As a security manager, you should regularly test your organization's security technology and practices. Such testing enables you to find and mitigate vulnerabilities before malicious attackers do. An excellent way to test your security technology and practices is to regularly conduct vulnerability assessments.
Is the assessor able to offer reasonable and appropriate mitigation recommendations? A high quality assessor presents recommendations that strike a balance between security and functionality, and are cost-effective and achievable. For example, your assessor should not recommend an expensive, complicated measure, such as modifying an information system's TCP/IP stack, in order to mitigate a vulnerability that has a low likelihood of exploitation.
Define the scope of the assessment
Once you've identified an assessor, sit down with him and define and document exactly what will be covered. Do you want to evaluate only certain servers on your network or do you want to review all of your information systems and security practices? A vulnerability assessment can include one or more of the following:
- Detection and identification of information system vulnerabilities, both from the Internet and from an organization's internal network
- Detection and identification of open ports and available services on specific information systems
- Detection and identification of specific application vulnerabilities
- Detection and identification of modems (for war dialing)
- Attempts to obtain unauthorized data or access from an organization's employees (social engineering attempts)
- Attempts to gain unauthorized physical access to an organization's information systems (physical penetration test)
In general, it's better to conduct the most comprehensive evaluation possible, but political and financial considerations may not always allow this. You should define and document an assessment that is reasonable and appropriate for your organization. The scope documentation provides a framework for the assessment and can be used as a baseline for future assessments.
Set rules of engagement
Next, define the rules that will govern the assessment. Typical questions that need to be answered include:
- Should discovered vulnerabilities be exploited or only recorded?
- What type of attack methods can be used (social engineering, denial of service, war dialing, etc.)?
- At what times can the assessment occur?
- Are there certain types of information systems that should be excluded from the assessment (e.g., those providing medical services)?
The rules should be appropriate and reasonable for your organization and should support the overall scope of the assessment.
Defined and documented rules of engagement are necessary to ensure that a vulnerability assessment does not disrupt your organization. A high quality assessor never exceeds the rules. Avoid assessors who are unwilling to establish rules of engagement.
Identify vulnerabilities that require immediate notification
Not all vulnerabilities are equal; some clearly pose more risk than others. A high quality assessor will interpret and prioritize discovered vulnerabilities so that your organization can focus on the important ones. Your assessor should also explain the risks of specific vulnerabilities so that their prioritization is understood.
On the other hand, the assessor should not hold serious vulnerabilities back for the final report. For example, you should be notified immediately of a vulnerability in a database containing significant amounts of financial data when that vulnerability can likely and easily be exploited from the Internet to misuse or abuse the data. Expeditious reporting will enable you to quickly mitigate these threats. You should work with the assessor to define and document the types of vulnerabilities that need to be reported quickly, as well as how and to whom the report will be made.
Vulnerability assessments are crucial for ensuring the security of your information systems and should be done on a regular basis. Follow these suggestions and you'll receive a high quality vulnerability assessment that reasonably and efficiently identifies vulnerabilities on your information systems and presents realistic and cost-effective measures to mitigate them.
About the author
Steven Weil, CISSP, CISA, CBCP is senior security consultant with Seitel Leeds & Associates, a full service consulting firm based in Seattle, Wash. Steven specializes in the areas of security policy development, HIPAA compliance, disaster recovery planning and security assessments. He can be reached at sweil@sla.com.