[Dshield] Risk Assessment

Miles Stevenson miles at mstevenson.org
Thu Oct 14 20:58:30 GMT 2004


> Without an enforced patch management process the network design can be
> susceptible to vulnerabilities from hackers, worms, and viruses.

All software can be susceptible to vulnerabilities if there are threats to 
exploit those vulnerabilities, regardless of whether or not you have applied 
all your patches. Patches fix vulnerabilities known to the vendor, while 
failing to protect against vulnerabilities (except by accident) unknown to 
the vendor.

I would say:

Without an enforced patch management process, the security plan becomes 
considerably less effective at mitigating vulnerabilities exploited by an 

> The current vulnerabilities inherent in Windows provides access to the
> network through attacks resulting in the ability to alter, destroy, or
> disclose data.

I can assure you that not all the current vulnerabilities "inherent" in 
Windows are known. Not all of these vulnerabilities will provide access to 
the network. Consider a race-condition vulnerability allowing privilege 
escalation to a user account that does not have network privileges. 

How about:

All vulnerabilities inherent in any computer system create the potential for 
destruction of data, theft of data, corruption of data, or some combination 
of the set.

> Without a process to provide information on security incidents to
> guide the network development and upgrade plan, the network design can
> be susceptible to vulnerabilities .

I think you are trying to reference part of the standard incident response 
cycle here, which would include applying "lessons learned" into the security 
implementation to prevent further repeats of the same incident. I'm not sure 
if you are asking a question here or not though. 

> Without regular external penetration testing, the network may be
> susceptible to external attacks by hackers.

Again, "regular penetration testing" will not make your network 
not-susceptible (invulnerable) to external attacks. The goal of a penetration 
test is to find as many of the exploitable vulnerabilities as possible (note 
here that there IS such a thing as a vulnerability that has no potential for 
exploitation, so this is important) and fix them before an attacker does. The 
goal is NOT to make your security "perfect". 

> Any other thoughts?

There are always more thoughts!

Here's one:
I realize that it may seem I'm being picky about correct definitions and use 
of terminology in my corrections, but it's extremely important to fully 
understand these definitions in order to benefit fully from their proper 
application. Hope that helps.

Miles Stevenson
miles at mstevenson.org
PGP FP: 035F 7D40 44A9 28FA 7453 BDF4 329F 889D 767D 2F63