Managing A Network Vulnerability Assessment

List Price: $59.95
Your Price: $48.25
Rating: 3 stars
Summary: Good, but with some weaknesses
Review: This is a good book, especially enlightening for those "security pros" who think that running a major commercial scanner and then printing a 500 page report constitutes "vulnerability assessment"!

The book clearly favors management skills over technical ones. It contains many valuable tidbits on things like proper process, methodology, policy, planning and organization. Project scoping is well covered, as is documentation development (looks good for consultants). The book also relates its assessment methodology to the ISO 17799 standard.

The book advocates a holistic approach, assessing both policy and technical vulnerabilities and not just scan-and-leave. It contains nice policy review guidelines by area of security policy. On the other hand, the section on actually conducting the technical assessment is two pages long out of the book's 186 total pages. Lots of "what" with little "how".

The technical tools section is a joke. Some examples include: "tcpdump" is absent from the sniffers section, "nmap" from the scanners section (mentioned twice in application fingerprinting tools, though), queso (which is not currently updated) is recommended, and NetSonar is called a promising scanner (the product is long discontinued). You wouldn't believe it was supposedly written in 2003! Other tool descriptions are generic and seem inspired by product web pages rather than actual tool use. In addition, there is nothing worse than an outdated website guide, and this book is firmly there :-) No Google, attrition.org is described as a major defacement mirror (it's that no more), etc.

It is interesting how the authors define "vulnerabilities" as published holes or even well-publicized ones (since, according to them, even a web post to a "less known website" supposedly doesn't make the vulnerability public!). Thus, the book is mostly about 'script kiddie defense'. But then again, it does make sense to start somewhere, and if you are being constantly "owned" by such attackers, you clearly need to work on your vulnerabilities.

Overall, the information in the book is well organized; I liked the chapter summaries and the many assessment checklists. Beware of typos, though; the book has lots of them.

Anton Chuvakin, Ph.D., GCIA, GCIH is a Senior Security Analyst with a major information security company. His areas of infosec expertise include intrusion detection, UNIX security, forensics, honeypots, etc. In his spare time, he maintains his security portal info-secure.org.

Rating: 4 stars
Summary: Read this book before you scan
Review: When performing vulnerability assessments, a mistake many people make is that they will simply run some software tools without taking a big-picture look at things.

Such a haphazard approach will not be effective for large enterprise networks. With that, Managing A Network Vulnerability Assessment gives the reader an all-inclusive framework for running a network vulnerability assessment.

The book goes over issues such as scoping, assessment and scanning methodologies, reports, etc.

The main part of the book is quickly readable at 187 pages.

Appendix A is an ISO 17799 self-assessment checklist, which can be used to validate a system against an external reference. There are a few other checklists.

Before anyone blindly runs a network scanner, they should read this book first to ensure that their scanning is done effectively and productively.

© 2004, ReviewFocus or its affiliates