4 Managing Network Vulnerability Assessment
Can One Person Perform an NVA?
Yes, but it depends on the depth of the NVA. While a good security practitioner
can perform all the technical aspects of an NVA, it is very difficult to find one
person who can perform the technical testing and functions such as policy
and procedure review. And if this individual is capable of doing both, the
next question becomes: can he or she perform both functions well? In essence,
it really requires a team to run an NVA, unless it is restricted to a technical-
only NVA or the organization is very small.
Introduction to Vulnerability Assessment
The technical aspects of an NVA are often downplayed or given very little
thought. This component of an NVA is often left to the software to do, and
little or no consideration is given to the operator or the testing methodology.
The most enjoyable part of this component is the tools. Everyone wants to
hear about the tools. No one wants to learn how the tools interact, or how
a good methodology can save hours, if not days, of the time needed to
complete a vulnerability assessment. Everyone wants to hear about the tools.
Do not fret; we will spend plenty of time discussing tools and sites for tools,
and our opinion of each. Before we get there, however, we will spend some
time going over the process and methodology for the technical aspects of
network vulnerability assessment.
Goals of Vulnerability Assessment
There are two major goals of a network vulnerability assessment. The first
goal of a technical vulnerability assessment is to test everything possible. It
is often useful to think in “new-age” terms and consider the NVA a holistic
NVA. The reason that it is important to test the entire security domain is
somewhat obvious. An intruder only needs one hole to break into the network;
whether that hole lies in the primary firewall or in a modem connected to an
executive’s desktop computer really does not matter. There are some factors
that will limit how deep you can make the NVA. The two factors that most
often get in the way of a complete NVA are time and cost. The time you
spend running your NVA is generally time that you are not spending on your
other job functions, and this can cost your company money or impact your
company in other ways. Also, the cost of the NVA may limit the tools at your
disposal for the testing period. If your organization has a somewhat meager
budget for the technical areas of an NVA, do not worry too much. There are
a number of great tools that are completely free, which will allow you to run
a very respectable NVA without spending a fortune collecting tools. We further
discuss tools in Chapter 6.
The second goal of a technical NVA is to generate a clear, concise report
that will be read and used by your management or your customers. One of
the most common rookie mistakes in running an NVA is to run an NVA tool
with all the default options, have it generate a default report, and then print
out thousands of pages with every vulnerability inside a client’s domain —
all the way from huge vulnerabilities such as a nonpassword-protected telnet
session on the company’s primary Internet router, down to very small vulnerabilities
such as a workstation responding to a ping. This method delivers a
significant number of pages for the customer to read, and a very thick binder
that will look impressive sitting on a shelf of the CSO’s office for years to
come. The question lies in the value of this type of vulnerability assessment.
As consultants, we sometimes get asked to perform this kind of NVA.
Sometimes, the customer just wants someone to come into their network and
run ISS Internet Scanner, and then go home. I try to discourage the customer
from selecting this type of NVA; however, it often proves more difficult to
dissuade the salesperson from selling this type of engagement than to change
the customer’s mind. However, NVAs are an important tool in the defense of
computer systems and networks. Many information-seeking professionals rely
solely on the latest available scanning tools to perform assessments; but
scanners are only one part of a complete vulnerability assessment. Overreliance
on them can leave holes in the assessment, thereby compromising information
security.
In a perfect world, the actual goal of an NVA is to produce useful results.
A handy thing to remember is that what is useful to one type of individual is not
necessarily as useful to other types of people. For example, a CEO is going
to care little about the details of a potential security hole involving malformed
ICMP packets, but this type of information is going to be very useful for the
technician who may be charged with the task of fixing the problem. The CEO
is more likely to be concerned with how the entire security system is doing
compared to evaluation criteria or industry standards.
To help produce useful results, the amount of data given in a final report
must be readable by the audience desired for each segment. Typically, an
NVA report will begin with a one-page summary detailing how the security
of the customer is doing in general. This is intended for senior management
types to read. Following this section of the report is the general opinion
section. This section is intended for line managers who will want a greater
level of detail than senior management, but not as much as the company
technicians who will be more interested in the next section.
The next section of the report has the specific vulnerability findings from
the assessment. In this area, vulnerabilities are listed by name with a description
of the vulnerability, why this vulnerability is important to fix, the areas of the
enterprise that could be affected by this vulnerability, and finally the
high-level steps needed to fix the hole.
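The report structure described above (a one-page summary for senior management, a more detailed section for line managers, and per-vulnerability findings for technicians, with informational noise such as "host responds to ping" kept out of the body) can be produced directly from raw scanner output rather than by printing the scanner's default report. The script below is an added example and is not code from the book or from any scanner vendor. The finding records are constructed sample data in a generic shape (host, area, name, severity, why, fix), not the output format of ISS Internet Scanner or any other real tool; the severity scale and the "good/fair/poor" rating rule are assumptions for illustration.

```python
from collections import Counter

# Constructed severity scale: lower number = more urgent. Not any scanner's scale.
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4}

# Constructed sample findings, one record per (host, vulnerability), roughly what
# a default scan dump contains. Hosts use the RFC 5737 documentation range.
SAMPLE_FINDINGS = [
    {"host": "192.0.2.1", "area": "Internet edge router",
     "name": "Telnet management without a password", "severity": "critical",
     "why": "Anyone who can reach the router gets an administrative shell.",
     "fix": "Disable telnet; manage the router over SSH from the admin network only."},
    {"host": "192.0.2.20", "area": "DMZ web server",
     "name": "Crash on malformed ICMP packets", "severity": "high",
     "why": "A single crafted packet can take the public web site offline.",
     "fix": "Apply the vendor patch; filter ICMP types not needed at the edge."},
    {"host": "192.0.2.21", "area": "DMZ web server",
     "name": "Crash on malformed ICMP packets", "severity": "high",
     "why": "A single crafted packet can take the public web site offline.",
     "fix": "Apply the vendor patch; filter ICMP types not needed at the edge."},
    {"host": "192.0.2.1", "area": "Internet edge router",
     "name": "ICMP timestamp replies enabled", "severity": "low",
     "why": "Leaks the device clock; aids fingerprinting, little direct risk.",
     "fix": "Drop ICMP timestamp requests on the external interface."},
    {"host": "192.0.2.10", "area": "Office workstation",
     "name": "Host responds to ping", "severity": "info",
     "why": "Confirms the host exists; not a weakness by itself.",
     "fix": "No action required."},
    {"host": "192.0.2.11", "area": "Office workstation",
     "name": "Host responds to ping", "severity": "info",
     "why": "Confirms the host exists; not a weakness by itself.",
     "fix": "No action required."},
]


def group_findings(findings):
    """Collapse per-host records into one entry per vulnerability, listing the
    affected hosts and enterprise areas, ordered by severity then name."""
    grouped = {}
    for f in findings:
        entry = grouped.setdefault(f["name"], {
            "name": f["name"], "severity": f["severity"], "why": f["why"],
            "fix": f["fix"], "hosts": [], "areas": set()})
        entry["hosts"].append(f["host"])
        entry["areas"].add(f["area"])
    return sorted(grouped.values(),
                  key=lambda e: (SEVERITY_ORDER[e["severity"]], e["name"]))


def executive_summary(findings, floor="medium"):
    """Senior-management view: counts, an overall rating and the top risks,
    with nothing below `floor` counted as needing action."""
    counts = Counter(f["severity"] for f in findings)
    actionable = [e for e in group_findings(findings)
                  if SEVERITY_ORDER[e["severity"]] <= SEVERITY_ORDER[floor]]
    # Constructed rating rule: any critical finding is "poor", any high is "fair".
    rating = "poor" if counts["critical"] else "fair" if counts["high"] else "good"
    return {"hosts_tested": len({f["host"] for f in findings}),
            "counts": dict(counts),
            "actionable_issues": len(actionable),
            "top_risks": [e["name"] for e in actionable[:3]],
            "rating": rating}


def technical_findings(findings, floor="low"):
    """Technician view: full entries at or above `floor`; anything below it
    (informational items) goes to an appendix instead of the report body."""
    grouped = group_findings(findings)
    main = [e for e in grouped if SEVERITY_ORDER[e["severity"]] <= SEVERITY_ORDER[floor]]
    appendix = [e for e in grouped if SEVERITY_ORDER[e["severity"]] > SEVERITY_ORDER[floor]]
    return main, appendix


def render_report(findings):
    """Render the summary and findings sections as plain text."""
    summary = executive_summary(findings)
    main, appendix = technical_findings(findings)
    lines = ["EXECUTIVE SUMMARY",
             f"Overall posture: {summary['rating']} ({summary['hosts_tested']} hosts tested)",
             f"Issues needing action: {summary['actionable_issues']}; top risks: "
             + ", ".join(summary["top_risks"]),
             "", "FINDINGS"]
    for e in main:
        lines += [f"[{e['severity'].upper()}] {e['name']}",
                  f"  Affects: {', '.join(sorted(e['areas']))} ({len(e['hosts'])} host(s))",
                  f"  Why it matters: {e['why']}",
                  f"  Fix: {e['fix']}"]
    omitted = sum(len(e["hosts"]) for e in appendix)
    lines += ["", f"APPENDIX: {omitted} informational item(s) omitted from the body"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(SAMPLE_FINDINGS))
```

Grouping by vulnerability rather than by host is what keeps the technical section to one entry per problem with its list of affected areas, and the severity floor is what stops the two "responds to ping" records from reaching anyone but the technician who asks for the appendix.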
After the three aforementioned sections, the next section details what you
did as part of the NVA and what you would have liked to do. The first
component describes how you would typically run an NVA and the steps
involved. The second component shows what deviations from your normal
testing policy you followed at the customer’s wishes. This is where you can
get even with the customer who just wanted to have you come in, run a single
tool, and then leave. It also stops would-be vulnerability assessment runners