Network Vulnerability Assessment Sample Report 179
Exhibit 5. Key Safeguards (Continued)
Secure Messaging
It is important that all messages containing confidential information be sent
by a secure means within the network environment. This is true even for
information that is being kept within the corporate network. Because the
major threat to your data comes from within the network, it is important that
your data be protected from internal threats. Protection for data that is passed
across the network can be made available through the use of file encryption
software of “link encryption,” where the path the data takes is protected.
Recommendation. Protection for network data can be provided through
the use of file encryption software or “link encryption,” where the path the
data takes is protected. Virtual private networks (VPNs) are an additional
means of protecting data at the network layer.
Access Control (Authorization)
Access control is the process of determining what actions a properly authenticated
individual user can take on the network. “Read, write, and execute” are access
control rights. We found little formal evidence that Bogus has any explicit access
control policies. What access control is there is mostly anecdotal. “Everybody
knows that manufacturing personnel cannot access the finance database.” Every-
one who is responsible for providing access to internal network data is expected
to “do the right thing.” Access control is the method used to control access at a
very granular level and can be managed by a number of products.
Recommendation. Bogus should deploy Authorization Software to enhance
access control on Bogus’ UNIX and NT systems.
Auditing
Auditing allows an organization to determine what actions have been taken
in the network environment. With this information, it is possible to determine
what happened, when it happened, and who did it. This information is
essential for investigations into breaches of data security. Gathering evidence
and establishing events leading up to a security incident require that network,
file, and application data is available. All significant events should be monitored
by detective controls.
Recommendation. The Homer Security Server logs all relevant authentica-
tion events according to system default settings for security logging in a
distributed environment. Even without strict audit implementation, network
management should consider using a variety of auditing software to better
monitor network activities. Logging of significant events in the network needs
to be identified and recorded. The NVA recommends additional deployment
of Intrusion Detection’s KANE products (Monitor and Analyst) or ISS’s SAFE-
suite products (System Security Scanner and RealSecure) for system monitoring
and analysis.