286 Managing Network Vulnerability Assessment
    network operating systems, 175–177
    nontechnical management, 170–171
    systems, 177
    technical management and network practices, 171–175
  body of NVA report, 160–161
    analysis, 160
    conclusions, 160–161
    final comments, 161
    glossary, 161
    key safeguards for providing information security, 160
    methodology overview, 160
    security profile, 160
    summary table of risk, vulnerabilities, and recommendations, 161
  executive summary, 159
  final comments, 182
  glossary, 184
  key safeguards, 178–180
    access control, 179
    auditing, 179
    authentication, 178
    firewalls, 180
    nonrepudiation, 178
    secure messaging, 179
  methodology overview, 164–165
    introduction, 164
    methodology, 164–165
  recommendations to mitigate risks, 181
  sample executive summary, 162–163
    introduction, 162
    methodology, 162
    recommendations, 163
    results and conclusions, 162–163
  security profile, 166–170
    background information, 166
    computer operations and telecommunications areas, 169
    hands-on investigation reports, 168
    interview reports, 167–168
    list of company documentation, 166
    network access and practices, 168–169
    system and network configurations, 169–170
  summary table of risk, vulnerabilities, and recommendations, 183
  table of contents, 159
NetWorld Scanner, 139, 140
NFS, see Network file systems
NI, see Network Inspector
Nimda, 37, 93
NIST
  special publications, 267–269
  Web site, 84
Nmap
  for Linux, 127, 129
  for NT, 128, 129
  for Windows, 128
Node authentication, 54, 85
Noncompliance, 83
Nondisclosure agreements, 166
Nonrepudiation, 178
Novell NetWare, 175, 248
NT systems, access control on, 179
Null sessions, 248
NVA, see Network vulnerability assessment
NVA report, sample, 223–265, see also Network vulnerability assessment sample report
  exceptions to vulnerability assessment test protocol, 254
  executive summary, 226–227
  finding rating levels, 230
  findings, 231–250
    access control methodologies, 236–238
    applications and systems security, 244–250
    physical and operational security, 239–241
    security architecture, 234–236
    security management, 231–234
    telecommunications and network security, 241–244
  general opinion, 227–230
    critical vulnerabilities, 228
    identification and authentication, 228–229
    intrusion detection, 229
    personnel, 227–228
    policies and procedures, 228
  reference model, 257–265
    CLIENT trust model, 258
    figures and diagrams, 262–263
    glossary, 271–279
    list of tests performed, 258–261
    standard information protection model, 257
    summary information, 261–262
    supplementary information, 263–265
  standards applied, 254–257
    common criteria, 254
    common methodology, 254–256
    functional areas of vulnerability, 256
    ISO 17799, 256–257
  table of contents, 224–226
  version history information, 224
  vulnerability assessment report, 223
  vulnerability assessment team members, 224