8.1 Overview of Process 6
Process 6 is a data collection and analysis task. When you started the evaluation, your objective was to understand your organization's information security risks. To examine your risk, you needed to focus on the individual components of risk: asset, threat, vulnerability, and impact.
Prior to this point in the evaluation, you have identified your critical assets, the threats to the assets, current security practices used by your organization, and organizational vulnerabilities present in your organization. It is now time to take another step toward completing the picture of risk by setting your sights on the infrastructure.
Process 6 Workshop
Process 6 is unique because it requires the completion of a major technical task prior to the workshop. The task involves running vulnerability evaluation tools on the key infrastructure components that you identified in process 5. Depending on the approach that you selected during process 5, either your managed service provider, members of your organization's information technology staff, or external experts conduct the vulnerability evaluation. In any case, the people who run the tools must also review and analyze the results and prepare a preliminary summary of technology vulnerabilities prior to the process 6 workshop. Running the tools and preparing the preliminary summary can take several days to complete. Table 8-1 summarizes what must be accomplished prior to the workshop.
The process 6 workshop includes the core analysis team members, selected members of the information technology staff, and the people who performed the vulnerability evaluation. It can be conducted in about two to three hours. For process 6, the leader must also make sure that the technology evaluation task is completed prior to the workshop and that the people who conducted the evaluation are ready to present the preliminary summary.
You conduct only one activity during the process 6 workshop. Before you start the workshop, review the activity and decide whether your team collectively has the required knowledge and skills to complete all tasks successfully. We suggest that your team members have the following skills:
Table 8-2 highlights the process 6 workshop activity.
Catalog of Vulnerabilities
During process 6, you run vulnerability evaluation tools on your organization's systems and networks to identify the technological weaknesses in selected infrastructure components. The tools examine each component for known weaknesses (for example, unpatched software flaws that an attacker could exploit) and misconfigurations, collectively known as technology vulnerabilities. Technology vulnerabilities change constantly, and a tool can only find the weaknesses it has been told about. To effectively evaluate your systems and networks for technology vulnerabilities, you need to make sure that your tools are examining components for the latest set of known weaknesses.
To ensure that you are evaluating components for all currently known technology vulnerabilities, you must select tools that are designed to examine specific components and are aligned with an established catalog or collection of vulnerabilities. A catalog of vulnerabilities contains a listing of known technological weaknesses, based on platform and application. At the time of writing this book, the one broadly recognized catalog of vulnerabilities was MITRE's Common Vulnerabilities and Exposures (CVE), collaboratively developed by representatives across the community and maintained by the MITRE Corporation.
"CVE is a list of standardized names for vulnerabilities and other information security exposures—CVE aims to standardize the names of all publicly known vulnerabilities and security exposures."
CVE is not considered to be a database; rather, it is a list or dictionary that provides common names for publicly known vulnerabilities [Merkow 00]. A common naming convention enables effective communication about vulnerabilities, their potential impact, and approaches for addressing them. Because the list itself carries no distribution restrictions, CVE names can be shared openly among vulnerability databases and tools, which lets you compare the findings of one tool with those of another.
Individual vulnerability tool providers generally use their own vulnerability databases, which are usually cross-referenced to CVE names. The CVE Web site provides considerable information on the contents of the CVE list, how it was developed, and how it continues to be updated. CVE information can be downloaded free or searched online.
The CERT® Coordination Center's (CERT/CC) Vulnerability Notes Database also provides a source of vulnerability information based on an analysis of the reports CERT/CC receives. The Vulnerability Notes Database is a Web-based, searchable collection of the CERT Vulnerability Notes. The database can be searched by several fields (including the CVE name) and supports customized queries. It is also fully CVE compatible.
This chapter addresses software-based vulnerability evaluation tools rather than checklists and scripts. Most organizations rely on commercial or freeware tools to perform vulnerability evaluations, rather than more time-consuming checklists and scripts. You need to make sure that any software tool you use is consistent with a catalog of vulnerabilities, such as CVE. Check with your vendor, or examine a sample of the tool's findings yourself to confirm that each one carries a CVE name you can look up in the catalog and that the tool's vulnerability database is current.
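The practical value of a shared catalog described above is that findings from different tools can be put side by side. The following script is an added example, not code from the book or from any vulnerability tool: it takes constructed output from two hypothetical scanners ("alpha", which reports CVE names directly, and "beta", which reports its own vendor identifiers with an optional CVE cross-reference), normalizes every finding to its CVE name, reports which weaknesses both tools agree on, flags findings that carry no catalog name and so cannot be checked against CVE, and flags any tool whose vulnerability database is older than a chosen age at scan time. The scanner names, record formats, hosts, ports, database dates and the pairing of CVE names with hosts are all invented for illustration; the CVE names themselves are used only as sample identifiers.

```python
"""Correlate findings from two vulnerability scanners by CVE name.

Constructed example: the scanner names ("alpha", "beta"), their record formats
and every finding below are invented for illustration. They are not the output
of any real tool, and the CVE names are used only as sample identifiers.
"""
import re
from collections import defaultdict
from datetime import date

# A CVE name is "CVE-<year>-<sequence>". The sequence was four digits when CVE
# started; since 2014 it may be longer. Before 2005 MITRE also published
# candidate entries under a "CAN-" prefix, so legacy tool output may use it.
CVE_RE = re.compile(r"^(CVE|CAN)-(\d{4})-(\d{4,})$")

# Constructed output of hypothetical scanner "alpha": (host, port, reported name).
ALPHA_FINDINGS = [
    ("10.0.0.5", 25, "CVE-2001-0144"),
    ("10.0.0.5", 22, "cve-2001-0572"),  # lower case, still the same CVE name
    ("10.0.0.7", 80, "CAN-2001-0010"),  # legacy candidate prefix
    ("10.0.0.7", 80, "BETA-77"),        # tool-specific id, no catalog name
]

# Constructed output of hypothetical scanner "beta": vendor id plus an optional
# CVE cross-reference (None when the vendor entry has no CVE name).
BETA_FINDINGS = [
    {"host": "10.0.0.5", "port": 25, "id": "B-1001", "cve": "CVE-2001-0144"},
    {"host": "10.0.0.7", "port": 80, "id": "B-2042", "cve": None},
    {"host": "10.0.0.9", "port": 53, "id": "B-3003", "cve": "CVE-1999-0009"},
]


def normalize_cve(name):
    """Return the canonical upper-case CVE/CAN name, or None if `name` is not one."""
    if name is None:
        return None
    m = CVE_RE.match(name.strip().upper())
    if not m:
        return None
    prefix, year, seq = m.groups()
    return f"{prefix}-{year}-{seq}"


def correlate(alpha, beta):
    """Index all findings by CVE name.

    Returns (by_cve, unmapped): by_cve maps each CVE name to the set of
    (host, port, tool) tuples that reported it, so a weakness seen by both tools
    appears under one key; unmapped lists findings with no catalog name, which
    cannot be compared across tools or looked up in CVE.
    """
    by_cve = defaultdict(set)
    unmapped = []
    for host, port, name in alpha:
        cve = normalize_cve(name)
        if cve:
            by_cve[cve].add((host, port, "alpha"))
        else:
            unmapped.append(("alpha", host, port, name))
    for f in beta:
        cve = normalize_cve(f["cve"])
        if cve:
            by_cve[cve].add((f["host"], f["port"], "beta"))
        else:
            unmapped.append(("beta", f["host"], f["port"], f["id"]))
    return dict(by_cve), unmapped


def confirmed_by_both(by_cve):
    """CVE names that both scanners reported on at least one common host."""
    result = set()
    for cve, hits in by_cve.items():
        hosts_by_tool = defaultdict(set)
        for host, _port, tool in hits:
            hosts_by_tool[tool].add(host)
        if hosts_by_tool["alpha"] & hosts_by_tool["beta"]:
            result.add(cve)
    return result


def stale_signatures(db_dates, scan_date, max_age_days=30):
    """Tools whose vulnerability database (ISO date) is older than max_age_days at scan time."""
    scan = date.fromisoformat(scan_date)
    return sorted(tool for tool, d in db_dates.items()
                  if (scan - date.fromisoformat(d)).days > max_age_days)


if __name__ == "__main__":
    by_cve, unmapped = correlate(ALPHA_FINDINGS, BETA_FINDINGS)
    for cve in sorted(by_cve):
        print(cve, sorted(by_cve[cve]))
    print("seen by both tools:", sorted(confirmed_by_both(by_cve)))
    print("findings without a CVE name:", unmapped)
    # Constructed signature-database dates for the two hypothetical tools.
    print("stale databases:", stale_signatures(
        {"alpha": "2001-09-01", "beta": "2001-11-20"}, "2001-12-01"))
```

Findings that end up in the unmapped list are the ones to raise with the vendor: without a catalog name there is no way to tell whether two tools found the same weakness, or to consult CVE or the CERT Vulnerability Notes for guidance on addressing it.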