Vattenfall is implementing the OCTAVE method for information security risk assessment. Phase 1 of OCTAVE has been completed successfully and phase 2 is about to start. The CSO of Vattenfall is keen to learn about the threats and vulnerabilities in Vattenfall's IT infrastructure so that appropriate decisions can be made during phase 3. The CSO has asked the CISO to prepare a report describing what phase 2 of OCTAVE will include in order to identify all vulnerabilities and threats.
Vulnerability evaluation is not just a matter of running a set of tools against every computing device such as workstations, servers and other network components. Rather, it is a systematic process consisting of several steps that have to be followed carefully. It helps an organization find the security holes or weaknesses in its IT infrastructure.
Vattenfall has successfully completed phase 1 of OCTAVE and is now about to start the vulnerability evaluation (phase 2). During this phase, Vattenfall's IT infrastructure will be examined to find all possible security holes. At the end of phase 1 all of Vattenfall's critical assets were identified, and this information will be used as input to phase 2. The evaluation process itself consists of two parts: in the first part the key technological components of Vattenfall are identified, and in the second part these components are evaluated to find vulnerabilities.
What are Vulnerabilities?
A vulnerability is a weakness in software, hardware or a procedure that an attacker can exploit to gain unauthorized access to a system or network. A vulnerability results from the absence of a safeguard or control mechanism in an environment. Examples include weak passwords, unpatched operating systems or applications, open firewall ports that are not in use, and a lack of physical security measures in a data center. Vulnerabilities in software and hardware can be divided into three categories: design vulnerabilities, implementation vulnerabilities and configuration vulnerabilities, which concern issues in the design, implementation and configuration of the software or hardware respectively. In this vulnerability evaluation the primary focus will be on configuration issues in the software and hardware installed in Vattenfall's IT infrastructure. Configuration vulnerabilities include, for example, default passwords, wrongly assigned file permissions, vulnerable services and other known technology weaknesses.
A security threat is the possibility that someone finds a weakness in the IT environment and exploits it to cause harm. The person or entity that exploits the weakness and causes harm is called a threat agent.
Identifying Key Components
Vulnerability evaluation in OCTAVE starts with identifying the key components of the IT infrastructure. This step is carried out by the core analysis team and requires a particular skill set. The analysis team should be familiar with Vattenfall's business and IT environment and should know how users use these IT resources to perform their tasks. The members of the analysis team should also have good communication and analytical skills. The most important skill required is an understanding of the different vulnerabilities, the exploits associated with them and the tools needed to find them. Individuals with specialist skills such as penetration testing can be added to the analysis team, but in Vattenfall's case this work will be done by an external consultant.
There are two main activities in this step:
identify key classes of components
identify the infrastructure components to examine
The purpose of these activities is to select the components of Vattenfall's IT infrastructure that will undergo vulnerability evaluation. This requires that the analysis team has sufficient information about the IT infrastructure, which can be gained from network diagrams, network mapping tools or Vattenfall's computer inventory list. The following sections describe these two activities in more detail.
Selecting key classes of components
In this activity all the network paths in Vattenfall's IT infrastructure will be examined to see how information can be accessed by people from inside or outside the organization. The purpose is to identify every network path through which an attacker could gain access to information, and thereby to identify the key IT components of Vattenfall's infrastructure. Figure 1 describes this scenario in terms of asset, access, actor, motive and outcome.
Fig 1: Relationship between threats and components 
To conduct this step it is first necessary to identify all the systems that are linked with Vattenfall's critical information assets. These are the systems through which Vattenfall's users access information on critical assets to perform their tasks: for example, systems that store and process the information of a critical asset, or systems used to access a software application. These systems are made up of different classes or types of components, for example workstations, servers, network components and storage devices. Next, all the components that are part of these important systems in Vattenfall's infrastructure are identified. The result is a concrete list of all the components of Vattenfall's IT infrastructure that will be included in the vulnerability evaluation.
Selecting Components for Evaluation
After identifying all the important IT components of Vattenfall's infrastructure, the next step is to select some components from each class to include in the vulnerability evaluation. The OCTAVE method is based on the principle of the "critical few", so it is not necessary to include every important component of a class in the vulnerability evaluation; however, a sufficient number of components must be selected. Network diagrams are helpful in this step. The accessibility of a component and its criticality for business operations must also be analyzed in order to avoid any interruption to business operations during the evaluation.
Selecting Evaluation Approach
Once the list of components for evaluation is complete, the next step is to select the evaluation approach. Vulnerability evaluation can be performed by experts within the organization, by external consultants or by managed service providers. In Vattenfall's case the evaluation will be performed by an external consultant. When hiring the services of an external consultant, the following points should be considered:
How the requirements will be communicated to the consultant.
How it will be verified that the consultant has fulfilled the requirements, and what the acceptance criteria will be.
When the evaluation will start. It is recommended that this be after office hours.
Which stakeholders need to be identified and informed about the evaluation schedule.
Besides these considerations, for every evaluation we need to:
Obtain management approval before starting the evaluation.
Take legal implications into account.
Notify all stakeholders of any side effects of the evaluation. For example, if a system will not be accessible during the evaluation, all stakeholders should be notified in advance.
There are many commercial and free tools available that automate the vulnerability evaluation process. These tools can perform operating system scanning, application scanning, network infrastructure scanning and so on. Besides these automated tools there are many checklists that can be worked through manually during the evaluation. Before starting the evaluation and running the tools, it is also very important to study the available tools in order to select appropriate ones. In Vattenfall's case the evaluation will be performed by an external consultant, so the consultant will select the tools; even so, it is important to obtain the list of these tools and their details from the consultant.
Evaluating Selected Components
The first part of the vulnerability evaluation was to select the key components of Vattenfall's IT infrastructure; the second part is to evaluate those components, which completes the vulnerability evaluation phase of OCTAVE. For Vattenfall this step will be performed by the external consultant. The consultant, or team of consultants, is expected to provide a preliminary summary report of all the vulnerabilities found during the assessment.
The next step in this phase is to review the vulnerabilities found and prepare recommendations to mitigate them. For this purpose a workshop will be held in which the core analysis team, IT staff and the external consultant participate. The review will be led by the external consultant, and its agenda is to understand the vulnerabilities found, their potential effect and their mitigation. The output of this discussion is fed back into the preliminary summary report developed earlier so that it can be corrected and refined.
The last step in this activity is to develop actions and recommendations to mitigate the vulnerabilities found in Vattenfall's IT infrastructure. This includes the procedures for addressing each vulnerability, the timeline for implementing those procedures and who will be responsible for carrying them out. In the preliminary report all the vulnerabilities found are ranked by severity, e.g. High, Medium and Low. High-ranked vulnerabilities must be addressed immediately, whereas medium- and low-ranked vulnerabilities can be addressed later. It is important, however, to define an appropriate timeline even for medium- and low-ranked vulnerabilities, because several of them on the same component can collectively amount to a high-ranked vulnerability.
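The three steps described above (tracing critical assets to the components of the systems that serve them, selecting a "critical few" per component class while deferring components whose scan would interrupt operations, and turning ranked findings into a remediation timeline in which accumulated Medium/Low findings on one component are escalated) can be captured as a small workflow. This is an added example, not part of the essay or of the OCTAVE method; the inventory, the asset-to-system mapping, the deadlines in days and the escalation threshold are constructed placeholders, not Vattenfall data.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Component:
    name: str
    cls: str                   # workstation, server, network, storage
    systems: frozenset         # systems the component belongs to
    externally_reachable: bool # on a network path from outside
    business_critical: bool    # scanning could interrupt operations

# Constructed sample data (hypothetical): critical asset -> systems that serve it
CRITICAL_ASSETS = {"billing-db": {"erp"}, "plant-historian": {"scada"}}
INVENTORY = [
    Component("ws-hr-01", "workstation", frozenset({"erp"}), False, False),
    Component("ws-ops-03", "workstation", frozenset({"scada"}), False, True),
    Component("srv-erp-db", "server", frozenset({"erp"}), False, True),
    Component("srv-web-01", "server", frozenset({"erp"}), True, False),
    Component("srv-mail", "server", frozenset({"mail"}), True, False),  # not linked
    Component("fw-edge", "network", frozenset({"erp", "scada"}), True, False),
    Component("san-01", "storage", frozenset({"scada"}), False, True),
]
ORDER = ["High", "Medium", "Low"]
DEADLINE_DAYS = {"High": 7, "Medium": 30, "Low": 90}  # assumed SLA values

def key_components(inventory, critical_assets):
    """Step 1: keep components that belong to a system linked to a critical asset."""
    linked = set().union(*critical_assets.values())
    return [c for c in inventory if c.systems & linked]

def select_critical_few(components, per_class=2):
    """Step 2: a few per class, externally reachable first, business-critical last
    (those need a maintenance window rather than being dropped)."""
    by_class = defaultdict(list)
    for c in components:
        by_class[c.cls].append(c)
    chosen = {}
    for cls, items in by_class.items():
        items.sort(key=lambda c: (c.business_critical, not c.externally_reachable, c.name))
        chosen[cls] = [c.name for c in items[:per_class]]
    return chosen

def remediation_plan(findings, escalate_at=3):
    """Step 3: (component, severity) pairs -> component: (rank, deadline in days).
    A component with escalate_at or more findings is treated as High even if
    none of them is High on its own."""
    per_component = defaultdict(list)
    for comp, sev in findings:
        per_component[comp].append(sev)
    plan = {}
    for comp, sevs in per_component.items():
        rank = min(sevs, key=ORDER.index)
        if rank != "High" and len(sevs) >= escalate_at:
            rank = "High"
        plan[comp] = (rank, DEADLINE_DAYS[rank])
    return plan
```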