Finding and Fixing Vulnerabilities in Information Systems
The Vulnerability Assessment and Mitigation Methodology
Download
Read Online Version
VAMM Tool Download
Download eBook for Free
Full Document
| Format | File Size | Notes |
|---|---|---|
| PDF file | 1.5 MB | Use Adobe Acrobat Reader version 10 or higher for the best experience. |
Summary Only
| Format | File Size | Notes |
|---|---|---|
| PDF file | 0.5 MB | Use Adobe Acrobat Reader version 10 or higher for the best experience. |
Purchase
Purchase Print Copy
| Format | List Price | Price | |
|---|---|---|---|
| Add to Cart | Paperback143 pages | $24.00 | $19.20 20% Web Discount |
Understanding an organization’s reliance on information systems and how to mitigate the vulnerabilities of these systems can be an intimidating challenge — especially when considering less well-known weaknesses or even unknown vulnerabilities that have not yet been exploited. The authors, understanding the risks posed by new kinds of information security threats, build on previous RAND mitigation techniques by introducing the Vulnerability Assessment and Mitigation (VAM) methodology. The six-step procedure uses a top-down approach to protect against future threats and system failures while mitigating current and past threats and weaknesses. The authors lead evaluators through the procedure of classifying vulnerabilities in their systems’ physical, cyber, human/social, and infrastructure elements, and identifying which security techniques can be relevant for these vulnerabilities. The authors also use VAM to break down information compromises into five fundamental components of attack or failure: knowledge, access, target vulnerability, non-retribution, and assessment. In addition, a new automated tool implemented as an Excel spreadsheet is discussed; this tool greatly simplifies using the methodology and emphasizes analysis on cautions, risks, and barriers.
Table of Contents
Chapter One
Introduction
Chapter Two
Concepts and Definitions
Chapter Three
VAM Methodology and Other DoD Practices in Risk Assessment
Chapter Four
Vulnerability Attributes of System Objects
Chapter Five
Direct and Indirect Security Techniques
Chapter Six
Generating Security Options for Vulnerabilities
Chapter Seven
Automating and Executing the Methodology: A Spreadsheet Tool
Chapter Eight
Next Steps and Discussion
Chapter Nine
Summary and Conclusions
Appendix
Vulnerability to Mitigation Map Values
Research conducted by
The research described in this report was sponsored by the Defense Advanced Research Projects Agency. The research was conducted the RAND National Defense Research Institute, a federally funded research and development center supported by the Office of the Secretary of Defense, the Joint Staff, the unified commands, and the defense agencies.
This report is part of the RAND Corporation Monograph report series. The monograph/report was a product of the RAND Corporation from 1993 to 2003. RAND monograph/reports presented major research findings that addressed the challenges facing the public and private sectors. They included executive summaries, technical documentation, and synthesis pieces.
This document and trademark(s) contained herein are protected by law. This representation of RAND intellectual property is provided for noncommercial use only. Unauthorized posting of this publication online is prohibited; linking directly to this product page is encouraged. Permission is required from RAND to reproduce, or reuse in another form, any of its research documents for commercial purposes. For information on reprint and reuse permissions, please visit www.rand.org/pubs/permissions.
The RAND Corporation is a nonprofit institution that helps improve policy and decisionmaking through research and analysis. RAND's publications do not necessarily reflect the opinions of its research clients and sponsors.