Home page logo

basics logo Security Basics mailing list archives

Re: Vulnerability Assessment Checklists?
From: Muhammad Faisal Rauf Danka <mfrd () attitudex com>
Date: Wed, 3 Dec 2003 08:35:06 -0800 (PST)

Well said by Harlan, 

Just to reiterate, fundamentally the client's objectives will be: 
- to identify real vs. perceived risks, 
- to evaluate that where does the risk fall with reference to the prior accepted and notified residual risk; 
- to prioritize rectification strategy accordingly.

Apart from that, the client will also expect to know the unascertained "areas of improvement"

Techno-babble, might impress their IT staff, but for the management Business risk is more important than just the 
Technology risk.

Focus more on identifying business risks out of the conventional technology risks; and for that purpose, identification 
of primary area of focus will vary in view of scope, situation, objectives and performance indicators.

Try to answer the following before and after an engagement:

- Business Understanding
- Identified Risks
- Expectations
- Scope Limitations
- Measurement Criteria
- Do's & Don'ts
- Timelines
- and above all "Value Proposition"

Muhammad Faisal Rauf Danka

--- H Carvey <keydet89 () yahoo com> wrote:
In-Reply-To: <BAY2-F52x8VUkRacUtI000005ed () hotmail com>


Since I've never evaluated the security posture of a company before I could 
use some resources on how to best get started. They run the gamut from P2P 
to WANs. Of course, I want to give them some value while gaining valuable 
experience for my resume.

From my experience, the best way to "add value" to something like an assessment is to evaluate security based on the 
their business processes and needs.  Technical information is easy to obtain...it wasn't too long ago that "security 
consulting firms" simply had their "consultants" run ISS.  Even now, many reputable firms don't do much beyond running 
a commercial scanning tool.

The real value comes when you can assess the security based on the business needs/processes of the client, and provide 
reasonable recommendations for improvement, if they're called for.  The things you mentioned...P2P, WAN, etc...are all 
part of the picture.  You'll want to look at a variety of areas, including but not limited to WLAN, user acct mgmt, 
host-based security, etc, etc.

Hope that helps.  Contact me off list if you want to discuss this.





  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]