Qualys is a cloud-based service that provides vulnerability scanning and management. In this project, we'll leverage Qualys to perform comprehensive scans on a Windows virtual machine. We'll start by installing outdated versions of widely used software, WinRAR and Firefox, to simulate a common security oversight. The project will then progress through cycles of remediation and rescanning to measure the impact of updates and security improvements. We'll use Google Sheets to create pivot tables for a clear view of vulnerabilities, aiding in both remediation and reporting. Finally, we'll document the entire process and findings in a detailed report, providing insights into effective vulnerability management practices.
- VirtualBox: To host the Windows VM.
- Windows 10: The operating system for the VM.
- Qualys: For conducting comprehensive vulnerability scans.
- Google Sheets: For data analysis and visualization using pivot tables.
- OldVersion.com: To source outdated software versions of Firefox and WinRAR.
- National Vulnerability Database (NVD): For referencing detailed vulnerability data.
- MITRE CVE: For accessing Common Vulnerabilities and Exposures information.
To begin, we start by preparing our virtual environment for the vulnerability assessment. We'll establish a network, set up a Windows virtual machine, and install outdated versions of software known for their vulnerabilities.
- Open VirtualBox and go to File > Tools > Host Network Manager
- Click on the NAT Networks tab and create a network with the following details:
  - Name: NatNetwork
  - IPv4: 10.2.22.0/24
  - DHCP: Enabled
- Create a Windows virtual machine in VirtualBox and configure its network settings to use the NAT Network we just created: NatNetwork
- Open a browser and search for Old Version
- Click on the OldVersion.com link and search for Mozilla Firefox and WinRAR
- Download and install both applications
Great! We've now created our Windows VM with outdated versions of Firefox and WinRAR installed. This machine will be used to find vulnerabilities for us to analyze and remediate. Next, we will download and install our Virtual Scanner from Qualys.
This section covers downloading the Qualys Virtual Scanner and configuring it to work with our virtual environment, assuming we've already subscribed to the Community Edition of Qualys.
- Access the Qualys platform and, in the Getting Started section, click on Download a virtual scanner
- Start the wizard to configure our scanner
- Choose VMware ESXi, vCenter Server as the virtualization platform and provide the name StreetrackVA for our scanner
- Download the scanner appliance image to the local machine
- Take note of the provided Personalization Code for later use
- In VirtualBox, select File > Import Appliance and navigate to the downloaded scanner image
- Follow the prompts to import the scanner appliance
- Once imported, click on Settings > Network and choose:
  - Attached to: NAT Network
  - Name: NatNetwork
This will ensure that the scanner and the Windows VM will be on the same network.
- Start the scanner VM and use the personalization code provided by Qualys to activate and configure the scanner.
- We'll be provided the IP address of our scanner once the personalization process is complete.
- Once the personalization is complete, verify that the scanner appears in our Qualys account with the correct LAN IP: 10.2.22.6
- We'll also perform a connectivity test from the Windows VM to confirm the scanner is reachable.
- In the command prompt, run ipconfig to confirm the VM's own address, then ping 10.2.22.6
- Our IP addresses:
  - Windows VM: 10.2.22.5
  - Qualys Scanner: 10.2.22.6
Awesome! The Qualys Virtual Scanner is now up and running! In the next section, we'll configure our asset for an authenticated scan.
Setting up for an authenticated scan ensures a more thorough assessment by allowing the scanner to log into the system, which enables deeper vulnerability detection. Let's go over the steps to configure our asset, the Windows VM, for an authenticated scan.
- Navigate to the Assets tab on the Qualys platform
- Click Add IPs for Scanning
- Click on New > IP Tracked Addresses
- Enter the IP range: 10.2.22.2-10.2.22.20
- Save the configuration to ensure these IPs are included in scans
- On our Windows VM, open the Windows Defender Firewall settings.
- Disable the firewall for private and public networks to allow for unobstructed scanning.
Windows Defender Firewall is disabled on both private and public networks on the VM so that Qualys can scan it without interruption.
- Navigate to Services and ensure that the Remote Registry service is set to Automatic, then click Start.
- In User Account Control settings, adjust to Never Notify
- These will allow Qualys scans to access necessary Windows services.
- Open Registry Editor and navigate to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
- Right-click and choose New > DWORD
- Fill in the following details:
  - Value Name: LocalAccountTokenFilterPolicy
  - Value Data: 1
- This registry change grants the scanning tool the permissions it needs to check the computer for vulnerabilities.
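As an added example (not code from the original write-up), the same preparation steps as a PowerShell script run in an elevated session on the Windows VM, with a verification checklist and a -Revert switch to restore the defaults after the scan cycle. It assumes the project's scanner address 10.2.22.6 and, instead of disabling the firewall outright, allows only the scanner appliance through, which is a narrower version of the same step.

```powershell
# Added example, not part of the original write-up. Prepares and verifies the
# lab Windows VM for a Qualys authenticated scan (Remote Registry, the
# LocalAccountTokenFilterPolicy registry value, firewall access for the
# scanner) and can undo those changes with -Revert. Assumes an elevated
# PowerShell session on the VM and the project's scanner address 10.2.22.6.
# The UAC "Never Notify" step only changes interactive prompts and is left to the GUI.
[CmdletBinding()]
param(
    [switch]$Revert,
    [string]$ScannerIp = '10.2.22.6'
)

$regPath  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$regName  = 'LocalAccountTokenFilterPolicy'
$ruleName = 'Qualys scanner appliance (lab)'

if ($Revert) {
    # Put every protection back once the scan cycle is finished.
    Remove-ItemProperty -Path $regPath -Name $regName -ErrorAction SilentlyContinue
    Stop-Service -Name RemoteRegistry -ErrorAction SilentlyContinue
    Set-Service  -Name RemoteRegistry -StartupType Disabled
    Remove-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
    Write-Host 'Lab scan settings reverted.'
    return
}

# 1. Remote Registry: Automatic and running, so the scanner can read the
#    registry over the network (the "Services" step above).
Set-Service   -Name RemoteRegistry -StartupType Automatic
Start-Service -Name RemoteRegistry

# 2. LocalAccountTokenFilterPolicy = 1 gives a local administrator account an
#    unfiltered token over the network, which is what makes the scanner's local
#    credentials work. It also removes a UAC protection, so keep it to the lab
#    (or to a dedicated scanning account) and revert it afterwards.
New-ItemProperty -Path $regPath -Name $regName -PropertyType DWord -Value 1 -Force | Out-Null

# 3. Instead of switching the firewall off for every network, allow inbound
#    traffic only from the scanner appliance: same effect for the scan, much
#    smaller exposure.
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Allow `
        -RemoteAddress $ScannerIp -Profile Private, Public | Out-Null
}

# 4. Verify each prerequisite and print a checklist; anything MISSING shows up
#    in Qualys as a failed authentication rather than a clean scan.
$svc    = Get-Service -Name RemoteRegistry
$policy = (Get-ItemProperty -Path $regPath -Name $regName -ErrorAction SilentlyContinue).$regName
$checks = [ordered]@{
    'Remote Registry running'       = ($svc.Status -eq 'Running')
    'Remote Registry automatic'     = ($svc.StartType -eq 'Automatic')
    'LocalAccountTokenFilterPolicy' = ($policy -eq 1)
    'Scanner firewall rule'         = [bool](Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)
    "Scanner $ScannerIp reachable"  = (Test-Connection -ComputerName $ScannerIp -Count 1 -Quiet)
}
foreach ($check in $checks.GetEnumerator()) {
    '{0,-32} {1}' -f $check.Key, ($(if ($check.Value) { 'OK' } else { 'MISSING' }))
}
```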
- Navigate back to the Qualys platform and go to the Scans tab.
- Under the Authentication tab, click New, then choose Operating Systems and select Windows
- For the Record Title, enter Win 10 Credentials
- Select Local under Windows Authentication and fill out the login credentials for the Windows VM:
  - Username: Streetrack
  - Password: *********
- In the IPs section, input the IP address of the Windows VM: 10.2.22.5
- With these credentials, Qualys will be able to perform a more thorough authenticated scan on our VM.
The next step is to configure the scanning parameters within Qualys.
- Select the Option Profiles tab and select New > Option Profile from the dropdown
- Enter Basic Win10 Scan as the title for the option profile and select our username as the owner
- Next, navigate to the Scan section and choose Standard Scan to select about 1,900 common TCP ports for scanning. This is a balance between speed and coverage.
- Lastly, scroll down and, under Authentication, select the Windows checkbox. This will enable the scanner to use the provided Windows credentials during the scan.
Let's GO! After configuring these options, we save the profile. We can now use this option profile to perform authenticated scans on our Windows VM, allowing for a more comprehensive vulnerability assessment.
Alright! Now we're ready to run our first authenticated scan! This will give us a view of the gaps in our security and help us close them.
- Step 1: Creating a New Scan
  - Navigate to Scans > New > Scan. The Launch Vulnerability Scan window will appear.
  - Set the following parameters:
    - Title: Win10 Authenticated Scan
    - Option Profile: Basic Win10 Scan
    - Scanner Appliance: StreetrackVA
    - IPv4 Address: 10.2.22.5
  - Click on Launch once the settings are set.
With our first scan completed, we are ready for the next phase of our security assessment: Analysis and Prioritization. This stage is an essential part of the vulnerability management cycle, as it involves a careful examination of the identified vulnerabilities, ranking them based on their severity, and planning remediation efforts accordingly. By prioritizing effectively, we ensure that we address the most critical weaknesses first, bolstering our security posture where it matters most.
This phase begins with understanding and reviewing the scan's findings, with the aim to prioritize vulnerabilities by their threat level. To enhance our understanding, we'll examine CVEs associated with a critical vulnerability, consulting the MITRE CVE database and the National Vulnerability Database for detailed information. This approach ensures our remediation efforts are directed where they're most needed.
In the realm of vulnerability management, the severity of the vulnerabilities dictates the urgency and priority with which they must be addressed.
Critical and High Vulnerabilities:
- Severity 5 (Critical) and Severity 4 (High) vulnerabilities are the most prominent in the scan results.
- These categories represent the most severe and pressing security issues that need immediate attention due to the high risk they pose.
- We will focus on remedying Severity 5 and 4 vulnerabilities as they are akin to critical and high threats to our network's security.
- Swift action on these vulnerabilities is essential to mitigate the risk of potential breaches or security incidents.
Vulnerability Breakdown:
- Total Reported Vulnerabilities: 442
- Severity 5 Vulnerabilities: 42
- Severity 4 Vulnerabilities: 148
- Severity 3 Vulnerabilities: 58 confirmed, 3 potential
- Severity 2 Vulnerabilities: 16 confirmed, 2 potential
- Severity 1 Vulnerabilities: None reported
- Information Gathered: 173
- It's noteworthy that out of the 442 vulnerabilities, 173 are categorized as 'Information Gathered'. These entries are not actual vulnerabilities but rather informational items that may include best practices, configuration details, or other non-critical findings.
- Security Risk Average:
  - The average security risk score of 5.0, a critical-risk posture, underscores the necessity for a thorough review and rapid response plan.
By concentrating on the vulnerabilities with the highest severity first as well as understanding the difference between true vulnerabilities and informational findings, we can efficiently allocate our resources towards enhancing our security posture and reducing the risk landscape.
For the remainder of this project, we will focus only on critical and high severity vulnerabilities.
Categorizing vulnerabilities can significantly enhance the effectiveness of targeted remediation, risk assessment, and trend analysis. Let's explore how categorization aids in these aspects of vulnerability management:
- Targeted Remediation: Categories allow us to focus on areas that require specialized attention or expertise. For example, vulnerabilities within the 'Local' category could indicate issues with installed applications, which may require updates or patches.
- Risk Assessment: By understanding the categories, we can prioritize risks based on severity and the nature of the threat. A high number of 'Windows' category vulnerabilities often suggests the need for critical security updates.
- Trend Analysis: Categorization helps in spotting trends such as recurrent types of vulnerabilities. This can inform our security strategy and help prevent similar vulnerabilities in the future.
In our specific case:
- Local Category: With 217 confirmed vulnerabilities under 'Local', this likely points to the outdated applications we installed on the system. Firefox, being a browser, handles a wide variety of web protocols, plugins, and extensions, all of which can act as potential attack surfaces.
- Windows Category: The 42 items in the 'Windows' category likely represent missing security updates. These are crucial as they often patch known vulnerabilities that could be exploited by attackers. We need to ensure that all systems are up to date with the latest security patches to maintain a secure environment. For this project, no updates were performed before the scan, so these 42 are probably due to missing Windows security updates.
In conclusion, categorizing vulnerabilities not only streamlines the remediation process but also provides actionable intelligence on security posture and policy development. For our situation, addressing the 'Local' and 'Windows' categories should be prioritized to mitigate the risk of exploitation from outdated applications and unpatched systems.
The "Detailed Results" section offers a list of individual vulnerabilities. Numerous critical severity level 5 vulnerabilities cover the screen:
- Critical Windows Security Updates: These entries suggest missing patches for known Windows vulnerabilities, which are crucial to address promptly to maintain system security.
- Firefox Vulnerabilities: Outdated versions of Firefox have multiple security gaps, emphasizing the need for regular updates to web browsers, which are common targets for exploitation due to their extensive internet interaction.
In essence, this portion underscores the urgency of applying security patches to both operating systems and applications to mitigate the risk of potential cyber attacks.
Here, we'll select a critical vulnerability to investigate further. Let's take a look at one that's related to Mozilla Firefox, a critical remote code execution issue. A remote code execution vulnerability allows an attacker to run code on a victim's system.
- CVE ID: The associated CVE (Common Vulnerabilities and Exposures) ID is CVE-2016-9079, which serves as a unique identifier for this specific security flaw.
- Impact on Systems: The vulnerability's impact is significant as it could allow remote attackers to execute code on the user's system, potentially leading to data theft, unauthorized access, or other malicious activities.
- Solution: The report includes links for patches, underscoring the availability of fixes that should be applied to mitigate the risk.
- Exploitability: We see multiple entries for exploitability, meaning attackers are actively exploiting this vulnerability. This increases the urgency to patch affected systems.
- Associated Malware: Upon scrolling down, we see the presence of known malware associated with this vulnerability, which confirms its criticality and active exploitation in the wild.
- Further Investigation: Following the CVE link leads to the MITRE CVE page, which details that the vulnerability relates to the SVG Animation feature in Firefox and affects Tor Browser users on Windows as well.
  - The NIST National Vulnerability Database (NVD) link provides additional insights, including the CVSS score.
  - Click on Learn more at National Vulnerability Database (NVD)
- CVSS Score Explanation: The CVSS (Common Vulnerability Scoring System) score quantifies the severity of vulnerabilities; a score of 7.5 is categorized as High, indicating a severe level of risk.
Considering the critical severity, high CVSS score, known exploitability, and associated malware, this vulnerability is a high-priority issue that must be addressed immediately to protect systems from potential compromise.
In the landscape of risk remediation, the chosen strategy often depends on the necessity and function of the associated applications. If an application is not essential to daily operations and it poses significant security vulnerabilities, opting for risk avoidance by uninstalling the application may be the most secure approach. This method effectively removes the threat from the environment, enhancing overall security without the need for ongoing management that comes with risk reduction strategies. By choosing risk avoidance in such scenarios, we can maintain a stronger security posture and eliminate unnecessary vulnerabilities from our system.
- Step 1: Remediation: Uninstalling Outdated Applications:
- We identified Mozilla Firefox and WinRAR as outdated versions with multiple vulnerabilities. To mitigate the risk, we choose to uninstall the applications from our system.
With the outdated applications removed, we then prepare for a second vulnerability scan to verify the effectiveness of our remediation actions.
- Step 2: Performing Second Scan:
  - Set up the scan with the title Win10 Authenticated Scan 2
  - Configure the same Basic Win10 Scan option profile as well as the same scanner appliance and target IP
  - Launch the scan and, when finished, click View Results
- Step 3: Review Second Scan Results:
The second scan results indicate a significant reduction in the number of vulnerabilities compared to the first scan. Here are the key changes:
- Total Vulnerabilities Reduced: The total number of vulnerabilities decreased from 427 to 226, showing a substantial improvement in security posture.
- Critical and High-severity Vulnerabilities Decreased:
  - Severity 5 vulnerabilities dropped from 42 to 8.
  - Severity 4 vulnerabilities saw a reduction from 148 to 23.
- 'Local' Category Improvement: The 'Local' category, which initially had 217 confirmed vulnerabilities, no longer appears among the top categories, suggesting that local issues were effectively remediated.
- 'Windows' and 'Security Policy' Categories: There remains a significant number of 'Windows' category vulnerabilities, likely related to outstanding security updates. The 'Security Policy' category also still shows vulnerabilities, indicating a need for further policy adjustments.
- Information Gathered: The 'Information Gathered' category showed a decrease in entries, from 173 to 109, which may include lower-risk findings but still signifies a more secure and compliant environment.
These changes underscore the effectiveness of the remediation actions taken, such as uninstalling outdated applications like Firefox, and demonstrate the value of conducting follow-up scans as part of a comprehensive vulnerability management process.
- Step 4: Reflect on Remaining Vulnerabilities:
- The detailed results of the second scan highlighted the remaining issues that still require attention.
These steps confirmed that uninstalling the outdated application was an effective measure in reducing our exposure to potential threats. The second scan's outcomes dictate our next actions in the continuous process of vulnerability management.
Continuing with the vulnerability management cycle, we'll analyze the remaining vulnerabilities from our second scan. We can identify critical Windows security updates along with high-severity Microsoft application vulnerabilities. Another round of remediation will commence to further harden our system.
- Step 1: Update Windows
  - From the scan results we can see the remaining critical alerts are related to Windows Security Update. We will now update the system.
  - Navigate to Windows Update and click Download
  - After the updates finish downloading and installing, and the system has restarted, we can confirm that our system is up to date.
- Step 2: Investigate Microsoft High Vulnerabilities
  - Here we focus on 2 Remote Code Execution (RCE) vulnerabilities in the 3D Viewer application and Windows Codecs Library.
  - Consulting the associated CVE links revealed that updates and patches could be obtained through the Microsoft Store.
- Step 3: Remediate Microsoft High Vulnerabilities
  - To remediate these vulnerabilities, we'll do the following:
    - Navigate to the Microsoft Store within our Windows environment
    - Identify and apply the necessary updates for the 3D Viewer and HEIF Image Extensions as per CVE instructions
These actions are crucial to maintaining a secure environment and will be verified in our third scan.
We continue with our vulnerability management cycle by initiating the third scan.
- Step 1: Perform Third Scan
  - Navigate to the Qualys platform and choose Scans > New > Scan
  - Provide the scan details:
    - Title: Win10 Authenticated Scan 3
    - Option Profile: Basic Win10 Scan
    - Scanner Appliance: StreetrackVA
    - IPv4 Address: 10.2.22.5
  - Click on Launch once the settings are set. Once finished, click on View Results
The objective is to evaluate the current security posture of the system following the updates and remediation actions that have been taken.
- Step 1: Reviewing the Third Scan
  - Upon reviewing the results of the third scan, we observe a further reduction in vulnerabilities.
  - There are no critical alerts, and only a few high-severity issues remain.
  - This improvement highlights the effectiveness of our remediation approach, which includes updating services through the Microsoft Store and applying the latest security updates to Windows.
This trend of diminishing vulnerabilities affirms our proactive approach and the measures we implement to secure our environment. By focusing on the Vulnerability Management Cycle, we can continue to resolve vulnerabilities aiming to reduce the attack surface further and strengthen our security defenses.
In the realm of vulnerability management, pivot tables serve as a potent analytical tool, streamlining the organization and interpretation of extensive vulnerability data. They enhance trend reporting by enabling security teams to visualize changes over time, identify remediation progress, and prioritize threats based on severity.
Pivot tables also facilitate efficient communication and task delegation across different departments, ensuring that everyone involved in the remediation process is aligned and informed about the vulnerabilities.
In this section, we'll go over downloading the results from the three comprehensive security scans and creating pivot tables in Google Sheets. These pivot tables will be used to go along with our report in the next section.
- Step 1: Download Reports
  - Navigate to the Qualys platform
  - Under the Scans tab, choose each authenticated scan and click download
  - For download format, choose Comma-separated value (CSV)
- Step 2: Import and Initial Setup
  - Open Google Sheets and import the downloaded scan results.
  - Highlight the metadata section above the header and delete it; we won't need it for our pivot tables
  - Select the entire first row, which is our 'key' row, and click on the Create a Filter icon. Now we can filter using these values.
  - Select everything and right-click to choose Resize rows > size 21, which is the default. This isn't for the pivot tables, but it does give us a better view of the data.
- Step 3: Create Pivot Table
  - Select everything and navigate to Insert > Pivot Table
  - Choose New Sheet and click Create
- Step 4: Edit Pivot Table
  - Let's create a table with the vulnerability name and filter to only see severity levels 4 and 5.
  - To begin, we can see our blank table on the left and, on the right, the Pivot Table Editor
  - Notice the four categories:
    - Rows
    - Columns
    - Values
    - Filters
  - On the far right section are the different key filters we created earlier. We'll click and drag these over to the four categories to edit our pivot table:
    - Click and drag Title to the Rows section
    - Click and drag Severity to the Columns section and rename it to Severity
    - Click and drag Severity to the Filters section
    - In the drop-down menu of the Filters section, choose to show severity 4 and 5
    - Under the Rows section, select Sort by and choose Severity
  - Now let's rename this table as Vulnerability Title
We should now have a table of the vulnerability titles with severity levels 4 and 5.
- Step 5: Category Pivot Table
  - Now we'll create another pivot table to show the number of vulnerabilities by category.
  - First, let's right-click on the previous table and choose Duplicate
  - We can see a duplicate table has been created
  - Rename this table Vulnerability Category
  - Now remove all filters except for the last one, which is Severity in the Filters section, since we want to continue to show only severity levels 4 and 5
  - Click and drag Category to the Rows section
  - Click and drag Results to the Values section and summarize by COUNTA
Once finished, we can see the number of vulnerabilities in each category with severity levels of high (4) and critical (5). This can really help us by enabling quick identification of areas with the highest security risks and prioritization of remediation efforts.
- Step 6: IP Pivot Table
  - Let's create one more pivot table. This time we'll create one focused on the IP and the number of vulnerabilities with severity levels 4 and 5
  - Right-click the previous table and select Duplicate
  - Rename this table IP Critical/High
  - Remove all filters except for the last one, Severity, in the Filters section
  - Click and drag IP to the Rows section
  - Click and drag Severity to the Columns section
  - Click and drag Results to the Values section
  - Rename Results to Vulnerability Severity by IP
Great! We now have a table showing our IP and the number of vulnerabilities with severity levels 4 and 5. This can help us pinpoint critical risk areas for specific IPs.
For each of the three scans, we'll construct these tables and utilize them in the subsequent section to develop a trend report that offers enhanced clarity on our findings.
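As an added example (not code from the original write-up, which builds these tables in Google Sheets), the following PowerShell rebuilds the same three pivot tables and a per-scan trend straight from the CSV exports. The scan rows are constructed samples, the column names are the fields the pivot editor steps above use, and the assumption that the header row begins with IP is mine.

```powershell
# Added example, not part of the original write-up. Rebuilds the three pivot
# tables from this section (by Title, by Category, by IP; severities 4 and 5
# only) plus a per-scan trend directly from Qualys CSV exports. Column names
# are the fields dragged into the pivot editor above; the header row is
# assumed to start with "IP". The scan rows below are constructed samples.

function Get-ScanRows {
    param([string]$CsvText)
    # Qualys exports begin with a metadata block (deleted by hand in Step 2);
    # skip everything up to the header row.
    $lines  = $CsvText -split "`r?`n"
    $header = 0
    while ($header -lt $lines.Count -and $lines[$header] -notmatch '^"?IP"?,') { $header++ }
    if ($header -ge $lines.Count) { throw 'No header row starting with IP was found' }
    @($lines[$header..($lines.Count - 1)] -join "`n" | ConvertFrom-Csv)
}

function Get-HighCritical {
    param([object[]]$Rows)
    # The pivot "Filters" pane setting: keep only severity 4 (high) and 5 (critical).
    @($Rows | Where-Object { [int]$_.Severity -ge 4 })
}

function Get-PivotByTitle {
    param([object[]]$Rows)
    # "Vulnerability Title" table: one row per title, critical first.
    Get-HighCritical $Rows | Group-Object Title, Severity | ForEach-Object {
        [pscustomobject]@{ Title = $_.Values[0]; Severity = [int]$_.Values[1]; Count = $_.Count }
    } | Sort-Object @{ Expression = 'Severity'; Descending = $true }, Title
}

function Get-PivotByCategory {
    param([object[]]$Rows)
    # "Vulnerability Category" table: COUNTA of Results per category.
    Get-HighCritical $Rows | Group-Object Category | Sort-Object Count -Descending | ForEach-Object {
        [pscustomobject]@{ Category = $_.Name; Count = $_.Count }
    }
}

function Get-PivotByIp {
    param([object[]]$Rows)
    # "IP Critical/High" table: per host, how many high and critical findings remain.
    Get-HighCritical $Rows | Group-Object IP | ForEach-Object {
        $g = @($_.Group)
        [pscustomobject]@{ IP = $_.Name
            Severity4 = @($g | Where-Object Severity -eq '4').Count
            Severity5 = @($g | Where-Object Severity -eq '5').Count }
    }
}

function Get-Trend {
    param([System.Collections.IDictionary]$Scans)   # scan name -> parsed rows
    # Trend report: one line per scan so remediation progress is visible at a glance.
    foreach ($name in $Scans.Keys) {
        $rows = @($Scans[$name])
        [pscustomobject]@{ Scan = $name; Total = $rows.Count
            Severity5 = @($rows | Where-Object Severity -eq '5').Count
            Severity4 = @($rows | Where-Object Severity -eq '4').Count }
    }
}

# Constructed sample exports for the same host across the three scans.
$scan1 = @'
"Vulnerability Scan Results","constructed sample, not real Qualys output"
"Launch Date","constructed"

"IP","Title","Severity","Category","Results"
"10.2.22.5","Mozilla Firefox Multiple Vulnerabilities (constructed)","5","Local","Firefox 50.0 found"
"10.2.22.5","WinRAR Path Traversal (constructed)","4","Local","WinRAR 5.60 found"
"10.2.22.5","Windows Security Update (constructed)","5","Windows","update missing"
"10.2.22.5","Windows Codecs Library RCE (constructed)","4","Windows","package outdated"
"10.2.22.5","Account Lockout Threshold (constructed)","2","Security Policy","not set"
'@
$scan2 = @'
"IP","Title","Severity","Category","Results"
"10.2.22.5","Windows Security Update (constructed)","5","Windows","update missing"
"10.2.22.5","Windows Codecs Library RCE (constructed)","4","Windows","package outdated"
"10.2.22.5","Account Lockout Threshold (constructed)","2","Security Policy","not set"
'@
$scan3 = @'
"IP","Title","Severity","Category","Results"
"10.2.22.5","Account Lockout Threshold (constructed)","2","Security Policy","not set"
'@
$scans = [ordered]@{ '1 Initial' = Get-ScanRows $scan1; '2 Post-uninstall' = Get-ScanRows $scan2; '3 Post-update' = Get-ScanRows $scan3 }
Get-PivotByTitle    $scans['1 Initial'] | Format-Table -AutoSize
Get-PivotByCategory $scans['1 Initial'] | Format-Table -AutoSize
Get-PivotByIp       $scans['1 Initial'] | Format-Table -AutoSize
Get-Trend $scans | Format-Table -AutoSize
```

Point Get-ScanRows at the real downloads (Get-Content -Raw on each CSV) to produce the same tables for the three project scans.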
Awesome! In this section, we've taken a deep dive into the creation of pivot tables, a critical step that enhances our understanding of vulnerability trends over time. Not only do these tables provide a clear visual representation of data for more insightful trend reporting, but they also offer additional benefits such as simplifying complex data sets, enabling quick identification of key risk areas, and facilitating effective communication across teams. This allows for a more targeted and efficient approach to managing and remediating vulnerabilities in our systems.
In this section, we'll be using the data from our pivot tables to compile a report illustrating the effectiveness of the vulnerability management process throughout the project.
We'll use the following guideline to craft our report:
- Header:
  - Title
  - Reported By
  - Date
- Executive Summary
- Background
- Scan Summary:
  - Initial Scan
  - Second Scan
  - Third Scan
- Trend Analysis
- Key Findings
- Conclusion
Our Final Report
Vulnerability Management Analysis Report
Report Prepared By: Thong Huynh
Date: 12/23/2023
Executive Summary
This report presents the findings and progress from a series of vulnerability scans conducted in a controlled virtual environment using Qualys. The aim was to emulate the vulnerability management cycle, starting from initial scanning to remediation and re-scanning, across three phases. We also focused on illustrating the effectiveness of this process through pivot table analysis and trend reporting.
Background
The virtual environment was intentionally configured with outdated applications to simulate real-world vulnerabilities. Our approach was to continuously scan, analyze, remediate, and then re-scan to closely follow the typical vulnerability management lifecycle.
Scan Summary
- Initial Scan: A substantial count of vulnerabilities were uncovered, with a concentration of critical and high-severity issues mainly in the 'Windows' and 'Local' categories.
- Second Scan (Post-Initial Remediation): Efforts resulted in a noticeable decrease in overall vulnerabilities, especially critical ones, indicating successful remediation of several high-priority issues.
- Third Scan (Post-Secondary Remediation): Consecutive remediation further decreased vulnerabilities, with no critical vulnerabilities remaining and a few high-severity ones.
Trend Analysis
- The analysis, based on pivot table data, indicated a positive downward trend in the number and severity of vulnerabilities. This suggests that the remediation measures taken were effective in mitigating identified vulnerabilities.
Key Findings
- The majority of critical vulnerabilities were successfully remediated after the first round of scans.
- Persistent vulnerabilities, primarily of high severity, require ongoing attention.
- Updates and patches significantly reduced the 'Windows' category vulnerabilities.
Recommendations
- Continue monitoring for residual high-severity vulnerabilities and prioritize their remediation.
- Implement a regular patch management schedule to prevent new vulnerabilities.
- Conduct periodic vulnerability scans to maintain a robust security posture.
Conclusion
The structured approach showcased the effectiveness of a thorough and iterative vulnerability management process. The crafted pivot tables proved invaluable in tracking and reporting on the progress of our remediation efforts, underscoring the importance of such tools in a SOC analyst's repertoire.
End of Report
LET'S GO!!! In this project, we navigated the full spectrum of the vulnerability management cycle in a simulated corporate setting. The hands-on experience underscored the balance between theoretical knowledge and its practical application.
Pivotal to the project's success was the use of pivot tables, which converted complex data into clear visuals that informed our remediation strategies and potentially facilitated effective communication with stakeholders.
Compiling the trend report brought to light the improvement in the security posture through each phase, validating the robustness of proactive vulnerability management.
Reflecting on this journey, I've gained a deeper appreciation for the relentless nature of cybersecurity and the necessity of continuous adaptation and learning. This project has not only honed my technical prowess but also reinforced my dedication to the ongoing endeavor of cyber defense.