How to Conduct a Vulnerability Assessment

by: Guest


A vulnerability assessment is used to quantify a system's risk posture based on the system's IT exposure. The risk is defined as a function of threats, vulnerabilities, and asset value. An example of a threat is a disgruntled employee attempting to gain unauthorized access to the system. An example of a vulnerability is a system that does not require authentication for system access via the Internet. Assets with high value could be defined as systems with sensitive information, such as social security numbers.

The main steps in conducting a vulnerability assessment are gathering the requirements, defining the scope, identifying roles and responsibilities, developing the test plan, executing the testing, and documenting the results.

The first step is gathering the requirements. A Statement of Work is an agreement between the two parties that defines the work involved, the scope of work, the parties involved, and the time and dates of execution. The vulnerability assessment team reviews the Statement of Work and gathers additional requirements from the client. Additional requirements could include details such as specifying the types of testing that are not in the scope (e.g. Denial of Service) or defining reporting requirements.

Defining the scope is the next step. The client will provide a systems inventory and the locations of the sites that will be tested during the vulnerability assessment. Additionally, the client will clarify which system components will be tested (e.g. databases, web applications). The vulnerability scanning tools to be used will also be defined; these can include tools such as Nessus and STAT.

The roles and responsibilities are also defined. This includes roles such as who is going to execute the vulnerability scans, who is going to monitor the testing, and who to notify if there are denial of service conditions detected. The stakeholders' contact information is exchanged so that communication can be facilitated during the testing.

The test plan defines the testing in more granular form. The test plan specifies what configurations are used on the vulnerability scanners, what IP addresses are scanned, how the testing is conducted, and procedures for halting the testing.

Executing the testing includes setting up at the testing sites, plugging into the network, and executing the vulnerability scans. The vulnerability scans can produce hundreds of pages of data.

Documenting the results is the final stage. The vulnerability report generated by the vulnerability assessment tool is reviewed by the assessment team for false positives. This phase is done together with the system administrators, who help the assessment team gather the information needed to identify false positives. For example, a vulnerability scanner may report Linux vulnerabilities on a Windows system; such a finding can be classified as a false positive. The final results are compiled into a report. The report contains an executive summary of the major vulnerabilities found, the risk levels associated with those vulnerabilities, and mitigation recommendations.
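The following script is an added example, not part of the original article and not output of Nessus, STAT or any other real scanner. It ties the steps above together: the client's systems inventory (with an asset value per host), the in-scope address ranges from the test plan, and a set of constructed scanner findings. It flags findings on hosts outside the scope, discards platform-mismatched findings as likely false positives (the "Linux vulnerability on a Windows host" case), scores the rest as likelihood x severity x asset value, and tallies the counts an executive summary would present. The field names, the 1-5 scales and the level thresholds are assumptions chosen for the example.

```python
"""Triage of vulnerability-scanner findings against a system inventory.

All data below is constructed for illustration; it is not real scanner output.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed systems inventory, as the client would supply during scoping.
# asset_value: 1 (low) .. 5 (high, e.g. a system storing social security numbers)
INVENTORY = {
    "10.0.1.10": {"name": "hr-db", "os": "windows", "asset_value": 5},
    "10.0.1.20": {"name": "web-01", "os": "linux", "asset_value": 3},
    "10.0.1.30": {"name": "kiosk", "os": "windows", "asset_value": 1},
}

# In-scope address ranges taken from the test plan (constructed).
SCOPE = [ip_network("10.0.1.0/24")]

# Constructed scanner findings. "platform" is the OS family the check applies to
# ("any" if it is platform independent), "severity" is the tool's 1..5 rating,
# "likelihood" is the team's 1..5 estimate of the threat being realised
# (an unauthenticated Internet-facing interface scores high).
FINDINGS = [
    {"host": "10.0.1.10", "title": "No authentication on admin interface",
     "platform": "any", "severity": 5, "likelihood": 5},
    {"host": "10.0.1.10", "title": "Outdated glibc",
     "platform": "linux", "severity": 4, "likelihood": 3},
    {"host": "10.0.1.20", "title": "Outdated OpenSSH",
     "platform": "linux", "severity": 3, "likelihood": 3},
    {"host": "10.0.1.30", "title": "SMBv1 enabled",
     "platform": "windows", "severity": 4, "likelihood": 2},
    {"host": "10.0.2.5", "title": "Anonymous FTP",
     "platform": "any", "severity": 3, "likelihood": 4},
]


@dataclass
class Triaged:
    host: str
    name: str
    title: str
    score: int   # likelihood * severity * asset_value; 0 when the finding is set aside
    level: str   # Critical / High / Medium / Low / False positive / Out of scope


def risk_level(score):
    """Map a 1..125 score onto the report's risk levels (thresholds are assumptions)."""
    if score >= 75:
        return "Critical"
    if score >= 40:
        return "High"
    if score >= 15:
        return "Medium"
    return "Low"


def in_scope(host):
    """True if the host address falls inside one of the test plan's ranges."""
    addr = ip_address(host)
    return any(addr in net for net in SCOPE)


def triage(findings, inventory):
    """Classify each finding and compute its risk score."""
    results = []
    for f in findings:
        host = f["host"]
        if not in_scope(host):
            # Scanned something the Statement of Work did not cover: report, do not score.
            results.append(Triaged(host, "?", f["title"], 0, "Out of scope"))
            continue
        asset = inventory.get(host, {"name": "unknown", "os": "unknown", "asset_value": 3})
        if f["platform"] != "any" and f["platform"] != asset["os"]:
            # Platform mismatch, e.g. a Linux check firing on a Windows host.
            results.append(Triaged(host, asset["name"], f["title"], 0, "False positive"))
            continue
        score = f["likelihood"] * f["severity"] * asset["asset_value"]
        results.append(Triaged(host, asset["name"], f["title"], score, risk_level(score)))
    # Highest risk first, as the executive summary lists them.
    return sorted(results, key=lambda t: t.score, reverse=True)


def executive_summary(triaged):
    """Count findings per level for the report's summary table."""
    counts = {}
    for t in triaged:
        counts[t.level] = counts.get(t.level, 0) + 1
    return counts


if __name__ == "__main__":
    rows = triage(FINDINGS, INVENTORY)
    for r in rows:
        print(f"{r.level:<15} {r.score:>4}  {r.name:<8} {r.host:<10} {r.title}")
    print(executive_summary(rows))
```

The platform check is deliberately conservative: a finding is only set aside when the check is platform specific and the inventory states a different OS, so an unknown host is scored rather than silently dropped. In a real engagement the "False positive" bucket is what the assessment team walks through with the system administrators before the report is finalised.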
