8.2 Before the Workshop: Run Vulnerability Evaluation Tools on Selected Infrastructure Components
The focus of this activity rests squarely on the computing infrastructure. Your goal is to make sure that each component you selected during process 5 is evaluated against known technological weaknesses, to determine which of those weaknesses are actually present in that component.
Staff members from your information technology department, or possibly external experts, take lead roles in process 6. Remember, it takes specialized information technology and security knowledge to run the tools and interpret the results. You need to make sure that you have the right people engaged in this part of the evaluation.
Step 1: Run Vulnerability Evaluation Tools
In this step you conduct the vulnerability evaluation by running the vulnerability evaluation tools you selected during process 5. Before you use the tools, you must verify that
You should always make sure that you have proper permission and management approval prior to running vulnerability evaluation tools on your networks. Your organization's information technology department should have procedures for obtaining approval to use the tools. You should notify personnel who may use or rely on the systems and networks being evaluated in case something unexpected happens and they lose access to the asset(s).
Run the tools on the selected components. Remember, designated people with information technology skills lead this activity. Members of the analysis team can be present to observe the evaluation or participate in it directly, if appropriate.
In our sample scenario, three members from ABC Systems led the vulnerability evaluation for MedSite. The analysis team member with information technology skills participated in the evaluation, as did two other information technology staff members from MedSite who wanted to learn more about vulnerability tools. They used a suite of commercial and freeware tools that were approved for use according to ABC Systems' policies and procedures. The staff members from ABC Systems ran these tools on a regular basis and knew how to operate them; they helped the MedSite staff become familiar with the tools and how they are used.
Prior to running the tools on MedSite's networks, the analysis team and the staff from ABC Systems made sure to obtain approval from MedSite's management. Everyone agreed that the tools should be run after standard working hours at MedSite to minimize any problems that might occur. At that point, they ran the tools. Figure 8-1 shows the components at MedSite on which the vulnerability evaluation tools were run. Note that despite their efforts to gain approval, they were blocked from looking at home machines due to corporate policy.
Note to Figure 8-1: Real IP addresses are not supplied in this figure.
Step 2: Prepare Preliminary Vulnerability Summary
After you have completed step 1, you have to review the reports generated by the tools. Software vulnerability evaluation tools typically produce the following types of information for each component:
During step 2, you review the detailed vulnerability reports, interpret the results, and create a preliminary summary of the technology vulnerabilities for each key component. A vulnerability summary should state how many vulnerabilities should be fixed immediately (high-severity vulnerabilities), how many should be fixed soon (medium-severity vulnerabilities), and how many should be fixed later (low-severity vulnerabilities).
Note that the severity levels defined above are a basic set used to indicate how soon action should be taken to address vulnerabilities. Severity is specific to each organization's context, and you should tailor the levels to meet your organization's needs. Most tools assign their own severity ratings, but different tools interpret high, medium, and low differently, so map each tool's ratings onto your organization's definitions before you count them rather than adding the tools' labels together as they stand.
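The mapping and counting described above can be done mechanically once the organization's levels are fixed. The following script is an added example and is not part of the original text or of any scanner product: it reads a constructed CSV export (the column layout and the tool names scanner_a, scanner_b and scanner_c are assumptions, as are the CVSS thresholds and the per-tool label maps), normalizes every finding to the organization's high/medium/low levels, drops duplicate findings reported by more than one tool, and produces the per-component counts that a preliminary vulnerability summary needs. Findings whose rating cannot be mapped are counted separately so that they are reviewed by a person rather than silently lost.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export (not real scanner output). Columns mimic what
# commercial and freeware scanners commonly export: the scanned host, the
# finding name, the tool that reported it, the tool's own severity label and,
# where the tool supplies one, a CVSS base score (empty if not supplied).
SAMPLE_REPORT = """component,host,finding,tool,tool_severity,cvss
Web server,10.0.0.1,Outdated TLS configuration,scanner_a,Critical,7.5
Web server,10.0.0.1,Directory listing enabled,scanner_a,Medium,5.3
Web server,10.0.0.1,Missing HTTP security headers,scanner_b,Warning,
Web server,10.0.0.1,Outdated TLS configuration,scanner_b,Hole,
Database server,10.0.0.2,Unpatched database service,scanner_a,High,9.8
Database server,10.0.0.2,Default administrative account,scanner_b,Hole,
Database server,10.0.0.2,Verbose error banner,scanner_a,Low,3.1
Workstation,10.0.0.3,Operating system version disclosed,scanner_a,Info,
Workstation,10.0.0.3,Shared folder world-readable,scanner_b,Note,
Workstation,10.0.0.3,Weak local password policy,scanner_c,Severe,
"""

# Organization-defined levels (hypothetical thresholds, to be tailored locally):
# "high" = fix immediately, "medium" = fix soon, "low" = fix later.
CVSS_THRESHOLDS = [(7.0, "high"), (4.0, "medium"), (0.0, "low")]

# Per-tool label maps, because each tool's "High"/"Medium"/"Low" (or its own
# vocabulary) means something different. None marks informational findings
# that carry no remediation action and are excluded from the counts.
TOOL_LABEL_MAP = {
    "scanner_a": {"critical": "high", "high": "high", "medium": "medium",
                  "low": "low", "info": None},
    "scanner_b": {"hole": "high", "warning": "medium", "note": "low"},
}

LEVELS = ("high", "medium", "low", "unknown")


def normalize_severity(tool, tool_severity, cvss):
    """Map one finding to the organization's level.

    A CVSS base score, when the tool supplies one, takes precedence because it
    is comparable across tools; otherwise the tool's own label is translated.
    Returns None for informational findings and "unknown" when neither route
    yields a level, so the finding is flagged for manual review.
    """
    if cvss:
        score = float(cvss)
        for threshold, level in CVSS_THRESHOLDS:
            if score >= threshold:
                return level
    label_map = TOOL_LABEL_MAP.get(tool, {})
    label = tool_severity.strip().lower()
    if label in label_map:
        return label_map[label]
    return "unknown"


def summarize(report_text):
    """Count findings per component and level, deduplicating by host+finding.

    When two tools report the same finding on the same host, the first row
    wins; rows carrying a CVSS score should therefore be listed first in the
    export so that the more precise rating is the one kept.
    """
    summary = defaultdict(lambda: {level: 0 for level in LEVELS})
    seen = set()
    for row in csv.DictReader(io.StringIO(report_text)):
        key = (row["host"], row["finding"].strip().lower())
        if key in seen:
            continue
        seen.add(key)
        level = normalize_severity(row["tool"], row["tool_severity"], row["cvss"])
        if level is None:  # informational only; nothing to fix
            continue
        summary[row["component"]][level] += 1
    return dict(summary)


def render(summary):
    """Return the preliminary summary as plain text, one line per component."""
    lines = []
    for component in sorted(summary):
        counts = summary[component]
        lines.append(
            f"{component}: fix immediately={counts['high']}, "
            f"fix soon={counts['medium']}, fix later={counts['low']}, "
            f"needs manual review={counts['unknown']}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(summarize(SAMPLE_REPORT)))
```

Keep the thresholds and label maps in a file that the analysis team agrees on before the tools are run, so that the summary presented at the workshop reflects the organization's definitions of severity and not whichever tool happened to report a finding. The "needs manual review" column is where an unfamiliar tool's vocabulary shows up; it should be empty before the summary is finalized.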
The need for a preliminary summary is based on the assumption that the vulnerability evaluation is not conducted by all of the analysis team members. Software vulnerability evaluation tools produce very detailed reports that are not easily understood by personnel who do not have information technology and security backgrounds. Remember that the analysis team includes business staff members who probably do not configure and manage systems on a day-to-day basis.
If additional information technology staff members or external experts conduct the evaluation, a preliminary vulnerability summary is necessary to communicate vulnerability information to the core analysis team members. The summary should be presented to the analysis team during the process 6 workshop. However, if all core analysis team members are able to participate actively in the vulnerability evaluation, you can wait until the workshop to analyze and interpret the results.
Let's go back to our example. The staff members from ABC Systems and MedSite first established severity levels for technology vulnerabilities, shown in Figure 8-2.
Next, they analyzed the reports generated by the tools and interpreted the results, creating a preliminary summary for the key components. That summary is shown in Figure 8-3.