| Summary: | <p>Assessing the vulnerability of an enterprise’s infrastructure is an important step in judging the security of a network and the trustworthiness and quality of the information that flows through it. Currently real-world infrastructure vulnerability is often judged in an ad hoc manner, based on the criteria and experience of the assessors. While methodological approaches to assessing infrastructure vulnerability exist, in practice they are not academically rigorous, having grown organically to meet business requirements. Our aim in this paper therefore is to study infrastructure vulnerability from a more structured perspective. We introduce and explore a novel way of assessing computer network infrastructure vulnerability. Instead of attempting to find vulnerabilities in infrastructure, we instead assume the network is insecure, and measure its vulnerability based on the controls that have (and have not) been put in place. We consider different control schemes for addressing vulnerability, and look at how one of them, namely the Council on Cyber Security’s Top 20 Critical Security Controls, can be applied.</p>
|
|---|