Collecting the Majority of Vulnerabilities

This chapter discusses vulnerability scanning and host evaluations in relation to the INFOSEC Evaluation Methodology (IEM). This part of the evaluation requires much more thought than might initially be expected. Modern INFOSEC tools simplify the task of gathering suspected vulnerabilities, but the tools do not replace the evaluator's intellect, ability to reason, knowledge, and experience. The evaluator brings his or her skills, technical and nontechnical experience, and appropriate knowledge base to the evaluation effort. The chapter starts with a reminder of the phase of the IEM in which vulnerability scanning takes place. It then discusses vulnerability scanning itself and introduces the risk triangle to show where vulnerabilities affect an organization's INFOSEC posture and risk profile. The tools section of the chapter lists several vulnerability scanning tools, provides screen captures to familiarize the reader with the tools' interfaces, and briefly notes items of interest regarding each tool.