Technical Vulnerability Assessment Procedure
ISO/IEC 27001 Toolkit Version 7 ©CertiKit 2016
Technical Vulnerability Assessment Procedure [Insert Classification]
Implementation Guidance (The header page and this section must be removed from final version of the document)
Purpose of this document

This document describes how technical vulnerabilities within the IT environment will be proactively detected using appropriate tools.

Areas of the standard addressed

The following areas of the ISO/IEC 27001:2013 standard are addressed by this document:

Annex A
A.12 Operations security
A.12.6 Technical vulnerability management
A.12.6.1 Management of technical vulnerabilities

General Guidance

This document sets out some of the details of how you might find technical vulnerabilities in your organization using a vulnerability scanner and other techniques. There are a number of ways to do this and a variety of common tools available, some of which are very good and free (at a certain level of functionality). Be careful when using them, as the process of discovering vulnerabilities can itself have an effect on some systems.

If you decide to use an external third party to carry out your technical vulnerability assessments then this procedure will probably not apply. However, depending on the resources and skills available, you may decide to build an internal capability in vulnerability assessment, as this has the benefit of increasing understanding and awareness within your team. In this case you should adapt this procedure to provide additional details specific to the tools you are using.

Review Frequency

Given the pace of change with technical vulnerabilities and associated malware, we would recommend that this document is reviewed quarterly and upon significant change to the organization.
Version 1
Page 1 of 13
[Insert date]
Toolkit Version Number

ISO/IEC 27001 Toolkit Version 7 ©CertiKit 2016.

Document Fields

This document may contain fields which need to be updated with your own information, including a field for Organization Name that is linked to the custom document property “Organization Name”. To update this field (and any others that may exist in this document):

1. Update the custom document property “Organization Name” by clicking File > Info > Properties > Advanced Properties > Custom > Organization Name
2. Press Ctrl+A on the keyboard to select all text in the document (or use Select, Select All on the ribbon)
3. Press F9 on the keyboard to update all fields
4. When prompted, choose the option to just update TOC page numbers

If you wish to permanently convert the fields in this document to text, i.e. so that they are no longer updateable, then you will need to click into each occurrence of the field and press Ctrl+Shift+F9.

If you would like to make all fields in the document visible then go to File > Options > Advanced > Show document content > Field shading and set this to “Always”. This can be useful to check that you have updated all fields correctly.

Further detail on the above procedure can be found in the Toolkit Completion Instructions within the Project Resources folder.
Copyright notice

Except for any third party works included in this document, as identified in this document, this document has been authored by CertiKit, and is © copyright CertiKit except as stated below. CertiKit is a trading name of Public I.T. Limited, a company registered in England and Wales with company number 6432088 and registered office at 5 Falcons Rise, Belper, Derbyshire, DE56 0QN.
Licence terms

This document is licensed on and subject to the standard licence terms of CertiKit, available on request, or by download from our website. All other rights are reserved. Unless you have purchased this product you only have an evaluation licence. If this product was purchased, a full licence is granted to the person identified as the licensee in the relevant purchase order. The standard licence terms include special terms relating to any third party copyright included in this document.
Disclaimer

Please Note: Your use of and reliance on this document template is at your sole risk. Document templates are intended to be used as a starting point only from which you will create your own document and to which you will apply all reasonable quality checks before use. Therefore please note that it is your responsibility to ensure that the content of any document you create that is based on our templates is correct and appropriate for your needs and complies with relevant laws in your country. You should take all reasonable and proper legal and other professional advice before using this document. CertiKit makes no claims, promises, or guarantees about the accuracy, completeness, or adequacy of our document templates, assumes no duty of care to any person with respect to its document templates or their contents, and expressly excludes and disclaims liability for any cost, expense, loss or damage suffered or incurred in reliance on our document templates, or in expectation of our document templates meeting your needs, including (without limitation) as a result of misstatements, errors and omissions in their contents.
[Replace with your logo]
Technical Vulnerability Assessment Procedure
Document Classification: [Insert Classification]
Document Ref.: ISMS-DOC-A12-9
Version: 1
Dated: [Insert date]
Document Author:
Document Owner:
Revision History

Version | Date | Revision Author | Summary of Changes

Distribution

Name | Title

Approval

Name | Position | Signature | Date
Contents

1 Introduction  7
2 Vulnerability Assessment Procedure  8
2.1 Scope Definition  8
2.2 Prerequisites  8
2.3 Timing and Scheduling  9
2.4 Procedure Steps  9
2.4.1 Reconnaissance  10
2.4.2 External Scanning  11
2.4.3 Internal Scanning  11
2.4.4 Reporting  12
2.5 Error Handling  12
2.6 Support and Escalation  13
2.7 Auditing and Logging  13
2.8 Monitoring  13

List of Tables

Table 1 - Vulnerability assessment tools  9
Table 2 - Error handling  12
Table 3 - Sources of support  13
1 Introduction

This document sets out a procedure to be used to assess technical vulnerabilities within the IT environment. Its intended audience is IT and information security management and support staff who will implement and maintain the organization’s defences.

This procedure is intended to be used by a suitably qualified specialist with a specific brief to assess a defined scope of systems and networks. It must only be used where the written permission of the owner of the systems and networks to be assessed has been obtained. If there is any doubt about this, the procedure should not be performed and clarification should be sought.

This control applies to all systems, people and processes that constitute the organization’s information systems, including board members, directors, employees, suppliers and other third parties who have access to [Organization Name] systems.

The following policies and procedures are relevant to this document:

• Change Management Process
• Software Policy
• Anti-Malware Policy
• Technical Vulnerability Management Policy
2 Vulnerability Assessment Procedure

WARNING: This procedure is intended to be used by a suitably qualified specialist with a specific brief to assess a defined scope of systems and networks. It must only be used where the written permission of the owner of the systems and networks to be assessed has been obtained. If there is any doubt about this, the procedure should not be performed and clarification should be sought.

2.1 Scope Definition
The scope of the vulnerability assessment should be documented in as much detail as possible. According to the areas covered, this detail should include as a minimum:
• External assessment
  o External IP addresses included
  o External IP addresses specifically excluded
  o Websites included
• Internal assessment
  o Names of servers included
  o IP address ranges included
  o IP addresses specifically excluded
  o User computers to be assessed
The agreed scope should be signed off by the Information Security Manager and the Service Manager.

2.2 Prerequisites
Before starting the assessment the following prerequisites must be in place:
• The assessment scope is fully defined
• Written permission is provided for the defined scope
• Assessors are adequately trained on the tools to be used and the vulnerability assessment process
• Service managers of the systems to be assessed have been informed of the purpose and timing of the exercise
• The tools to be used are installed and fully updated
The vulnerability assessment will be carried out using the following set of tools:

Tool Name | Supplier | Purpose
Kali Linux | Offensive Security | Assessment platform
nmap | Open source | Network scanning
Nessus | Tenable | Vulnerability scanning
NeXpose | Rapid 7 | Vulnerability scanning
HTTRACK | Open source | Website copying
The Harvester | Open source | Web reconnaissance
Whois | Open source | Web reconnaissance
nslookup | Open source | DNS reconnaissance

Table 1 - Vulnerability assessment tools
These tools should be installed on a computer which has itself been tested for vulnerabilities and is subject to full security protection (e.g. anti-virus, firewall) as per [Organization Name] policies. Detail regarding how to use these tools is not provided in this procedure.

2.3 Timing and Scheduling
In general it is desirable to run the scanning aspects of this procedure out of normal business hours, although this may be relaxed with the prior agreement of management.

2.4 Procedure Steps
The procedure consists of the following steps:

1. Reconnaissance
2. External Scanning
3. Internal Scanning
4. Reporting
Once the initial reconnaissance stage has been completed, scanning for vulnerabilities can be carried out. This will be in two stages:

1. External scanning of the network perimeter from outside the organization network
2. Internal scanning of specific networks, servers and clients from within the network perimeter

Both types of scan are required in order to assess vulnerabilities from external and internal threats. A full report will then be produced. These steps are described in more detail below.

Note that the procedure does not include the use of exploitation tools to test whether an identified vulnerability can in fact be exploited successfully. Due to the potential to disrupt business operations, this type of invasive penetration testing must only be carried out by qualified and experienced specialists at the specific request of senior management.
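The signed-off scope from 2.1 (included ranges plus specific exclusions) is what both scanning stages must be held to, and the later steps require that only in-scope addresses are scanned. As an added example, not part of the CertiKit template, the following Python loads such a scope, expands it into a target list the scanner can be given, and refuses a target list containing anything outside it. The ScanScope class, its methods and the RFC 5737 / RFC 1918 sample addresses are constructed for this example; server and website names from the scope are assumed to have been resolved to addresses beforehand.

```python
"""Scope enforcement for the external and internal scanning stages.

Constructed example (not part of the CertiKit template): the signed-off
scope from Section 2.1 is loaded as included ranges plus explicit
exclusions, and the scanner is only handed targets that fall inside it.
Sample addresses are from the RFC 5737 / RFC 1918 documentation ranges.
"""
import ipaddress
from typing import Iterable


class OutOfScopeError(ValueError):
    """A proposed target is not covered by the signed-off scope."""


class ScanScope:
    def __init__(self, included: Iterable[str], excluded: Iterable[str] = ()):
        # strict=False accepts "192.168.10.5/28"-style entries as a range;
        # a bare address becomes a /32 (or /128 for IPv6) network.
        self.included = [ipaddress.ip_network(n, strict=False) for n in included]
        self.excluded = [ipaddress.ip_network(n, strict=False) for n in excluded]

    def contains(self, address: str) -> bool:
        """True only if the address is inside an included range and not excluded."""
        ip = ipaddress.ip_address(address)
        if any(ip in net for net in self.excluded):
            return False
        return any(ip in net for net in self.included)

    def targets(self) -> list[str]:
        """Expand the scope to one address per line (the scanner's target file).
        Every address of each included range is listed, network and broadcast
        addresses included; add those to the exclusions if they are not wanted."""
        seen: list[str] = []
        for net in self.included:
            for ip in net:
                text = str(ip)
                if text not in seen and not any(ip in ex for ex in self.excluded):
                    seen.append(text)
        return seen

    def check(self, requested: Iterable[str]) -> list[str]:
        """Validate a target list before the scanner is started.
        Raises OutOfScopeError naming every out-of-scope entry, so nothing is
        scanned if even one address has slipped outside the agreed scope."""
        requested = list(requested)
        bad = [a for a in requested if not self.contains(a)]
        if bad:
            raise OutOfScopeError("not in signed-off scope: " + ", ".join(bad))
        return requested


# Constructed scope: an external /29 with one address carved out, and an
# internal /28 plus one extra server, with the router address excluded.
EXTERNAL = ScanScope(included=["203.0.113.0/29"], excluded=["203.0.113.3"])
INTERNAL = ScanScope(included=["192.168.10.0/28", "192.168.20.5"],
                     excluded=["192.168.10.1"])

if __name__ == "__main__":
    print("\n".join(EXTERNAL.targets()))   # the external target list, 7 addresses
    try:
        EXTERNAL.check(["203.0.113.5", "198.51.100.1"])  # second one is out of scope
    except OutOfScopeError as err:
        print("refused:", err)
```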
2.4.1 Reconnaissance
The first step of the assessment will be to perform reconnaissance activities via the Internet to determine the type and amount of information about the organization freely available to an attacker.

2.4.1.1 Website
Start by reviewing the [Organization Name] website for background information that may be useful in attacking the target. This can either be done online or by taking a copy of the site using HTTrack. The advantage of using HTTrack to copy the site is that further analysis can be performed without attracting attention because the copy exists only on the local computer. The kind of information that may be gleaned might be:
• Names of key employees
• Email addresses
• Phone numbers
• Office locations
• Social media links
• Recent events of interest
• Partner organizations that may have links into the network
• Job postings, especially for technical roles – details of the technology used may be quoted in the advert
This information may come in useful later when scanning and using social engineering techniques to assess vulnerabilities.

2.4.1.2 Google Directives
As well as performing straight searches for information about the organization to build up a fuller picture, use the following Google directives to locate resources that may not appear using a normal search:
site: (limit search to specific site)
allintitle: (search for keywords in website title)
inurl: (use to search for admin, login, reset etc.)
cache: (show information from the Google cache)
filetype: (search for specific filetypes e.g. PDF)
More detail on directives is available within the Google Hacking Database (GHDB) at http://www.exploit-db.com.
2.4.1.3 Email Addresses
A list of email addresses may be useful to an attacker in social engineering and in guessing the format of network user accounts. Use The Harvester tool in Kali Linux to search for email addresses related to [Organization Name]:

theharvester -d [domain name] -l 10 -b google

Where [domain name] is the [Organization Name] domain. This command will return the first 10 results and will search Google. Use the same command to also search Bing, Yahoo, LinkedIn and any other relevant sources that may return results.

2.4.1.4 DNS Information
Use the WhoIs tool to retrieve information about the DNS servers used by the target domain. This is available from within Kali Linux. Use nslookup (also from Kali) to attempt to obtain further information about the DNS records of the organization.

2.4.2 External Scanning
Scanning for vulnerabilities in the outward-facing perimeter of the [Organization Name] network must be carried out from a computer connected directly to the Internet and not connected to the internal network.

Using the information provided and that gathered as part of the reconnaissance stage, assess what can be determined about the network from outside. This can be done using the nmap tool in its command line form or one of the GUI front ends to nmap such as Zenmap. Make sure that only the IP addresses within scope are scanned. A picture should be built up of the visible hosts, their names, IP addresses, open ports and services.

From this picture, use the Tenable Nessus Vulnerability Scanner to run a scan using an appropriate policy against the targets identified. Make sure you update the plugins before running the scans. Record the results of the scan, including warnings and vulnerabilities found.

2.4.3 Internal Scanning
In order to run an internal scan you will need to use a computer that is connected to the internal network and has access to the hosts and networks that need to be scanned. Run an nmap scan within the subnet to ensure that the target computers are reachable.

Use the Tenable Nessus Vulnerability Scanner to run a scan using an appropriate policy against the targets that are defined to be within the scope of the exercise. Make sure you update the plug-ins before running the scans. Record the results of the scan, including warnings and vulnerabilities found.

2.4.4 Reporting
From the information collected as part of the reconnaissance, external scanning and internal scanning stages, a report should be produced which clearly sets out the vulnerabilities found and their severity. The report should include:
• Management Summary
• Assessment Scope
• Methods and tools used
• Results
• Conclusions
• Prioritised action plan
The classification of the report should be “Restricted” and it should be provided to the sponsor of the assessment only. Technical detail should be included as appendices in order to improve readability.

2.5 Error Handling
The following common errors may occur during this procedure:

Stage of Procedure | Error | Possible Cause | Recommended Action
External Scanning | IP address given is not correct | Reboot of router may have caused a new IP address to have been assigned via DHCP | Obtain new IP address; ensure router is not rebooted
Internal Scanning | Host to be tested is not reachable | Host is on a different VLAN to the testing computer | Connect testing computer to correct VLAN

Table 2 - Error handling
2.6 Support and Escalation
If an error occurs which cannot be corrected using this procedure, support should be obtained using the following information:

Support Person | Role | Phone Number | Hours of availability
John Smith | Senior Vulnerability Assessor | Xxx xxx xxxx | 09:00 to 17:30 Monday to Friday
Tenable support desk | Nessus support | Xxx xxx xxxx | 09:00 to 17:30 Monday to Friday

Table 3 - Sources of support
2.7 Auditing and Logging
Records should be kept of all activities carried out as part of the vulnerability assessment, including names, dates and times.

2.8 Monitoring
All scans should be monitored in real time. Scans should not be left to run unattended overnight or over a weekend or scheduled at such times.