Introduction 5
with all the default options, have it generate a default report, and then print
out thousands of pages with every vulnerability inside a client’s domain —
all the way from huge vulnerabilities such as a nonpassword-protected telnet
session on the company’s primary Internet router, down to very small
vulnerabilities such as a workstation responding to a ping. This method delivers a
significant number of pages for the customer to read, and a very thick binder
that will look impressive sitting on a shelf of the CSO’s office for years to
come. The question lies in the value of this type of vulnerability assessment.
As consultants, we sometimes get asked to perform this kind of NVA.
Sometimes, the customer just wants someone to come into their network and
run ISS Internet Scanner, and then go home. I try to discourage the customer
from selecting this type of NVA; however, it often proves more difficult to
dissuade the salesperson from selling this type of engagement than to change
the customer’s mind. However, NVAs are an important tool in the defense of
computer systems and networks. Many information-seeking professionals rely
solely on the latest available scanning tools to perform assessments; but
scanners are only one part of a complete vulnerability assessment. Overreliance
on them can leave holes in the assessment, thereby compromising information
security.
In a perfect world the actual goal of an NVA is to produce useful results.
A handy thing to remember is that what is useful to one type of individual is
not necessarily as useful to other types of people. For example, a CEO is going
to care little about the details of a potential security hole involving malformed
ICMP packets, but this type of information is going to be very useful for the
technician who may be charged with the task of fixing the problem. The CEO
is more likely to be concerned with how the entire security system is doing
compared to evaluation criteria or industry standards.
To help produce useful results, the level of detail in each section of the final
report must suit the audience intended for that section. Typically, an
NVA report will begin with a one-page summary detailing how the security
of the customer is doing in general. This is intended for senior management
types to read. Following this section of the report is the general opinion
section. This section is intended for line managers, who will want more
detail than senior management but not as much as the company
technicians, who will be more interested in the next section.
The next section of the report has the specific vulnerability findings from
the assessment. In this area, vulnerabilities are listed by name with a description
of the vulnerability, why this vulnerability is important to fix, the areas of the
enterprise that could be affected by this vulnerability, and finally the steps
needed to fix the hole, described at a high level.
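The audience-by-section structure described above can be made concrete as a small report generator. The following is an added example, not code from the book or from any scanner product: it holds each finding with the fields the text lists (name, description, why it matters, affected areas, high-level fix), renders the one-page summary for senior management as severity counts plus a pass/fail verdict, renders the general opinion section for line managers by affected area with ping-level noise filtered out, and renders the full findings section for technicians. The severity scale, the pass/fail criterion, and the sample findings are all constructed for illustration.

```python
from dataclasses import dataclass
from collections import Counter


@dataclass(frozen=True)
class Finding:
    """One vulnerability as it appears in the findings section of the report."""
    name: str
    severity: str            # one of SEVERITY_RANK's keys (assumed scale)
    description: str
    why_it_matters: str      # why this vulnerability is important to fix
    affected_areas: tuple    # parts of the enterprise that could be affected
    remediation: str         # high-level steps needed to fix the hole


# Assumed severity scale; real assessments use whatever scale the engagement defines.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

# Constructed sample findings, loosely modeled on the examples in the text;
# none of them come from a real assessment.
FINDINGS = (
    Finding("Unauthenticated telnet on primary Internet router", "critical",
            "The border router accepts telnet sessions with no password.",
            "Anyone on the Internet can reconfigure the network perimeter.",
            ("perimeter", "network operations"),
            "Disable telnet and require SSH with individual admin accounts."),
    Finding("Web server mishandles malformed ICMP packets", "medium",
            "Crafted ICMP packets cause the host's IP stack to misbehave.",
            "Could be used to disrupt the public web service.",
            ("DMZ", "web services"),
            "Apply the vendor patch and filter ICMP at the DMZ firewall."),
    Finding("Workstation responds to ping", "info",
            "Hosts on the user VLAN answer ICMP echo requests.",
            "Reveals live hosts; not exploitable on its own.",
            ("user workstations",),
            "No action required; optionally rate-limit ICMP at the edge."),
)


def at_or_above(findings, min_severity):
    """Drop the scanner noise below a chosen severity floor."""
    floor = SEVERITY_RANK[min_severity]
    return [f for f in findings if SEVERITY_RANK[f.severity] >= floor]


def executive_summary(findings, fail_at="high"):
    """One-page view for senior management: counts per severity and a
    pass/fail verdict against a simple evaluation criterion (no finding at
    or above `fail_at`). The criterion is an assumption for this example."""
    counts = Counter(f.severity for f in findings)
    worst = max(findings, key=lambda f: SEVERITY_RANK[f.severity], default=None)
    verdict = "fail" if at_or_above(findings, fail_at) else "pass"
    return {
        "verdict": verdict,
        "counts": dict(counts),
        "headline": worst.name if worst else "no findings",
    }


def management_section(findings, min_severity="medium"):
    """General-opinion view for line managers: which parts of the enterprise
    are exposed, with low-value noise (e.g. hosts answering ping) left out."""
    by_area = {}
    for f in at_or_above(findings, min_severity):
        for area in f.affected_areas:
            by_area.setdefault(area, []).append((f.severity, f.name))
    return by_area


def technical_section(findings):
    """Full detail for technicians, worst first, with every field the text lists."""
    ordered = sorted(findings, key=lambda f: SEVERITY_RANK[f.severity], reverse=True)
    lines = []
    for f in ordered:
        lines.append(f"[{f.severity.upper()}] {f.name}")
        lines.append(f"  What: {f.description}")
        lines.append(f"  Why it matters: {f.why_it_matters}")
        lines.append(f"  Affected: {', '.join(f.affected_areas)}")
        lines.append(f"  Fix: {f.remediation}")
    return "\n".join(lines)


def render_report(findings):
    """Assemble the three sections in the order the text describes."""
    summary = executive_summary(findings)
    parts = [
        "1. EXECUTIVE SUMMARY",
        f"Overall: {summary['verdict'].upper()} {summary['counts']}",
        f"Most significant issue: {summary['headline']}",
        "",
        "2. GENERAL OPINION",
    ]
    for area, items in management_section(findings).items():
        parts.append(f"{area}: " + "; ".join(f"{sev} - {name}" for sev, name in items))
    parts += ["", "3. FINDINGS", technical_section(findings)]
    return "\n".join(parts)


if __name__ == "__main__":
    print(render_report(FINDINGS))
```

The point of the three renderers is that the same finding set feeds every section; what changes per audience is the aggregation and the severity floor, not the underlying data. Raising `min_severity` in `management_section` is what keeps a ping response out of the line managers' view while it still appears, at the bottom, in the technicians' list.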
After the three aforementioned sections, the next section details what you
did as part of the NVA and what you would have liked to do. The first
component describes how you would typically run an NVA and the steps
involved. The second component shows what deviations from your normal
testing policy you made at the customer’s wishes. This is where you can
get even with the customer who just wanted to have you come in, run a single
tool, and then leave. It also stops would-be vulnerability assessment runners