Technical (Bottom-Up) Methodology 93
you will conduct. For the site survey, you really just need to know if it is going to be included. However, even if a formal physical security review is not necessary on your target network, keep your eyes open for potential physical gaps in security. This is more applicable if you are a consultant than if you are running the NVA from inside your target organization. This is due to the fact that if you are an employee of the organization for which you are performing the security review, you will already know where the physical security holes are.

Having determined the media types, the concentrator types, the number and type of operating systems, the start and stop point of the target network, the network protocols in use on the target network, where the sensitive information is located, the number of servers, and whether or not you need to look at the physical security of your network, then you are finally finished with the site survey. All of this information becomes very important for the next step — developing a test plan. However, oftentimes you cannot get answers to all the questions in the site survey. This may be due to a new network administrator, a very large network, or just a general lack of documentation on the target network. To overcome any of this difficulty, you may want to employ a network discovery tool. These tools are listed later in the chapter under the heading “Zero-Information-Based Tools” (see Step 3). These tools may also be worthwhile as a verification component to your site survey. Not that anyone would ever intentionally mislead you, but it may be best to check your answers personally.
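As an added illustration (not code from the book), the verification role of a discovery tool described above can be reduced to reconciling the site-survey answers against discovery output: unanswered survey questions are listed, and discovered hosts are checked against the declared start/stop point, operating-system counts and sensitive-data locations. The survey fields, host addresses and OS names below are constructed sample data.

```python
import ipaddress
from collections import Counter

# Constructed site-survey record; None marks a question the survey could not answer.
SURVEY = {
    "media_types": ["100BaseT", "802.11b"],
    "concentrator_types": ["switch", "hub"],
    "os_counts": {"Windows": 12, "Solaris": 2},
    "network_range": ("10.0.1.0", "10.0.1.255"),  # start and stop point
    "protocols": ["TCP/IP", "IPX"],
    "sensitive_data_hosts": ["10.0.1.20"],
    "server_count": 3,
    "physical_review": None,                       # still unanswered
}

# Constructed discovery-tool output: (address, operating system) per live host.
DISCOVERED = [
    ("10.0.1.5", "Windows"), ("10.0.1.20", "Solaris"),
    ("10.0.1.21", "Solaris"), ("10.0.1.40", "Linux"),
    ("10.0.2.7", "Windows"),  # outside the declared start/stop point
]


def unanswered(survey):
    """Survey questions left blank, i.e. the gaps discovery has to fill."""
    return sorted(key for key, value in survey.items() if value is None)


def reconcile(survey, discovered):
    """Compare survey answers with discovery results; return a list of findings."""
    start, stop = (ipaddress.ip_address(a) for a in survey["network_range"])
    findings = []
    # 1. Every live host should fall inside the surveyed start/stop point.
    for ip, _ in discovered:
        if not (start <= ipaddress.ip_address(ip) <= stop):
            findings.append(f"host {ip} lies outside the surveyed range")
    # 2. OS counts: more hosts than claimed, or an OS the survey never mentioned.
    #    Fewer hosts than claimed is not flagged; they may simply have been down.
    for os_name, n in Counter(os_name for _, os_name in discovered).items():
        claimed = survey["os_counts"].get(os_name)
        if claimed is None:
            findings.append(f"{os_name}: {n} host(s) found, not listed in survey")
        elif n > claimed:
            findings.append(f"{os_name}: {n} found but survey lists {claimed}")
    # 3. Hosts said to hold sensitive information should actually be reachable.
    seen = {ip for ip, _ in discovered}
    for ip in survey["sensitive_data_hosts"]:
        if ip not in seen:
            findings.append(f"sensitive-data host {ip} not seen by discovery")
    return findings
```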
Step 2: Develop a Test Plan
The next step in the six-step process is developing a good test plan for executing the NVA. A key area that your test plan will help with is in the testing for new and sometimes high-profile vulnerabilities. From time to time, some computer vulnerabilities get enough attention that they make their way to mainstream news outlets such as CNN or USA Today. Code Red, Nimda, and the recent series of vulnerabilities inside SNMP are great examples. With that being said, it is very difficult to constantly keep up-to-the-minute information on what the latest vulnerabilities are. Most people who run an NVA do not run NVAs as their only job function. If this is true for you as well, then you will need to get the latest information from Internet sources that maintain up-to-date vulnerability assessment information. The next subsection (“Internet Sources”) discusses some of the Internet sites that keep information on hacking, vulnerabilities, and other components of the Internet’s underground. The list is by no means an exhaustive list of sites that house this kind of information but it should provide a good starting point for your research.

It is also important to note that during this phase it might seem like an easy chance to come up with a checklist of vulnerabilities to look for. In fact, we have included many checklists in this book. However, you should never use a checklist as an exhaustive list of tests to run on your target network.