Why are vulnerability audits important?
Every unchecked firewall, switch and router in an organization’s protect surface may hide an unknown security gap that affects the entire network. Without an audit of every networking device that checks each device’s configuration, there is no visibility of where vulnerabilities caused by misconfigurations sit within the network. The impact of any threats to the network, and therefore the risk to its security, cannot then be accurately assessed. Without this vital information it is impossible to effectively prioritize remediation efforts, which may leave the network exposed to critical security risks, compromising the organization’s data, applications and ultimately its reputation.
To mitigate this, regular audits of every network device are required. There are several different methods of carrying out a vulnerability audit, including:
Scanning. An assessment of a device carried out by probing its interface. Part of the scan looks up the device’s firmware against the Common Vulnerabilities and Exposures (CVE) list. This type of scan does not assess the device configuration.
Build review. A line-by-line analysis of the configuration instructions. It is the least intrusive and most accurate method of determining system security and compliance status. There are two types of tool:
- Grep tools. These find and match text strings, but often return false positives and false negatives.
- Tools that virtually model the device configuration (such as Nipper). These provide high levels of granular auditing accuracy.
Part of these audits will include checking the devices against the CVE databases.
NVD and CVE Databases in vulnerability management - what they are and why they are used
The Common Vulnerabilities and Exposures (CVE) list is, as the name suggests, a list of common vulnerabilities. When a vulnerability is discovered, it is added to the CVE list (although this might not be publicized immediately to give the vendor time to repair the vulnerability). The list can be accessed by anyone who wishes to see the vulnerabilities that exist on a particular device. It does not go into any detail on remediation. It does provide a link to the NVD, which contains more detail.
The National Vulnerability Database (NVD) is a U.S. government repository of standards-based vulnerability management data. Basically, it is a database of reported vulnerabilities in both commercial and open-source components. The NVD performs analysis on CVEs that have been published to the CVE Dictionary.
CVE Example: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34771
NVD Example of same vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2021-34771
How Nipper discovers vulnerabilities
We mentioned earlier the different methods of carrying out a vulnerability audit. Titania’s Nipper software automates the auditing of firewalls, switches and routers to detect vulnerabilities and misconfigurations with unrivalled levels of accuracy. Nipper does this by virtually modelling the entire configuration of the device it is auditing as a single entity. This means that when it performs the line-by-line configuration analysis, it can consider interdependencies across the configuration and suppress irrelevant findings. It then produces a report which details all the findings, including risk prioritization and remediation advice.
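The following is an added illustration of the difference between grep-style text matching and modelling the configuration before auditing it; it is example code written for this page, not Nipper’s or Titania’s code, and the Cisco IOS-style config, the check names and the ACL names are constructed. The grep check flags the negated `no ip http server` line and the `permit ip any any` rule in an ACL that is never applied to an interface, while the model-based check reads each line in its section and suppresses both.

```python
import re

# Constructed Cisco IOS-style config (sample input, not from any real device):
# one negated command, one ACL that is applied and one that is never used.
SAMPLE_CONFIG = """\
no ip http server
ip access-list extended OUTSIDE-IN
 permit ip any any
ip access-list extended LAB-UNUSED
 permit ip any any
interface GigabitEthernet0/0
 ip access-group OUTSIDE-IN in
"""

CHECKS = {"http-server": r"ip http server", "permit-any": r"permit ip any any"}

def grep_audit(config):
    """Grep-style check: match each pattern line by line with no context."""
    return sorted(name for line in config.splitlines()
                  for name, pat in CHECKS.items() if re.search(pat, line))

def build_model(config):
    """Parse the whole config into one model so each line is read in its section."""
    m, section = {"http_server": False, "acls": {}, "applied": {}}, None
    for line in config.splitlines():
        text, words = line.strip(), line.split()
        if not line.startswith(" "):                # top-level command: new section
            section = None
            if text.startswith("ip access-list extended "):
                section = ("acl", words[-1])
                m["acls"][words[-1]] = []
            elif text.startswith("interface "):
                section = ("intf", words[-1])
            elif text in ("ip http server", "no ip http server"):
                m["http_server"] = not text.startswith("no ")   # 'no' negates
        elif section and section[0] == "acl":
            m["acls"][section[1]].append(text)
        elif section and section[0] == "intf" and text.startswith("ip access-group "):
            m["applied"][words[2]] = section[1]          # ACL name -> interface
    return m

def model_audit(m):
    """Report only findings that hold in context: negated commands and unused ACLs drop out."""
    findings = ["http-server"] if m["http_server"] else []
    findings += [f"permit-any:{acl}@{intf}" for acl, intf in m["applied"].items()
                 if "permit ip any any" in m["acls"].get(acl, [])]
    return sorted(findings)
```

On the sample config the grep check returns three findings, two of them false positives, while the model returns only the permit-any rule on the ACL that is actually applied to an interface.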
What Nipper audits against
Nipper is designed to create a precise in-memory model of the actual configuration of the device it is assessing. It then compares this model to a secure configuration as specified by the manufacturer and security best practice, taking into account all the specified rules for the network. This pinpoints exactly where the actual configuration differs from the secure configuration – and what must be done to secure the device and improve the security posture of the network. Each vulnerability is detailed with Nipper’s trusted security risk classification that rates its severity, a CVSSv3 score, advisory references and third-party references.
These findings can also be viewed through the user’s chosen risk management framework lens to demonstrate, for example, whether the configuration is compliant with any CMMC or NIST 800-171 security practices that apply to the device.
How Nipper's risk scoring gives users a remediation advantage
Nipper’s approach to vulnerability auditing not only results in significantly fewer false-positive findings than other tools, it also provides proprietary network-centric risk scoring. Whilst competitor products rely on a Common Vulnerability Scoring System (CVSS) severity score to categorize the risks they find, Nipper automates 25 years of pentest expertise to put each issue it finds into a network risk context. It takes into account other security-related criteria that represent risk to the network, not just to the device, including:
- The impact of an exploitation of the misconfiguration
- How easy it is to exploit, i.e. the likelihood of the risk being realized
- The time it will take to remediate
All of this information is provided in Nipper’s report, and the findings are automatically prioritized by the vulnerability’s criticality to the network. The report also comes complete with recommended remediation advice to mitigate the risk, and for some Cisco devices, includes the command line syntax instructions to fix any misconfigurations that have been detected. This information is proven to significantly reduce the mean time to remediate configuration vulnerabilities.
For a closer look at Nipper’s vulnerability auditing and prioritized risk and remediation report, book a demo of Nipper today.