Chapter 9.
Vulnerability Assessment
Given the time, resources, and motivation, a cracker can break into nearly any system. At the end of
the day, all the security procedures and technologies currently available cannot guarantee that your
systems are safe from intrusion. Routers can help to secure your gateways to the Internet. Firewalls
help secure the edge of the network. Virtual Private Networks can safely pass your data in an encrypted
stream. Intrusion detection systems have the potential to warn you of malicious activity. However, the
success of each of these technologies is dependent upon a number of variables, including:
The expertise of the staff responsible for configuring, monitoring, and maintaining the technologies
The ability to patch and update services and kernels quickly and efficiently
The ability of those responsible to keep constant vigilance over the network.
Given the dynamic state of data systems and technologies, securing your corporate resources can be
quite complex. Because of this complexity, it may be difficult to find expert resources for all of your
systems. While it is possible to have personnel knowledgeable in many areas of information security
at a high level, it is difficult to retain staff who are experts in more than a few subject areas. This
is mainly because each subject area of Information Security requires constant attention and focus.
Information security does not stand still.
9.1. Thinking Like the Enemy
Suppose you administer an enterprise network. Such networks are commonly comprised of operating
systems, applications, firewalls, intrusion detection systems, and more. Now imagine trying to keep
current on every one of these. Given the complexity of today's software and networking environments,
exploits and bugs are a certainty. Keeping current with patches and updates for an entire network can
prove to be a daunting task in a complex organization with heterogeneous systems.
Combine the expertise requirements with the task of keeping current, and it is inevitable that adverse
incidents occur, systems are breached, data is corrupted, and service is interrupted.
To augment security technologies and aid in protecting systems, networks, and data, think like a
cracker and gauge the security of systems by checking for weaknesses. Preventative vulnerability
assessments against your own systems and network resources can reveal potential issues that can be
addressed before a cracker finds them.
A vulnerability assessment is similar to an internal inquiry of your network and system security;
its results indicate the state of confidentiality, integrity, and availability (as explained in Section
1.1.4). A vulnerability assessment typically starts with an information gathering phase, during
which important data regarding the target is gathered. This phase leads to the actual checking
phase, in which the target is checked for all known vulnerabilities. The checking phase
culminates in the reporting phase, where the findings are classified into categories of high, medium,
and low risk, and methods for improving the security (decreasing the level of vulnerability) of the
target are discussed.
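A minimal working model of the three phases (information gathering, checking, reporting), added here as example code rather than anything from the Security Guide; the host names, service versions and advisories are constructed sample data, and the version comparison is deliberately simplified:

```python
import re

# Information gathering phase: constructed inventory of (host, service, version).
INVENTORY = [
    ("db1.example.test", "openssh", "7.2p2"),
    ("web1.example.test", "openssh", "9.3p1"),
    ("web1.example.test", "nginx", "1.18.0"),
    ("mail1.example.test", "dovecot", "2.3.4"),
]

# Checking phase reference data: constructed advisories, not real CVEs.
# "fixed_in" is the first version that is no longer affected.
ADVISORIES = [
    {"service": "openssh", "fixed_in": "7.4", "risk": "high"},
    {"service": "dovecot", "fixed_in": "2.3.10", "risk": "medium"},
    {"service": "nginx", "fixed_in": "1.20.0", "risk": "low"},
]

RISK_ORDER = ("high", "medium", "low")

def version_key(version):
    # '7.2p2' -> (7, 2, 2): compare numerically so '10' sorts after '9'.
    # Simplification: every digit run counts as a component, so a real
    # assessment tool needs the packaging system's own version rules.
    return tuple(int(n) for n in re.findall(r"\d+", version))

def check(inventory, advisories):
    """Checking phase: flag each entry whose version predates the fix."""
    findings = []
    for host, service, version in inventory:
        for adv in advisories:
            if adv["service"] == service and \
                    version_key(version) < version_key(adv["fixed_in"]):
                findings.append({"host": host, "service": service,
                                 "version": version, "risk": adv["risk"],
                                 "fix": f"update {service} to {adv['fixed_in']} or later"})
    return findings

def report(findings):
    """Reporting phase: group findings by risk level, highest first."""
    grouped = {level: [] for level in RISK_ORDER}
    for f in sorted(findings, key=lambda f: RISK_ORDER.index(f["risk"])):
        grouped[f["risk"]].append(f)
    return grouped

if __name__ == "__main__":
    for level, items in report(check(INVENTORY, ADVISORIES)).items():
        for f in items:
            print(f"[{level.upper()}] {f['host']} {f['service']} {f['version']}: {f['fix']}")
```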
If you were to perform a vulnerability assessment of your home, you would likely check each door to
your home to see if it is shut and locked correctly. You would also check every window, making
sure that it shuts completely and latches correctly. This same concept applies to systems, networks,
and electronic data. The process of checking for weaknesses is the same. Only the targets are
different. Malicious users are the thieves and vandals of your data. Focus on their tools, mentality, and
motivations, and you will begin to think like them.