Possible vulnerability assessments need to be prioritized
- before running any vulnerability scan, need resources to
- eliminate most false positives from the scan results
- actually report each problem to someone who can fix it
- answer questions about problem and fix details
- answer questions about effects on non-vulnerable machines
- accurately determine whether each problem was fixed
- track and escalate all unfixed critical problems
- economy-of-scale issues can raise priority
- example: efficient for IS to check BIND problems campus-wide
- other prioritization: whatever action will maximize MIT's income
- (realistically: cause MIT to lose the least amount of money)
- only a small fraction of intrusions have cost beyond cleanup
- there are simple intrusions with high direct and indirect costs
Copyright 2000, Massachusetts Institute of Technology.
All rights reserved.
- can one afford NOT to do vulnerability assessment?