Appendix C
Sample NVA Report
SANITIZED CLIENT
VULNERABILITY ASSESSMENT FINAL REPORT
By
YOUR COMPANY
Version 1.3
This document contains confidential and proprietary information. It is intended
for the exclusive use of the Client. Unauthorized use or reproduction of this
document is prohibited.
VULNERABILITY ASSESSMENT REPORT
Presented to: Client (Michael J. Cannon)
Presented by: Your Company (Consultant Name)
224 Managing Network Vulnerability Assessment
Vulnerability Assessment Team Members

Name                Company        Role
------------------  -------------  ----------------------------------------
Consultant Name     Your Company   Vulnerability Assessment Data Collection
Consultant Name     Your Company   Vulnerability Assessment Data Collection
Consultant Name     Your Company   Regional Security Practice Manager
Consultant Name     Your Company   Client Services Manager
Consultant Name     Your Company   Principal Consultant
Consultant Name     Your Company   Consultant, Security
Michael J. Cannon   Client         Manager of Network Infrastructure
Michael J. Cannon   Client         Network Security Analyst

Version History Information

Name              Description                                    Date     Version
----------------  ---------------------------------------------  -------  -------
Consultant Name   Initial Draft for Client and Internal Review   6/20/02  1.0
Consultant Name   Second Draft for Client and Internal Review    7/7/02   1.1
Consultant Name   Third Draft for Internal Review                7/14/02  1.2
Consultant Name   Final Version                                  7/20/02  1.3

Table of Contents

1.0 Executive Summary
2.0 General Opinion
    Personnel
    Policies and Procedures
    Critical Vulnerabilities
    Identification and Authentication
    Intrusion Detection
    Conclusion
3.0 Finding Rating Levels
4.0 Findings
    Security Management
        Finding 1: Policy and Procedure Enforcement
        Finding 2: Log Review and Auditability
        Finding 3: Risk Analysis Procedure
        Finding 4: Incident Management and Response
        Finding 5: Information Awareness Program
    Security Architecture
        Finding 1: Intrusion Detection System
        Finding 2: Security Architecture
    Access Control Methodologies
        Finding 1: User Identification and Authentication
        Finding 2: Password Strength
        Finding 3: Unencrypted Passwords
        Finding 4: User Account Management
    Physical and Operational Security
        Finding 1: Violations of Operations Security Procedures
        Finding 2: Violations of Physical Security Procedures
        Finding 3: Physical Access to Critical Workspaces
    Telecommunications and Network Security
        Finding 1: SNMP
        Finding 2: TCP Sequence Prediction
        Finding 3: Outside Availability of Telnet
        Finding 4: Firewall, DMZ, and Proxying
        Finding 5: Anomalous Network Events
    Applications and Systems Security
        Finding 1: Developer Access to Production Systems
        Finding 2: Sun Development Cluster
        Finding 3: Mail Server
        Finding 4: Production Web Server ISAPI Vulnerability
        Finding 5: Development Web Server
        Finding 6: WINS/DHCP Server XXX_ntadmin
        Finding 7: Null Sessions
        Finding 8: Visual Basic Scripting
        Finding 9: Default Workstation Install
        Finding 10: Configuration Audit and Change Control Findings
5.0 Vulnerability Assessment Test Protocol
    Zero-Information-Based (ZIB) Footprint Analysis
    Address Space Scan
    Point Scan
    Document Examination
    Platform Configuration Assessment
    Network Scan/Attack Simulation from within the Target Network Segment
    Verification
    Analysis and Reporting
6.0 Exceptions to the Vulnerability Assessment Test Protocol
7.0 Standards Applied
    Common Criteria
    Common Methodology
    Functional Areas of Vulnerability
    ISO 17799
8.0 Reference Model
    The Standard Information Protection Model
    Client Trust Model
Appendix C-1: List of Tests Performed
    Network-Based Tests
        List of IP Addresses Tested
        Specific IP Address Targeted for Point Scans by ISS and NetRecon
        Specific IP Addresses Used for the ESM Configuration Audit
        Specific ISS Tests Conducted during Point Scans
        Specific NetRecon Tests Conducted during Point Scans
        Specific ESM Policy Tests Conducted
    Remote Access Phone Dialing Tests
        Number Range Dialed
        Numbers Captured (responses received)
        Numbers Responding with a Login Prompt
    Physical Security Tests
    Social Engineering Tests
Appendix C-2: Summary Information
    Zero-Information-Based (ZIB) Summary
    Administrative Controls Summary
    Interviews Summary
Appendix C-3: Figures and Diagrams
    Information Security Concept Flow
    Client Network Diagram
Appendix C-4: Supplementary Information
    Supplemental CD Readme File
1.0 Executive Summary
Your Company was engaged to conduct a vulnerability assessment (VA) on the perimeter and network systems of CLIENT during the month of June 2000. Your Company's objective was to discover significant vulnerabilities within the CLIENT network infrastructure. The findings are to be used, together with a risk analysis, to assist in developing an Intrusion Detection System architecture for CLIENT.

The most significant findings relate to the overall design philosophy behind the CLIENT trust model, the lack of a consistent Identification and Authentication (I&A) scheme, the inconsistent and uneven implementation of and compliance with existing policies and procedures, a lack of sufficient audit controls and procedures, and a significant number of vulnerabilities that leave the network and systems susceptible to compromise from the internal network. The detailed vulnerability assessment findings are described later in this document and are ordered by severity.
The culture and philosophy of the company dictate the trust model. The trust model of an organization is the philosophical basis upon which the security architecture is built. The security architecture provides the common framework for all other security tools, policies, and procedures. CLIENT has a trust model that assumes the internal users of the network are to be trusted. This model is designed to meet the business needs of CLIENT, in which people routinely change locations within the building and resources need to be allocated dynamically. The model is designed to meet the needs of a fluid and open business environment.
The fluid environment at CLIENT creates a situation in which control measures cannot easily be added to the network infrastructure. Because controls are insufficient, violations of current policies and procedures occur frequently and are not necessarily prevented or detected. Additionally, there is no mechanism in place to provide a verified, non-repudiable identity for individuals in the event an intrusion were to occur. Also, user IDs are locally administered and are therefore inconsistent across systems. Finally, the current policies and procedures are unevenly administered, and audit logs and information collected from various systems are insufficiently reviewed.
The vulnerabilities found during this assessment present several risks to CLIENT. The most significant of these is that internal intrusions cannot be stopped and that neither external nor internal intrusions can be detected. Information essential to the protection of critical data is not available because it is not recorded. The situation is further exacerbated by the discovery of significant vulnerabilities that would allow an internal user to easily compromise the most critical information resources. In effect, an internal user could access almost any critical aspect of the infrastructure; not only would they succeed, but there would be no record of the intrusion and almost no way of proving whether or not the intrusion occurred.
In conclusion, Your Company strongly recommends that CLIENT install an intrusion detection system (IDS) and develop a consistent user Identification and Authentication (I&A) service inside the network. Your Company also recommends an increase in internal audit controls to ensure compliance with existing policies and to ensure that timely and adequate review of log files is occurring.
2.0 General Opinion
This General Opinion discusses several overarching concerns that became apparent during the vulnerability assessment testing. It is intended to provide a more in-depth and detailed analysis of the issues raised in the Executive Summary and to shed further light on the more significant risks to CLIENT.
Personnel
While several people involved with maintaining the network and systems have
expressed concerns over the access given to entities (such as developers), the