As the cybersecurity field continues to evolve and become more specialized, even experienced IT professionals may struggle to identify vulnerabilities in their networks, applications, and systems. For those who aren't IT experts, vulnerability reports can be overwhelming to read and comprehend.
The truth is that vulnerability reports are meant to guide you in addressing the most serious security issues first. While the underlying subject may be complex and network, server, and web application security are critical, vulnerability reports – whether generated from a scan or a full vulnerability assessment – are intended to be acted upon.
A typical vulnerability scan is conducted in two phases:
1) Scanning – Using automated tools, scanning discovers potential vulnerabilities in specified assets, such as firewalls, routers, switches, servers, and applications. Scanning looks for open ports and other security issues and tries to discover any potential vulnerabilities, but it does not attempt to exploit those vulnerabilities to examine their behavior.
2) Reporting – Containing the discovered vulnerabilities, this deliverable is especially useful for summarizing findings to management, detailing findings and mitigation recommendations, and tracking progress during the remediation process using a spreadsheet that includes the following information:
- Scanned host list
- Port scan details
- Vulnerability name and description
- Solution/remediation information
A full vulnerability assessment generates threat intelligence from open-source intelligence (OSINT) available about an organization, and enumerates the network to discover ports, services, and potential attack vectors for use during testing. The reconnaissance findings are then validated to determine whether a vulnerability exists and is actionable. However, this assessment differs from penetration testing in that discovered vulnerabilities are not exploited as part of an attack plan.
Let’s break down a vulnerability assessment report and review the types of information found in each section.
Key Components of a Vulnerability Assessment Report
A full vulnerability assessment report typically consists of the following elements:
- Executive Summary
- Assessment Overview
- Results and Mitigation Recommendations
Each of these sections contains key information that helps you understand the vulnerability discovery and validation results, and the actions required to mitigate security issues.
I. Executive Summary
The executive summary provides a high-level overview of the scan’s findings. It provides a glance as to how well or how poorly the systems and applications performed during the scan by highlighting the overall risk level to the organization based on the number and severity of the vulnerabilities discovered (critical, high, medium, or low). Typical sections include:
- Objectives Summary
- Assessment Scope
- Assessment Findings Summary
- Testing Narrative
- Remediation Summary
The executive summary clearly illustrates the number and severity of discovered issues without bogging the reader down with a lot of detail on those individual issues. Instead, discovered vulnerabilities are enumerated graphically, with the systems in scope clearly identified: the names of servers scanned, dates and times of the scan, and other pertinent information in identifying the scan parameters.
This section provides the big picture, especially for CISOs and other managers: how critical it is to address the uncovered problems, the kinds of issues that need to be addressed, how many vulnerabilities the organization is facing, and its overall risk level. While addressing security vulnerabilities should always be a high priority, the summary can make it clear what kind of danger your systems may be facing and which vulnerabilities to tackle first.
II. Assessment Overview
The introduction gives a brief overview of what was accomplished, such as “A security assessment of Company X’s internal and networks”. Included in this section are:
- Assessment Methodology
- Assessment Tools
- Analysis Verification and Approach
This section summarizes the reconnaissance, validation, and deliverable generation processes followed as part of this assessment, and the types of activities performed to evaluate the security of the target. It describes the custom, commercial, and open-source tools used, as well as the approach to traversing the target functionality and validating results.
III. Results and Mitigation Recommendations
Results and mitigation recommendations are the heart of the report. Each issue is described and reviewed: it explains what the issue is, how the issue was found, the causes of the issue, the importance of the issue, and a recommendation on how to fix the problem. Typically covered as Assessment Findings, this section contains:
- A tabulation of all discovered and validated findings, grouped by severity level
- Detailed descriptions of each discovered vulnerability
- Remediation information for each discovered vulnerability, including additional resources specific to each finding
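To make the report structure concrete for the reporting spreadsheet described earlier (host list, port details, vulnerability name and description, solution) and for the findings tabulation grouped by severity in this section, here is an added example, not code from the original article, that turns a small set of constructed scanner findings into the executive-summary severity counts, the severity-grouped findings list, and a remediation-tracking CSV. Hosts, ports and issues are hypothetical sample data.

```python
import csv
import io
from collections import defaultdict

SEVERITY_ORDER = ["critical", "high", "medium", "low"]

# Constructed sample findings (hypothetical hosts and issues, not from a real scan),
# shaped like the per-finding rows a scanner exports.
FINDINGS = [
    {"host": "10.0.0.5", "port": "443/tcp", "severity": "High",
     "name": "Outdated OpenSSL version",
     "description": "Server advertises an unsupported OpenSSL release.",
     "solution": "Avoid using less secure versions of OpenSSL; upgrade to a supported release."},
    {"host": "10.0.0.7", "port": "80/tcp", "severity": "medium",
     "name": "Reflected cross-site scripting",
     "description": "Search parameter is echoed into the page without encoding.",
     "solution": "Output-encode user-controlled data and add a Content-Security-Policy."},
    {"host": "10.0.0.9", "port": "443/tcp", "severity": "medium",
     "name": "TLS 1.0 enabled",
     "description": "Legacy protocol version accepted by the server.",
     "solution": "Disable TLS 1.0 and 1.1; allow TLS 1.2 or later only."},
]

def count_by_severity(findings):
    """Severity counts for the executive summary's at-a-glance view."""
    counts = {s: 0 for s in SEVERITY_ORDER}
    for f in findings:
        counts[f["severity"].lower()] += 1   # normalise mixed-case severities
    return counts

def overall_risk(findings):
    """Overall risk level: the highest severity with at least one finding."""
    counts = count_by_severity(findings)
    return next((s for s in SEVERITY_ORDER if counts[s]), "none")

def group_by_severity(findings):
    """Findings tabulated by severity, most severe group first."""
    groups = defaultdict(list)
    for f in findings:
        groups[f["severity"].lower()].append(f)
    return [(s, groups[s]) for s in SEVERITY_ORDER if groups[s]]

def remediation_tracker_csv(findings):
    """Remediation spreadsheet: one row per finding plus a status column to track progress."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["severity", "host", "port", "vulnerability", "description", "solution", "status"])
    for sev, group in group_by_severity(findings):
        for f in group:
            writer.writerow([sev, f["host"], f["port"], f["name"], f["description"], f["solution"], "open"])
    return out.getvalue()
```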
When you’re ready to put together an action plan to fix the discovered vulnerabilities, the findings section is invaluable, regardless of your knowledge level. This section not only describes the kind of problem that was found, it also pinpoints where it was found – on what system, on what server, or where in an application, and provides snapshots, code, or other images as proof.
While you may not understand the difference between a cross-site scripting issue and a POODLE vulnerability, the results section will let you know where that particular issue was found, why it is a risk, and a high-level instruction on how to mitigate that issue. If you’re unfamiliar with the nitty-gritty of vulnerabilities, the recommendations are the place to start. Although the recommendations don’t tell you in detail how to fix the problem, they do tell you exactly what needs to be fixed.
For example, your recommendation for a particular vulnerability may say “Avoid using less secure versions of OpenSSL”. While this might not tell you what is more secure, you do know that you must have your version of OpenSSL updated to close the vulnerability, and you will have reference links to additional information.
Understanding How to Address Vulnerabilities
Because the underlying concepts can be quite complex, vulnerability reports are written to be quickly absorbed by both technical and non-technical stakeholders. They are structured in such a way that the important elements of the report are clear and actionable, even to non-technical security professionals.
Every modern company must be concerned with understanding and fixing security risks that can be exploited by attackers. Vulnerability scans and assessments are an important part of discovering, identifying, and fixing security issues across your network, servers, applications, and other targets.