[Dshield] Risk Assessment
miles at mstevenson.org
Thu Oct 14 20:58:30 GMT 2004
> Without an enforced patch management process the network design can be
> susceptible to vulnerabilities from hackers, worms, and viruses.
All software can be susceptible to vulnerabilities if there are threats to
exploit those vulnerabilities, regardless of whether or not you have applied
all your patches. Patches fix vulnerabilities known to the vendor, while
failing to protect against vulnerabilities (except by accident) unknown to
I would say:
Without an enforced patch management process, the security plan becomes
considerably less effective at mitigating vulnerabilities exploited by an
> The current vulnerabilities inherent in Windows provide access to the
> network through attacks resulting in the ability to alter, destroy, or
> disclose data.
I can assure you that not all the current vulnerabilities "inherent" in
Windows are known. Not all of these vulnerabilities will provide access to
the network. Consider a race-condition vulnerability allowing privilege
escalation to a user account that does not have network privileges.
All vulnerabilities inherent in any computer system create the potential for
destruction of data, theft of data, corruption of data, or some combination
of the set.
> Without a process to provide information on security incidents to
> guide the network development and upgrade plan, the network design can
> be susceptible to vulnerabilities.
I think you are trying to reference part of the standard incident response
cycle here, which would include applying "lessons learned" into the security
implementation to prevent further repeats of the same incident. I'm not sure
if you are asking a question here or not though.
> Without regular external penetration testing, the network may be
> susceptible to external attacks by hackers.
Again, "regular penetration testing" will not make your network
not-susceptible (invulnerable) to external attacks. The goal of a penetration
test is to find as many of the exploitable vulnerabilities as possible (note
here that there IS such a thing as a vulnerability that has no potential for
exploitation, so this is important) and fix them before an attacker does. The
goal is NOT to make your security "perfect".
> Any other thoughts?
There are always more thoughts!
I realize that it may seem I'm being picky about correct definitions and use
of terminology in my corrections, but it's extremely important to fully
understand these definitions in order to benefit fully from their proper
application. Hope that helps.
miles at mstevenson.org
PGP FP: 035F 7D40 44A9 28FA 7453 BDF4 329F 889D 767D 2F63