7; employee workstation | | L | Missing patches | L | Scan for updates and missing patches | windows.microsoft.com/en-us/windows/support | FileHippo or Personal Software Inspector | L
Hardware | Workstn 192.168.4.141 CP09-MARC | Windows 7; employee workstation | | L | Missing patches | L | Scan for updates and missing patches | windows.microsoft.com/en-us/windows/support | FileHippo or Personal Software Inspector | L
Hardware | Printer 192.168.4.251 LaserJet 4050 | Printer | 2002-10-11 | L | Missing firmware updates | L | | None. End of Life. | | L
Data | Financial Data | Financial records: billing, payroll, taxes | daily | H | Loss by deletion; improper modification | H | Backup daily | Intronis unattended cloud backup | Daily backup to local NAS device | H
Data | General Data | Word processing, spreadsheets, graphics | daily | H | Loss by deletion; improper modification | M | Backup daily | Intronis unattended cloud backup | Daily backup to local NAS device | H
Data | Email Data | Electronic mail | daily | H | Loss by deletion; improper modification | H | Backup daily | Intronis unattended cloud backup | Daily backup to local NAS device | H
Hardware | ALL DEVICES | | | M | Theft | L | Secure office when only 1 person present. | | | L

Step Four: Defining and implementing ways to minimize the consequences if an attack
occurs, and developing a strategy to deal with the most serious potential problems first.

This is not a penetration assessment; therefore the Nessus software did an adequate job of
generating an inventory of assets, saving the information and comparing it to a current
configuration standard. The final report follows. The detailed CSV information will be provided
to technical experts at Computer Physicians Inc. to make configuration changes to the main
servers. The weakest asset, the one with the greatest critical vulnerabilities, is a Server 2000
that will be retired. 90% of the remediation is server and workstation OS updates. After all issues
have been reviewed, we will run the Nessus assessment again to compare.
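The test, store, compare, report loop quoted from the Computer Security Handbook earlier and the planned Nessus rescan in Step Four, as an added Python example that is not part of this assignment: it loads two scan exports (constructed sample rows, assuming the Plugin ID/Risk/Host column names of a Nessus CSV export), stores each as a set of findings, diffs them, and reports fixed, new and still-open findings ordered by the Step Two importance labels and then by severity, so a retired-in-place Server 2000 sorts below a High-importance firewall.

```python
import csv
import io

# Constructed sample exports in the column layout of a Nessus CSV export (assumed);
# only Plugin ID, Risk and Host are read. Hosts come from the Step One inventory.
BASELINE_CSV = """Plugin ID,Risk,Host,Name
10001,Critical,192.168.4.4,Unsupported operating system (constructed)
10002,High,192.168.4.7,Missing security update (constructed)
10003,Medium,192.168.4.1,Outdated firmware (constructed)
10004,Low,192.168.4.103,Missing security update (constructed)
10005,None,192.168.4.7,Host information (constructed)
"""
RESCAN_CSV = """Plugin ID,Risk,Host,Name
10001,Critical,192.168.4.4,Unsupported operating system (constructed)
10003,Medium,192.168.4.1,Outdated firmware (constructed)
10006,High,192.168.4.12,Missing security update (constructed)
"""

# Importance labels per host as assigned in Step Two of the spreadsheet
# (I = Inconsequential, L = Low, M = Medium, H = High); unlisted hosts count as L.
IMPORTANCE = {"192.168.4.1": "H", "192.168.4.4": "I", "192.168.4.7": "H",
              "192.168.4.12": "H", "192.168.4.103": "L"}
IMPORTANCE_RANK = {"H": 3, "M": 2, "L": 1, "I": 0}
RISK_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}

def load_findings(text):
    """Store a scan as {(host, plugin_id): risk}, dropping informational rows."""
    findings = {}
    for row in csv.DictReader(io.StringIO(text)):
        if row["Risk"] in RISK_RANK:
            findings[(row["Host"], row["Plugin ID"])] = row["Risk"]
    return findings

def priority(finding):
    """Sort key: host importance first, then severity (both descending when reversed)."""
    host, _plugin, risk = finding
    return (IMPORTANCE_RANK[IMPORTANCE.get(host, "L")], RISK_RANK[risk])

def compare_scans(baseline_text, rescan_text):
    """Classify findings as fixed, new or still open; each list is ordered by priority()."""
    baseline, rescan = load_findings(baseline_text), load_findings(rescan_text)
    report = {"fixed": [], "new": [], "open": []}
    for key in set(baseline) | set(rescan):
        in_base, in_rescan = key in baseline, key in rescan
        bucket = "open" if in_base and in_rescan else ("fixed" if in_base else "new")
        report[bucket].append((*key, rescan.get(key, baseline.get(key))))
    for findings in report.values():
        findings.sort(key=priority, reverse=True)
    return report
```

Running compare_scans(BASELINE_CSV, RESCAN_CSV) on the sample data reports one new High finding on the Exchange server, two fixed findings, and two still-open ones with the firewall ahead of the end-of-life Server 2000.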


Executive Summary

Computer Physicians Inc. has a small business network consisting of multiple servers
responsible for holding the company's work data and accounting data. The servers are
also responsible for collecting and storing the company email, and faxes can be sent
electronically to and from the servers. The company's website is maintained at another
location by another company.

The network is protected by a hardware firewall device and antivirus software.

There are many workstations and printers. The network also consists of other
equipment that connects the pieces.

Based on our analysis, the security risks for this network are LOW.

The assessment tools we utilized identified 188 vulnerabilities: most were minor and
almost all can be remediated by the current IT staff within a short period. The estimated
cost of remediating the vulnerabilities is minor.

The value of the work and accounting data stored at Computer Physicians Inc. is vastly
greater than the estimated costs to reduce vulnerabilities identified in this audit.
Furthermore, Computer Physicians Inc. may be contractually obligated to safeguard
portions of the data on these computers. Failure to adequately safeguard the data could
result in loss of clients and legal repercussions. The consequences of these risks due to
failure to maintain confidential and valuable data are far greater than the cost to secure
the data. We recommend Computer Physicians Inc. keep dual backups and test
backups semi-annually.

Earthquake, fire or theft of the computer servers would interrupt Computer Physicians
Inc. for 24-48 hours until the environment was restored. The data to restore operations is
stored onsite and offsite in case of these emergencies.
