58 Managing Network Vulnerability Assessment
Project management skills and knowledge:
Client presentations
Project planning and administration
Effective communication (oral and written)
Leadership
Policy examiner skills and knowledge:
Research and analysis
Security industry standards (ISO 17799, GASSP)
Threat analysis
Principles of security management
Business continuity and disaster recovery standards
Technical examiner skills and knowledge:
Client and server OS, NOS, UNIX, Linux hardware devices
Software and hardware configuration management
Reported bugs and security flaws
Network and system testing protocols and devices
Physical plant security
Other necessary skills and knowledge:
Curiosity and willingness to investigate
People skills: ability to nonthreateningly ask questions and provide suggestions
Strong knowledge of communications technologies, both hardware and software
The NVA Process, Step-by-Step
This section provides details on the phases and sub-tasks involved in performing an NVA, and discusses the essential tasks in each phase and how to do each of the tasks and sub-tasks. Many of the documents referenced in this section can be found in the Appendices section of this book.
Exhibit 4. NVA Sample Schedule (chart of Phases I through V, with the activities Planning; Interviews, Data Collection; Analysis; Draft Report; and Final Report, plotted against a time scale marked 2, 4, 6, 8, 10, 12)
Project Initiation
Once the project has been assigned, the project or team lead will have to
initiate the steps that follow. Each project requires a project plan as discussed
in Chapter 2. At a minimum, the project lead and NVA team will have to
ensure that these tasks are conducted.
The NVA Team is assembled; team roles are tentatively assigned.
The NVA Team Lead develops a detailed project plan.
Hold a kick-off meeting with the sponsor, using the Pre-NVA Checklist (found in Appendix B).
Project process, client expectations, and project calendar are established.
A detailed project plan is approved by the sponsor.
Phase I: Data Collection
The NVA team draws up a list of required documents and submits it to the client liaison (point-of-contact, POC) (see Appendix B for a sample documentation list). Once this checklist is completed, the team will do the following:
Review applicable state and federal laws affecting this particular client.
Review available documentation; note areas of concern.
Draw up a list of known bugs and security vulnerabilities to test for in the client environment.
Phase II: Interviews, Information Reviews, and Hands-On
Investigation
The steps that the NVA team should perform during this phase of the process include:
The NVA team defines the roles or functions about which it wants to gather information.
The Team Lead and POC develop an interview schedule.
The client POC arranges interviews with appropriate client staff members and provides office space for the NVA team.
Appropriate members of the NVA team interview the identified staff members and other identified personnel. Note: sufficient and legible notes should be taken to document the information received from the interviews.
The NVA team (usually) requests additional documents that were not provided in Phase I.
The NVA team requests additional interviews, as needed.
The Team Lead requests facility and network clearance and passwords for team members from the client POC, as required.
The NVA team tours computing facilities and conducts tests of operating systems, hardware, network devices, and software.
The NVA team tours facilities and performs physical plant inspection.
Interviews
Interviews are conducted with key infrastructure support personnel and key
business units. Interviews are also conducted with other third-party customers
of the network environment. These interviews may continue after Phase IV
(Draft Report) as issues arise or clarifications are needed.
The people who should be interviewed include those employees who are
in charge of:
System design and architecture
Support services (customer support, technical support, help desk support)
System management and administration
Security policy design
System installation
The NVA team should try to make the interview as nonthreatening as possible to the employee being interviewed. The interviewee should be informed that an assessment — not an audit — is being conducted. Additionally, the interviewee is not the specific focus of an investigation. It is the objective of the interview to get the interviewee to view this process as an opportunity to share comments regarding security and to make recommendations as to what needs to be changed without fearing any repercussions.
The key subject areas that need to be discussed during the interview
process include:
Who the employee is and his or her relationship to the network
What data the employee accesses, how this is done, and what applications are made available to the employee, and for what purposes
What the employee perceives to be critical or sensitive data and resources
What the employee’s understanding is of company security policies and procedures
What security vulnerabilities the employee is aware of
What changes or solutions the employee would recommend to improve corporate security practices
Hands-On Investigation
This technical information is gathered from probing the network, evaluating central servers, investigating system and network configurations, and observing network usage. Critical systems and high-risk elements are emphasized in the report, although you should document other findings (i.e., less critical) as thoroughly as is feasible. If you discover any highly critical breaches of security, you should inform the appropriate persons immediately, and suggest appropriate countermeasures. Your hands-on investigation will, at a minimum, cover the following areas:
Computer operations and telecommunications
System and network configuration
Network access and practices
Collect Additional Documents
During this phase you might come across areas not covered in the checklist
of documents above. Collect documents for these areas (e.g., company-specific
security implementations or policies) from the appropriate business units.
Note: Too rigid an adherence to the questions and processes in this manual may lead you to miss essential information. Be ready to pursue an interesting avenue that may provide useful insights into the security policies and practices at the client company. The questions are meant to provide you with guidelines, not to restrict your judgment in pursuing other investigative activities in support of the goals of the NVA.
Phase III: Analysis
The process of analysis actually begins with the acquisition of the first
document and only ends in the generation of the Draft Report during Phase
IV. Analysis spans most of the NVA process and generates the majority of
content in the report. The initial and ongoing analysis shapes and directs
further data collection and interviews. In the analysis phase, the objective is
to identify threats and vulnerabilities, and make recommendations to mitigate
the risks by implementing countermeasures. The ideal result of any analysis
is a workable and cost-effective balance among the parts of the risk equation.
During this phase, the NVA team will:
Review interview and inspection results and analyze the data for security vulnerabilities; identify risks to the client’s computing assets.
Evaluate vulnerabilities for possible controls or safeguards that can be applied.
High risk levels may result from threats or vulnerabilities that are severe,
or from countermeasures that are weak. The key is to balance the threats and
vulnerabilities with affordable countermeasures. It is not possible to achieve
an environment in which there are zero threats and zero vulnerabilities, and
it is not possible for an organization to achieve low risk without some
investment in countermeasures.
Analysis of the previously collected data (from Phase II) can focus on several different areas, both technical and policy related (see Exhibit 5). This section presents explanations of the analysis process in general, analysis within various focal areas, and vulnerability hot-spot checklists for each area under investigation.
Risk Analysis
Practically speaking, evaluating threats and vulnerabilities is best done by
trying to ascertain what types of damage can result from the failure of
countermeasures. Once these basic investigations are performed, risk analysis
looks at ways of dealing with these threats in a cost-effective manner. In fact,
the primary goal of risk analysis is to provide data for making informed
decisions about cost-effective safeguards. The NVA is not, properly speaking,
a risk analysis study, but we do use some of the same assumptions and follow
similar protocols in the course of the NVA. A true risk analysis would attempt
to assign a risk priority to each threat (as previously discussed) by determining
the probability of occurrence and the possible impact. (Note: Information
Security Risk Analysis is available through CRC Press.)
Determining the damage that can result from the failure of countermeasures
is difficult. That is, it is difficult to quantify the potential or probable monetary
loss when a company loses intangibles, such as the following:
System configurations. An accurate, up-to-date network map or system configuration list could be a critical resource in the hands of an attacker.
Passwords. What does it mean to have a privileged password compromised? How does an organization value it — at the level of the damage caused?
Information loss. What does it mean to have the Coca-Cola Company lose its secret formula? How does the organization value the damage — at the net worth of the company?
Errors. How could a particular database error affect an organization’s business?
Integrity. What does it mean to lack the ability to detect unauthorized deletion, modification, duplication, or forgery of data?
CPU cycles and bandwidth. What does it mean to lose the ability to do some activity because an unauthorized activity is taking place (denial-of-service)?
Exhibit 5. The Risk Equation (diagram relating Threats, Vulnerabilities, Safeguards, and Assets to Risk)
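As an added illustration (not code from the book), the following Python tool turns the ideas of this section into a small risk-ranking exercise: each threat is rated for probability of occurrence and possible impact, the score is discounted by the strength of the existing safeguard (so weak countermeasures leave risk high), and candidate countermeasures are compared by risk reduction per unit of cost so that a limited budget is spent where it buys the most. The 1-to-5 rating scales, the 0-to-1 safeguard strength, the sample findings (modelled on the intangibles listed above) and all cost figures are assumptions constructed for the example.

```python
"""Risk prioritization for NVA findings.

Added example; not code from the book.  All scales are assumptions made for
illustration: probability and impact are rated 1 (low) to 5 (high), and the
strength of a safeguard is 0.0 (none) to 1.0 (fully effective).
"""
from dataclasses import dataclass, replace


@dataclass
class Finding:
    asset: str
    threat: str
    probability: int                  # likelihood of occurrence, 1..5 (assumed scale)
    impact: int                       # damage if the threat is realized, 1..5 (assumed scale)
    safeguard_strength: float = 0.0   # how well the current countermeasure holds, 0..1

    def __post_init__(self):
        # Reject ratings outside the assumed scales instead of silently mis-scoring.
        if not (1 <= self.probability <= 5 and 1 <= self.impact <= 5):
            raise ValueError("probability and impact must be rated 1..5")
        if not (0.0 <= self.safeguard_strength <= 1.0):
            raise ValueError("safeguard_strength must be between 0 and 1")

    def risk_score(self) -> float:
        """Residual risk: inherent risk (probability x impact, at most 25)
        scaled by the portion the existing safeguard does not cover.
        A weak safeguard leaves the score close to the inherent risk."""
        return round(self.probability * self.impact * (1.0 - self.safeguard_strength), 2)


def rank_findings(findings):
    """Order findings for the report: highest residual risk first."""
    return sorted(findings, key=lambda f: f.risk_score(), reverse=True)


@dataclass
class Countermeasure:
    name: str
    finding: Finding
    new_strength: float   # safeguard strength once the countermeasure is in place
    cost: float           # relative cost units (assumed)

    def risk_reduction(self) -> float:
        """Drop in residual risk if this countermeasure is applied."""
        after = replace(self.finding, safeguard_strength=self.new_strength)
        return round(self.finding.risk_score() - after.risk_score(), 2)

    def benefit_per_cost(self) -> float:
        return round(self.risk_reduction() / self.cost, 4)


def rank_countermeasures(countermeasures):
    """Most cost-effective countermeasure first."""
    return sorted(countermeasures, key=lambda c: c.benefit_per_cost(), reverse=True)


def select_within_budget(countermeasures, budget):
    """Greedy pick by risk reduction per unit cost until the budget is spent."""
    chosen, remaining = [], budget
    for cm in rank_countermeasures(countermeasures):
        if cm.cost <= remaining:
            chosen.append(cm)
            remaining -= cm.cost
    return chosen


# Constructed sample findings, modelled on the intangibles the text lists.
FINDINGS = [
    Finding("privileged administrator account", "compromise of a privileged password", 3, 5, 0.2),
    Finding("network map and configuration list", "disclosure of an up-to-date network map", 4, 3, 0.25),
    Finding("customer database", "undetected unauthorized modification of records", 2, 5, 0.5),
    Finding("internet link bandwidth", "denial of service from unauthorized traffic", 3, 2, 0.0),
]

# Constructed candidate countermeasures with assumed strengths and costs.
COUNTERMEASURES = [
    Countermeasure("multi-factor authentication for administrators", FINDINGS[0], 0.8, 4),
    Countermeasure("access-control and handling policy for network documentation", FINDINGS[1], 0.75, 2),
    Countermeasure("integrity monitoring and audit logging on the database", FINDINGS[2], 0.9, 5),
    Countermeasure("upstream rate limiting on the internet link", FINDINGS[3], 0.5, 3),
]

if __name__ == "__main__":
    for f in rank_findings(FINDINGS):
        print(f"{f.risk_score():5.1f}  {f.asset}: {f.threat}")
    for cm in select_within_budget(COUNTERMEASURES, budget=7):
        print(f"select: {cm.name} (reduces risk by {cm.risk_reduction()} at cost {cm.cost})")
```

With the sample data the privileged-password finding ranks first (residual risk 12.0) even though its inherent score is not the highest, because its existing safeguard is weak; the documentation policy ranks first among countermeasures because it buys the most risk reduction per unit cost, and a budget of 7 selects it together with multi-factor authentication. The greedy selection is a deliberate simplification of the "cost-effective balance" the text describes, not a statement of the book's own method.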