Vulnerability Identification
A vulnerability is a weakness in a system or its protections that could be exercised, creating a breach in the security protection of the system. The goal of this step is to come up with a list of vulnerabilities that could be exercised by potential threat sources.
Vulnerabilities can be identified from lists and advisories on common vulnerabilities and also by testing the system.
Once a list of vulnerabilities that might be exercised against the system has been identified, each vulnerability should be matched up against the threat sources that were previously identified, so that overall risk can be determined.

Vulnerability lists
- Databases – NIST National Vulnerability Database
- Vendor advisories – Google directory of computer security advisories and patches
- CIRT lists and bulletins
System testing
- Vulnerability scanning (see control RA-5)
- Penetration testing
- Security controls assessment (see control CA-2)
- Previous risk assessment documentation
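The steps above (collect advisories, compare them with what is actually deployed, then pair each finding with the threat sources that could exercise it so that risk can be rated) can be carried out mechanically. The following Python is an added example, not code from the original page or from NIST: the inventory, advisory records and threat sources are constructed, the advisory identifiers are placeholders rather than real CVE numbers, and the likelihood-by-impact matrix is a simplified assumption in the style of a qualitative risk table.

```python
"""Match an asset inventory against advisory records, then pair each finding
with the threat sources that could exercise it and rate the resulting risk.
All data here is constructed for illustration; ADV-000x are placeholder ids."""
from dataclasses import dataclass
from typing import List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.4.10' into (2, 4, 10) so versions compare numerically.
    A plain string comparison would wrongly rank '2.4.10' below '2.4.9'."""
    return tuple(int(p) for p in v.split("."))


@dataclass
class Asset:
    name: str
    product: str
    version: str


@dataclass
class Advisory:
    ident: str      # placeholder identifier, e.g. "ADV-0001" (assumption)
    product: str
    fixed_in: str   # first version that is no longer affected
    vector: str     # "network" or "local": how the weakness is reached
    impact: str     # "low" / "moderate" / "high"


@dataclass
class ThreatSource:
    name: str
    vector: str     # the path this source can act through
    likelihood: str # "low" / "moderate" / "high" of initiating an attack


# Constructed sample data.
INVENTORY = [
    Asset("web-01", "examplehttpd", "2.4.10"),
    Asset("web-02", "examplehttpd", "2.4.20"),
    Asset("db-01", "exampledb", "9.6.3"),
]
ADVISORIES = [
    Advisory("ADV-0001", "examplehttpd", "2.4.15", "network", "high"),
    Advisory("ADV-0002", "exampledb", "9.6.5", "local", "moderate"),
    Advisory("ADV-0003", "exampledb", "9.6.2", "local", "high"),  # already fixed in 9.6.3
]
THREATS = [
    ThreatSource("external attacker", "network", "high"),
    ThreatSource("malicious insider", "local", "low"),
]

LEVELS = ["low", "moderate", "high"]


def risk_level(likelihood: str, impact: str) -> str:
    """Simplified qualitative matrix (an assumption, not a NIST table):
    sum the two ranks, 0-1 -> low, 2 -> moderate, 3-4 -> high."""
    score = LEVELS.index(likelihood) + LEVELS.index(impact)
    return LEVELS[0 if score <= 1 else 1 if score == 2 else 2]


def find_vulnerabilities(inventory: List[Asset],
                         advisories: List[Advisory]) -> List[Tuple[Asset, Advisory]]:
    """An asset is affected when the product matches and its version is
    older than the first fixed version."""
    found = []
    for asset in inventory:
        for adv in advisories:
            if asset.product == adv.product and \
                    parse_version(asset.version) < parse_version(adv.fixed_in):
                found.append((asset, adv))
    return found


def assess(inventory: List[Asset], advisories: List[Advisory],
           threats: List[ThreatSource]) -> List[Tuple[str, str, str, str]]:
    """Pair each finding with every threat source whose access path matches
    the advisory's vector and rate the risk of that pairing."""
    results = []
    for asset, adv in find_vulnerabilities(inventory, advisories):
        for threat in threats:
            if threat.vector == adv.vector:
                results.append((asset.name, adv.ident, threat.name,
                                risk_level(threat.likelihood, adv.impact)))
    return results


if __name__ == "__main__":
    for asset, adv, threat, risk in assess(INVENTORY, ADVISORIES, THREATS):
        print(f"{asset}: {adv} exercisable by {threat} -> risk {risk}")
```

Unpatched findings with no matching threat source drop out of the final list, which is exactly the point of the matching step: a weakness only becomes a risk when something can exercise it. In practice the inventory would come from a scanner or asset database and the advisory list from a feed such as the NVD.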
Security Requirements Checklist
The security requirements checklist contains the basics to evaluate and identify the vulnerabilities of information system assets, procedures, processes and information. The purpose is to determine whether security requirements are being met by either existing or planned controls.
KEY NIST DOCS:
800-42 “Guideline on Network Security Testing”
800-40 “Creating a Patch and Vulnerability Management Program”
800-115 “Technical Guide to Information Security Testing”