Where would you prioritize scanning an organisation's network for vulnerabilities?
We do a risk model and prioritize areas for pen testing and vulnerability assessments, but I want to hear others' views on where you prioritize, or essentially "where to start".
Say you have a typical setup of some users remotely accessing the network, be it through Citrix or whatever, and you have some web servers, SQL Servers, Oracle servers, firewalls, VPN access for 3rd parties, 2003 file servers, Active Directory DCs (several domains), and internal users. If you got placed right in the middle and management said prioritize areas to focus on first for vulnerabilities, in order of high priority, where would you start? I.e. right, we must start with this area first due to impact if compromised, then on to this, then to this, etc. Do you focus on the network's shell first, or the inside? Any pointers welcome.