Interview: Information Security Expert Explains Vulnerability Analysis
A conversation with Certified Ethical Hacker Sophia Green
Ethical hackers regularly conduct vulnerability analyses. Can you explain the process you use?
The process that I use is pretty short. The first thing I would do is to establish a baseline: speaking with the team regarding their expectations for timeline, the scope, and what exactly is to be analyzed.
The next step would be implementing the vulnerability assessment, where I would scan servers, web applications, and anything the organization or the team would want to assess. And after its completion, I would go into the risk assessment, where we would categorize the different vulnerabilities and the findings and create a strategic plan on how to mitigate and complete or address the assessment findings.
Then we would go into remediation to address any of those vulnerabilities, whether patching or updating the software version. Upon the completion of the remediation, we would go into verification, where we would validate and verify that all practices in place are working. And once we complete it, I would go into monitoring, whether firewalls, intrusion prevention systems, intrusion detection systems, or any CM [configuration management] tool.
So, for me, that would be the thought process behind my vulnerability analysis.
What did you learn about vulnerability analysis in the C|EH course?
The C|EH course gave me insight into how hackers think and the different malicious attack vectors they use against organizations or people. It allowed me to learn those skills and methods to better position myself and the organization I work for. It helped me to provide a secure structure and to be able to give insight on how to strengthen our infrastructure.
How essential is it for organizations to regularly identify and analyze vulnerabilities? What are the benefits of doing so?
Especially in these times, with a lot of ransomware attacks happening right now—a lot of the different types of attacks that we’ve seen against companies—it’s essential. That is a baseline that companies providing services or ecommerce companies who do business over the internet should have, because it’s detrimental to the organization and to the customers and clients in their database.
To be able to get an understanding of the company, where you stand security-wise as far as your network goes, and to be able to be in tune with everything that is going on in the world—all the different potential attack vectors and methods—and to be able to take that knowledge in and to be able to apply it in a way where you’re able to provide a defense for your company, [that] would save you a lot of money. And that could be a lot of money, whether that’s avoiding ransomware attacks, or that could also be along the lines of not being sued for having data breaches.
The benefits would be to know as an organization where you stand [and if] you have placed yourself and your organization in the strongest position possible. I believe that knowledge is essential. Knowing where your company is, how they’re structured network-wise, and knowing that you have those tools to prevent or mitigate as many potential vulnerabilities as possible and attacks as possible.
It just gives you peace of mind to know that I have the tools and techniques required to protect my company’s data, intellectual property, and clients. And when clients see that, it makes them feel more comfortable, and it makes them want to continue to do more business with you.
In your professional opinion, how should ethical hackers balance automated and manual vulnerability analysis methods?
I think when it comes to IT, especially hacking, altogether there are a lot of different things on the back end. Automate things, whether that is log files, whether that is just monitoring and scanning—things that do not require immediate action should be automated.
So, even for my section, we utilize a software called Tripwire, where it just automatically scans our network to ensure that there is nothing malicious happening. I think placing automation into your infrastructure is very beneficial. But I also believe that there are things that require our direct attention.
Say, for instance, we set up automation to scan a network and receive an alert. Once that alert is received, we can manually go in and investigate what’s happening. And if it’s something that requires remediation, remediate it. If it’s not, then we could go ahead and move forward.
So, I think having that balance between automating the things that don’t necessarily require us to have direct eyes on [them] and then actually being notified of things that we do need to address will make things a lot more efficient and allow us to be able to spend time on the things that are most important within the network.
How do you deal with false positives in the vulnerability analysis process?
Typically, if we receive a false positive, we investigate from the moment we receive the notification. If it’s something that I can do individually, I go ahead, investigate, and remediate it.
If it’s something that will require other people from different teams, then I will notify them, and either we will come together in a huddle, or we suggest to them what needs to be done to each so that we can mitigate it.
A false positive is not necessarily bad, but it does have the potential to be one. So, to investigate and work from there is my best approach.
What tools or resources do you use regularly for vulnerability analysis?
Currently, I’m in a new position where we are using Nessus or Tenable. I work a lot with Tripwire. Those are the two tools we use, along with others, such as Divi Cloud.
Those are the two main things we utilize to receive notifications for vulnerabilities and gather all that data in one area so that we’re able to classify it, categorize and mitigate any potential vulnerabilities, and complete any unnecessary things we would need to remove those risks and vulnerabilities.
Is your IT team equipped to handle vulnerability analysis?
Learn about vulnerability analysis and the rest of the ethical hacking process with the C|EH, the world’s leading ethical hacking certification. Contact EC-Council to register today.
Build a Rewarding Career with the C|EH
Fast-Growing Job Market
1,800+ ethical hacking job openings on LinkedIn alone [1]
C|EHs in the U.S. earn over $82,000 per year on average [2]
Wide Range of Opportunities
Prepare for 20+ cybersecurity job roles with the C|EH
[1] https://www.linkedin.com/jobs/search/?geoId=92000000&keywords=ethical%20hacker&location=Worldwide
[2] https://www.payscale.com/research/US/Job=Certified_Ethical_Hacker_(CEH)/Salary
Views expressed in this interview are personal. The interview has been produced with the aid of a transcription service and may contain dictation, typographical, technical, and/or other errors. The facts, opinions, and language in the interview may not reflect the views of EC-Council or the interviewee’s employer, and EC-Council does not assume any responsibility or liability for the same.