Network Security Assessment: From Vulnerability to Patch

Chapter 2: Vulnerability Assessment 101

Introduction

Vulnerabilities exist; they always have and always will. Just think of the potential impact to the economy if vulnerabilities weren't present, at least in commercial-grade products. Would major organizations still invest in a security program? What sort of work would we be doing, if not security? As security practitioners and business leaders, we must realize that vulnerabilities are a part of life, a part of our consumption of technology. As such, we must practice due diligence in ensuring that vulnerabilities don't represent an undue liability to our organization, creating an unacceptable level of risk. This chapter focuses on what a vulnerability assessment is, traditional and alternative methods for discovering vulnerabilities, and the importance of seeking out vulnerabilities.

What Is a Vulnerability Assessment?

One might equate a vulnerability assessment (or VA) to a reconnaissance mission within the military. The purpose of the recon exercise is to go forth, into foreign territory, and ascertain weaknesses: vulnerabilities within the opposition. Upon completion of the exercise, military commanders should have greater insight and intelligence regarding their target(s), knowing their strengths as well as their weaknesses. Like reconnaissance missions, vulnerability assessments are security exercises that aid business leaders, security professionals, and hackers in identifying security liabilities within networks, applications, and systems.

In this section, we'll discuss the steps involved in conducting a vulnerability assessment: information gathering/discovery, enumeration, and detection. This section will provide an introductory view of vulnerability assessment. The next chapter will dive into the how-to and technical details associated with vulnerability assessments.
