Chapter 13: A Winning Methodology for Vulnerability Assessments

Overview

I was sitting around with my neighbor one day and I mentioned how I was helping write a book on computer security and jokingly asked if she had any tips I could use. Keep in mind she is not in the IT industry, so I expected the response to quite simply be "no." Her response at first shocked me, but when analyzed, really made sense: "I don't have problems, I don't own one." First, I thought everyone had a computer today and second, I thought, what kind of answer is that? The more I thought, the more it made sense: a truly secure computer is no computer at all.

The Information Age has created an explosion of online data sources. The Internet is filled with web sites containing information ranging from "Mom's Secret Chocolate Chip Cookie Recipe" to financials for large enterprises. No matter what data are published, one thing is for certain: additional data are stored within organizations that are not intended to be publicly accessible. Attackers target publicly available resources as well as private data sources every day for a variety of reasons. Some attack for bragging rights, while others have more devious and even criminal motives such as theft, fraud, and extortion. Organizations must protect both their internal data stores and their publicly available data with the same vigor as they protect physical property. One critical aspect of securing online data is assessing, or verifying, your organization's security posture.

In this chapter, we will discuss aspects of vulnerability assessments and demonstrate a winning methodology for analyzing your organization's IT infrastructure perimeter. This chapter will include

  • Security vs. Functionality (A Business Justification): How application or data security and functionality affect each other, along with the business justifications for why security is important and why periodically verifying that security is equally important.

  • Methodology: A winning vulnerability assessment methodology, including standards and conventions, reconnaissance (information gathering), target qualification, profiling, and so on.

  • Assessment Logistics: How often assessments should be performed and who should perform them (internal vs. outsourced assessments).

The focus of this chapter is to provide the conceptual theory behind successful vulnerability assessments. While this chapter explains how to conduct a successful vulnerability assessment designed to surface as many vulnerabilities as possible, it is not written as a step-by-step process for conducting assessments. But never fear: Chapters 14 and 15 provide details on how to conduct each of the steps involved in an assessment. Those chapters also explain the important "must knows" of assessments, providing you with tips and secrets that even many security firms do not cover. To ensure you thoroughly understand the methodologies and processes used, Chapters 14 and 15 take you step by step through a mock vulnerability assessment, providing explanations along the way.



Extreme Exploits: Advanced Defenses Against Hardcore Hacks (Hacking Exposed)
ISBN: 0072259558
Year: 2005