68 Managing Network Vulnerability Assessment
Are there enough employees to support current business goals? Security
errors and “short-cuts” are more likely to occur in highly stressed environments.
If people are under pressure to produce under tight deadlines,
careful observance of security practices is likely to be the first casualty.
Do employees and project managers know their roles and responsibilities?
Are current employees performing necessary and sufficient tasks, or could
any of their tasks be considered wasteful? Ensuring that only necessary
jobs are being done helps employees focus on keeping the essentials well
organized. Ensuring that a sufficient job is being done ensures that time
is not wasted in correcting problems caused by incomplete solutions. Efforts
past sufficiency in a resource-poor environment are wasteful.
Are employees performing their tasks efficiently and effectively? Ensuring
that work is efficiently and effectively performed saves time and energy,
allowing employees to complete tasks to a sufficient performance level.
Are employees properly trained? Do they have the necessary expertise to
implement security practices identified by the assessment process? Employees
cannot implement that which they do not understand. Also, the
organization needs to be sure that technology expertise is not concentrated
in any single employee. What happens if key employees are disabled or
unavailable? It is a good idea to spread critical knowledge around so that
the loss of one critical employee does not precipitate a security incident.
Does the organization need to acquire additional security expertise? Can
current employees acquire additional expertise from training? From an
employee skill assessment, the organization can determine where its
employees lack qualifications and experience. Increased security may
require additional, specialized expertise, which may be obtained by training
employees.
Does the organization need to hire outside expertise (consultant)? What
are the security issues associated with outsourcing? Before adding outside
expertise, the organization should evaluate the risks associated with outsourcing
such activities.
Does the organization handle employee terminations in such a way that
data and physical security are maintained? Human resources procedures
for employee termination need to be documented. For example, system
administrators need to be formally notified by HR in a timely manner when
someone leaves the company. System administrators need to know that
employees and contractors are legitimate and what level of access they
should have to company information.
Physical Plant and Facilities
The security of company equipment and facilities is just as important as the
security of the network infrastructure. Inadequate physical security may allow
theft or sabotage of information, and compromise the network. Once the
network is compromised, the expectation of trust has been violated.
When assessing physical and facility security, the NVA team should consider
the following:
Network Vulnerability Assessment Methodology 69
How is access to the buildings and computing facilities controlled?
Who and how many have access to computing facilities? Computing
facilities should be accessible to only staff members who have a demonstrated
need for access. Automatic doors can be a security risk because
they often close slowly, allowing “tailgaters” to gain access. Movement
sensors that unlock doors also represent a risk.
How is after-hours access controlled? Who has access to the building after
hours?
Are systems and other hardware adequately protected from theft?
Are systems and hardware adequately protected from physical tampering?
For example, are critical systems or communications links adequately
protected? All the security employed across a network will be useless if
an intruder can get at the network cabling or connections and sabotage
them.
How is trash disposed of? Are the members of the cleaning crew bonded?
Are packages checked when carried into or out of the facilities?
Does the security policy conflict with the corporate culture? If the organization
reposes complete confidence in its employees, then certain security
practices may not be acceptable. For example, it may not be “culturally”
possible to monitor building access after hours, although it is certainly
technically feasible.
After-Hours Review
Part of assessing physical security includes an after-hours review. The purpose
of this review is to see how well security is implemented during off-hours.
Even if security is enforced during working hours, the organization is at risk
if sensitive or critical information and systems are accessible after hours.
The NVA team should consider the following:
Is confidential information found in publicly accessible dumpsters? Yes,
you will need to do some “dumpster-diving” to determine the answer to
this question. You can also check wastebaskets after people have left but
before the cleaning crew has arrived.
Is confidential information left visible in unlocked offices and work areas?
Does the cleaning crew have access to locked offices?
Are workstations and servers left unlocked? Does the cleaning crew have
access?
Are keys left in accessible areas? Are passwords posted visibly?
Is the building completely locked?
What procedures does the cleaning crew follow (e.g., do they prop doors
open)?
Training
The risk of not providing appropriate training for all employees is that employees
believe they have all the skills and knowledge necessary to perform their
jobs. Employees may have the necessary job skills but they can be ignorant
of the security procedures they are expected to follow. Training translates the
policy and procedures given in the corporate security handbook and makes
them applicable to each employee’s job functions.
When assessing the security training at an organization, the NVA team
should consider the following:
Do employees know the business direction and goals?
Do employees receive security-related training specific to their responsibilities?
Are employees receiving both positive and negative feedback related to
security on their performance evaluations?
Are employees aware of the security-related risks of their jobs?
Are system administrators given additional security training specific to their
jobs? Security-specific training will make system administrators aware of
new developments in security, new threats that emerge, and the technical
advances that give hackers new methods for breaching an organization’s
security.
Auditing and Oversight
Security controls must be managed, tested, and enforced once they are in
place. When assessing the oversight of the company’s security policy and
procedures, the NVA team should consider the following:
Who is responsible for performing security audits? This could be a political
“hot potato.” Most organizations have an internal audit role or department.
It makes sense that security auditing should be a responsibility of this
group, but it does not always happen that way. Regardless of who is doing
the auditing, be sure to evaluate whether that person(s) has the training
to perform an adequate security audit. The process and responsibilities of
the security audit function should be documented. Approach this issue
with caution. Auditors know their job and perform it very well. Make sure
that this topic is handled correctly.
Are the security policy and procedures routinely tested? Are audits performed
on a regular basis?
Are exceptions to the security policy justified and documented?
Are reporting mechanisms in place on the systems (e.g., system logging,
monitoring, and assessment tools)?
Who controls these and the data reported by them?
Is the data stored in a secure location? How often are the logs reviewed?
Are appropriate system, machine, and user parameters checked (configuration,
management, file system, version numbers, traffic, etc.)?
Are errors and failures tracked? Are anomalies defined and flagged?
Are recurrences of these errors and failures prevented?
When operator or user error or oversight is detected, is appropriate training
or disciplinary action taken?
Is a security incident response capability alerted when a security incident
occurs?
Who reviews the audit results?
Application Design, Development, Deployment, and Management
It is recommended that all organizations formalize their application development
process, which includes architecture, design, implementation, testing,
deployment, and security issues.
When assessing the security issues involving the application development
process, the NVA team should consider the following:
Is testing performed in an isolated environment?
Is there a documented promotion-to-production procedure in place?
How is the deployment of new applications approached? Is it phased into
the production environment?
How is data management handled? Is the data master stored securely?
How is labeled data processed, transported, stored, and disposed of? Failing
to examine and secure the separate steps of the application development
process leaves the organization vulnerable to attack from within by
disgruntled employees.
Technical Safeguards
Technical safeguards enforce security policy and procedures throughout the
network infrastructure. The NVA team should assess the organization’s technical
safeguards by network type (e.g., LANs and WANs), network connections
(e.g., bridges, routers, and gateways), and platform (e.g., desktop systems,
file servers, and application servers). The assessment of technical safeguards
makes up the greater part of the NVA.
When assessing the technical safeguards of the network infrastructure, the
NVA team should consider the following:
How is the network partitioned?
How are desktop platforms secured?
How are host systems and servers, as well as application servers, secured?
Is the security commensurate with the trust level and risk?
Are passwords and accounts shared? Are passwords managed securely?
Are there unsecured user accounts in use (e.g., guest)?
Is network management robust? Do network and system administrators
have adequate experience and training to implement security correctly?
What reporting mechanisms are used? Who reviews the reports?
Are permissions set securely? How are permissions determined?
Are administrators using the appropriate tools to perform their jobs?
Is there a complete network diagram available? How current is it?
How is access controlled?
What network controls are being used?
How is connectivity controlled?
How is remote access controlled?
Are critical systems protected with appropriate access controls?
What vulnerabilities are inherent (known bugs) in the systems and applications
in use?
Have all systems and applications been brought up-to-date with appropriate
patches and fixes (against known bugs and vulnerabilities)?
Are critical systems adequately protected (e.g., are they backed up or
replicated)? Are the backup media securely stored?
What security auditing and assessing is being performed?
How are backups scheduled and implemented?
Is the data stored on laptops subject to more stringent security controls?
Firewalls
Assessing the security of a firewall begins with the organization’s network
security policy, which defines exactly what protocols are allowed to penetrate
a security perimeter and under what conditions those penetrations are allowed.
If such a policy does not exist, the NVA team should examine the internal
infrastructure and its requirements and then report its determination of what
this policy might be like and what it would need to contain.
When assessing the security of an organization’s firewall, the NVA team
should consider the following:
What protocols are allowed to go across the firewall, and under what
conditions? Typically, a common rule is used, such as: everything not
explicitly disallowed is allowed. However, industry experts and NIST
Special Publication 800-41 “Guidelines on Firewalls and Firewall Policy”
recommend using the opposite of this rule by explicitly identifying connectivity:
everything not explicitly allowed is disallowed.
Is the approach used appropriate, given the economics of the organization,
administration requirements, security control requirements, and any other
factors the company has specified?
Are the firewall and its role sufficient for the task of securing the organization
from outside penetration?
What products are used to implement the firewall? Are the firewalls the
most effective for this operating environment? Have the products been
rigorously tested in this environment?
How is the firewall administered? Are audit logs maintained and reviewed?
What services are offered across the firewall? How can existing services
be operated better? Are there other services that can be offered to meet
corporate goals?
What is the internal structure of the network? What is the network construction
of the firewall? Where is it located in the network? How is the
connection made and administered?
What practices exist to apply patches as soon as they become available?
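The first question in this list, whether the firewall follows "everything not explicitly allowed is disallowed," can be checked mechanically against an exported ruleset. The following is an added example, not part of the original text: it assumes the firewall is Linux netfilter with rules exported in iptables-save format, the sample ruleset is constructed, and the function name audit_default_deny is hypothetical.

```python
import shlex

# Constructed sample in iptables-save format (not taken from any real host).
SAMPLE_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""

# Assumption: only traffic entering or crossing the firewall is in scope.
INBOUND_CHAINS = ("INPUT", "FORWARD")


def audit_default_deny(ruleset_text):
    """Return (chain, issue) pairs where traffic is allowed unless denied."""
    findings = []
    table = None
    catch_all_seen = set()  # chains that already hit an unconditional ACCEPT
    for raw in ruleset_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):          # table header, e.g. "*filter"
            table = line[1:]
        elif table != "filter":
            continue
        elif line.startswith(":"):        # chain policy, e.g. ":INPUT DROP [0:0]"
            chain, policy = line[1:].split()[:2]
            if chain in INBOUND_CHAINS and policy == "ACCEPT":
                findings.append((chain, "default policy is ACCEPT"))
        elif line.startswith("-A "):      # appended rule
            args = shlex.split(line)
            chain = args[1]
            if chain not in INBOUND_CHAINS:
                continue
            if chain in catch_all_seen:
                # Rules after a catch-all ACCEPT are never evaluated.
                findings.append((chain, "unreachable rule after catch-all: " + line))
            elif args[2:] == ["-j", "ACCEPT"]:
                # No match criteria: overrides a DROP policy in practice.
                findings.append((chain, "unconditional ACCEPT rule: " + line))
                catch_all_seen.add(chain)
    return findings
```

An empty result means both inbound chains default to deny and contain no catch-all ACCEPT; it does not show that the individual allow rules are appropriate, which still has to be reviewed against the network security policy.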