6 Managing Network Vulnerability Assessment
from coming in and stating that they run a much more complete vulnerability
assessment and can provide more value than the vulnerability assessment that
you had run.
How Many Trees Should Die to Generate This Type of Report?
It all depends. Yes, this is the typical consultant answer for everything, but a
good rule of thumb is that the report should be no more than 50 pages. Try
to keep the report in the 20- to 30-page range, but sometimes this just cannot
be done. This type of report may not look as impressive sitting on the shelf
behind the CSO; however, it is more likely to be read and used.
What Are Vulnerabilities?
Vulnerabilities are documented problems or errors that can be used maliciously
to make the system behave in an unintended way. There are undocumented
vulnerabilities in all systems, but trying to test for the unknown is a very
daunting task. We discuss in the application scanning tools section some tools
that will help look for vulnerabilities in the custom-written portions of
Web-enabled applications; but on the whole, a technical NVA will only look for
the holes that have been published. However, this is where the largest number
of attacks will come from, as illustrated in Exhibit 2.
Vulnerability Discovered
In Exhibit 2, there are four different stages in the vulnerability life cycle.
The first phase, "Vulnerability Discovered," is where someone uncovers the
vulnerability. This often happens through a Web site posting, where someone
Exhibit 2. The Vulnerability Life Cycle (figure: attack frequency plotted against time across the four stages Vulnerability Discovered, Vulnerability Announced, Vulnerability Popularized, and Vendor Issues Patch)