This blog is intended for people who have run an external penetration test or vulnerability scan and found vulnerabilities on some of their open ports. It is a quick step-through of where those vulnerabilities come from and how to remediate, or risk-accept, the different scenarios.
For reference, a couple of our other blogs may be of interest:
Understand a bit more about CVE vulnerabilities and Mitre in general.
Our existing article on “What to do if you have ports open”, which is the precursor to having vulnerabilities.
Below is a step-through of where CVEs come from and how you should deal with these vulnerabilities.
Effectively, once your IP addresses have been found to have ports open, probing follows to discover what is running behind those ports (i.e. which particular piece of software or service is terminating the open port). This process is called “fingerprinting”, and once it is complete the results are run against the global CVE databases to work out whether there are any known vulnerabilities.
It is as simple as that really: a process is run to “infer” what software is running on that particular port, returning something like “Application Name”, “Vendor Name” and “Version number”. That result is then literally looked up as a search query against the global vulnerability database to see whether that piece of software has any known vulnerabilities logged against it. Simples (this is actually half of cyber security).
We go into a bit more detail around CVEs in our “RoboShadow AI CVE early warning system” blog, but in short the CVE database is looked after by a government organisation called “Mitre” in the USA, which collects input from the different cyber agencies all over the world.
Effectively this is the main golden source of global vulnerabilities, and the “Mitre CVE” database has been going since the early 2000s. CVE is a fundamental part of all the major cyber security platforms, Nessus, Amazon Inspector and Azure Security Centre to name a few, which all have the CVE lookup as a core part of their offering.
The most common outcome when resolving a CVE vulnerability is simply patching: the CVE is fixed by applying the latest software update from the vendor. In fact, many software vendors will already have released the patch for the issue at the time they disclose the vulnerability to Mitre.
Things are a bit more tricky if there is a known vulnerability on infrastructure you own but it can’t be patched for some reason.
Usually the reason is that the particular infrastructure can’t be upgraded in the conventional sense, either because there is no known patch for the CVE or because you can’t upgrade it for fear of breaking the software running on it. If this is the case then there are some things you can do:
There is also a technique whereby you can disguise a device so that it can’t be fingerprinted, which doesn’t actually solve the problem but gives you some “security by obscurity”. It’s fairly easy to go into the config of the vulnerable tech and stop the banners and HTTP headers that allow it to be fingerprinted by the world’s scanning tools. A quick Google for most platforms should find a way of disguising vulnerable tech from the world.
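To make the fingerprint-then-lookup step and the banner-hiding point above concrete, here is an added example (not RoboShadow code). It parses a service banner into product and version, checks it against a constructed CVE table with placeholder IDs and made-up version ranges, and shows that a banner with the version stripped yields no external match while the same host still matches when checked from your own inventory.

```python
"""Added illustration of fingerprinting -> CVE lookup and of banner hiding.
The CVE table, IDs and version ranges are CONSTRUCTED placeholders."""
import re

# Constructed CVE table: (product, first affected, first fixed, placeholder id)
CVE_TABLE = [
    ("apache_httpd", "2.4.0", "2.4.50", "CVE-0000-0001"),
    ("openssh", "7.0", "8.4", "CVE-0000-0002"),
]

# Banner regexes for a few common services; group 1 captures the version.
BANNER_PATTERNS = [
    ("apache_httpd", re.compile(r"Apache/(\d+(?:\.\d+)+)")),
    ("openssh", re.compile(r"OpenSSH_(\d+(?:\.\d+)*)")),
    ("nginx", re.compile(r"nginx/(\d+(?:\.\d+)+)")),
]


def version_tuple(version):
    """'2.4.49' -> (2, 4, 49) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def fingerprint(banner):
    """Infer (product, version) from a banner, or None when the banner
    discloses no version (what you get after suppressing server tokens)."""
    for product, pattern in BANNER_PATTERNS:
        match = pattern.search(banner)
        if match:
            return product, match.group(1)
    return None


def lookup_cves(product, version):
    """Return placeholder CVE ids whose affected range contains version."""
    v = version_tuple(version)
    return [cve for p, low, high, cve in CVE_TABLE
            if p == product and version_tuple(low) <= v < version_tuple(high)]


def assess_banner(banner):
    """What an external scanner would conclude from the banner alone."""
    fp = fingerprint(banner)
    if fp is None:
        return {"fingerprint": None, "cves": []}
    return {"fingerprint": fp, "cves": lookup_cves(*fp)}


def reconcile_inventory(assets):
    """Internal view: assets is {name: (product, version)} from your own
    records, so hidden banners do not hide the vulnerability from you."""
    return {name: lookup_cves(product, version)
            for name, (product, version) in assets.items()}
```

Suppressing the banner changes only `assess_banner`; `reconcile_inventory` still flags the host until it is patched or upgraded.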
It’s always worth noting that in cyber governance processes you are always aiming for the next budget round. So as long as the current vulnerable platform is earmarked for a future upgrade (and therefore the future resolution of that particular vulnerability is planned), this is widely accepted, because there is a remediation plan in place. What is not usually excusable is being ignorant of the issues in the first place.
In general people get excited about the need for a full “human”-led penetration test; however, we think the core fundamental part of any good security exercise is to at least nail down the basics and ensure that your environment has no vulnerabilities that can be externally exploited.
This can be on external IP addresses facing the raw internet, or it could be CVE vulnerabilities on desktop machines that allow remote access trojans to execute, compromising your team’s devices. Either way, reconciling your whole environment against the global CVE databases should be your first port of call in cyber defence.
You have to remember that your external IP addresses probably already exist in the Shodan database, so as soon as you have some tech online which becomes vulnerable, there is a good chance the bad guys will get to you “programmatically” by using the Shodan API.
At the same time, many of the phishing exercises sent out are trying to get remote access code to run on your machines. We think we are safe with MFA protecting against our credentials being phished, but we often forget that vulnerable desktops can give hackers remote access if you click on the wrong link and have vulnerabilities on your devices waiting to be exploited.
As always feel free to contact us if you have any questions.