A vulnerability assessment is used to quantify a system's risk posture based on the system's IT exposure. The risk is defined as a function of threats, vulnerabilities, and asset value. An example of a threat is a disgruntled employee attempting to gain unauthorized access to the system. An example of a vulnerability is a system that does not require authentication for system access via the Internet. Assets with high value could be defined as systems with sensitive information, such as social security numbers.

The main steps in conducting a vulnerability assessment are gathering the requirements, defining the scope, identifying roles and responsibilities, developing the test plan, executing the testing, and documenting the results.

The first step is gathering the requirements. A Statement of Work is an agreement between the two parties that defines the work involved, the scope of work, the parties involved, and the time and dates of execution. The vulnerability assessment team reviews the Statement of Work and gathers additional requirements from the client. Additional requirements could include details such as specifying the types of testing that are not in the scope (e.g. Denial of Service) or defining reporting requirements.

Defining the scope is the next step. The client will provide a systems inventory and locations of sites that will be tested during the vulnerability assessment. Additionally, the client will clarify which system components will be tested (e.g. databases, web applications). The type of vulnerability assessment scan tools will also be defined. This can include tools such as Nessus and STAT.

The roles and responsibilities are also defined. This includes roles such as who is going to execute the vulnerability scans, who is going to monitor the testing, and whom to notify if denial of service conditions are detected. The stakeholders' contact information is exchanged so that communication can be facilitated during the testing.

The test plan defines the testing in more granular form. The test plan specifies what configurations are used on the vulnerability scanners, what IP addresses are scanned, how the testing is conducted, and procedures for halting the testing.

Executing the testing includes setting up at the testing sites, plugging into the network, and executing the vulnerability scans. The vulnerability scans can produce hundreds of pages of data.

Documenting the results is the final stage. The vulnerability report that was generated by the vulnerability assessment tool is reviewed by the assessment team for false positives. This phase is done with the system administrators, who help the assessment team gather the necessary information for identifying false positives. For example, a vulnerability scanner may identify Linux vulnerabilities on a Windows system. This could be identified as a false positive. The final results are compiled into a report. The report contains an executive summary of the major vulnerabilities that are found, risk levels associated with the vulnerabilities, and mitigation recommendations.
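As an added example (not code from the paper), the following Python script performs the false-positive review and risk rating described above on a constructed scan result and systems inventory: platform-mismatch findings (such as Linux checks reported on a Windows host) are set aside as probable false positives, and the remaining findings are rated from severity and asset value for the report's executive summary. The host addresses, finding titles, severity scores and the rating thresholds are all assumptions.

```python
"""Triage constructed scan findings against the client's systems inventory."""
from collections import Counter

# Constructed scan findings (not real scanner output). "check_os" is the
# platform the scanner's check applies to; "severity" is a 0-10 score.
SCAN_FINDINGS = [
    {"host": "10.0.0.5", "check_os": "linux", "title": "Outdated OpenSSH build", "severity": 7.5},
    {"host": "10.0.0.5", "check_os": "windows", "title": "SMB signing not required", "severity": 5.3},
    {"host": "10.0.0.9", "check_os": "any", "title": "Unauthenticated admin interface", "severity": 9.8},
    {"host": "10.0.0.9", "check_os": "linux", "title": "Vulnerable cron version", "severity": 6.1},
]

# Constructed systems inventory from the scoping phase: OS per host, plus the
# asset value that feeds the risk rating (risk = f(threat, vulnerability, asset value)).
INVENTORY = {
    "10.0.0.5": {"os": "windows", "asset_value": "low"},
    "10.0.0.9": {"os": "linux", "asset_value": "high"},  # holds sensitive records
}

def is_probable_false_positive(finding, inventory):
    """A check written for one platform but reported on a host running another
    platform is the classic false positive the administrators help confirm."""
    host = inventory.get(finding["host"])
    if host is None:
        return False  # unknown host: cannot decide, leave it for admin review
    return finding["check_os"] not in ("any", host["os"])

def risk_level(severity, asset_value):
    """Assumed rating: severity of the vulnerability combined with asset value."""
    high_sev = severity >= 7.0
    if asset_value == "high":
        return "High" if high_sev else "Medium"
    return "Medium" if high_sev else "Low"

def triage(findings, inventory):
    """Split findings into confirmed (with a risk level) and probable false positives."""
    confirmed, false_positives = [], []
    for f in findings:
        if is_probable_false_positive(f, inventory):
            false_positives.append(f)
            continue
        # Hosts missing from the inventory are rated as high-value, conservatively.
        value = inventory.get(f["host"], {}).get("asset_value", "high")
        confirmed.append({**f, "risk": risk_level(f["severity"], value)})
    return confirmed, false_positives

def executive_summary(confirmed):
    """Number of confirmed findings per risk level, for the report's summary."""
    return dict(Counter(f["risk"] for f in confirmed))

if __name__ == "__main__":
    confirmed, fps = triage(SCAN_FINDINGS, INVENTORY)
    print("probable false positives:", [f["title"] for f in fps])
    print("executive summary:", executive_summary(confirmed))
```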