76 Managing Network Vulnerability Assessment
could have) on the organization's ability to do business. In addition to
identifying vulnerabilities and evaluating risk, the NVA team also provides
recommendations to mitigate the risks. These recommendations (software,
hardware, policy, and practice) should be nonjudgmental. Suggested products
are usually listed in the Appendices rather than in the body of the report.
Example subsections are provided in the Draft Report template, and completed
examples are available in the Sample report for the Bogus Corporation
(see the Appendices). You may find that other subsections need to be included
for the particular client.
Resources for completing your Analysis section will include all of the profile
reports (documents, interviews, and hands-on investigation), known
vulnerability reports and bulletins (see Appendices), online bug tracking
information and known threats (see Appendices), follow-up interviews, and
additional site visits, if they occur.
Because this is the largest section of the report and requires the most
work, it is best divided among the appropriate NVA team members. For example,
those NVA team members with strong skill sets in UNIX controls and NT
security should generate the Analysis subsections pertaining to those
systems, NVA team members with a strong skill set in security policy analysis
should be responsible for generating that subsection of the Analysis, and so on.
It is important to remember that an NVA is not a security audit. The level
of detail in the technical analysis (i.e., system configuration, account
permissions) should remain fairly high level and point out only the most
critical issues. It should be made clear to the sponsor that this is not an
audit, but that it does provide a foundation for, and a justification for,
performing one.
Conclusions
This section reviews the nonjudgmental recommendations for minimizing
vulnerabilities and mitigating risks detailed in the previous section (Analysis).
These recommendations are ranked in order of criticality. The section
concludes with a summary table listing all recommendations in order of
importance (risk level).
This section is essentially a summary of the previous section, with emphasis
placed on recommended mitigation and countermeasures. The subsections
are limited to the areas of security that most critically need attention. The
recommendations offered in the Executive Summary should map to the
recommendations in this summary.
Summary Table of Risks
This table presents brief summaries of all the reported vulnerabilities, the
associated risk, and your recommendations in a single organized table. The
items are grouped into the three main risk levels: high, medium, and low.
Within each risk level, the items are roughly ordered by criticality, with the
item at the top of each group being the most important.