Network Vulnerability Assessment Methodology 63
Determining the actual risk in terms of real potential loss to a particular
asset requires a clear understanding of what is sensitive and critical to the
enterprise. This is why careful interviewing of staff in Phase II and close
collaboration with top management and network administrators throughout
the NVA process are so important.
Bear in mind that the analysis needs to meet the business objectives or
mission of the enterprise. The more you communicate with the business units
and users during the NVA process, the more they will understand the context
in which the final recommendations are communicated. In the end, what the
sponsor wants to know is how to protect the business and what needs to be
done to ensure that the company can recover and continue operations in the
event of a critical service interruption.
Threat Analysis
Listed below are the critical areas related to threats and vulnerabilities that
you should be sure to cover in your analysis. When you begin, you should
use these to guide the inspection and analysis processes. Be sure to familiarize yourself with these issues before you begin Phase II; knowledge of
these areas will assist you in gathering the information you need to perform
a thorough analysis. Areas of investigation include:
Application development
Auditing
Firewalls
Organizational suitability
Personnel
Physical plant and facilities
Standards and practices
Technical safeguards
Training
Security Policy
A security policy is the basis of any coordinated security effort and provides
a framework from which to assess the security practices of the organization.
Therefore, it is the starting point for an NVA. If the organization does not
currently have a security policy, you will need to assess what is currently
being done to provide security and make recommendations about writing a
security policy. (Note: Information Security Policies, Procedures and Standards
is available through Auerbach Publications.)
When analyzing security issues involving the company’s security policies,
the NVA team should consider the following:
Does it explicitly state what is and is not permissible (e.g., employees can
hold outside jobs, but employees cannot work for a competitor)?
Does it cover all security-related factors in the company, from network
security to physical security to noncompete agreements?
Is the policy distributed to and understood by the company’s workforce?
Have actions ever been taken as a result of violations of the policy?
Security Handbook
ISO 17799 and industry practice recommend that every organization have a
security handbook targeted to all employees. This handbook translates the
company’s security policy into specific practices for its employees, demonstrating how the security policy applies to them.
If the company has a security handbook, the NVA team should consider
the following:
Does it ensure that users can implement the security policy correctly?
How specific is the security handbook? Does it address issues in generalities, or does it give specific examples?
Does it show users how the company security policy affects the business
objectives or mission?
Does it make clear the consequences to the employee of not following
the security policy?
Does it give users an understanding of their responsibilities and stress the
degree of personal accountability?
Does it show users how to apply the security policy and procedures in
their specific working environment?
Does it cover security policies for remote users and “on-the-road” staff?
Does it provide a method for reporting suspected security violations and
explicitly support “whistle-blowers”?
It is imperative that employees receive these messages from their security
handbook and their managers. The risk of ignorance is employees who are
unsure about security and their role in upholding the organization’s security
practices. Experience shows that employees will assume they can do something
rather than that they cannot do something (e.g., download public-domain
software).
Standards and Practices
Standards and practices are the means by which a security policy is implemented throughout an organization. They help translate the high-level concepts
of the policy into the day-to-day practice.
When assessing the security issues involving standards and procedures, the
NVA team should consider the following:
Does the company have the procedures in place to implement its security
policy?
Do the practices clearly reflect the goals of the security policy and how
that policy supports the business objectives or mission of the enterprise?
Does the company have a procedure for continually evaluating its current
systems, security, and practices against new computing implementations
and processes?
Do project managers and senior management support security practices?
Are the company’s practices and standards intrusive? Do they hinder
productivity?
Document Handling
Standards and practices should include document handling. Procedures for
document creation, storage, backup, archival, retrieval, use, protection, tracking, and disposal need to be specified.
When assessing the security issues involving the document handling process, the NVA team should consider the following:
Does the company have a reasonable and usable asset classification scheme
for enterprise information, both hard copy and online documentation? Asset
classification is the process by which an organization categorizes informa-
tion and implements controls based on its level of sensitivity. Note that it
is particularly important that proprietary information is classified as such,
and personnel information is classified as confidential with appropriate
controls.
Is confidential material stored in a secure location (locked cabinets for
hard copies; directories with limited access for online documents)? U.S.
courts have determined that proprietary information (trade secrets) may
not be considered proprietary if it can be demonstrated that the information
was freely available to all employees.
Is the classification scheme followed? You should have a copy of the asset
classification standards; check to see if you can find sensitive documents
left in insecure locations in violation of the stated standards.
Is confidential material printed in an insecure area? Are printouts left
overnight on the printer or in the photocopy machine?
Are confidential materials disposed of in a wastebasket, rather than a
shredder?
Are confidential materials destroyed properly? Is the removal and destruction of confidential materials monitored by a trusted employee?
Are backup media in a secure location with monitored access?
How is the information record inventory managed and controlled?
How accessible are sensitive documents? Are they easily accessible to those
who have the authority to view them?
Are practices in place that allow detection of unauthorized changes to
documents?
Incident Handling
A security incident is commonly defined as any unwanted change in the
security status quo of an infrastructure. Examples include a key resource that
crashed due to an operating system bug, virus problems in office PCs, or an
attack on the infrastructure by a malicious person (an insider or outsider).
(Note: Critical Incident Management is available through Auerbach Publications.)
When assessing the company’s incident handling procedures, the NVA team
should consider the following:
Has the company defined what constitutes a security incident?
Are procedures in place to follow during a security incident?
Are standards established on when to pursue an incident?
Is there a process to determine when to prosecute an incident?
Has the organization formed a computer incident response team (e.g., CIRT)?
Are procedures in place to handle public relations during a security event?
Is the organization actively monitoring the network infrastructure for security violations?
If the enterprise is not prepared for a security event, it is much less likely
to recognize when an incident has occurred. For example, if system events
are not logged, it may be impossible to recognize a system anomaly that
indicates someone is trying to obtain illegitimate access to the system.
Furthermore, if someone has once gained undetected access to the system,
the attacker is likely to try again, guessing that because the security hole he
or she used to gain access is still available, the original hack went undetected.
The probability that the company network will be attacked again while it is
still vulnerable is correspondingly higher. Understanding the probability of a
security incident and being prepared to deal with one gives the company the
opportunity to detect security incidents expeditiously. With incident handling
guidelines in place, the organization can control the situation and limit the
damage.
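The paragraph above argues that without event logging a repeated access attempt cannot be recognized. As an added illustration (not from the book), the following Python reads a few constructed sshd-style authentication log lines and flags a source that piles up failed logins and then succeeds, which is the "hole still open, attacker returns" pattern the text describes. The log lines, host name, addresses and thresholds are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth log (syslog style, no year); not real data.
SAMPLE_LOG = """\
Mar 12 02:14:01 fileserver sshd[4811]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2
Mar 12 02:14:03 fileserver sshd[4811]: Failed password for invalid user admin from 198.51.100.23 port 51023 ssh2
Mar 12 02:14:05 fileserver sshd[4811]: Failed password for root from 198.51.100.23 port 51024 ssh2
Mar 12 02:14:09 fileserver sshd[4811]: Failed password for root from 198.51.100.23 port 51025 ssh2
Mar 12 02:14:12 fileserver sshd[4811]: Accepted password for root from 198.51.100.23 port 51026 ssh2
Mar 12 08:30:44 fileserver sshd[5120]: Accepted publickey for alice from 10.0.0.15 port 40212 ssh2
Mar 12 08:31:02 fileserver sshd[5131]: Failed password for alice from 10.0.0.15 port 40215 ssh2
Mar 12 08:31:10 fileserver sshd[5131]: Accepted password for alice from 10.0.0.15 port 40216 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)

def parse_auth_log(text):
    """Return (timestamp, result, user, src) tuples for lines that match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated line; a real parser would count these too
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year absent in syslog
        events.append((ts, m["result"], m["user"], m["src"]))
    return events

def find_suspicious_sources(events, max_failures=3, window_seconds=300):
    """Map src -> reason. A source is flagged once it reaches max_failures
    failed logins inside window_seconds; the reason is upgraded when a
    successful login follows such a burst from the same source."""
    failures = defaultdict(list)
    flagged = {}
    for ts, result, user, src in events:
        recent = [t for t in failures[src] if (ts - t).total_seconds() <= window_seconds]
        failures[src] = recent  # keep only failures still inside the window
        if result == "Failed":
            recent.append(ts)
            if len(recent) >= max_failures:
                flagged.setdefault(src, "repeated failed logins")
        elif len(recent) >= max_failures:  # Accepted right after a burst
            flagged[src] = "success after %d failures (user %s)" % (len(recent), user)
    return flagged
```

Alice's single typo followed by a successful login stays below the threshold, so the detector reports only the scanning source.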
Asset Protection Management and Awareness
When assessing the level of protection management and awareness in the
network environment, the NVA team should consider the following:
Have levels of trust been established within and outside the organization?
In this case, “trust” can be defined as the ability of the system to perform
data actions with integrity, to keep confidential information private, and
to perform without interruption. The amount of trust you have in the
system is partly a function of the quality of the protection of corporate
assets.
Are there business continuity and technology disaster recovery procedures
in place? Have the plans been tested? It is always a good idea to test the
procedures; just like fire drills, the results provide useful data about flaws
in the disaster recovery process.
Has the backup media been tested to ensure that they contain retrievable
data?
How is access determined and monitored?
Is access revoked in a timely manner?
What incidents have occurred recently? How were they handled?
What were the employees’ reactions to the incident handling?
Could the incidents reoccur?
Organizational Suitability
When there is a mismatch between an organization’s security policy and
procedures and its corporate goals and environment, inevitably the security
policy will not be honored in practice. If they do not work in that particular
environment, they will not be implemented consistently or accurately. Security
policy and procedures are only as strong as management’s commitment to
their practice. When assessing the organizational suitability of a security policy
and procedures, the NVA team should consider the following:
Is senior management openly supportive of the information security program?
Do managers observe the security policy in their business practices?
Employees will value that which their managers and senior management
value.
Are the employees able to perform their duties efficiently and effectively
while following security procedures? Highly intrusive security procedures
can stifle employee productivity. Either employees will spend more time
worrying about following procedures than actually getting the job done,
or they will use “short-cuts” to limit the irritation of doing the procedures
properly.
Does the company have the resources to adequately fund and staff its
security efforts? For example, if the organization has a policy that states
that no public-domain software can be run before a system administrator
clears it, does the organization have the employees to support this? If the
resources do not exist, then the result is that employees will run unapproved software, in contravention of the established policy.
Does the enterprise enforce security policy throughout the organization?
This goes along with clearly visible management support. If employees
perceive that management support for security enforcement is weak, they
will not be motivated to observe security practices.
Personnel Issues
An organization’s security policy and procedures should be followed by all
categories of staff (e.g., full- and part-time employees, contractors, temps, and
interns). To work effectively, employees need to know what is expected of
them and have the management and resource support they need to do their
jobs.
When assessing the security issues involving employees, the NVA team
should consider the following: