Network Vulnerability Assessment Methodology 61
thoroughly as is feasible. If you discover any highly critical breaches of security,
you should inform the appropriate persons immediately, and suggest appro-
priate countermeasures. Your hands-on investigation will, at a minimum, cover
the following areas:
Computer operations and telecommunications
System and network configuration
Network access and practices
Collect Additional Documents
During this phase you might come across areas not covered in the checklist
of documents above. Collect documents for these areas (e.g., company-specific
security implementations or policies) from the appropriate business units.
Note: A too rigid adherence to the questions and processes in this
manual may lead you to miss essential information. Be ready to pursue
an interesting avenue that may provide useful insights into the security
policies and practices at the client company. The questions are meant
to provide you with guidelines, not to restrict your judgment in pursuing
other investigative activities in support of the goals of the NVA.
Phase III: Analysis
The process of analysis actually begins with the acquisition of the first
document and only ends in the generation of the Draft Report during Phase
IV. Analysis spans most of the NVA process and generates the majority of
content in the report. The initial and ongoing analysis shapes and directs
further data collection and interviews. In the analysis phase, the objective is
to identify threats and vulnerabilities, and make recommendations to mitigate
the risks by implementing countermeasures. The ideal result of any analysis
is a workable and cost-effective balance among the parts of the risk equation.
During this phase, the NVA team will:
Review, interview, and inspect results and analyze data for security vul-
nerabilities; identify risks to client’s computing assets.
Evaluate vulnerabilities for possible controls or safeguards that can be
applied.
High risk levels may result from threats or vulnerabilities that are severe,
or from countermeasures that are weak. The key is to balance the threats and
vulnerabilities with affordable countermeasures. It is not possible to achieve
an environment in which there are zero threats and zero vulnerabilities, and
it is not possible for an organization to achieve low risk without some
investment in countermeasures.
Analysis of the previously collected data (from Phase II) can focus on
several different areas, both technical and policy related (see Exhibit 5). This