Risk Management: Vulnerabilities: How and when are information-related vulnerabilities assessed?
Options:Option 1: Only address vulnerabilities if consequences and threats justify the effort.
Option 2: Address vulnerabilities by expert facilitated reviews.
Option 3: Use a systems analysis approach to identification of vulnerabilities.
Option 4: Do penetration testing to identify vulnerabilities.
Option 5: Scan for known vulnerabilities using a vulnerability scanner periodically.
Option A: Use a fully detailed and experimentally validated attack graph methodology with timing in a systems analysis.
Option B: Use step-wise attack graphs based on estimates and experiments and combine them.
Option C: Use test results from threat-identified starting points.
Option D: Use testing from a small number of internal test points.
Option E: Use testing from a small number of external test points.
Basis:Only address vulnerabilities if consequences and threats justify the effort.
Since assessing vulnerabilities at a detailed level is expensive and potentially generates an enormous list of mechanisms, it is prudent when doing high quality vulnerability assessments to only do them for identified consequences and threats that justify the time, effort, and expense, and to focus the effort on the issues that are most important.
Address vulnerabilities by expert facilitated reviews.
Experts are required in order to review vulnerabilities that involve non-automated attack mechanisms and vulnerabilities that are not solely based on software attacks against software mechanisms.
Use a systems analysis approach to identification of vulnerabilities.
Systems analysis consists of defining the information environment in a well-defined methodology as a system under design, and then doing systematic and detailed analysis of every aspect of the design against a defined fault model.
Do penetration testing to identify vulnerabilities.
Penetration testing is used to identify specific vulnerabilities, typically when they are in question. It can also be used as an effective demonstration of what experts assert to be true, and is at the heart of experimental vulnerability verification. It also helps to define times associated with steps in attack graphs and force level requirements for attacks.
Scan for known vulnerabilities using a vulnerability scanner periodically.
Vulnerability scanners look for known software weaknesses in known systems using automated mechanisms, and ignore the context of the situation and the implications of different results. If incorrectly used, they can be confusing and cause wasted time and effort on irrelevant issues.
Use a fully detailed and experimentally validated attack graph methodology with timing in a systems analysis.
This approach produces a graph which defines all feasible event
sequences with potentially serious negative consequences from all
starting points and for all ending points, and the timing associated
with them. For this graph, a detailed analysis can be made of all cuts
to all attack graphs to determine whether each of a defined set of
defensive strategies will work and how well.
Use step-wise attack graphs based on estimates and experiments and combine them.
This approach creates small attack graphs that characterize sequences of steps in an attack within an overall structure. The steps are then later combined to create an approximate overall attack graph. Timing can be added if desires, and analysis can be done on the combined attack graph, however, some of the contextual information that would be present in a more complete attack graph approach will be missing and results will be that much less certain. Typical steps include a subset of the following steps. Note that the term "facility" may be informational or physical or combinations thereof. At any step, the attacker may be able to fulfill their goals, and if so, may do so without or while skipping further steps.
Use test results from threat-identified starting points.
In this case, tests are undertaken from different starting points under the appropriate assumptions for the identified threats.
Use testing from a small number of internal test points.
In this case, a small number of internal test locations are used to source testing. This models insiders starting at different inside locations.
Use testing from a small number of external test points.
In this case a small number of external testing points are used to source testing. This models outsiders starting at different outside locations.