ISMS-DOC-A12-9 Technical Vulnerability Assessment Procedure


Technical Vulnerability Assessment Procedure

ISO/IEC 27001 Toolkit: Version 11 ©CertiKit


Technical Vulnerability Assessment Procedure [Insert classification]

Implementation guidance

The header page and this section, up to and including Disclaimer, must be removed from the final version of the document. For more details on replacing the logo, yellow highlighted text and certain generic terms, see the Completion Instructions document.

Purpose of this document

This document describes how technical vulnerabilities within the IT environment will be proactively detected using appropriate tools.

Areas of the standard addressed

The following areas of the ISO/IEC 27001:2013 standard are addressed by this document:

• A.12 Operations security
  o A.12.6 Technical vulnerability management
    ▪ A.12.6.1 Management of technical vulnerabilities
• A.18 Compliance
  o A.18.2 Information security reviews
    ▪ A.18.2.3 Technical compliance review

General guidance

This document sets out some of the details of how you might find technical vulnerabilities in your organization using a vulnerability scanner and other techniques. There are several ways to do this and a variety of common tools available, some of which are very good and free (at a certain level of functionality). Be careful when using them: the process of discovering vulnerabilities can itself affect some systems, for example by crashing fragile services or flooding logs. If you decide to use an external third party to carry out your technical vulnerability assessments, then this procedure will probably not apply. However, depending on the resources and skills available, you may decide to build an internal capability in vulnerability assessment, as this has the benefit of increasing understanding and awareness within your team. In this case you should adapt this procedure to provide additional details specific to the tools you are using.

Version 1


[Insert date]


Review frequency

Given the pace of change in technical vulnerabilities and associated malware, we recommend that this document is reviewed quarterly and upon significant change to the organization.

Document fields

This document may contain fields which need to be updated with your own information, including a field for Organization Name that is linked to the custom document property “Organization Name”. To update this field (and any others that may exist in this document):

1. Update the custom document property “Organization Name” by clicking File > Info > Properties > Advanced Properties > Custom > Organization Name.
2. Press Ctrl A on the keyboard to select all text in the document (or use Select, Select All via the Editing header on the Home tab).
3. Press F9 on the keyboard to update all fields.
4. When prompted, choose the option to just update TOC page numbers.

If you wish to permanently convert the fields in this document to text, for instance so that they are no longer updateable, you will need to click into each occurrence of the field and press Ctrl Shift F9. If you would like to make all fields in the document visible, go to File > Options > Advanced > Show document content > Field shading and set this to “Always”. This can be useful to check you have updated all fields correctly. Further detail on the above procedure can be found in the toolkit Completion Instructions. This document also contains guidance on working with the toolkit documents with an Apple Mac, and in Google Docs/Sheets.

Copyright notice

Except for any specifically identified third-party works included, this document has been authored by CertiKit, and is ©CertiKit except as stated below. CertiKit is a company registered in England and Wales with company number 6432088.


Licence terms

This document is licensed on and subject to the standard licence terms of CertiKit, available on request, or by download from our website. All other rights are reserved. Unless you have purchased this product you only have an evaluation licence. If this product was purchased, a full licence is granted to the person identified as the licensee in the relevant purchase order. The standard licence terms include special terms relating to any third-party copyright included in this document.

Disclaimer

Please Note: Your use of and reliance on this document template is at your sole risk. Document templates are intended to be used as a starting point only from which you will create your own document and to which you will apply all reasonable quality checks before use. Therefore, please note that it is your responsibility to ensure that the content of any document you create that is based on our templates is correct and appropriate for your needs and complies with relevant laws in your country. You should take all reasonable and proper legal and other professional advice before using this document. CertiKit makes no claims, promises, or guarantees about the accuracy, completeness or adequacy of our document templates; assumes no duty of care to any person with respect to its document templates or their contents; and expressly excludes and disclaims liability for any cost, expense, loss or damage suffered or incurred in reliance on our document templates, or in expectation of our document templates meeting your needs, including (without limitation) as a result of misstatements, errors and omissions in their contents.


Technical Vulnerability Assessment Procedure

DOCUMENT CLASSIFICATION   [Insert classification]
DOCUMENT REF              ISMS-DOC-A12-9
VERSION                   1
DATED                     [Insert date]
DOCUMENT AUTHOR           [Insert name]
DOCUMENT OWNER            [Insert name/role]

Revision history

VERSION   DATE   REVISION AUTHOR   SUMMARY OF CHANGES

Distribution

NAME   TITLE

Approval

NAME   POSITION   SIGNATURE   DATE

Contents

1 Introduction
2 Vulnerability assessment procedure
  2.1 Scope definition
  2.2 Prerequisites
  2.3 Timing and scheduling
  2.4 Procedure steps
    2.4.1 Reconnaissance
      Website
      Google directives
      Email addresses
      DNS information
    2.4.2 External scanning
    2.4.3 Internal scanning
    2.4.4 Reporting
  2.5 Error handling
  2.6 Support and escalation
  2.7 Auditing and logging
  2.8 Monitoring

Tables

Table 1: Vulnerability assessment tools
Table 2: Error handling
Table 3: Sources of support

1 Introduction

This document sets out a procedure to be used to assess technical vulnerabilities within the IT environment. Its intended audience is IT and information security management and support staff who will implement and maintain the organization’s defences.

This procedure is intended to be used by a suitably qualified specialist with a specific brief to assess a defined scope of systems and networks. It must only be used where the written permission of the owner of the systems and networks to be assessed has been obtained. If there is any doubt about this, the procedure should not be performed, and clarification should be sought.

This control applies to all systems, people and processes that constitute the organization’s information systems, including board members, directors, employees, suppliers and other third parties who have access to [Organization Name] systems.

The following policies and procedures are relevant to this document:

• Change Management Process
• Software Policy
• Anti-Malware Policy
• Technical Vulnerability Management Policy


2 Vulnerability assessment procedure WARNING: This procedure is intended to be used by a suitably qualified specialist with a specific brief to assess a defined scope of systems and networks. It must only be used where the written permission of the owner of the systems and networks to be assessed has been obtained. If there is any doubt about this, the procedure should not be performed, and clarification should be sought.

2.1 Scope definition

The scope of the vulnerability assessment should be documented in as much detail as possible. According to the areas covered, this detail should include as a minimum:

• External assessment
  o External IP addresses included
  o External IP addresses specifically excluded
  o Websites included
• Internal assessment
  o Names of servers included
  o IP address ranges included
  o IP addresses specifically excluded
  o User computers to be assessed

Where a website is included by name, record the IP address(es) it resolves to and confirm that they fall within the organization’s own address space, or that the hosting provider has given written permission: a site hosted on a third party’s shared infrastructure is not the organization’s to authorize for scanning.

The agreed scope should be signed off by the Information Security Manager and the Service Manager.
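As an added illustration of how the agreed scope can be enforced before any scanner is pointed at a target (this is example code, not part of the CertiKit template), the helper below models the scope as included ranges plus explicit exclusions, as in the list above, and classifies each proposed target. The 203.0.113.0/24 and 198.51.100.0/24 addresses are constructed documentation ranges, and the scope model itself is an assumption. The check deliberately accepts only IP addresses: a website included by name has to be resolved by the assessor and its address checked, rather than letting the scanner resolve it.

```python
"""Scope enforcement helper: added example, not part of the CertiKit template.
The scope model (included ranges plus explicit exclusions) follows section 2.1; the
addresses below are constructed documentation ranges (RFC 5737), not real targets."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Scope:
    included: list                                 # CIDR ranges or single addresses agreed in the scope
    excluded: list = field(default_factory=list)   # addresses or ranges specifically excluded

    @staticmethod
    def _nets(items):
        return [ipaddress.ip_network(i, strict=False) for i in items]

    def classify(self, target: str) -> str:
        """Return 'in-scope', 'excluded', 'out-of-scope' or 'not-an-ip' for one target.
        Hostnames are rejected on purpose: the assessor resolves them and checks the
        address, so a name that points at a shared host (CDN, hosting provider) cannot
        be scanned on the strength of the name alone."""
        try:
            addr = ipaddress.ip_address(target)
        except ValueError:
            return "not-an-ip"
        # Exclusions take precedence: an excluded host inside an included range stays excluded.
        if any(addr in net for net in self._nets(self.excluded)):
            return "excluded"
        if any(addr in net for net in self._nets(self.included)):
            return "in-scope"
        return "out-of-scope"

    def expand(self) -> list:
        """Enumerate every in-scope host address, one per entry, as `nmap -iL targets.txt` expects."""
        hosts = []
        for net in self._nets(self.included):
            # hosts() drops network/broadcast addresses; /31 and /32 have none to drop
            candidates = net.hosts() if net.num_addresses > 2 else list(net)
            hosts.extend(str(a) for a in candidates if self.classify(str(a)) == "in-scope")
        return hosts


def filter_targets(targets, scope):
    """Split a proposed target list into the addresses that may be scanned and a
    dict of rejected targets with the reason, for the assessment record (section 2.7)."""
    allowed, rejected = [], {}
    for target in targets:
        verdict = scope.classify(target)
        if verdict == "in-scope":
            allowed.append(target)
        else:
            rejected[target] = verdict
    return allowed, rejected


# Constructed external scope: a /28 of public space plus one stand-alone host,
# with one address inside the /28 carved out by the system owner.
EXTERNAL = Scope(included=["203.0.113.0/28", "198.51.100.7"], excluded=["203.0.113.5"])

if __name__ == "__main__":
    proposed = ["203.0.113.4", "203.0.113.5", "203.0.113.200", "www.example.com"]
    allowed, rejected = filter_targets(proposed, EXTERNAL)
    print("scan:", allowed)
    print("do not scan:", rejected)
    print("full in-scope list:", EXTERNAL.expand())
```

Write the output of expand() to a file and give it to nmap with -iL, and give the exclusions to nmap again with --excludefile: the helper stops a wrong address reaching the scanner, and the scanner's own exclusion list guards against the helper being bypassed.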

2.2 Prerequisites

Before starting the assessment, the following prerequisites must be in place:

• The assessment scope is fully defined
• Written permission is provided for the defined scope
• Assessors are adequately trained on the tools to be used and the vulnerability assessment process
• Service managers of the systems to be assessed have been informed of the purpose and timing of the exercise
• The tools to be used are installed and fully updated

The vulnerability assessment will be carried out using the following set of tools:

TOOL NAME       SUPPLIER              PURPOSE
Kali Linux      Offensive Security    Assessment platform
nmap            Open source           Network scanning
Nessus          Tenable               Vulnerability scanning
NeXpose         Rapid7                Vulnerability scanning
HTTrack         Open source           Website copying
theHarvester    Open source           Web reconnaissance
whois           Open source           Web reconnaissance
nslookup        Open source           DNS reconnaissance

Table 1: Vulnerability assessment tools

These tools should be installed on a computer which has itself been tested for vulnerabilities and is subject to full security protection (e.g. anti-virus, firewall) as per [Organization Name] policies. Detail regarding how to use these tools is not provided in this procedure.

2.3 Timing and scheduling In general, it is desirable to run the scanning aspects of this procedure out of normal business hours although this may be relaxed with the prior agreement of management.

2.4 Procedure steps

The procedure consists of the following steps:

1. Reconnaissance
2. External scanning
3. Internal scanning
4. Reporting

Once the initial reconnaissance stage has been completed, scanning for vulnerabilities can be carried out. This will be in two stages:

1. External scanning of the network perimeter from outside the organization network
2. Internal scanning of specific networks, servers and clients from within the network perimeter

Both types of scan are required in order to assess vulnerabilities from external and internal threats. A full report will then be produced. These steps are described in more detail below.

Note that the procedure does not include the use of exploitation tools to test whether an identified vulnerability can in fact be exploited successfully. Due to the potential to disrupt business operations, this type of invasive penetration testing must only be carried out by qualified and experienced specialists at the specific request of senior management.

2.4.1 Reconnaissance The first step of the assessment will be to perform reconnaissance activities via the Internet to determine the type and amount of information about the organization freely available to an attacker.

Website

Start by reviewing the [Organization Name] website for background information that may be useful in attacking the target. This can either be done online or by taking a copy of the site using HTTrack. The advantage of using HTTrack to copy the site is that further analysis can be performed without attracting attention because the copy exists only on the local computer (the initial crawl itself, however, generates a burst of requests that will appear in the web server logs). The kind of information that may be gleaned might be:

• Names of key employees
• Email addresses
• Phone numbers
• Office locations
• Social media links
• Recent events of interest
• Partner organizations that may have links into the network
• Job postings, especially for technical roles – details of the technology used may be quoted in the advert

This information may come in useful later when scanning and using social engineering techniques to assess vulnerabilities.


Google directives

As well as performing straight searches for information about the organization to build up a fuller picture, use the following Google directives to locate resources that may not appear using a normal search:

• site: (limit search to a specific site)
• allintitle: (search for keywords in the page title)
• inurl: (use to search for admin, login, reset etc.)
• cache: (show information from the Google cache; Google has since retired its cache feature, so use the Internet Archive’s Wayback Machine for historical copies of pages)
• filetype: (search for specific file types e.g. PDF)

More detail on directives is available within the Google Hacking Database (GHDB) at http://www.exploit-db.com.

Email addresses

A list of email addresses may be useful to an attacker in social engineering and in guessing the format of network user accounts. Use the theHarvester tool in Kali Linux to search for email addresses related to [Organization Name]:

theharvester -d [domain name] -l 10 -b google

Where [domain name] is the [Organization Name] domain (the option flags are plain hyphens; on current Kali releases the command is spelled theHarvester). This command will return the first 10 results and will search Google. Use the same command with a different -b value to also search Bing, Yahoo, LinkedIn and any other relevant sources that may return results, and raise the -l limit once the command is confirmed to work.

DNS information

Use the whois tool (available from within Kali Linux) to retrieve the registration details of the target domain, including the registrar, the registrant contacts and the authoritative name servers. Use nslookup (also from Kali) to query the organization’s DNS records, for example the NS, MX and TXT records, and to attempt to obtain further information about hosts in the domain. Limit these queries to the domains named in the agreed scope.


2.4.2 External scanning

Scanning for vulnerabilities in the outward-facing perimeter of the [Organization Name] network must be carried out from a computer connected directly to the Internet and not connected to the internal network. Using the information provided and that gathered as part of the reconnaissance stage, assess what can be determined about the network from outside. This can be done using the nmap tool in its command line form or one of the GUI front ends to nmap such as Zenmap. Make sure that only the IP addresses within scope are scanned: give nmap the agreed target list and pass the specifically excluded addresses with its --excludefile option rather than relying on memory. A picture should be built up of the visible hosts, their names, IP addresses, open ports and services. From this picture, use the Tenable Nessus Vulnerability Scanner to run a scan using an appropriate policy against the targets identified. Make sure you update the plug-ins before running the scans. Record the results of the scan, including warnings and vulnerabilities found, together with the public IP address the scan was run from so that the activity can be matched to perimeter logs.

2.4.3 Internal scanning In order to run an internal scan, you will need to use a computer that is connected to the internal network and has access to the hosts and networks that need to be scanned. Run an nmap scan within the subnet to ensure that the target computers are reachable. Use the Tenable Nessus Vulnerability Scanner to run a scan using an appropriate policy against the targets that are defined to be within the scope of the exercise. Make sure you update the plug-ins before running the scans. Record the results of the scan, including warnings and vulnerabilities found.

2.4.4 Reporting

From the information collected as part of the reconnaissance, external scanning and internal scanning stages, a report should be produced which clearly sets out the vulnerabilities found and their severity. The report should include:

• Management summary
• Assessment scope
• Methods and tools used
• Results
• Conclusions
• Prioritised action plan

The report should be classified “Restricted” and provided to the sponsor of the assessment only. Technical detail should be included as appendices in order to improve readability.
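As an added worked example covering the external scanning, internal scanning and reporting stages above (example code, not part of the CertiKit template), the script below turns nmap greppable (-oG) output into the host picture of 2.4.2, reads a Nessus CSV export and produces the prioritised action plan of 2.4.4, ordered by Nessus risk rating, then CVSS score, then number of hosts affected. Both inputs are constructed samples: the CSV keeps only a subset of the real export’s column names, and the plugin IDs, plugin names, hosts and scores are illustrative rather than real findings. It also cross-checks the scanner’s hosts against the nmap picture, because a finding on a host that was never in the picture usually means the scanner’s target list drifted from the agreed scope.

```python
"""From scan output to host picture and prioritised action plan: added example,
not part of the CertiKit template. NMAP_OG and NESSUS_CSV are constructed samples;
the CSV uses a subset of the real export's columns and illustrative plugin data."""
import csv
import io
from collections import defaultdict

# Nessus's own risk ratings, highest first; "None" is informational output.
SEVERITY_ORDER = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "None": 0}

NMAP_OG = """# Nmap scan initiated (constructed sample)
Host: 203.0.113.10 (www.example.com)\tStatus: Up
Host: 203.0.113.10 (www.example.com)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 443/open/tcp//https//nginx 1.18.0/\tIgnored State: filtered (997)
Host: 203.0.113.11 ()\tStatus: Up
Host: 203.0.113.11 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.9p1/, 25/open/tcp//smtp//Postfix smtpd/, 3389/closed/tcp//ms-wbt-server///\tIgnored State: filtered (997)
# Nmap done (constructed sample)
"""

NESSUS_CSV = """Plugin ID,CVE,CVSS v3.0 Base Score,Risk,Host,Protocol,Port,Name,Solution
90001,,0.0,None,203.0.113.10,tcp,80,HTTP Server Type and Version,n/a
90002,,5.3,Medium,203.0.113.10,tcp,443,TLS Certificate Expires Within 30 Days,Renew the certificate.
90003,,7.5,High,203.0.113.10,tcp,22,SSH Server Version Out of Date,Upgrade to the vendor's current release.
90003,,7.5,High,203.0.113.11,tcp,22,SSH Server Version Out of Date,Upgrade to the vendor's current release.
90004,,3.7,Low,203.0.113.11,tcp,25,SMTP Banner Discloses Version,Remove the version string from the banner.
90005,,9.8,Critical,203.0.113.12,tcp,445,SMB Server Missing Critical Patch,Apply the vendor patch and reboot.
"""


def parse_nmap_grepable(text):
    """Build {ip: {"name": ..., "ports": [(port, proto, service, version), ...]}} from -oG output.
    Each Ports entry is port/state/proto/owner/service/rpcinfo/version/ (nmap writes any '/'
    inside a version string as '|'); only open ports go into the picture."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue                      # comment lines and blank lines
        fields = line.split("\t")
        ip, name = fields[0][len("Host: "):].split(" ", 1)
        entry = hosts.setdefault(ip, {"name": name.strip("()"), "ports": []})
        for f in fields[1:]:
            if f.startswith("Ports: "):
                for item in f[len("Ports: "):].split(", "):
                    port, state, proto, _owner, service, _rpc, version = item.split("/")[:7]
                    if state == "open":
                        entry["ports"].append((int(port), proto, service, version))
    return hosts


def parse_nessus_csv(text):
    """Read a Nessus CSV export into plain dicts with a numeric score."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({"plugin": row["Plugin ID"], "host": row["Host"], "port": int(row["Port"]),
                     "name": row["Name"], "solution": row["Solution"], "risk": row["Risk"],
                     "score": float(row["CVSS v3.0 Base Score"] or 0)})
    return rows


def action_plan(findings, picture, min_risk="Low"):
    """Group findings by plugin, order by risk, then CVSS score, then hosts affected, and
    report any host with findings that is absent from the nmap picture (target list drift)."""
    groups = defaultdict(lambda: {"hosts": set(), "finding": None})
    unexpected = set()
    for f in findings:
        if f["host"] not in picture:
            unexpected.add(f["host"])
        if SEVERITY_ORDER[f["risk"]] < SEVERITY_ORDER[min_risk]:
            continue                      # informational output belongs in the technical appendix
        groups[f["plugin"]]["hosts"].add(f["host"])
        groups[f["plugin"]]["finding"] = f
    ranked = sorted(groups.values(), reverse=True, key=lambda g: (
        SEVERITY_ORDER[g["finding"]["risk"]], g["finding"]["score"], len(g["hosts"])))
    plan = [{"risk": g["finding"]["risk"], "score": g["finding"]["score"], "name": g["finding"]["name"],
             "hosts": sorted(g["hosts"]), "solution": g["finding"]["solution"]} for g in ranked]
    return plan, sorted(unexpected)


if __name__ == "__main__":
    picture = parse_nmap_grepable(NMAP_OG)
    for ip, host in picture.items():
        print(ip, host["name"] or "-", [f"{p}/{proto} {svc} {ver}".strip() for p, proto, svc, ver in host["ports"]])
    plan, unexpected = action_plan(parse_nessus_csv(NESSUS_CSV), picture)
    for item in plan:
        print(f"{item['risk']:<9}{item['score']:<5}{item['name']} -> {', '.join(item['hosts'])}: {item['solution']}")
    if unexpected:
        print("WARNING: findings on hosts not in the nmap picture:", ", ".join(unexpected))
```

In practice the greppable file comes from a run such as nmap -sV -iL targets.txt -oG hosts.gnmap and the CSV from the Nessus scan’s Export function; the WARNING line is the check to act on before the report is written, since it means either the scope document or the scanner’s target list is wrong.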

2.5 Error handling

The following common errors may occur during this procedure:

Stage of procedure: External scanning
Error: IP address given is not correct
Possible cause: Reboot of router may have caused a new IP address to be assigned via DHCP
Recommended action: Obtain new IP address; ensure router is not rebooted

Stage of procedure: Internal scanning
Error: Host to be tested is not reachable
Possible cause: Host is on a different VLAN to the testing computer
Recommended action: Connect testing computer to correct VLAN

Table 2: Error handling

2.6 Support and escalation

If an error occurs which cannot be corrected using this procedure, support should be obtained using the following information:

Support person: John Smith
Role: Senior Vulnerability Assessor
Phone number: Xxx xxx xxxx
Hours available: 09:00 to 17:30 Monday to Friday

Support person: Tenable support desk
Role: Nessus support
Phone number: Xxx xxx xxxx
Hours available: 09:00 to 17:30 Monday to Friday

Table 3: Sources of support

2.7 Auditing and logging Records should be kept of all activities carried out as part of the vulnerability assessment, including names, dates and times.


2.8 Monitoring All scans should be monitored in real time. Scans should not be left to run unattended overnight or over a weekend or scheduled at such times.
