Possible vulnerability assessments need to be prioritized

• before running any vulnerability scan, need resources to
  • eliminate most false positives from the scan results
  • actually report each problem to someone who can fix it
  • answer questions about problem and fix details
  • answer questions about effects on non-vulnerable machines
  • accurately determine whether each problem was fixed
  • track and escalate all unfixed critical problems

• economy-of-scale issues can raise priority
• example: efficient for IS to check BIND problems campus-wide
• other prioritization: whatever action will maximize MIT's income
• (realistically: cause MIT to lose the least amount of money)
• only a small fraction of intrusions have cost beyond cleanup
• there are simple intrusions with high direct and indirect costs

• can one afford NOT to do vulnerability assessment?

Copyright 2000, Massachusetts Institute of Technology. All rights reserved.