Conventions Used in This Book
Notes provide additional information about a topic.
Tips provide information that can make a task
easier or ease an administrative
Cautions are items you need to be aware of that
may pose a problem or need to be
1. Introduction to Assessing Network Vulnerabilities
This chapter introduces some basic security
concepts, such as what security really is. It also starts the
discussion of risk assessment as a process.
around us, and good Information Technology (IT) governance requires
us to assess its potential dangers. Finally, this chapter will
provide an overview of the network vulnerability assessment.
Understanding how the network vulnerability assessment fits into
the overall security program will help as we go through the entire
What Security Is and Isn't
Computer security is unlike other forms of
security. Products such as locks, safes, and
Misconfiguration, improper installation, and poor management are other causes of poor security. I have seen IT workers and managers involved in poor practices. I'll never forget the time a government agency showed me a firewall that was supposed to be protecting the internal network. The problem was that it wasn't even hooked to the network. It was configured in loopback mode. Security is not the administration.
Policies are another item pointed to when
someone speaks of security. Many organizations don't have a
By now, you may be wondering what I think security is. Security is a process. Yes, security requires technology, people, and policies; however, that is not enough. Security is a process that requires input from the entire organization to be effective. It involves proactive work, such as patching vulnerable systems and monitoring audit logs and the activity logs of intrusion detection systems (IDSs). Security also requires support from senior management; it includes risk analysis, good implementation, employee training, patch management, and periodic vulnerability assessments. Figure 1.1 outlines the flow of this process.
Figure 1.1. The risk assessment process.