How to Conduct a Vulnerability Assessment

Vulnerability assessments quantify a system's risk according to its IT exposure. Risk is defined as a function of asset value, threats and vulnerabilities. A high-value asset is, for example, a system that holds sensitive information such as social security numbers. A threat could be an unhappy employee trying to gain unauthorized access to the system. A vulnerability could be a system that grants access over the internet without requiring authentication.

The main steps in producing a network vulnerability assessment report are gathering requirements, defining the scope, defining the roles and responsibilities, forming a test plan, executing the plan and reporting the results.

Gathering requirements

The vulnerability assessment team first reviews the Statement of Work and gathers any additional requirements. The Statement of Work is an agreement signed by two parties that stipulates the work involved, its scope, the parties concerned and the date and time of execution. Additional requirements could include defining the types of testing that are out of scope (such as Denial of Service) or specifying reporting requirements.

Defining the scope

The vulnerability assessment team is provided with the locations of the sites to be tested and the system inventory. In addition, the client specifies which components are to be tested, such as web applications and databases. The vulnerability scanning tools to be used (such as STAT and Nessus) are also defined.

Defining the responsibilities and roles

The roles and responsibilities are also identified. This includes specifying who will monitor the testing, who will execute the vulnerability scans, and who will be notified if Denial of Service conditions are detected. The stakeholders' contact information is exchanged so that they can be reached easily during the testing.

Forming a test plan

The test plan defines how the testing will be conducted. It specifies the IP addresses to be scanned, the configurations to be used on the vulnerability scanners, the process by which the testing will be done, and the process by which the testing can be stopped.

Executing the plan

At this stage, the team sets up at the testing sites, plugs into the network and executes the vulnerability scans.

Making a report of the results

In this final step, the vulnerability assessment team reviews the report generated by the vulnerability assessment tool for false positives, working with the system administrator to identify them. For instance, a scanner may flag Linux vulnerabilities on a Windows system, which is a false positive. After the review, a report is compiled that includes a summary of the vulnerabilities found, the risk level associated with each and recommendations for mitigating them.
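One way to mechanise the false-positive review and report summary described above, as an added example that is not part of the original article: findings are checked against the agreed system inventory (an OS mismatch is flagged as a likely false positive, a host missing from the inventory is flagged as out of scope rather than reported) and the confirmed findings are ordered by risk level with their recommended fix. The inventory, findings, hosts and fix strings are constructed, and the `os` tag on each finding is an assumed field rather than any particular scanner's export format.

```python
from collections import Counter

# Constructed system inventory (hypothetical values), as agreed when defining the scope.
INVENTORY = {"10.0.0.5": "windows", "10.0.0.6": "linux"}

# Constructed scanner findings (hypothetical); a real tool would export these as CSV/XML.
# "os" is the platform the check applies to; "any" means platform-independent.
FINDINGS = [
    {"id": "F-1", "host": "10.0.0.5", "os": "linux", "risk": "high",
     "title": "Outdated Linux kernel package", "fix": "Apply vendor patches"},
    {"id": "F-2", "host": "10.0.0.5", "os": "windows", "risk": "medium",
     "title": "SMB signing not required", "fix": "Enforce SMB signing via policy"},
    {"id": "F-3", "host": "10.0.0.6", "os": "linux", "risk": "high",
     "title": "End-of-life SSH daemon version", "fix": "Upgrade the SSH daemon"},
    {"id": "F-4", "host": "10.0.0.6", "os": "any", "risk": "low",
     "title": "Anonymous FTP login allowed", "fix": "Disable anonymous FTP"},
    {"id": "F-5", "host": "10.0.0.9", "os": "any", "risk": "medium",
     "title": "Self-signed TLS certificate", "fix": "Install a trusted certificate"},
]

RISK_ORDER = {"high": 0, "medium": 1, "low": 2}


def classify(finding, inventory):
    """Label a finding: confirmed, false_positive (OS mismatch) or unknown_host (out of scope)."""
    expected_os = inventory.get(finding["host"])
    if expected_os is None:
        return "unknown_host"          # not in the agreed inventory: escalate, do not report
    if finding["os"] not in ("any", expected_os):
        return "false_positive"        # e.g. a Linux-only check firing on a Windows host
    return "confirmed"


def build_report(findings, inventory):
    """Group findings by triage label and order confirmed ones by risk level, then host."""
    labelled = [(f, classify(f, inventory)) for f in findings]
    confirmed = sorted((f for f, s in labelled if s == "confirmed"),
                       key=lambda f: (RISK_ORDER[f["risk"]], f["host"]))
    return {
        "confirmed": [(f["id"], f["risk"], f["fix"]) for f in confirmed],
        "false_positives": [f["id"] for f, s in labelled if s == "false_positive"],
        "unknown_hosts": [f["id"] for f, s in labelled if s == "unknown_host"],
        "by_risk": dict(Counter(f["risk"] for f in confirmed)),
    }


if __name__ == "__main__":
    for key, value in build_report(FINDINGS, INVENTORY).items():
        print(f"{key}: {value}")
```

The `false_positives` and `unknown_hosts` lists are the items to walk through with the system administrator before the final report is written.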