Network Security Assessment: From Vulnerability to Patch

This chapter begins our discussion of developing a vulnerability assessment (VA) methodology by outlining the first steps in performing a proper vulnerability assessment. A vulnerability assessment differs from a penetration test in that you typically perform a VA with broad knowledge of the environment you are testing; as you will learn in an upcoming chapter, a pen test is typically more in-depth and focused. The purpose of a vulnerability assessment, as we previously discussed, is to take a broad snapshot of an environment that shows exposures to known vulnerabilities and configuration issues. Note the wording in that last sentence: known vulnerabilities and configuration issues. If your goal is to find new vulnerabilities, a VA tool will not help you.
If we, the authors of this book, have done our jobs correctly, you will be able to use what you'll learn in these chapters to create your own vulnerability assessment methodology.
The first two chapters of this book demonstrated the importance of vulnerability management, what vulnerabilities are, and what they mean to an organization. In Chapter 2, we discussed at a high level the basics of vulnerability assessment. In this chapter, we will provide examples of how to perform a vulnerability assessment. Whether your network is small or large, the basic VA framework is the same, but in some cases, the tools you can use differ. We will point out variances that may occur depending on the size of your network, as well as the different tools you...