Security Assessments


Security assessments need to support comprehensive evaluations of both the technical and non-technical measures implemented to protect information resources. The method chosen for a particular assessment must provide management with adequate information on which to base protection decisions. The assessment conducted should be commensurate with the level of assurance desired.

In conducting an assessment, the following steps should be followed:

  1. Information gathering
  2. Examination of system requirements
  3. Vulnerability hypothesis
  4. Security review
  5. Investigation and attack
  6. Reporting and recommendation

Information Gathering


This process identifies all the assets associated with the information resources. It also collects the specific information necessary for conducting some of the various assessments.

Examination of System Requirements


This is a review of the requirements found in all applicable executive orders, organizational policies and procedures, as well as legal aspects.

Vulnerability Hypothesis


This is an analysis of currently known vulnerabilities associated with the information resource. This information is acquired from Web sources and contacts. In addition, advisories from vendors are considered.

Security Review


In this task, formal approval to pursue vulnerability inspections on the information resource should be obtained from the system owners and management.

Investigation and Attack


This process is necessary for the selection and implementation of assessment methods.

Reporting and Recommendation


This process includes briefing management on the glaring vulnerabilities and cracked passwords found during the attack phase of the assessment. It also alerts management and staff to any need for immediate action. At the end, a final report presents the analyzed data and recommendations for short- and long-term corrective actions.

Assessment Methods


Two different assessment methods are used to establish the current security posture of a computer network:

Penetration Testing


Penetration-testing services are a component of consulting services. Consulting services also include the development of security policies and procedures, the performance of security vulnerability and risk analysis of networks, and the design and implementation of security solutions. The goal of security consulting services, especially for penetration testing, is to improve or augment the security posture of a network or system.

The testing is not intended to, and never should, actually cripple or compromise a network. However, testing must detect as many ways to do so as possible. The findings of the testing are aimed at improving the security posture of a network by presenting countermeasures for the vulnerabilities identified.

Vulnerability Analysis


Vulnerability analysis, or vulnerability scanning, is the act of determining which security holes and vulnerabilities may be applicable to the target network. To do this, the identified machines within the target network are examined to determine all open ports and the operating systems and applications the hosts are running. This includes the version number, patch level, and service pack. The results of the examinations are then compared with several Internet vulnerability databases to ascertain which current vulnerabilities and exploits may be applicable to the target network.

At the end of the examination, there will be a document listing all target hosts, alive or otherwise, along with the operating system, IP address, running applications, any banner information available, and known vulnerabilities.

The document also contains recommendations and suggestions for remedying the vulnerabilities found and improving overall network security.
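
The comparison step of vulnerability analysis described above, as an added example that is not part of the original text: each discovered service's version is matched against a vulnerability database and every host, alive or otherwise, lands in the resulting report. Versions are compared numerically (a string comparison would rank 2.4.7 above 2.4.10), and a service whose banner hides its version is flagged for manual verification rather than dropped. The "product/version" banner format, the database layout, and all hosts, products and advisory IDs are constructed placeholders.

```python
# Constructed sample data; advisory IDs, products and addresses are placeholders.
VULN_DB = [
    {"id": "EXAMPLE-ADV-001", "product": "exampled", "fixed_in": "2.4.10"},
    {"id": "EXAMPLE-ADV-002", "product": "samplessh", "fixed_in": "7.2"},
]
INVENTORY = [
    {"ip": "192.0.2.10", "alive": True, "os": "ExampleOS 5 SP1",
     "services": [{"port": 80, "banner": "exampled/2.4.7"},
                  {"port": 22, "banner": "samplessh/7.9"}]},
    {"ip": "192.0.2.11", "alive": False, "os": None, "services": []},
    {"ip": "192.0.2.12", "alive": True, "os": "ExampleOS 5 SP2",
     "services": [{"port": 8080, "banner": "exampled"}]},  # banner hides version
]

def parse_version(text):
    """'2.4.10' -> (2, 4, 10) so versions compare numerically; None if unparsable."""
    try:
        return tuple(int(part) for part in text.split("."))
    except ValueError:
        return None

def parse_banner(banner):
    """Split 'product/version' into (product, version tuple or None)."""
    product, _, version = banner.partition("/")
    return product.strip().lower(), (parse_version(version) if version else None)

def match_service(service, vuln_db):
    """Return (advisory id, status) pairs for one discovered service."""
    product, version = parse_banner(service["banner"])
    findings = []
    for entry in vuln_db:
        if entry["product"] != product:
            continue
        if version is None:  # cannot rule it out: flag for manual verification
            findings.append((entry["id"], "unconfirmed: version unknown"))
        elif version < parse_version(entry["fixed_in"]):
            findings.append((entry["id"], "affected"))
    return findings

def build_report(inventory, vuln_db):
    """List every target host, alive or not, with per-service findings."""
    report = []
    for host in inventory:
        services = [{**svc, "findings": match_service(svc, vuln_db)}
                    for svc in host["services"]]
        report.append({"ip": host["ip"], "alive": host["alive"],
                       "os": host["os"], "services": services})
    return report
```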