are running on the same host. It makes no assumptions about specific
services being tied to specific hosts.
Test cooperation. The security tests performed by Nessus are designed
to cooperate with services detected on the host so that useless
information is not reported. For example, if an FTP server does not allow
anonymous logins, then Nessus is intelligent enough to determine that
any anonymous-related security checks need not be performed.

Complete, exportable reports. Nessus will not only tell you what's
wrong on your network, but will, most of the time, tell you how to
prevent crackers from exploiting the security holes found, and will
give you the risk level of each problem found (risk levels are
categorized from Low to Very High). The UNIX version of the Nessus
client can export Nessus reports in ASCII text, LaTeX, HTML,
"spiffy" HTML (with pies and graphs), and an easy-to-parse
delimited file format.

Full SSL support. Nessus has the ability to test SSL-type services such
as https, smtps, imaps, and more. You can even supply Nessus with a
certificate so that it can be integrated into a PKI-like environment.
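
The service-to-port independence and test cooperation described above can be modelled as checks that declare the facts they depend on. The following Python model is an added example, not Nessus code; the hosts, check names and knowledge-base keys are constructed for illustration.

```python
# Added illustration: a toy model of dependency-aware checks.
# All names and the sample hosts below are constructed, not Nessus internals.

# Constructed scan targets: port -> facts a discovery step would learn.
HOSTS = {
    "10.0.0.5": {2121: {"service": "ftp", "anonymous": False}},
    "10.0.0.9": {21: {"service": "ftp", "anonymous": True},
                 8443: {"service": "https"}},
}

# Each check names the knowledge-base keys it requires before it may run.
CHECKS = [
    ("ftp-banner-version", {"ftp"}),
    ("ftp-anonymous-writable-dir", {"ftp", "ftp/anonymous"}),
    ("https-weak-protocols", {"https"}),
]


def build_kb(ports):
    """Record facts per port, keyed on the detected service, not the port number."""
    kb = {}
    for port, facts in ports.items():
        keys = {facts["service"]}
        if facts.get("anonymous"):
            keys.add(facts["service"] + "/anonymous")
        kb[port] = keys
    return kb


def plan(hosts=HOSTS, checks=CHECKS):
    """Return (run, skipped) lists of (host, port, check) tuples."""
    run, skipped = [], []
    for host, ports in sorted(hosts.items()):
        for port, keys in sorted(build_kb(ports).items()):
            for name, required in checks:
                if required <= keys:
                    run.append((host, port, name))
                elif required & keys:
                    # Service is present but a prerequisite fact is missing.
                    skipped.append((host, port, name))
    return run, skipped


if __name__ == "__main__":
    run, skipped = plan()
    for item in run:
        print("run ", *item)
    for item in skipped:
        print("skip", *item)
```

The FTP server on port 2121 still receives the FTP checks because the plan is keyed on the detected service, while the anonymous-only check is skipped on the host that refuses anonymous logins.
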
As you can see, the features available in Nessus give the auditor many
ways to perform audit checks. By varying configurations, the auditor
can vary the depth of the checks to meet the specific needs of the
organization. It is not uncommon for an auditor to maintain a suite of
plug-in modules that test most common vulnerabilities. Usually, these
tools have been refined by auditors over numerous audits and provide
excellent information. As a security manager, it is a good idea to
start the use of such a process in your organization so the auditors
can perform their tasks in a more automated fashion and do their work
in shorter and shorter time frames. For more information on Nessus, the
reader is encouraged to visit the Nessus Web site,
http://www.nessus.org.
7.19 Training Staff for the Business Recovery Process
Managing the training process is crucial to establishing an effective BC
program. To accomplish this, the BC team must develop objectives and define
the scope of training. They must determine what training needs to be
conducted and what materials should be used for the training. A schedule
should be prepared for all organizational personnel involved in BC activi-