50 Managing Network Vulnerability Assessment
organization’s ability to manage the security of its network. The results of the
top-down examination are used in the bottom-up examination. The NVA report
must make specific recommendations for solving identified problems and
suggest implementation strategies.
Bottom-Up Examination
The bottom-up examination concentrates on the hardware and software
implementations of network security by assessing the network as a discrete entity
and by assessing the security of individual components. The NVA uses two
standards for the adequacy of the network’s security: (1) the results of the
top-down examination and (2) commonly accepted security practices, as
applied to the network environment and the current professional
understanding of network threats, vulnerabilities, and countermeasures.
Because most networks are quite extensive and the NVA team alone cannot
provide a comprehensive evaluation of the entire network and its devices, it
will be necessary to have the supporting infrastructure groups assist in running
diagnostic tests to determine the security of each class of network component
(e.g., routers, bridges, gateways, hosts, servers, and cabling). This assessment
identifies concerns regarding the management, operation, and maintenance of
the network, including a security analysis of the areas listed in Exhibit 3.
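The following is an added example, not code from the book, of what the bottom-up pass described above looks like when the infrastructure groups' per-device facts are collected and checked mechanically. It applies the two standards the text names: rules derived from the top-down examination (tagged "policy") and commonly accepted practice (tagged "practice"), checks each component by class, checks the network as a single entity (a credential reused across components), and rolls the results into the kind of summary and per-finding recommendation the NVA report needs. The device inventory, rule identifiers, fact names and the 30-day patch window are all constructed assumptions for illustration.

```python
"""Bottom-up examination harness (added example; all inventory data is constructed)."""
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class Device:
    name: str
    klass: str                 # router, gateway, host, server
    facts: Dict[str, object]   # diagnostic results supplied by the infrastructure group


@dataclass
class Rule:
    rule_id: str
    classes: Tuple[str, ...]   # device classes the rule applies to
    source: str                # "policy" (from the top-down results) or "practice"
    severity: str
    description: str
    recommendation: str
    compliant: Callable[[Dict[str, object]], bool]


# Hypothetical rule set. The 30-day patch window is an assumed policy value.
RULES: List[Rule] = [
    Rule("POL-1", ("host", "server"), "policy", "high",
         "Patches applied within the 30-day window required by policy",
         "Apply outstanding OS patches and enrol the system in patch management",
         lambda f: int(f.get("os_patch_age_days", 9999)) <= 30),
    Rule("PRAC-1", ("router", "gateway"), "practice", "high",
         "No cleartext (telnet) management access",
         "Disable telnet; manage the device over SSH only",
         lambda f: not f.get("telnet_enabled", False)),
    Rule("PRAC-2", ("router", "gateway"), "practice", "medium",
         "SNMP community string is not a vendor default",
         "Replace the default community string; restrict SNMP to the management network",
         lambda f: str(f.get("snmp_community", "")).lower() not in ("public", "private", "")),
    Rule("PRAC-3", ("host", "server"), "practice", "high",
         "SMBv1 is disabled",
         "Disable SMBv1 and verify clients negotiate SMBv2 or later",
         lambda f: not f.get("smbv1_enabled", False)),
]


def assess_device(device: Device, rules: List[Rule]) -> List[dict]:
    """Component-level examination: run every rule applicable to this device class."""
    findings = []
    for rule in rules:
        if device.klass not in rule.classes:
            continue
        if not rule.compliant(device.facts):
            findings.append({
                "device": device.name, "rule": rule.rule_id, "source": rule.source,
                "severity": rule.severity, "issue": rule.description,
                "recommendation": rule.recommendation,
            })
    return findings


def assess_network_entity(devices: List[Device]) -> List[dict]:
    """Network-level examination: a condition visible only across components.
    Here, the same local administrator credential on several devices, which turns
    one compromised component into a lateral-movement path through the network."""
    by_hash: Dict[str, List[str]] = {}
    for d in devices:
        h = d.facts.get("local_admin_hash")
        if h:
            by_hash.setdefault(str(h), []).append(d.name)
    return [{
        "device": ",".join(names), "rule": "NET-1", "source": "practice",
        "severity": "high",
        "issue": "Identical local administrator credential on multiple components",
        "recommendation": "Randomise local administrator passwords per device",
    } for names in by_hash.values() if len(names) > 1]


def assess_network(devices: List[Device], rules: List[Rule] = RULES) -> dict:
    """Full bottom-up pass: component findings, network-entity findings, report summary."""
    component = {d.name: assess_device(d, rules) for d in devices}
    network = assess_network_entity(devices)
    all_findings = [f for fs in component.values() for f in fs] + network
    return {
        "component_findings": component,
        "network_findings": network,
        "summary": {
            "total": len(all_findings),
            "by_source": dict(Counter(f["source"] for f in all_findings)),
            "by_severity": dict(Counter(f["severity"] for f in all_findings)),
        },
    }


# Constructed inventory: one device per class, with the facts each group's diagnostics returned.
SAMPLE_INVENTORY: List[Device] = [
    Device("edge-rtr-1", "router", {"telnet_enabled": True, "snmp_community": "public"}),
    Device("dmz-gw-1", "gateway", {"telnet_enabled": False, "snmp_community": "r0-mgmt-7f"}),
    Device("fileserver-1", "server", {"os_patch_age_days": 120, "smbv1_enabled": True,
                                      "local_admin_hash": "a1b2c3"}),
    Device("ws-042", "host", {"os_patch_age_days": 10, "smbv1_enabled": False,
                              "local_admin_hash": "a1b2c3"}),
]

if __name__ == "__main__":
    import json
    print(json.dumps(assess_network(SAMPLE_INVENTORY), indent=2))
```

The "source" field on each finding keeps the two standards distinguishable in the report: a policy finding points back to a requirement the organization already committed to in the top-down examination, while a practice finding needs the report to justify the requirement itself. The network-entity check is the part a per-device tool run misses, since every device passes its own checks while the shared credential links them.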
The actual processes for the bottom-up examination are discussed in detail
in Chapter 6. This gives the NVA technical team an idea of the items that ISO
Exhibit 1. Network Vulnerability Assessment Top-Down, Bottom-Up Methodology
[Flow diagram; stages and inputs shown: Policy Review, Interviews, Security Culture, Assess Network, Run Tools, Generate Report; ISO 17799, HIPAA, GLBA, GASSP; CERT, CIAC; Possible Threats; Results]