Sample NVA Report 225
Finding 3: Risk Analysis Procedure....................................................
Finding 4: Incident Management and Response...............................
Finding 5: Information Awareness Program......................................
Security Architecture .................................................................................
Finding 1: Intrusion Detection System...............................................
Finding 2: Security Architecture .........................................................
Access Control Methodologies .................................................................
Finding 1: User Identification and Authentication............................
Finding 2: Password Strength .............................................................
Finding 3: Unencrypted Passwords....................................................
Finding 4: User Account Management...............................................
Physical and Operational Security ...........................................................
Finding 1: Violations of Operations Security Procedures ................
Finding 2: Violations of Physical Security Procedures .....................
Finding 3: Physical Access to Critical Workspaces ...........................
Telecommunications and Network Security ............................................
Finding 1: SNMP ..................................................................................
Finding 2: TCP Sequence Prediction .................................................
Finding 3: Outside Availability of Telnet...........................................
Finding 4: Firewall, DMZ, and Proxying ...........................................
Finding 5: Anomalous Network Events .............................................
Applications and Systems Security...........................................................
Finding 1: Developer Access to Production Systems .......................
Finding 2: Sun Development Cluster.................................................
Finding 3: Mail Server .........................................................................
Finding 4: Production Web Server ISAPI Vulnerability ....................
Finding 5: Development Web Server .................................................
Finding 6: WINS/DHCP Server XXX_ntadmin...................................
Finding 7: Null Sessions......................................................................
Finding 8: Visual Basic Scripting........................................................
Finding 9: Default Workstation Install ...............................................
Finding 10: Configuration Audit and Change Control Findings ......
5.0 Vulnerability Assessment Test Protocol.........................................................
Zero-Information-Based (ZIB) Footprint Analysis ..................................
Address Space Scan...................................................................................
Point Scan ..................................................................................................
Document Examination.............................................................................
Platform Configuration Assessment..........................................................
Network Scan/Attack Simulation from within the Target
Network Segment............................................................................................
Verification .................................................................................................
Analysis and Reporting .............................................................................
6.0 Exceptions to the Vulnerability Assessment Test Protocol..........................
7.0 Standards Applied...........................................................................................
Common Criteria .......................................................................................
Common Methodology .............................................................................