Table of Contents

Introduction Information Security Lifecycle Network Vulnerability Assessment Do I Need to be a Technical Expert to Run an NVA? What Level of Skill Is Needed? Which Specific Skills Are Needed? Can One Person Run an NVA? Introduction to Vulnerability Assessment Goals of Vulnerability Assessment How Many Trees Should Die to Generate This Type of Report? What Are Vulnerabilities? Classes of Vulnerabilities Elements of a Good Vulnerability Assessment Project Scoping General Scoping Practices Developing the Project Overview Statement Developing the Project Scope Project Scope Document Project Scope Change Summary Assessing Current Network Concerns Network Vulnerability Assessment Timeline Network Vulnerability Assessment Team (NVAT) Threats to Computer Systems Other Concerns Additional Threats Prioritizing Risks and Threats Other Considerations Checklists Summary Network Vulnerability Assessment Methodology Methodology Purpose Definitions Justification Philosophy Top-Down Examination Bottom-Up Examination Network Vulnerability Assessment Methodology The NVA Process (Step-by-Step) Summary Policy Review (Top-Down) Methodology Definitions Policy Review Elements Summary Technical (Bottom-Up) Step 1: Site Survey Step 2: Develop a Test Plan Step 3: Building the Toolkit Step 4: Conduct the Assessment Step 5: Analysis Step 6: Documentation Summary Network Vulnerability Assessment Sample Report Table of Executive Summary Body of the NVA Report Summary Summary Appendixes ISO17799 Self-Assessment Checklist Window NT Server 4.0 Checklist Network Vulnerability Assessment Checklist Pre-NVA Checklist Sample NVA Report NIST Special Publications Glossary of Terms