tailieunhanh - Finding and Fixing Vulnerabilities in Information Systems

Vulnerability assessment methodologies for information systems have been weakest in their ability to guide the evaluator through a determination of the critical vulnerabilities and to identify appropriate security mitigation techniques to consider for these vulnerabilities. The Vulnerability Assessment and Mitigation (VAM) methodology attempts to fill this gap, building on and expanding the earlier RAND methodology used to secure a system's minimum essential information infrastructure (MEII).

Finding and Fixing Vulnerabilities in Information Systems: The Vulnerability Assessment and Mitigation Methodology

Philip S. Antón, Robert H. Anderson, Richard Mesic, Michael Scheiern

Prepared for the Defense Advanced Research Projects Agency. RAND National Defense Research Institute. Approved for public release; distribution unlimited.

The research described in this report was sponsored by the Defense Advanced Research Projects Agency. The research was conducted in RAND's National Defense Research Institute, a federally funded research and development center supported by the Office of the Secretary of Defense, the Joint Staff, the unified commands, and the defense agencies under Contract DASW01-01-C-0004.

Library of Congress Cataloging-in-Publication Data: Finding and fixing vulnerabilities in information systems: the vulnerability assessment and mitigation methodology / Philip S. Anton et al. p. cm. MR-1601. ISBN 0-8330-3434-0 (pbk.). 1. Computer security. 2. Data protection. 3. Risk assessment. I. Anton, Philip S. 2003 dc21 2003012342

RAND is a nonprofit institution that helps improve policy and decisionmaking through research and analysis. RAND is a registered trademark. RAND's publications do not necessarily reflect the opinions or policies of its research sponsors.

Cover design by Barbara Angell Caslon. Copyright 2003 RAND. All rights reserved.
No part of this book may be reproduced in any form by any electronic or mechanical means (including photocopying, recording, or information storage and retrieval) without permission in writing from RAND.

Published 2003 by RAND. 1700 Main Street, P.O. Box 2138, Santa Monica, CA 90407-2138. 1200 South Hayes Street, Arlington, VA 22202-5050. 201 North Craig Street, Suite 202, Pittsburgh, PA 15213-1516. RAND URL http To order RAND documents or to obtain additional information, contact Distribution Services: Telephone 310 451-7002, Fax 310 451-6915, Email order@

PREFACE

Vulnerability assessment methodologies for information .
