The following acronyms and terms are used in this chapter. For the purposes of this chapter, they are defined as follows:
Access creep
The result of employees moving from one position to another within an organization without losing the privileges of the old position but gaining the additional access of the new position. Thus, over time, the employee builds up much more access than he or she should have.
ACL
A table or list stored by a router to control access to and from a network by helping the device determine whether to forward or drop packets that are entering or exiting it.
Base64
An encoding scheme used to represent binary data as text, for example in some email applications. Because it is an encoding and not true encryption, it provides no confidentiality and can be reversed trivially by anyone who sees the data.
DMZ
The middle ground between a trusted internal network and an untrusted external network. Services that both internal and external users must reach, such as HTTP (web) servers, are typically placed there.
Gap analysis
The analysis of the differences between two different states, often for the purpose of determining how to get from point A to point B; thus, the aim is to look at ways to bridge the gap.
Impact
Best defined as an attempt to identify the extent of the consequences should a given event occur.
IPSec
Short for IP Security, an extension of the IP protocol that enables secure data transfer. It provides services similar to those of SSL/TLS.
Methodology
A set of documented procedures used for performing activities in a consistent, accountable, and repeatable manner.
Policy control
An analysis of the current state of the organization's policies.
Probability
The likelihood of an event happening.
Raw risk
The result of the formula used to calculate risk and vulnerability. It is calculated as follows: Probability * Impact = Raw Risk.
Risk score
A way to analyze raw risk. It is calculated by multiplying probability by impact.
SCORE (Security Consensus Operational Readiness Evaluation)
A broad-based project that has developed minimum standards and best practice information that has been benchmarked for general use by industry at large.
Total risk score
A way to analyze total risk. It is calculated by multiplying the raw risk score by the level of control.