66 Managing Network Vulnerability Assessment
crashed due to an operating system bug, virus problems in office PCs, or an
attack on the infrastructure by a malicious person (an insider or outsider) (Note:
Critical Incident Management is available through Auerbach Publications.)
When assessing the company’s incident handling procedures, the NVA team
should consider the following:
Has the company defined what constitutes a security incident?
Are procedures in place to follow during a security incident?
Are standards established on when to pursue an incident?
Is there a process to determine when to prosecute an incident?
Has the organization formed a computer incident response team (e.g., CIRT)?
Are procedures in place to handle public relations during a security event?
Is the organization actively monitoring the network infrastructure for security violations?
If the enterprise is not prepared for a security event, it is much less likely
to recognize when an incident has occurred. For example, if system events
are not logged, it may be impossible to recognize a system anomaly that
indicates someone is trying to obtain illegitimate access to the system.
Furthermore, once someone has gained undetected access to the system, the
attacker is likely to try again, reasoning that the security hole used to gain
access is still open and that the original intrusion went unnoticed.
The probability that the company network will be attacked again while it is
still vulnerable is correspondingly higher. Understanding the probability of a
security incident and being prepared to deal with one gives the company the
opportunity to detect security incidents expeditiously. With incident handling
guidelines in place, the organization can control the situation and limit the
damage.
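As an added illustration of the logging point above (example code, not from the book): a small Python detector run over constructed sshd-style auth log lines, flagging a burst of failed logins from one source and a success that follows repeated failures from the same source. The log lines, thresholds and window are assumptions chosen for the example; the point is that none of this can be seen if events are not logged in the first place.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of OpenSSH-style auth log lines (not from a real system).
SAMPLE_LOG = """\
Mar 14 09:12:01 gw sshd[2210]: Accepted password for alice from 10.0.0.5 port 51122 ssh2
Mar 14 09:13:10 gw sshd[2231]: Failed password for root from 203.0.113.9 port 40001 ssh2
Mar 14 09:13:12 gw sshd[2232]: Failed password for root from 203.0.113.9 port 40002 ssh2
Mar 14 09:13:15 gw sshd[2233]: Failed password for admin from 203.0.113.9 port 40003 ssh2
Mar 14 09:13:19 gw sshd[2234]: Failed password for invalid user oracle from 203.0.113.9 port 40004 ssh2
Mar 14 09:13:24 gw sshd[2235]: Failed password for bob from 203.0.113.9 port 40005 ssh2
Mar 14 09:14:02 gw sshd[2240]: Accepted password for bob from 203.0.113.9 port 40006 ssh2
Mar 14 09:40:00 gw sshd[2301]: Failed password for carol from 10.0.0.7 port 50010 ssh2
Mar 14 09:40:30 gw sshd[2302]: Accepted password for carol from 10.0.0.7 port 50011 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

def parse(log_text, year=2024):
    """Yield (timestamp, result, user, ip) for each recognised sshd auth line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["ip"]

def find_suspicious_logins(log_text, threshold=5, window=timedelta(minutes=2),
                           min_failures=2):
    """Flag a source IP the moment `threshold` failures fall inside `window`,
    and flag a successful login preceded by >= min_failures failures from that IP.
    A single typo followed by a success is deliberately left unflagged."""
    failures = defaultdict(list)
    findings = []
    for ts, result, user, ip in parse(log_text):
        if result == "Failed":
            failures[ip].append(ts)
            recent = [t for t in failures[ip] if ts - t <= window]
            if len(recent) == threshold:
                findings.append(("burst", ip, len(recent)))
        elif len(failures[ip]) >= min_failures:
            findings.append(("success_after_failures", ip, user))
    return findings

if __name__ == "__main__":
    for finding in find_suspicious_logins(SAMPLE_LOG):
        print(finding)
```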
Asset Protection Management and Awareness
When assessing the level of protection management and awareness in the
network environment, the NVA team should consider the following:
Have levels of trust been established within and outside the organization?
In this case, “trust” can be defined as the ability of the system to perform
data actions with integrity, to keep confidential information private, and
to perform without interruption. The amount of trust you have in the
system is partly a function of the quality of the protection of corporate
assets.
Are there business continuity and technology disaster recovery procedures
in place? Have the plans been tested? It is always a good idea to test the
procedures; just like fire drills, the results provide useful data about flaws
in the disaster recovery process.
Have the backup media been tested to ensure that they contain retrievable
data?
How is access determined and monitored?